Fatigued by a relentless onslaught from hackers, Corporate America is mulling a more aggressive and proactive approach to powerful cyber evildoers.
Offensive counterstrikes are likely illegal in today’s murky legal structure, but some security professionals are calling for at least a more proactive stance that utilizes measures like disinformation campaigns, honey pots and intelligence gathering.
All of this is aimed at squashing cyber attacks that can generate millions of dollars in damages and lost revenue, lead to the loss of intellectual property and even cause reputational harm.
“These adversaries are like a dog with a bone. They will not go away,” said Dmitri Alperovitch, co-founder of security firm CrowdStrike. “It doesn’t matter how many times you stop them, the one time they get through they cause very, very serious damage.”
Whether it’s from vindictive terrorists, anti-capitalistic hacktivists or stealthy Chinese hackers, it’s clear that companies are under attack from nefarious online forces.
Just in the past few years there have been known high-profile attacks that have slowed the websites of big U.S. banks like Bank of America (BAC), shut down Sony’s (SNE) PlayStation Network and destroyed 30,000 workstations at state-owned oil giant Saudi Aramco.
According to a report last month from security firm Radware (RDWR), 65% of organizations polled suffered an average of three distributed denial-of-service (DDoS) attacks in the past 12 months, with such attacks costing financial-services companies a hefty $32,560 a minute.
No Prevent Defense Here
This helps explain a rising frustration about the limited options companies have to fight back.
“If someone were to rob a bank today, doesn’t the bank have a responsibility to protect its customers and employees from someone armed? They don’t simply wait until someone shoots innocent victims,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.
Some security firms like CrowdStrike are advocating a more proactive defense, though companies need to be careful to navigate U.S. laws.
“We’re not advocating hacking back. In most cases that is illegal,” said Alperovitch. “We’re talking about doing legal things on your network…that are more aggressive as opposed to just sitting there and trying to swat away these intrusions.”
Alperovitch added: “This active defense, which the U.S. government has also embraced quite openly, can be a very effective deterrent.”
One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially mislead adversaries.
This can help companies do everything from protecting intellectual property to obscuring strategic plans like acquisitions or bids.
‘Like Going Fishing’
Another proactive defense includes the use of so-called honey pots, which, as the name implies, aim to lure adversaries.
“It’s like going fishing,” said Jeffrey Carr, founder and CEO of boutique security firm Taia Global. “The worm is files you create that are entirely fake but would attract the interest of bad actors.”
Those files are then tracked by the security firm in an effort to learn more about adversaries and test the safety of the system.
While Carr advocates the use of honey pots, he said “a lot of corporations have problems, especially the legal departments,” due to liability concerns.
Another option is for companies to engage in snooping of their own by buying cyber-intelligence services that aim to reveal the methods, identities and motivations of hacker groups.
Carr said this type of threat intelligence is tantamount to knowing what’s in the other team’s playbook before a football game.
Others believe the U.S. government should unleash private companies, letting them punch back at hackers through offensive measures such as counterstrikes.
“We’re never going to have nor should we have virtual law enforcement everywhere. We should provide opportunities and responsibilities to the private sector to hack back,” said Cilluffo, who has testified before Congress and served as a Homeland Security adviser in the Bush Administration.
Cilluffo compared offensive measures with a football linebacker, who technically plays on the defense. “You’re blitzing and attacking the adversary, or quarterback, who is trying to score on you,” he said.
Of course, counterstrikes can backfire, especially because DDoS attacks often employ systems owned by unwilling participants. That means an effective counterpunch could inadvertently hit innocent bystanders.
“You can’t simply just shoot back because there will be a lot of collateral damage unrelated to the attacker, but we don’t want to just sit there and call the locksmith” either, said Cilluffo.
Some are more cautious about giving companies the power to fight back.
“Do you want vigilante justice in cyberspace? Maybe you do,” said Jim Rickards, senior managing director at Tangent Capital in New York. “It just conjures up notions of pirates on the high seas and wild west posses.”
Legal Gray Area
Companies could also find themselves in violation of privacy and computer abuse laws.
“Citizens aren’t allowed to walk around with guns without permits just because they want to be vigilantes. Even though your intentions might be good, you have to refrain from breaking the law,” said Rickards.
Tel Aviv-based Radware said its security measures stop short of counterattacks.
“It’s unfair that hackers can do whatever they want and companies have to follow rules. But companies should only operate within the law and not even operate within the gray area,” said Ronen Kenig, director of security product marketing at Radware.
Harriet Pearson, a partner at law firm Hogan Lovells, said the policy discussion and norms “haven’t really settled out yet,” pointing out that the law doesn’t even use the offensive and defensive terms.
“The time to plan corporate cyber strategy is before something happens,” said Pearson, who urged companies to conduct “advance thinking and analysis of the relevant law” ahead of time.
Clarity From D.C.?
U.S. companies are understandably quiet about the extent of their cyber defenses.
Cyber security experts have been urging Washington to issue new guidance to companies about what’s permitted as they defend themselves from hackers.
While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.
“We need to have these conversations because the current approach is doomed for failure. We’re losing too much,” said Cilluffo.