Cyberattacks trigger talk of 'hacking back'
WASHINGTON -- The recent rash of cyberattacks on major U.S. companies has highlighted the scant options available to the victims, who often can do little more than hunker down, endure the bad publicity and harden their defenses in hopes of thwarting the next assault.
But behind the scenes, talk among company officials increasingly turns to an idea once considered so reckless that few would admit to even considering it: Going on the offensive. Or, in the parlance of cybersecurity consultants, "hacking back."
The mere mention of it within cybersecurity circles can prompt a lecture about the many risks, starting with the fact that most forms of hacking back are illegal and ending with warnings that retaliating could spark full-scale cyberwar, with collateral damage across the Internet.
Yet the idea of hacking back -- some prefer the more genteel-sounding "active defense" -- has gradually gained currency as frustration grows about the inability of the government to stem lawlessness in cyberspace, experts say. The list of possible countermeasures also has grown more refined, less about punishing attackers than keeping them from profiting from their crimes.
"Active defense is happening. It's not mainstream. It's very selective," said Tom Kellerman, chief cybersecurity officer for Trend Micro and a former member of President Barack Obama's commission on cybersecurity. Then Kellerman added, as if by reflex, that he and his company would never do it: "For you to hack back, you actually put at risk innocents."
One vocal advocate of some limited forms of hacking back, former National Security Agency general counsel Stewart Baker, said even some government officials are warming to the idea. Officials, he said, are more likely to consider assisting frustrated companies than threaten prosecution when they talk about going on the offensive.
"The government is giving ground silently and bit by bit on this by being more open," said Baker, now a partner at Steptoe & Johnson. "I have a strong sense from everything I've heard ... that they're much more willing to help companies that want to do this."
A popular metaphor in these discussions is the exploding dye pack that bank tellers sometimes slip into bags of cash during old-fashioned bank robberies. The cyberspace equivalent, called a "beacon," potentially could be attached to sensitive data, making it easier to spot both the stolen loot and determine who spirited it away across the Internet.
Other ideas include tricking hackers into stealing a fake set of sensitive data, then tracking its movements across cyberspace. Some experts also suggest taking advantage of the way hackers often operate, moving files in stages from a victim's network to a remote server before collecting them hours later; the lag potentially gives companies time to spot the stolen files and destroy them before hackers can complete the theft.
Hacking back is a staple of conversations at cybersecurity conferences worldwide and also in private consultations between companies and their security consultants. At the Black Hat USA security conference in 2012, 36 percent of respondents said they had engaged in "retaliatory hacking" on at least one occasion, according to cybersecurity company nCircle, which conducted the survey of 181 conference attendees.
Financial industry security experts have had discussions behind closed doors about the possibility of retaliatory cyberattacks but concluded the legal risks were too great to pursue the idea, according to people familiar with the discussions who were not authorized to speak publicly.
"Most of the offensive talk is from the private sector, saying, 'I've had enough and I'm going to go do something about it,' " said Rep. Mike Rogers, R- Mich., chairman of the House intelligence committee, at a cybersecurity summit at The Washington Post last week. Yet Rogers, like many other government officials, has publicly warned about the dangers of hacking back.
Entering another person or company's network without permission violates the Computer Fraud and Abuse Act, officials say, even if the intrusion happens in the course of attempting to identify hackers or destroy data they have stolen.
Michael Sussmann, a partner at Perkins Coie and a former federal cybercrime prosecutor, said, "It's not uncommon to be called in after an intrusion and come across the well-intentioned system administrator or investigator who, without realizing it, violated the law in trying to protect their systems."
Any resulting consequences -- even unintended ones, such as accidentally damaging an innocent company's network -- could cause significant legal liability. Plus, it's notoriously difficult to correctly identify who is behind a cyberattack.
"Attribution is very difficult to do," said White House cybersecurity coordinator Michael Daniel. "The bad guys don't tend to use things labeled 'bad guy server.' They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are 'hacking back' or even what some people try to call 'active defense.' "
Officials within the financial industry, the most recent target of headline-grabbing attacks, echo Daniel's concerns. "Hacking is illegal. Attribution is difficult. And the liability for doing it wrong are such that no responsible enterprise, banking or otherwise, is going to engage in that," said Greg Garcia, executive director of Financial Services Sector Coordinating Council, an industry group.
Yet even detractors have little trouble seeing the appeal. Recent intrusions into JPMorgan Chase, Home Depot, Target and others caused massive headaches for the companies and their customers. The attack against JPMorgan and other financial firms caused particular alarm -- up through the highest levels of the U.S. government -- because of the companies' critical role in the economy.
That prompted aggressive action by the FBI and Secret Service, but U.S. law enforcement agencies often struggle to solve crimes emanating from foreign countries. U.S. officials could apply diplomatic pressure on countries that support cyberattacks or even fail to police them aggressively, but other priorities tend to prevail in foreign policy debates, said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
"There's an unwillingness to admit to the scope of the problem because we don't have the tools to deal with it," Lewis said. "Despite all the noise, cybersecurity is still a secondary concern."
That leaves many companies feeling left on their own.
Former federal officials said they knew of cases when companies have reached beyond their own computer networks to find the source of an intrusion or to delete stolen data. These officials said they have also noticed a quiet acceptance on the part of federal agents.
"There are companies that have certain measures in place for determining where the source of a hack is coming from and for [deleting] the data, and that could technically violate the law," said another former federal prosecutor, who spoke on the condition of anonymity. "And when the agents are called in and they understand what tools the company is using, they may not report them or shut them down for using those tools."