If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?
As banks reel from another major hacking revelation, a former US
director of intelligence has joined some of them in advocating for
online counterstrikes against cybercriminals.
In February, security firm Kaspersky detailed a direct hack against 100 banks,
in a co-ordinated heist worth up to $1bn. This follows growing
sentiment among banks, expressed privately, that they should be allowed
to hack back against the cybercriminals penetrating their networks.
At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them.
They are frustrated by sustained hacking campaigns from attackers in
other countries, intent on disrupting their web sites and stealing their
data.
Dennis Blair, former director of national intelligence in the Obama
administration, has now spoken out in favour of electronic
countermeasures, known in cybersecurity circles as hacking back, or
strikeback.
Blair co-authored a 2013 report
from the US Commission on the Theft of American Intellectual Property.
It considered explicitly authorising strikeback operations but stopped
short of endorsing this measure at the time.
Instead, the report suggested exploring non-destructive alternatives,
such as electronically tagging stolen data for later detection. It also
called for a rethinking of the laws that forbid hacking, even in
self-defence.
Western law enforcers don’t have jurisdiction in the countries where
cybercriminals operate. Ideally, they would pass information about
hackers onto their counterparts there, said Blair, but in many cases
local police are un-cooperative. It’s time to up the ante, he suggested.
“I am more leaning towards some controlled experiments in officially
conducting aggressive cyber-tracking of where attacks come from,
discovering their origin, and then taking electronic action against
them,” he told the Guardian.
Legal problems
There’s just one problem with strikeback operations, said Mark Rasch,
a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.
Long-standing laws on both sides of the Atlantic clearly forbid
unauthorised tampering with a computer, even if someone is using that
computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.
Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.
The stakes are getting higher, though. Since the report’s release,
corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach
affecting 76 million households. Home Depot and Target were also
hacked, and most recently, Sony Entertainment was embarrassed by the
theft of internal documents.
“I’ve been seeing the way that technology is developing. I think it’s
worth some limited legislation to post penalties back to hackers,” Mr
Blair said, adding that companies should work with law enforcement
rather than taking matters into their own hands.
“Law enforcement authorities can go back down the same route that
[the hackers] use to attack, and cause physical damage to their
equipment,” he added.
A gentler poke
Is frying someone’s laptop remotely with a killer poke
even possible? Even if it is, it may not achieve the desired effect,
says Dave Dittrich, who works at the University of
Washington’s Applied Physics Laboratory and specialises in the
topic. “How expensive is it to buy a new one? $500? Cyber is not the
same as physical when it comes to disabling ‘weapons’ to remove a
threat.”
Frying is not the only form of counter-hack, points out Dittrich. “I
prefer the term ‘active response continuum’ to make it clear and
explicit that there is a wide range of actions, from benign to very
aggressive and intrusive,” he said.
These actions include simply probing an attacker’s computer to see what kinds of attack tools they are using.
“That falls on the lower end of the active response continuum, and
has less chance of causing any harm to anyone (beyond trespassing, which
may still be a crime, but a lesser offence),” Dittrich said.
Could laws be tweaked to allow gentler forms of active defence? Even
if they were, technical problems remain, warned Jon Ramsey, chief
technology officer at Dell SecureWorks,
Dell’s security unit. One of the biggest challenges is attribution, he
pointed out. It is difficult to trace an attack to a specific individual
in cyberspace.
“Without accurate traceback there is a significant and substantial
risk that organisations start attacking legitimate organisations,” he
said. “Where would this end? It would cascade out of control. Threat
actors often use compromised devices of companies and individuals that
become unwilling and unknowing participants in attacks and are attacked
themselves.”
For example, cybercriminals frequently use compromised computers
that are part of a botnet to launch their attacks, said Bill Nelson. He
is the executive director of FS-ISAC, a US industry forum for financial services firms to privately share information about cyber threats.
A botnet is a large collection of computers owned by innocent users,
which have been infected by malware. The malware enables cybercriminals
to remotely control the computers.
“We do not endorse hacking back because there can be significant unintended consequences,” said Nelson.
These issues apparently haven’t stopped financial institutions from
considering the idea in private before. In December, Bloomberg reported
that banks had considered using offshore contractors to carry out a counter-attack, after a widespread attack on the US banking community that US officials believed was mounted from within Iran.
According to Bloomberg, the FBI discovered that computers used in a
cyber-attack on the banking community had been disabled by a third
party, and the agency had investigated banks to see if they had already
engaged in strikeback activity across national boundaries. It apparently
absolved banks under investigation, though.
Banks would have been particularly sensitive to the idea of hacking
back across international borders, said John Pescatore, who worked in
the Secret Service and the NSA before becoming director of security
research and training company the SANS Institute.
“They need to cross country boundaries to do it. That’s what was
really coming out of Davos,” he said, adding that these companies are
well aware of the legal dangers when crossing international lines. “It’s
that boundary crossing issue where I think the larger financial
institutions are saying: ‘we need some help’.”
Sharing is caring
Instead of engaging in such legally risky behaviour, banks that are
attacked should simply share information about it with the government to
help prepare an industry-wide response, argued John Carson. He is the
executive vice president of BITS, the technology policy division of the US Financial Services Round Table, an industry association for financial firms.
Information sharing, while good for cybersecurity, may carry its own
legal risks, Carson warned: “Today if there is an attack, there’s a
reluctance to share that information because it could be used against
that institution in a civil suit.”
Legislators are trying to plug that gap. In January, the Cyber
Intelligence Sharing and Protection Act (CISPA) was reintroduced in the
House. The Bill would allow companies to share information about
cyber-threats and hacks with law enforcement without fear of legal
reprisal.
In February, Senator Tom Carper (D-Del) also introduced the Cyber
Threat Sharing Act of 2015, which would accomplish similar goals. President Obama also signed an executive order advocating cybersecurity information sharing.
Armed with this information, the government might be the ideal partner to hack back against cybercriminals.
Blair affirms that banks shouldn’t handle it themselves: “I still
think it should be handled through law enforcement authorities, and I
would not give some immunity to companies who try it on their own.
Because then you just make it wild west, vigilante stuff.”
Law enforcement is equally constrained by the law, though, said
Rasch. “You can get a warrant to search and seize stuff, but since when
did law enforcement have the authorisation to impose punishments on
their own? If that’s what you’re talking about with hacking back, I
don’t think they can do it,” he said.
The real question, he added, is whether a government would consider
refusing to prosecute law enforcement in the event of a cyber
strikeback. But at that point, it stops being a legal discussion.
“You’re getting out of the realm of law. You’re getting into the realm
of politics,” he warned.
At this level, the problem is that one government may simply have
different rules or priorities to another. If a government refuses to
prosecute its own cybercriminals when they’re attacking companies in
your country, then should your government support strikebacks by law
enforcement that believes it has identified a hacking group?
“It’s a dangerous game you play, when you decide that because they’re
not following the rules, you’re not going to either. Because then you
don’t have rules,” he said.
The problem seems simple: do you take the high road, or stoop to
their level? At stake are not only millions of dollars in intellectual
property, but also elements of critical national infrastructure, and even free speech.
As we face such threats, Blair remains convinced that strikebacks are
a useful deterrent. He is less concerned with the legal debate than he
is with the fact that western firms are being fleeced by shadowy
cyber-crooks half a world away.
“Sitting around sucking our thumbs debating legal points is getting us nowhere,” he concluded. “We’re being robbed blind.”