Cybersecurity

The best cyberdefense is cyber offense, some experts say

Published 11 November 2014

In response to the surge in cyberattacks against the U.S. private sector, some firms are exploring “active defense” measures which they hope will send a message to hackers. Some cyber analysts say tougher defense will not deter new cyberattacks, and some sort of offensive action is needed. “I think you are morally justified for sure” in taking such actions, a former high DHS official says. “And I think the probability of being prosecuted is very low.” If a firm locates its stolen data and is capable of recovering it, “they would be crazy not to.”

In response to the surge in cyberattacks against the U.S. private sector, some firms are exploring “active defense” measures which they hope will send a message to hackers.

In October, dozens of cybersecurity firms collaborated to eliminate malware believed to originate from Axiom, a Chinese state-sponsored group. “We wanted to make absolutely sure we did something that caused them some level of pain,” said Zachary Hanif at iSight Partners, one of the cybersecurity firms involved in the operation which cleaned up roughly 43,000 infections over two weeks. The operation did not counter-hack Axiom, but it did “throw a large wrench into their engine,” according to Brian Bartholomew with iSight.

Some cyber analysts say tougher defense will not deter new cyberattacks, and some sort of offensive action is needed (see “Report: U.S. companies should consider counter-hacking Chinese hackers,” HSNW, 24 May 2013). Stewart Baker, a former assistant secretary of homeland security, argues that limited “hacking back” could be justified, though the legality is unclear. Cyber actions a company takes outside its own network could be viewed as illegal, but it could be acceptable for companies to infiltrate the networks of third parties used by hackers to transit stolen data. “I think you are morally justified for sure” in taking such actions, Baker told Agence France Presse. “And I think the probability of being prosecuted is very low.” If a firm locates its stolen data and is capable of recovering it, “they would be crazy not to.” “They can’t wait for the government to get a court order. By the time that happened, everything is going to be gone,” Baker said (see also “Former DHS official says U.S. should go on cybersecurity offensive,” HSNW, 1 October 2012).

The Justice Department discourages any retaliation to cyberattacks, but Yahoo News reports that a 2013 presidential commission report on intellectual property theft suggested that some types of retaliatory actions should be legal. “Without damaging the intruder’s own network, companies that experience cyber-theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information,” the report said.

Kristen Eichensehr, a national security law specialist at the University of California-Los Angeles, said the private sector is considering a wide range of actions to deal with cyberattacks. “Depending on where on the spectrum a ‘hacking back’ action is, the private entity’s actions could look a lot like counterespionage, law enforcement, or even military action.”

Admiral Mike Rogers, who heads the Pentagon’s Cyber Command and the NSA, said the military is considering a “deterrence” policy, and wants hackers to know there are consequences for infiltrating key U.S. infrastructure. James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies, argues that deterrence will be ineffective. “The idea of a deterrent effect is not plausible because you can’t deter espionage and crime,” Lewis said. “What is the threat to get them to stop breaking into banks? There is no threat.”