The browser or device you are using is out of date. It has known security flaws and a limited feature set. You will not see all the features of some websites. Please update your browser. A list of the most popular browsers can be found below.
If your company is hacked, should you hack the hacker? It's a growing debate in the cybersecurity world. Comstock/Thinkstock
In the murky underworld of cybersecurity, the line between defense and offense can be blurry. And a handful of private firms are taking advantage, offering services they contend can make hackers who break into networks pay for their crimes.
Proponents call it "active defense,'' but critics have dubbed it "hack back,'' suggesting that it smacks of vigilante justice.
Lawyers agree it’s a grey area in the "Wild West" of Internet law. And Silicon Valley investors are putting millions of dollars into companies that market these aggressive tactics.
Fortune 500 companies get targeted by hackers thousands of times a day. Some hackers want to steal credit card numbers. Others want to shame an oil company for harming wildlife, or a media conglomerate for favoring the enemy in a civil war.
No matter the motive, the cybsercurity firm Bishop Fox, based in Phoenix, Ariz.,has built a small business helping corporations respond. CEO Vincent Liu says his clients have a hard choice to make. “Do I actually try to figure out who did this, or do I just clean up and move on?”
Security experts say that more and more, targets are choosing to gather intelligence on their intruders. It can be like looking for a needle in the haystack because, Liu explains, “a lot of people jump through different servers to get to your system.”
Liu cannot name his clients because of confidentially agreements. But he describes a common scenario: a hacker breaks into confidential records, and then tries to blackmail the company in exchange for not releasing the stolen data.
The target does not call 911. There are no cybercops to respond swiftly, and a criminal case would embarrass the victim. “No one wants the world to know they got broken into,” Liu says.
Instead, the company pretends it’s going to negotiate. They fool the blackmailer into downloading a file. “Tell them we need to communicate securely,” Liu explains. “Tell them, ‘you need to use this encryption program.’”
The blackmailer installs the software and, suddenly, “you use it to push back into their system, get into their laptop, figure out where they are.”
That is, the victim goes inside the invading server.
A new legal theory
Liu says his own firm doesn’t offer the service, even though it’s in demand, because he’s not sure if it’s legal.
“That’s a very gray area because you’re attacking them back,” he said.
Lawyer David Willson has a different take on it. He’s a retired Army JAG officer who has given legal advice on computer networks and information security to the Defense Department and National Security Agency.
“No, it’s not legal, not unless the blackmailer gave permission,'' he said. "But who’s going to report it? Not the bad guy.”
The Computer Fraud and Abuse Act, passed in 1986, prohibits unauthorized access of a computer. It does not carve out exceptions for self-defense or vigilante justice.
But Willson argues that it should.
He is now at the law firm Titan Info Security Group in Colorado Springs, Colo., which advises companies on active defense. “Gray area” has become a term of art among cybersecurity experts.
As hacking experts flock from the Pentagon to the private sector, Willson is touting a legal theory around how private citizens can exercise surveillance powers similar to the government and, “out of necessity,” enter someone else’s server without permission.
Say a company is the target of an ongoing attack. Their defenses are up, but they’re bleeding intellectual property or bank account numbers because the intruder keeps on breaking in.
Willson says the CEO has to step up.
“You have a fiduciary responsibility to protect your company, which requires the leadership to gather as much information as possible and decide how to move forward,” he said. “Call law enforcement or not. Call the server owner or disrupt the server. Stop the attack.”
The CEO can deal with retribution or blowback from lawsuits or media. “If you’re losing a hundred thousand dollars a week, and you think a lawsuit involved could cost five hundred thousand total, you may decide to take a chance with the lawsuit.”
Willson admits, however, that this approach could spiral out of control.
In most cases, good hackers don’t take stolen goods back to their server. They take it to another server they’ve compromised, he said, “somebody who – I don’t want to call an innocent bystander – but who is also a victim."
"You’re running the risk of having them think you’re attacking them,'' he said, "when you’re really just trying to figure out who attacked you.”
The Justice Department has not prosecuted any firm for hacking back and, as a matter of policy, will not say if any criminal investigations are pending. SpokesmanMichael Passman also declined to describe the types of questions the department is getting from companies that may be practicing active defense.
Former federal prosecutor Kimberly Peretti is now with the high-powered Washington D.C. law firm Alston & Bird. “Active defense is an important topic for public policy,” she said. “It matters to my clients.”
Major targets of cyber attack include Bank of America, JP Morgan Chase and Goldman Sachs; their representatives would not comment on active defense as a public policy debate.
He just attended a retreat for chief information security officers (CISOs) who are charged with protecting computer networks. He sums up the challenge they’re facing. “Nobody likes to be hit and not punch back," he said. "The CISOs want active defense, but the general counsels won’t permit it.”
International relations are another major concern.
Willson and other experts say a few cybersecurity firms are setting up shop in regions like the Middle East and the Philippines, where there is little to no legislation on computer access.
Rodriguez says if an American firm is contracting these services and they hit the wrong target – say friendly fire against a business partner or civilian – the firm could be blamed for it.
If that wrong target is based abroad and calls for help, "then the State Department would have to get involved, which no one wants.”
Toning down the message
Perhaps no company in the U.S. has stirred more controversy in the debate than Crowdstrike.
“We’re certainly not advocating hack back,” co-founder Dmitri Alperovitch said when asked to describe the full range of services offered by Crowdstrike’s active defense platform. “We’re not advocating anything illegal or vigilante. We’re advocating intelligence gathering.”
Ken Baylor doesn’t buy it. The former vice president of security at Wells Fargo says he has attended three Crowdstrike presentations.
“They talk about hunting people down actively and have the tools to do that,” said Baylor, now a researcher at NSS Labs in Austin TX. He analyses new cybersecurity services on the market.
Crowdstrike just raised $30 million with help from Accel Partners, a leading venture capital firm in Silicon Valley. The start-up is well positioned to cross the legal gray area because of its political connections, Baylor said.
“Is that something you and I can do?” he asked rhetorically. “Or is that something someone with very powerful friends in Washington who’ll turn a blind eye can do?”