Following a year of high-profile data breaches, continued lack of guidelines for industry-government information sharing and frequent naming of attack victims as culprits by regulators, one might forgive those on the receiving end of cyber intrusions for revisiting thoughts of alternative cyber protective measures.
The Sony Pictures data capture-and-release heist and the reactions that followed may have provided the year’s only comedic interlude in a year of numerically impressive but otherwise gray-flannel suit, button down breaches that swept across a wide swath of corporate America with seeming ease.
In the larger picture, there are many players in a high profile attack, and attribution of blame more difficult. With the FBI fingering the North Koreans as perpetuator of the attacks, a range of detractors claiming otherwise, oft-reversed positions by Sony and high government officials weighing in on the company’s business decisions, one is hard pressed to know where to place the blame for the effectiveness of the U.S. response.
Noted information assurance authority William Hugh Murray may have captured the spirit of the melee when he categorized the incident as sort of madcap circus where the response of the film exhibitors was “craven,” the media “gleeful” and our government reduced to “the wringing of hands.”
It is at points such as this that the call for stronger response capabilities such as active defenses, also known as “hacking back” begin to look more and more like a rational solution.
Interest in reconsidering changes in cybersecurity methods might also be stoked following several years of continuing changes to national cybersecurity strategy which has left private industry without consistent guidelines to follow in reporting or dealing with cyber incidents. And with increases in cyber incidents up some 215% over the past four years, as noted in a recent DHS report, the issue is only getting larger.
In spite of its poor reputation, hacking back has both its supporters and participants. Tom Kellerman, chief cybersecurity officer for Trend Micro, states “Active defense is happening.” Confirming this belief, a survey at a recent Black Hat USA security conference revealed that an impressive 36 percent of respondents had engaged in “retaliatory hacking.”
If more official sanction for hacking back than from the unconventional, venturesome attitudes prevalent in a Black Hat gathering, such acceptance can be found in a report on intellectual property theft co-authored by Dennis Blair, Obama’s first director of national intelligence. The authors of the study argue that American companies “ought to be able to retrieve their electronic files” which had been misappropriated. Another recommendation was for the government to consider allowing American companies to counterattack following breaches in specific circumstances.
Others call for the government itself to take a stronger role in cyber defenses. An argument for stronger government-driven enforcement measures was heard from National Security director Admiral Mike Rogers, who observed in a recent talk that lax U.S. responses to cyberattacks was leading hackers to believe that there is “little price to pay” for misappropriating U.S. government or corporate data. Adm. Rogers might have thought he was catching the cybersecurity industry at a weak time, as stronger government involvement has long been something many companies are wary of.
A recent Op-Ed in The Wall Street Journal citing President Obama’s statement that cyberattacks are “one of the most serious challenges we face as a nation” leaned strongly toward echoing
Adm. Rogers’ call, proposing that due to its critical importance, cyber defense is rightly a government responsibility.
Given the alternatives of continuing to shore up current processes, bringing in more direct government involvement, or establishing rules for the deployment of active defenses, the latter may seem more and more attractive.
However, even hints of consideration of hacking back measures can easily draw strong, swift responses describing such practices in terms ranging from “reckless” and “illegal” to irresponsibly producing undesired collateral damage.
The overall industry tone of caution around active defenses may be calibrated to defuse the notion rather than taking the argument, buying time for other alternatives to surface. The Washington Post put its attempt at obfuscation this way: “The norms around cyberspace and the technological limits of hacking are evolving so rapidly and unpredictably that it's tough to really evaluate the upsides and downsides of hacking back. The costs of inaction are clear and substantial, but the costs of expanding the cyberwar to any corporation with an IT department are nearly impossible to judge, which is exactly what makes them so scary.”
One might argue that the absolute necessity of keeping U.S. critical infrastructure functioning would trump such wordsmithing, dictating implementation of “all legal and effective measures” to ensure the country’s national security.
For now, definition of “legal and effective” measures are clearly in a state of flux. But in an encouraging development, Congress passed at the end of its last session The National Cybersecurity Protection Act of 2014. This measure broadens sharing of cybersecurity information and analysis as well incident response assistance from government agencies.