JP Morgan Chase. Sony Pictures. Target. Anthem Healthcare. Fiat Chrysler. All of these companies have been hit by high-profile cyber-attacks in the past 20 months, rattling the confidence of their customers and employees, and forcing them to spend more to improve their defences.
But for John Strand, these attacks have been great for business. A cyber security expert based in the remote Black Hills of South Dakota, Mr Strand specialises in a new approach to protecting companies from hackers known as “active defence” — an aggressive alternative to simply relying on traditional passwords and firewalls.
“It has been attack after attack after attack. My business has skyrocketed. I feel like I should send the Chinese a Christmas card saying thank you for a wonderful year,” he said.
Businesses such as Mr Strand’s use tactics to lure hackers into traps, or to trace their steps to discover the origin of an attack. But there are others who offer more controversial — and probably illegal — methods to “hack back” against cyber criminals. Some quietly resort to such tactics, while others want to but are afraid of running foul of the law. Legal or not, some say hacking back is necessary given the threat.
After a spate of devastating attacks, companies and governments are mounting a fightback to reinforce their defences, and find more active ways to neutralise the threats from attackers. But the technical advantage lies with the attackers, while legal and political considerations limit how far potential victims can go.
Some 46 per cent of US companies have raised their cyber security budgets in the past two years, with half saying they will spend more in the next two, reports the Ponemon Institute, a cyber security research centre.
“There is an unprecedented level of interest in active defence and frustration with the reactive approach,” says James Lyne, global head of research for Sophos, a web security specialist.
Using funds from the US Defense Advanced Research Projects Agency, Mr Strand helped create a set of 20 tricks and traps to thwart cyber criminals. Downloads of the Active Defense Harbinger Distribution kit have almost doubled in the past two months, to an average of about 500 a week. His “active defence” sessions at the upcoming security conference Black Hat in Las Vegas have already sold out. There is a “huge spike” in interest in active defence after each big cyber attack, Mr Strand says.
The onslaught of cyber attacks has shown how vulnerable every sector is, from banks to retailers, entertainment companies to healthcare providers. They want to bolster their defences to protect the customer data, intellectual property and financial information that is the lifeblood of their business — and a treasure trove for hackers.
Mr Lyne showed how active defence techniques could be used to trace a hacker in a 2013 TED talk. He accessed cloud services used by a hacker group, found their phone numbers and used GPS information to pinpoint their office building. He was even able to find pictures of the hackers’ Christmas party.
But finding them was the easy part. “Despite the theft of millions of dollars, the cyber criminals haven’t been arrested and at this point possibly never will,” he said. “Most laws are national despite cyber crime conventions, while the internet is borderless and international by definition.”
Deploying the honey badger
Cyber security specialists categorise the main active defence tactics as the three As: annoyance, attribution and attack. Only two of the three As are considered above-board, however.
Annoyance involves tracking a hacker and leading him into a fake server, wasting his time — and making him easy to detect. A new generation of start-ups is specialising in building traps for data centres, including two Israeli companies, TrapX and Guardicore.
Attribution uses tools to trace the source of an attack back to a specific location, or even an individual hacker. The two most popular tools in the ADHD kit are attribution techniques: the “honey badger,” which locates the source of an attack, tracking its latitude and longitude with a satellite picture, and beacons, which are placed in documents to detect when and where data is accessed outside the user’s system.
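As an added illustration of the document-beacon idea described above (example code written for this article, not part of the ADHD kit or any product mentioned), here is a small detector that scans web-server access lines for beacon fetches and reports the ones coming from outside the organisation's own address ranges, i.e. a document being opened somewhere it should not be. The token registry, the internal ranges, the URL layout and the log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: each document carries a beacon fetching /b/<token>.gif from a server
# the defender controls; the token was recorded when it was embedded (constructed).
BEACON_REGISTRY = {
    "a1f3e9": "Q3-board-deck.docx",
    "77c0d2": "payroll-export.xlsx",
}

# Address ranges the organisation treats as its own (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Combined-format access-log lines, constructed for this example.
SAMPLE_LOG = """\
10.4.2.17 - - [12/Jul/2015:09:14:02 +0000] "GET /b/a1f3e9.gif HTTP/1.1" 200 43 "-" "Word/15.0"
10.4.2.17 - - [12/Jul/2015:09:40:51 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jul/2015:23:05:33 +0000] "GET /b/a1f3e9.gif HTTP/1.1" 200 43 "-" "Word/15.0"
198.51.100.4 - - [14/Jul/2015:01:12:08 +0000] "GET /b/77c0d2.gif HTTP/1.1" 200 43 "-" "LibreOffice"
198.51.100.4 - - [14/Jul/2015:01:12:09 +0000] "GET /b/zzzzzz.gif HTTP/1.1" 404 0 "-" "curl/7.43"
"""

# source IP, bracketed timestamp, then the beacon token from the request path
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /b/([0-9a-f]+)\.gif')

def is_internal(ip):
    """True when the address falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def beacon_hits(log_text):
    """Return {document: [(timestamp, source_ip), ...]} for beacon fetches
    that came from outside the organisation's own address ranges."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a beacon fetch at all
        ip, when, token = m.groups()
        doc = BEACON_REGISTRY.get(token)
        if doc is None or is_internal(ip):
            continue  # unknown token (probe or typo) or a legitimate internal open
        hits[doc].append((when, ip))
    return dict(hits)

if __name__ == "__main__":
    for doc, events in beacon_hits(SAMPLE_LOG).items():
        for when, ip in events:
            print(f"{doc}: opened from {ip} at {when}")
```

The external hit only shows where the beacon was fetched from, which is the attribution caveat the article raises: a source address is not, by itself, an attacker's identity.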
But it is the third A — attack — that is most controversial. To “hack back,” a company accesses an alleged hacker’s computer to delete its data or even to take revenge. Both of these steps are considered illegal.
Mr Strand has seen companies so frustrated they want to hack back. A Malaysian bank contacted him for help to track down some hackers — but he turned the job down because he feared aiding “vigilante justice”.
“We don’t work cases like that. I don’t want to pick up a newspaper and find out a hit has been taken out on a hacker in another country,” he said. “I’m terrified of what some banks, not necessarily US banks, but some international banks do to dissuade attackers.”
Chris Hoff, security chief technology officer at Juniper Networks, is integrating elements of active defence into the company’s products. “The dirty little secret is if there were no worries ethically and legally, everyone wants a ‘nuke from orbit’ button,” he says.
Instead, security lawyers have been forced to draw a line between what is legally acceptable “active defence” and illegal “hacking back” using a case that has little obvious relevance to the world of large-scale cyber attacks.
In 2011, a teacher in Ohio used a laptop, which she did not realise was stolen, for webcam sex chats with her lover. Absolute Software, which monitored stolen property for the owner, tracked down the laptop, intercepted her communications and took screenshots of her most private online moments.
Susan Clements Jeffrey sued Absolute Software and won, with the judge ruling that even if the laptop was stolen, the company could not break into it to monitor its use. Based on this precedent, cyber security lawyers have concluded that companies risk breaking the law if they enter another network, even if it is just to delete their own stolen data.
However, some companies evade these restrictions in US law by putting cyber defence units in countries with few laws governing the internet. And some cyber security companies outside the US are also attacking hackers on behalf of their US clients, says David Cowan, an investor in security start-ups at Bessemer Venture Partners.
“If we didn’t have the restrictive laws we have, I expect the banks would have been much more aggressively attacking the sources of their threats. I’ve seen situations where vendors [outside the US] have, as a courtesy, attacked hackers on behalf of their [US] clients without charging for it.”
In the UK, Mr Lyne adds, most lawyers have concluded the law is similar to the US. However, there was “quite some distance from legal clarity”, with some companies’ lawyers deciding that injecting code into a website to track an attacker’s IP address is legal, but inserting code that collects more information is malicious. Until there is clear and co-ordinated international law, how far companies can go with active defence depends on “the number of lawyers they have and the size and maturity of their security team”.
Former government officials acknowledge the frustration felt by companies who are told to rely on the FBI or intelligence agencies to respond.
Howard Schmidt, former White House cyber security advisor to President Barack Obama and former President George W Bush, says there is a “big discussion” on whether companies should be able to hack back. “There’s a tremendous amount of frustration.”
If a person has their car stolen and finds it abandoned, they are legally allowed to get back in it, he says. “In cyber it doesn’t work that way. It is a felony to do that. You need a body that will do it for you.”
However, many cyber security experts see serious problems with allowing companies to hack back. Pinpointing exactly who committed the attack is difficult, so companies risk targeting innocent users. “At the root of all of this is the issue of attribution,” says Mr Hoff. “Most people can’t do that.”
Mr Lyne adds that hackers are “very good at exploiting the law” by using legitimate networks that lawyers will not give their companies permission to attack. “No lawyer is going to authorise offensive techniques to be used against the web server of Joe Bloggs, the flower seller whose computer just happens to be distributing some nasty malware.”
Striking back could also increase the problem, leading to more serious attacks and goading potential adversaries in the hacker community, as a cyber criminal’s supporters join the fight.
In a rare public attempt at retaliation, Israeli company Blue Security tried to turn the tables nearly a decade ago by responding to spam emails with a deluge of electronic traffic designed to disrupt the attackers. The counter-attack brought a swift and devastating response: Blue Security’s systems were hit by a massive denial of service attack that took them offline, forcing the company to abandon its ill-advised countermeasures and, eventually, shut down.
For companies itching to go on the offensive, it is a cautionary reminder of just how dangerous the cyber frontiers have become. “In the Wild West, it was common to fight your own battles because you were afraid of the sheriff. But at some point that is not a scalable way to preserve justice,” says Mr Cowan.
Defining government’s role
When Mr Obama held his first cyber security summit in Silicon Valley last February, he signed an executive order designed to encourage information sharing between companies and government. That idea had been on the agenda for years, well before the recent spike in attacks, but some say it could help to create a legal framework for a more active cyber defence.
If companies felt more comfortable sharing information with the government, they could do the annoyance and attribution elements of active defence, then hand the information they discovered to law enforcement, who would take responsibility for counter-attack.
“I, for one, would feel much more comfortable knowing the Department for Homeland Security, the Defence department and the FBI are part of the solution protecting our nuclear power plants. I don’t think they should be left to their own devices,” Mr Cowan says.
As well as the executive order and an information sharing bill, the Department of Justice is contacting general counsels to try to make them more comfortable with handing data — which might relate to their customers or vendors — to the government.
John Carlin, assistant attorney general for national security at the Department of Justice, admits the laws on active defence are not keeping pace with the rising number of attacks. “In cyber in general it is incredibly fast-moving technology and fast-moving policy change. Almost every issue we confront in cyber is an area where you are looking to clarify the law,” he says.
However, some lawyers are looking beyond information-sharing to push for companies to be allowed to take more action. Ben Wittes, a senior fellow at the Brookings Institution and co-author of A Future of Violence, agrees the laws that bind companies hand the advantage to the attackers. “The offensive side is never thinking about legality, but the defensive side has loads of lawyers saying, ‘You can’t do that, you can’t do that, you can’t do that’,” he says. “In an environment in which you cannot reliably turn to government to protect you, the law should be relatively more permissive of reasonable steps you take to protect yourselves.”
Mr Wittes acknowledges that writing law with self-defence provisions would be hard. But he suggests that legal authorities might end up simply turning a blind eye to companies’ cyber defences, even when they appear to cross the line. “I think the answer is not legalising it but tolerating a lot of active self defence,” he said. “A fair bit of it is going on. No one is saying it is OK. But no one is getting prosecuted for it.”