Hacking Back: Active Defenses Redux?

Following a year of high-profile data breaches, continued lack of guidelines for industry-government information sharing and frequent naming of attack victims as culprits by regulators, one might forgive those on the receiving end of cyber intrusions for revisiting thoughts of alternative cyber protective measures.


The Sony Pictures data capture-and-release heist and the reactions that followed may have provided the year’s only comedic interlude in a year of numerically impressive but otherwise gray-flannel suit, button-down breaches that swept across a wide swath of corporate America with seeming ease.

In the larger picture, there are many players in a high-profile attack, and attribution of blame is more difficult. With the FBI fingering the North Koreans as perpetrators of the attacks, a range of detractors claiming otherwise, oft-reversed positions by Sony and high government officials weighing in on the company’s business decisions, one is hard pressed to know where to place the blame for the effectiveness of the U.S. response.


Noted information assurance authority William Hugh Murray may have captured the spirit of the melee when he categorized the incident as a sort of madcap circus where the response of the film exhibitors was “craven,” the media “gleeful” and our government reduced to “the wringing of hands.”

It is at points such as this that the call for stronger response capabilities such as active defenses, also known as “hacking back,” begins to look more and more like a rational solution.

Interest in reconsidering changes in cybersecurity methods might also be stoked following several years of continuing changes to national cybersecurity strategy, which have left private industry without consistent guidelines to follow in reporting or dealing with cyber incidents. And with cyber incidents up some 215% over the past four years, as noted in a recent DHS report, the issue is only getting larger.

In spite of its poor reputation, hacking back has both its supporters and participants. Tom Kellermann, chief cybersecurity officer for Trend Micro, states, “Active defense is happening.” Confirming this belief, a survey at a recent Black Hat USA security conference revealed that an impressive 36 percent of respondents had engaged in “retaliatory hacking.”

If more official sanction for hacking back is wanted than the unconventional, venturesome attitudes prevalent at a Black Hat gathering, such acceptance can be found in a report on intellectual property theft co-authored by Dennis Blair, Obama’s first director of national intelligence. The authors of the study argue that American companies “ought to be able to retrieve their electronic files” that had been misappropriated. Another recommendation was for the government to consider allowing American companies to counterattack following breaches in specific circumstances.


Others call for the government itself to take a stronger role in cyber defenses. An argument for stronger government-driven enforcement measures was heard from National Security Agency director Admiral Mike Rogers, who observed in a recent talk that lax U.S. responses to cyberattacks were leading hackers to believe that there is “little price to pay” for misappropriating U.S. government or corporate data. Adm. Rogers might have thought he was catching the cybersecurity industry at a weak time, as stronger government involvement has long been something many companies are wary of.

A recent Op-Ed in The Wall Street Journal citing President Obama’s statement that cyberattacks are “one of the most serious challenges we face as a nation” leaned strongly toward echoing Adm. Rogers’ call, proposing that due to its critical importance, cyber defense is rightly a government responsibility.

Given the alternatives of continuing to shore up current processes, bringing in more direct government involvement, or establishing rules for the deployment of active defenses, the latter may seem more and more attractive.

However, even hints of consideration of hacking back measures can easily draw strong, swift responses describing such practices in terms ranging from “reckless” and “illegal” to irresponsibly producing undesired collateral damage.

The overall industry tone of caution around active defenses may be calibrated to defuse the notion rather than take up the argument, buying time for other alternatives to surface. The Washington Post put its attempt at obfuscation this way: “The norms around cyberspace and the technological limits of hacking are evolving so rapidly and unpredictably that it’s tough to really evaluate the upsides and downsides of hacking back. The costs of inaction are clear and substantial, but the costs of expanding the cyberwar to any corporation with an IT department are nearly impossible to judge, which is exactly what makes them so scary.”

One might argue that the absolute necessity of keeping U.S. critical infrastructure functioning would trump such wordsmithing, dictating implementation of “all legal and effective measures” to ensure the country’s national security.

For now, the definition of “legal and effective” measures is clearly in a state of flux. But in an encouraging development, Congress passed at the end of its last session the National Cybersecurity Protection Act of 2014. This measure broadens sharing of cybersecurity information and analysis as well as incident response assistance from government agencies.
