Companies are striking back at hackers in retaliation for security breaches, a questionable practice that may temporarily discourage cyber crime but could create long-term problems.
Corporations are going on the offensive with “active defense” or “strike-back” technology, designed to discourage hackers from stealing vital business secrets, essentially by hacking the hackers themselves.
“Not only do we put out the fire, but we also look for the arsonist,” said Shawn Henry, the former head of FBI cyber crime investigations. His new employer, CrowdStrike, aims to help businesses fend off cyber criminals with a variety of strike-back tools.
Henry’s approach to fighting cyber crime includes feeding hackers fake documents or information-stealing code. These bogus files can sometimes identify intruders’ machines, helping companies recognize the intruders and prevent them from striking again. In more extreme cases, companies even hire hackers to hack intruders who infiltrate their networks, creating a dizzying loop of breaches.
CrowdStrike founder Dmitri Alperovitch recommends that companies dealing with China take special care to guard their secrets from prying eyes. Google and other Western companies suspect the Chinese government of hacking their networks to gain an upper hand in business transactions.
“Deception plays an enormous role,” Alperovitch explained about his company’s approach to foiling hackers, possibly underscoring the need for similar tactics.
CrowdStrike’s advice may help companies like Sony and Citibank prevent further disastrous breaches without government help, which often comes with strings attached.
One pending House bill may give U.S. companies legal protection for disclosing security breaches, while the Cyber Intelligence Sharing and Protection Act aims to give corporations government security tools in exchange for user data.
But rights groups say these controversial bills defy the Fourth Amendment and may also stifle free speech, making them unlikely candidates to help companies avoid hacks anytime soon.
In the absence of dependable government help and given the regular failure of purely defensive tactics, businesses may well find strike-back tactics a very effective tool to prevent hacks. It is too early to tell, however, whether the advantages of active defense outweigh its many risks.
Opponents caution that strike-back campaigns may violate U.S. laws as well as goad hackers into even more extreme measures.
“There is no business case for it and no possible positive outcome,” said John Pescatore, a National Security Agency and Secret Service veteran and head of Gartner’s Internet security practice.
Pescatore points out that angering cyber criminals with pre-emptive strikes may lead to bigger breaches or political problems down the road, especially if those hackers are government-backed.
For example, experts suspect China may have created the Shady Rat virus, which silently collected U.S. government and commercial data for five years. Had any of the compromised companies reacted with a direct strike, China’s government might have escalated the operation beyond simple data collection.
Furthermore, companies that take preventive action against hackers may be classified as criminals themselves under U.S. law. Without concrete proof of an impending cyber attack, it may be difficult for corporations to justify unprovoked measures against hackers.
As corporations around the world attempt to ward off cyber criminals, they may consider using offensive tactics against their shadowy opponents. But the risky nature of this practice may also lead them out of the frying pan and into a legal fire if they aren’t extremely cautious.