Cyberattacks trigger talk of ‘hacking back’

  • By Craig Timberg, Ellen Nakashima and Danielle Douglas-Gabriel The Washington Post
  • Saturday, October 11, 2014 9:34pm
  • Local NewsNation / world

WASHINGTON — The recent rash of cyberattacks on major U.S. companies has highlighted the scant options available to the victims, who often can do little more than hunker down, endure the bad publicity and harden their defenses in hopes of thwarting the next assault.

But behind the scenes, talk among company officials increasingly turns to an idea once considered so reckless that few would admit to even considering it: Going on the offensive. Or, in the parlance of cybersecurity consultants, “hacking back.”

The mere mention of it within cybersecurity circles can prompt a lecture about the many risks, starting with the fact that most forms of hacking back are illegal and ending with warnings that retaliating could spark full-scale cyberwar, with collateral damage across the Internet.

Yet the idea of hacking back – some prefer the more genteel-sounding “active defense” – has gradually gained currency as frustration grows about the inability of the government to stem lawlessness in cyberspace, experts say. The list of possible countermeasures also has grown more refined, less about punishing attackers than keeping them from profiting from their crimes.

“Active defense is happening. It’s not mainstream. It’s very selective,” said Tom Kellerman, chief cybersecurity officer for Trend Micro and a former member of President Barack Obama’s commission on cybersecurity. Then Kellerman added, as if by reflex, that he and his company would never do it: “For you to hack back, you actually put at risk innocents.”

One vocal advocate of some limited forms of hacking back, former National Security Agency general counsel Stewart Baker, said even some government officials are warming to the idea. Officials, he said, are more likely to consider assisting frustrated companies than threaten prosecution when they talk about going on the offensive.

“The government is giving ground silently and bit by bit on this by being more open,” said Baker, now a partner at Steptoe &Johnson. “I have a strong sense from everything I’ve heard … that they’re much more willing to help companies that want to do this.”

A popular metaphor in these discussions is the exploding dye pack that bank tellers sometimes slip into bags of cash during old-fashioned bank robberies. The cyberspace equivalent, called a “beacon,” potentially could be attached to sensitive data, making it easier to spot both the stolen loot and determine who spirited it away across the Internet.

Other ideas include tricking hackers into stealing a fake set of sensitive data, then tracking its movements across cyberspace. Some experts also suggest taking advantage of the way hackers often operate, moving files in stages from a victim’s network to a remote server before collecting them hours later; the lag potentially gives companies time to spot the stolen files and destroy them before hackers can complete the theft.

Hacking back is a staple of conversations at cybersecurity conferences worldwide and also in private consultations between companies and their security consultants. At the Black Hat USA security conference in 2012, 36 percent of respondents said they had engaged in “retaliatory hacking” on at least one occasion, according to cybersecurity company nCircle, which conducted the survey of 181 conference attendees.

Financial industry security experts have had discussions behind closed doors about the possibility of retaliatory cyberattacks but concluded the legal risks were too great to pursue the idea, according to people familiar with the discussions who were not authorized to speak publicly.

“Most of the offensive talk is from the private sector, saying, ‘I’ve had enough and I’m going to go do something about it,’ “ said Rep. Mike Rogers, R- Mich., chairman of the House intelligence committee, at a cybersecurity summit at The Washington Post last week. Yet Rogers, like many other government officials, has publicly warned about the dangers of hacking back.

Entering another person or company’s network without permission violates the Computer Fraud and Abuse Act, officials say, even if the intrusion happens in the course of attempting to identify hackers or destroy data they have stolen.

Michael Sussmann, a partner at Perkins Coie and a former federal cybercrime prosecutor, said, “It’s not uncommon to be called in after an intrusion and come across the well-intentioned system administrator or investigator who, without realizing it, violated the law in trying to protect their systems.”

Any resulting consequences – even unintended ones, such as accidentally damaging an innocent company’s network – could cause significant legal liability. Plus, it’s notoriously difficult to correctly identify who is behind a cyberattack.

“Attribution is very difficult to do,” said White House cybersecurity coordinator Michael Daniel. “The bad guys don’t tend to use things labeled ‘bad guy server.’ They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are ‘hacking back’ or even what some people try to call ‘active defense.’ “

Officials within the financial industry, the most recent target of headline-grabbing attacks, echo Daniel’s concerns. “Hacking is illegal. Attribution is difficult. And the liability for doing it wrong are such that no responsible enterprise, banking or otherwise, is going to engage in that,” said Greg Garcia, executive director of Financial Services Sector Coordinating Council, an industry group.

Yet even detractors have little trouble seeing the appeal. Recent intrusions into JPMorgan Chase, Home Depot, Target and others caused massive headaches for the companies and their customers. The attack against JPMorgan and other financial firms caused particular alarm – up through the highest levels of the U.S. government – because of the companies’ critical role in the economy.

That prompted aggressive action by the FBI and Secret Service, but U.S. law enforcement agencies often struggle to solve crimes emanating from foreign countries. U.S. officials could apply diplomatic pressure on countries that support cyberattacks or even fail to police them aggressively, but other priorities tend to prevail in foreign policy debates, said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

“There’s an unwillingness to admit to the scope of the problem because we don’t have the tools to deal with it,” Lewis said. “Despite all the noise, cybersecurity is still a secondary concern.”

That leaves many companies feeling left on their own.

Former federal officials said they knew of cases when companies have reached beyond their own computer networks to find the source of an intrusion or to delete stolen data. These officials said they have also noticed a quiet acceptance on the part of federal agents.

“There are companies that have certain measures in place for determining where the source of a hack is coming from and for deleting the data, and that could technically violate the law,” said another former federal prosecutor, who spoke on the condition of anonymity. “And when the agents are called in and they understand what tools the company is using, they may not report them or shut them down for using those tools.”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Firefighters respond to a 911 call on July 16, 2024, in Mill Creek. Firefighters from South County Fire, Tulalip Bay Fire Department and Camano Island Fire and Rescue left Wednesday to help fight the LA fires. (Photo provided by South County Fire)
Help is on the way: Snohomish County firefighters en route to LA fires

The Los Angeles wildfires have caused at least 180,000 evacuations. The crews expect to arrive Friday.

x
Edmonds police shooting investigation includes possibility of gang violence

The 18-year-old victim remains in critical condition as of Friday morning.

The Everett Wastewater Treatment Plant along the Snohomish River. Thursday, June 16, 2022 in Everett. (Olivia Vanni / The Herald)
Everett council approves water, sewer rate increases

The 43% rise in combined water and sewer rates will pay for large infrastructure projects.

Robin Cain with 50 of her marathon medals hanging on a display board she made with her father on Thursday, Jan. 2, 2025 in Lake Stevens, Washington. (Olivia Vanni / The Herald)
Running a marathon is hard. She ran one in every state.

Robin Cain, of Lake Stevens, is one of only a few thousand people to ever achieve the feat.

People line up to grab food at the Everett Recovery Cafe on Wednesday, Dec. 4, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Coffee, meals and compassion are free at the Everett Recovery Cafe

The free, membership-based day center offers free coffee and meals and more importantly, camaraderie and recovery support.

Washington Gov. Jay Inslee proposed his final state budget on Tuesday. It calls for a new wealth tax, an increase in business taxes, along with some programs and a closure of a women’s prison. The plan will be a starting point for state lawmakers in the 2025 legislative session. (Jerry Cornfield / Washington State Standard)
Inslee proposes taxing the wealthy and businesses to close budget gap

His final spending plan calls for raising about $13 billion over four years from additional taxes. Republicans decry the approach.

Devani Padron, left, Daisy Ramos perform during dance class at Mari's Place Monday afternoon in Everett on July 13, 2016. (Kevin Clark / The Herald)
Mari’s Place helps children build confidence and design a better future

The Everett-based nonprofit offers free and low-cost classes in art, music, theater and dance for children ages 5 to 14.

The Everett Wastewater Treatment Plant along the Snohomish River on Thursday, June 16, 2022 in Everett, Washington. (Olivia Vanni / The Herald)
Everett water, sewer rates could jump 43% by 2028

The rate hikes would pay for improvements to the city’s sewer infrastructure.

Everett
Police believe Ebey Island murder suspect fled to Arizona

In April, prosecutors allege, Lucas Cartwright hit Clayton Perry with his car, killing him on the island near Everett.

The bond funded new track and field at Northshore Middle School on Thursday, Oct. 24, 2024 in Bothell, Washington. (Courtesy of Northshore School District)
Northshore School District bond improvements underway

The $425 million bond is funding new track and field complexes, playgrounds and phase one of two school replacements.

Nate Nehring announces reelection campaign for county council

The 29-year-old council member from Arlington is seeking a third term in District 1.

Israel, Hamas agree to Gaza ceasefire and hostage deal

The start date is not clear, and the deal still needs to be ratified by the Israeli cabinent

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.