U.S. companies that have their networks routinely penetrated and their trade secrets stolen cannot be surprised by a new National Intelligence Estimate on the cyber-espionage threat. The classified NIE, the first-ever focusing on cybersecurity, concludes that the U.S. is the target of a major espionage campaign, with China the leading culprit.
Private firms and government agencies have struggled with cyberattacks from China and other countries for years. Many are angry about the constant intrusions into their networks, and in frustration some want to turn the tables on their attackers.
"There is no way that we are going to win the cybersecurity effort on defense," says Steven Chabinsky, formerly the FBI's top cyber-attorney. "We have to go on the offensive."
After leaving the FBI, Chabinsky took a position as chief risk officer at CrowdStrike, a firm set up to serve companies ready to take the cybersecurity fight to their adversaries.
"You can never win a fight, whether in a boxing match or a war, by only taking defensive actions," says Dmitri Alperovitch, CrowdStrike's co-founder. "If you're just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back."
A Tepid Response
Other cybersecurity experts agree that companies have been too slow to confront the people attacking their computer networks.
"What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out," says Greg Hoglund, co-founder of HBGary, another firm known for its aggressive approach to cybersecurity, until it was acquired by another company.
At times, such firms seem to be advocating vigilante justice. It is normally not up to private individuals or firms to "get rid" of bad guys or "flush them out" from their hideouts. That's the responsibility of law enforcement. But frustrated cybersecurity experts such as Hoglund and Alperovitch complain that the government does little more than warn U.S. companies about the cyberthreats they face.
"It's [like] the government sees a missile heading for your company's headquarters, and the government just yells, 'Incoming!' " Alperovitch says. "It's doing nothing to prevent it, nothing to stop it [and] nothing to retaliate against the adversary."
Alperovitch says this is how private firms feel under current circumstances.
"Until that changes," he says, "the private sector is going to take actions into their own hands, and the government shouldn't be surprised about that."
Potential For Mistakes
U.S. officials say they understand the frustration of private companies that face a constant barrage of cyberattacks. President Obama signed an executive order on Tuesday that sets out procedures by which the government and the private sector can collaborate in confronting cyberthreats.
A turn toward more aggressive actions against cyberattackers, however, could be risky. Because the source of a cyberattack is often hard to identify, counterattacking is not always well-advised.
"I will guarantee you there will be lots of mistakes made," said Rep. Mike Rogers of Michigan, chairman of the House Permanent Select Committee on Intelligence, speaking at a recent cybersecurity conference at George Washington University. "I worry about the private sector engaging in offensive [activities] ... because a lot of things are going to go wrong."
Companies that want to go on the offense against their cyber-adversaries need to consider the legal risks such actions would involve.
"I have only found one or two lawyers ... who have said, 'Let's consider pursuing some kind of offensive response,' " says Richard Bejtlich, chief security officer at Mandiant, a cyber-consultancy. "The corporate legal structure is very conservative when it comes to what we can allow someone to do."
Alperovitch of CrowdStrike insists there are safe and lawful ways a company can go after an intruder — and come out ahead.
"If they're going after [your] negotiation strategy for a business deal you're involved in, one thing you can do is craft a fake negotiation document and feed that to them," Alperovitch says. "[If] you feed them a different strategy, you're going to cause them to act in a certain way that's actually gong to benefit you."
Security experts call this a "honeypot" approach. The idea is to plant a document in your network that an adversary will find irresistible. In one clever version, the document includes code so that when the intruder opens it, it turns the camera on in his computer, takes his picture, and sends it back so you can report him to the authorities.
Hoglund, from the firm previously known as HBGary, says he has reviewed such techniques with lawyers.
"It was pretty clear that putting a booby-trapped document in your own document is 100 percent legal," Hoglund says. "If the bad guy comes and steals it out of your network and opens it in his computer, that's his problem."
There is nevertheless a vigorous debate over the legal issues in offensive cyber-operations by private companies. If you are mugged, you can defend yourself, but you cannot track the mugger down a day later and shoot him. Nor can you break into his house and get your wallet back. Similar constraints govern in the cyberworld.
"This is completely new territory," Hoglund acknowledges, "so a lot of thinking needs to occur around this. Something will change. It will take its time, but we will see something come out, [pertaining to] self-defense as well as what kind of policies will be changed to make it so the attackers will suffer."
Hoglund and other advocates of a harder line against cyberattackers are unlikely to be satisfied by Obama's executive order. The order requires federal agencies to alert private companies to cyberthreats, but it maintains a focus on defense. Companies with critical infrastructure assets such as power plants are asked to follow security standards worked out jointly by government and industry.