Wednesday, March 13, 2013

Cyberattacks: The complexities of attacking back
By: Tony Romm
Source: http://dyn.politico.com/printstory.cfm?uuid=80C79EFF-0198-4063-8F05-42A224EC54E1
March 12, 2013 04:48 AM EDT
As digital malefactors continue raiding U.S. businesses for their most valuable corporate secrets, some in Washington are wondering whether companies should test the limits and cyberattack their cyberattackers.
The private sector already can police its own computers and networks, but an uptick in serious intrusions from China and elsewhere is catalyzing a market for tools that might deceive or disrupt hackers and spies — a controversial development that has important limits under federal law.
“I think it’s pretty obvious companies should [be] able to detect what’s coming into their network, block it, monitor it, fix it, remediate it, mitigate it,” said Michael Chertoff, former secretary of the Department of Homeland Security and now a leader of the Chertoff Group, which consults clients on cyberissues.
“Where we’re getting into controversy is the idea that when you think you’ve detected a server that’s launched an attack, to go and attack back, and either recover your data or take down the server. It’s a very risky thing to do, and it needs to be carefully considered.”
The idea is known as “active defense” to some, “strike-back” capability to others and “counter measures” to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don’t just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.
It’s a controversial strategy, partly because of the potential legal and political implications. The Computer Fraud and Abuse Act — the very statute making headlines as a result of the Aaron Swartz hacking case — prohibits companies from accessing another computer or network without authorization, even if only to stop cyberthieves. The law, however, generally does allow businesses to kick out hackers and spies from servers they do own.
A patchwork of international laws further complicates the picture. And then there are normative, legal and diplomatic considerations: What might happen if a company pursuing its attacker finds itself at odds with a foreign government? What if an obscured digital trail leads a firm to an unrelated, sensitive system, perhaps one used by a hospital, which a hacker has used to disguise his or her real location or intentions?
Those considerations are resonating again in Washington, amid the reports of attacks from China and incidents affecting Apple, Facebook, The New York Times and countless others. A return to cybersecurity reform this year could ultimately elevate the active-defense debate right to Capitol Hill.
The main Senate cybersecurity reform measure in 2012 drew criticism precisely because consumer groups felt it granted the private sector new, broad and vague authority to deploy “counter measures.”
The House’s controversial information-sharing bill, known by its acronym CISPA, doesn’t include specific mention of “active defense” or any related tools. Still, there’s a sense the measure as introduced this year “gives the power to companies to launch countermeasures and to perform hacks against threats,” said Mark Jaycox, a policy analyst at the Electronic Frontier Foundation, which has long opposed the bill.
Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber’s Intelligence Committee and one of CISPA’s lead authors. In fact, panel aides told POLITICO they’re open to revising the relevant definitions in the bill. And Rogers himself this year has railed against the idea of an aggressive active defense, describing it as a “disaster for us” at a time when the country’s digital defenses remain subpar.
“What if you don’t get the [threat] signature right?” the congressman said in little-noticed comments at a late January cybersecurity event. Rogers added he does “see a day where you can be proactive, but I do think we better be cautious before we get there.”
For now, there’s still plenty of gray area that might allow companies to bait and chase their attackers. It’s generally accepted that businesses can set beacons, for example, in fake documents on their servers. If stolen, the ploy would radio some information about the incident or the perpetrator back to its corporate victim.
There’s far more legal controversy, however, as to whether companies should have an independent ability to search for — and possibly destroy — data stolen by hackers and stored on a compromised server.
Still, the market leaders in active defense say their capabilities are increasingly attractive to businesses that are tired of being on the losing end of the existential cyberwar. It’s part of the premise behind new technology revealed by CrowdStrike.
Dmitri Alperovitch, a founder of the firm, told POLITICO in an interview the idea is to “identify who is attacking you and [find] a way to raise their costs” of attacking in the first place.
Alperovitch emphasized his firm isn’t preaching private-sector “vigilantism” in staving off attacks from China and beyond. Indeed, its demonstration recently at the RSA Conference — a live-action takedown of a notorious botnet — had the blessings of federal law enforcement. CrowdStrike didn’t snoop on another system or try to corrupt data stolen by hackers.
Still, Alperovitch said it’s time for a more robust conversation on active defense. “We do need to have this debate,” he said, adding that “we need to empower the private sector to be more than just victims.”
Most companies aren’t willing to talk about what, if any, cybersecurity countermeasures they might implement. In fact, many contacted by POLITICO cited a fear that openness could inform the very hackers they’re trying to deter.
The strategy, though, certainly has its public defenders — including Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at DHS. Baker has long argued for beaconing, or the honeypot approach, to lure and deceive attackers, which he said fits under federal law.
Baker noted there is renewed interest in the field “because people are really pissed.”
“They don’t think any of the things we’re currently doing are going to work,” he added, “and they see the appeal of making this more painful for the attacker.”
Still, others urge more caution, in part because of the international implications. Jim Lewis, director of the Technology and Public Policy Program at CSIS, told POLITICO that overly aggressive active defenses “undercut all of our negotiating plans” with China, Iran and others. That’s on top of the general risk of “collateral damage” to unrelated computer systems. Ultimately, Lewis emphasized most companies’ top lawyers are keeping their boardrooms in check, ensuring companies’ cyberfrustrations don’t result in rash, illegal decision making.
At the very least, the law now allows private companies to work with the operators of other computer networks and systems when they discover a hacker. And there’s always a way for companies to work directly with law enforcement to bring down malicious networks. Microsoft and Symantec, for example, have worked closely with the FBI to disable a number of botnets. Microsoft declined to make available a company representative to discuss its cybersecurity work.
The feds on their own have disrupted a string of cybercriminals, including a major FBI takedown of the Coreflood botnet in 2011. That effort won plaudits last Wednesday on Capitol Hill, though lawmakers led by Sen. Sheldon Whitehouse (D-R.I.) pressed Attorney General Eric Holder at a hearing on why the Justice Department hadn’t pursued similar cases against other hackers and their resources. The senator later promised a hearing focused squarely on the FBI and its cybercrime resources.
© 2013 POLITICO LLC
