How America's biggest corporations became cyber vigilantes.
- By Tim Maurer <p> Tim Maurer is a research associate in the technology and public policy program at the Center for Strategic and International Studies and a non-resident fellow at the Global Public Policy Institute in Berlin. David Weinstein is a graduate student at Georgetown University's School of Foreign Service in its Security Studies Program. </p>
The Pentagon is gearing up for cyber-warfare. General Keith Alexander, commander of U.S. Cyber Command, testified in March that the Department of Defense "is conducting a coordinated, thorough review with the Joint Staff of existing standing rules of engagement on cyberspace. These revised standing rules of engagement should give us authorities we need to maximize pre-authorization of defense responses and empower activity at the lowest level." NATO’s Cooperative Cyber Defence Centre of Excellence recently released its "Tallinn Manual," outlining how international law can be translated to cyber warfare. And, as Ellen Nakashima of the Washington Post reported last month, the Department of Defense may broaden its authority and ability to combat attacks not only on its own systems, but also against private computers, including infrastructure abroad.
This latter development is crucial — after all, the private sector is critical to national security, intellectual property is a pillar of the American economy, and protecting citizens not only from physical but also virtual threats is a core function of government.
The problem is that the government is not the only one taking on cyber threats. Corporations, which have long worked to defend their networks from intrusion, are increasingly going on the offensive, turning from firewalls to retaliation. William J. Fallon, former commander of U.S. Pacific Command and U.S. Central Command, recently wrote about a survey of cybersecurity executives conducted by his firm, CounterTack, Inc.: "more than half [of the respondents] thought their companies would be well served by the ability to ‘strike back’ against their attackers." This raises important questions about cyber-warfare and the role of private companies. What happens when a corporation takes matters into its own hands? What if its attacks hit the wrong target, involve a foreign government, or lead to escalation? In short, what happens when corporations become cyberwarriors?
These are not theoretical questions. In January 2010, Google announced it had been hacked the previous month in an attack nicknamed Operation Aurora that was traced back to China. The hackers exploited a previously unknown vulnerability in Microsoft’s Internet Explorer, routed the attack through servers at two Chinese educational institutions to hide their tracks, accessed Gmail accounts and — more importantly — stole Google’s source code. When Google discovered the attack, "the company began a secret counteroffensive," according to the New York Times. "It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at least 33 other companies, including Adobe Systems, Northrop Grumman, and Juniper Networks." McAfee’s George Kurtz wrote, "Like an army of mules withdrawing funds from an ATM, this malware had enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays."
Some in the field cheered Google’s aggressive response, and some are following in its shoes. Matt Buchanan at the technology blog Gizmodo commented, "It’s pretty awesome: If you hack Google, they will hack your ass right back." The CounterTack survey found that 29 percent of participants felt that their "company would be well-served if it could proactively strike at the attackers’ infrastructure to minimize threats" and an additional 25 percent said that their "company’s data would be more secure if the company would strike back, but only if were attacked first." In June, Reuters reported, "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action." At this year’s Black Hat conference in Las Vegas in July, a poll of 181 participants revealed that 36 percent had already engaged in retaliatory hacking in the past with 23 percent having hacked back once and 13 percent frequently. And Tim ‘TK’ Keanini from nCircle, which conducted the poll, thinks the real numbers are higher: "Retaliatory hacking is a huge topic at Black Hat this year, but we should take these survey results with a grain of salt…. It’s safe to assume some respondents don’t want to admit they use retaliatory tactics. It’s very tempting to strike back out of anger and frustration."
Taking offensive actions such as intruding on another system to trace or block an attack are among the more controversial measures institutions can take as part of what has been called "active defense," which also involves more defensive tools such as honeypots, which lure hackers into a trap, or bogus decoy files that make it more difficult for hackers to find valuable data. And, if a company does not have the know-how to carry out a counter-strike, it can hire contractors. Brian Krebs wrote about such digital hit men in 2011: "Hackers are openly competing to offer services that can take out a rival online business or to settle a score." He also provided pricing for Distributed Denial of Service attacks similar to the attacks Estonia witnessed in 2007 and Georgia in 2008. They range from "$5 to $10 per hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month."
The threat to corporations is not going away. "Operation Aurora was one of the most visible attacks we’ve seen in years. It wasn’t the first of its kind, nor will it be the last. The sophistication levels and frequency of attacks will likely continue to increase," McAfee’s Rees Johnson warns. But Fallon cautions against companies’ enthusiasm for offensive action: "In my opinion, this mindset reveals misplaced priorities. Enterprise should focus on its core business, while defending the most critical assets, not striking back at unseen adversaries." Keanini agrees, saying, "As infuriating as cyber criminals can be, this ‘eye for an eye’ code of justice can be extremely dangerous." And even if the unmasked hacker is deterred from attacking again, what happens if the company gets it wrong or causes collateral damage? What if companies trigger an escalatory spiral that puts national security at risk?
As Max Weber might have put it, the government needs to maintain control over the legitimate use of force — whether physical or virtual. The CounterTack survey offers a straightforward solution. It prefaced the question "would your company’s critical infrastructure be better protected if you moved away from a ‘defense only’ strategy and started to play ‘offense’?" with the caveat "if there were no legal ramifications." In other words, the government must make clear to companies that they will face legal ramifications if they decide to take matters into their own hands in cyberspace without government sanction. And Robert Clarke, an attorney at U.S. Cyber Command, points out that such action may already violate the Computer Fraud Abuse Act.
But, the government must also fulfill its protective role. Joel Brenner, former senior legal counsel at the National Security Agency explains that "After the Google heist, companies started asking the government for help in defending themselves against nations. This was unprecedented." The State Department announced an official complaint, and Secretary Clinton said, "We look to the Chinese authorities to conduct a thorough review of the cyber intrusions that led Google to make its announcement. And we also look for that investigation and its results to be transparent." Yet, little has changed since the 2009 hack. The high-profile hack in 2011 of another top technology company, RSA Security, shows that the private sector continues to be targeted by Advanced Persistent Threats. And later that year, the U.S. Office of the National Counterintelligence Executive publicly blamed China for conducting economic cyber-espionage. So if a tech-savvy company gets hacked again, it would not be too surprising if it decides not to call Washington and takes matters into its own hands instead
So if companies are already taking to the cyber battlefield, a more concerted discussion is essential. As retired Lieutenant General Kenneth Minihan, former director of the National Security Agency, argued at the RSA security conference earlier this year, "It’s time to have the debate about what the actions would be for the private sector." Especially since Janet Napolitano, Secretary of Homeland Security, said in April that she was considering having private entities participate in "proactive" efforts against hackers abroad. There has been little follow-up since then, however, which begs the question: is this discussion still on-going or if it has come to a close, what was the outcome?