Some companies looking at retaliating against cyberattackers

June 13, 2013 by Paresh Dave

Frustrated by their inability to stem an onslaught of computer hackers, some companies are considering adopting the standards of the Wild West to fight back against online bandits.

In taking an eye-for-an-eye approach, some of the companies that have been attacked are looking at retaliating against the attackers, covertly shutting down computers behind the assaults or even spreading a new virus to stymie the hackers.

Such retaliation is illegal in the United States, but companies see it as a way to curtail the breaches, particularly if the attack is originating from another country, where the legality of retaliatory attacks is unclear.

Companies also view counterattacking as a way to bypass U.S. authorities, avoiding publicly admitting that they've been attacked and exposing themselves to lawsuits from loss of or service disruptions.

Many companies that have publicly acknowledged costly breaches declined to say whether they retaliated or considered hacking back, and no company was willing to talk about the issue out of fear of additional attacks.

But analysts say hacking back has become part of a serious debate among companies, lawmakers and cyber-security experts.

"From a technical perspective, it's not that challenging," said Alex Harvey, a security strategist for the security solutions provider Fortinet. "Breaking in and shutting them down isn't hard, but a new one will just pop. You'll get a couple of minutes of peace and quiet."

provider FireEye says a single organization is targeted by malware about every three minutes. From detection to , the average company of more than 1,000 workers spends nearly $9 million annually on , according to a survey last year by the independent Ponemon Institute.

In a recent report about combating , a private commission led by former U.S. Ambassador to China Jon Huntsman Jr. and former Director of National Intelligence Dennis Blair called for "informed deliberations" about whether corporations and individuals should have more flexibility to defend intrusions.

Federal lawmakers remain at odds about how to deter cyber crime. Many in the security industry strongly advise against retaliation. Federal law bars any unauthorized computer intrusion, and it offers no exception for digital self-defense.

"I don't think companies should be hiring gunslingers to fight back," FireEye co-founder Ashar Aziz said. "Before we encourage every random company to hack, we have to look at what makes sense to disrupt cybercrime."

Aziz and other information security experts promote what they say are smarter alternatives. For instance, companies can bolster security by creating multiple versions of sensitive data, with only one version being the legitimate one. In that case, attackers are likely to get their hands on worthless data rather than precious information.

Companies remain intrigued by the idea of shutting down an attacker's system.

The report from the commission chaired by Huntsman and Blair notes that counterattacks have the potential to deter hackers because the cost of doing business rises. But the commission stopped short of recommending legalizing retaliatory hacking "because of the larger questions of collateral damage."

Many cyberattacks rely on a network of computers. These infected machines might be owned by innocent Internet users who, for example, accidentally clicked on a bad link in their email. Surreptitiously accessing this computer violates federal law, even if it's to update out-of-date software or remove the malicious program.

"If Honda comes over and attacks Ford, then Ford can't send someone over to attack Honda," said Anthony Di Bello, head of strategic partnerships at Pasadena, Calif.-based Guidance Software.

But some legal experts say it's not so clear-cut. Under one legal argument, the hacker becomes subject to the rules and policies of the organization it attacks by virtue of connecting to that network. Counterattacks could be justified in the same way that an employer has the right to monitor activities on an employee's work computer.

Microsoft Corp. has taken another approach, considered by some to be a "responsible" counterattack. The sues unidentified hackers and secures court approval to shut down computers engaged in malicious activity. But that approach may not be feasible for most companies, which don't have the computer giant's cash coffers.

Rodney Joffe, senior technologist at the security software manufacturer Neustar Inc. and a regular cybersecurity advisor to the White House, said counterattacks and even legally sanctioned actions provide only temporary relief.

"It makes a great splash and creates a sudden vacuum, but there's hundreds of people who fit into that vacuum because it doesn't take attackers very long to climb back over the wall," Joffe said.

Criminal prosecutions are the best deterrent, but they require more cooperation between the government and the private sector, he said.

The Cyber Intelligence Sharing and Protection Act, passed by the House in April, frees companies from liability if they share information about incoming attacks with law enforcement. Senate leaders have said they may introduce a competing measure with stronger privacy protections for consumers.

Joffe said he expects some form of a safe-harbor law for companies by the end of the year.

"We need something that encourages sharing of information, and in some cases mandates it," he said. "Our enemies have almost carte blanche to walk over us right now, and there's little that can be done about it."

Some security analysts argue that lawmakers need to go even further, using a constitutional provision to grant a "letter of marque and reprisal" authorizing private companies to counterattack in self-defense. The nation's Founding Fathers wrote the provision as a way to help merchant ships fend off pirates.

Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University-San Luis Obispo, said today's companies may be able to obtain the authorization and justify a counterattack.

"To be sure, it would have to be a desperate situation to grant a letter of marque, but we may be in that situation now," he said.


1 / 5 (3) Jun 13, 2013
Countering with a virus? Do they think that the attackers are as wedded to Windows as their corporate desktops and servers usually are?
2.7 / 5 (7) Jun 14, 2013
No OS is invulnerable. Viruses, worms and Trojan Horses are not constrained to living solely in the realm of Windows. In fact, they were birthed elsewhere.
2.3 / 5 (3) Jun 14, 2013
Some companies are considering adopting the standards of the Wild West to fight back against online bandits

While I can understand the urge to fight back - this isn't Hollywood or "Ghost in the Shell". Hackers work via proxies/botnets. All you'd achieve by 'fighting back' is burning a machine of some hapless user who got his machine turned into a zombie (worst case you'd take down the subverted servers of your own ISP. Wouldn't THAT be great.)

And anyone you'd hit would probably sue your pants off afterwards, because he didn't know the malware was on his machine in the first place.

Even if a hacker were dumb enough to use the machine at their place of origin: How do you know the IP isn't spoofed? If company X knows that company Y hacks back with great results it would be trivial to spoof an attack by company Z on Y so that Y takes out Z and you have one competitor less.

This is Pandora's box, guys.

Use honeypots. That way you can at last identify the attacker in post.

1 / 5 (1) Jun 14, 2013
Hire people to track them down and kill them, that would put a little excitement in their lives and maybe make them think about getting an honest job.
1 / 5 (2) Jun 14, 2013
No OS is invulnerable. Viruses, worms and Trojan Horses are not constrained to living solely in the realm of Windows. In fact, they were birthed elsewhere.

Yes, but I've been waiting since 2004 for that big Linux virus to show up real soon now...
1 / 5 (1) Jun 14, 2013
To echo antialias, this is a good way to harm some third party who might have had nothing to do with it, not to mention any collateral disruption to networks or important resources. It is very unlikely that a skilled attacker will be a sitting target, and even less likely that their systems will be as uniform as a large organization's computers. If you have an obvious client behind the perpetrator, that might be a better target, but one would have to be very certain to justify the risk of consequences.
2.7 / 5 (7) Jun 15, 2013
No OS is invulnerable. Viruses, worms and Trojan Horses are not constrained to living solely in the realm of Windows. In fact, they were birthed elsewhere.

Yes, but I've been waiting since 2004 for that big Linux virus to show up real soon now...

The purveyors of malware follow good business practices, going where they can get the best ROI, which means targeting the platforms which account for the largest portion of the installed user base.

As for Linux, are you aware that true root kits are unique to Unix like OSes?
