U.S. companies that have their networks routinely penetrated and their trade secrets stolen cannot be surprised by a new National Intelligence Estimate on the cyber-espionage threat. The classified NIE, the first-ever focusing on cybersecurity, concludes that the U.S. is the target of a major espionage campaign, with China the leading culprit.

Private firms and government agencies have struggled with cyberattacks from China and other countries for years. Many are angry about the constant intrusions into their networks, and in frustration some want to turn the tables on their attackers.

"There is no way that we are going to win the cybersecurity effort on defense," says Steven Chabinsky, formerly the FBI's top cyber-attorney. "We have to go on the offensive."

After leaving the FBI, Chabinsky took a position as chief risk officer at CrowdStrike, a firm set up to serve companies ready to take the cybersecurity fight to their adversaries.

"You can never win a fight, whether in a boxing match or a war, by only taking defensive actions," says Dmitri Alperovitch, CrowdStrike's co-founder. "If you're just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back."

A Tepid Response

Other cybersecurity experts agree that companies have been too slow to confront the people attacking their computer networks.

"What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out," says Greg Hoglund, co-founder of HBGary, another firm known for its aggressive approach to cybersecurity, until it was acquired by another company.

At times, such firms seem to be advocating vigilante justice. It is normally not up to private individuals or firms to "get rid" of bad guys or "flush them out" from their hideouts. That's the responsibility of law enforcement. But frustrated cybersecurity experts such as Hoglund and Alperovitch complain that the government does little more than warn U.S. companies about the cyberthreats they face.

"It's [like] the government sees a missile heading for your company's headquarters, and the government just yells, 'Incoming!' " Alperovitch says. "It's doing nothing to prevent it, nothing to stop it [and] nothing to retaliate against the adversary."

Alperovitch says this is how private firms feel under current circumstances.

"Until that changes," he says, "the private sector is going to take actions into their own hands, and the government shouldn't be surprised about that."

Potential For Mistakes

U.S. officials say they understand the frustration of private companies that face a constant barrage of cyberattacks. President Obama signed an executive order on Tuesday that sets out procedures by which the government and the private sector can collaborate in confronting cyberthreats.

A turn toward more aggressive actions against cyberattackers, however, could be risky. Because the source of a cyberattack is often hard to identify, counterattacking is not always well-advised.

"I will guarantee you there will be lots of mistakes made," said Rep. Mike Rogers of Michigan, chairman of the House Permanent Select Committee on Intelligence, speaking at a recent cybersecurity conference at George Washington University. "I worry about the private sector engaging in offensive [activities] ... because a lot of things are going to go wrong."

Companies that want to go on the offense against their cyber-adversaries need to consider the legal risks such actions would involve.

"I have only found one or two lawyers ... who have said, 'Let's consider pursuing some kind of offensive response,' " says Richard Bejtlich, chief security officer at Mandiant, a cyber-consultancy. "The corporate legal structure is very conservative when it comes to what we can allow someone to do."

Alperovitch of CrowdStrike insists there are safe and lawful ways a company can go after an intruder — and come out ahead.

"If they're going after [your] negotiation strategy for a business deal you're involved in, one thing you can do is craft a fake negotiation document and feed that to them," Alperovitch says. "[If] you feed them a different strategy, you're going to cause them to act in a certain way that's actually gong to benefit you."

New Territory

Security experts call this a "honeypot" approach. The idea is to plant a document in your network that an adversary will find irresistible. In one clever version, the document includes code so that when the intruder opens it, it turns the camera on in his computer, takes his picture, and sends it back so you can report him to the authorities.

Hoglund, from the firm previously known as HBGary, says he has reviewed such techniques with lawyers.

"It was pretty clear that putting a booby-trapped document in your own document is 100 percent legal," Hoglund says. "If the bad guy comes and steals it out of your network and opens it in his computer, that's his problem."

There is nevertheless a vigorous debate over the legal issues in offensive cyber-operations by private companies. If you are mugged, you can defend yourself, but you cannot track the mugger down a day later and shoot him. Nor can you break into his house and get your wallet back. Similar constraints govern in the cyberworld.

"This is completely new territory," Hoglund acknowledges, "so a lot of thinking needs to occur around this. Something will change. It will take its time, but we will see something come out, [pertaining to] self-defense as well as what kind of policies will be changed to make it so the attackers will suffer."

Hoglund and other advocates of a harder line against cyberattackers are unlikely to be satisfied by Obama's executive order. The order requires federal agencies to alert private companies to cyberthreats, but it maintains a focus on defense. Companies with critical infrastructure assets such as power plants are asked to follow security standards worked out jointly by government and industry.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

RENEE MONTAGNE, HOST:

In last night's State of the Union address, the president touched on the importance of fending off cyber-attacks. All this week we've been reporting on how they U.S. military is prepared to wage cyber-war. But it's not just the government that's moving away from a strictly defensive posture; so too are some private companies. In the final report in this series, NPR's Tom Gjelten reports on companies that think it's time to attack the attackers.

TOM GJELTEN, BYLINE: For the first time ever, the CIA and other agencies have prepared a National Intelligence Estimate on the threat to the United States posed by cyber-espionage. The NIE is classified, but it's said to identify China as the leading culprit and it describes the espionage campaign as massive. That comes as no surprise to U.S. companies who see their networks routinely penetrated and their trade secrets stolen. Many are deeply frustrated over their inability to keep intruders out of their networks.

When he was the FBI's top cyber attorney, Steven Chabinsky saw hundreds of U.S. companies being hacked. Then he resigned and went to work as a private cyber-security expert. His view: Companies spend too much time trying to patch their security holes and defend their networks.

STEVEN CHABINSKY: That model needs to reverse itself, okay? There is no way that we are going to win the cyber-security effort on defense. We have to go on the offensive.

GJELTEN: Chabinksy was speaking at a recent conference. He's now the chief risk officer at CrowdStrike, a firm set up to serve companies ready to take the cyber-security fight to their adversaries. Dmitri Alperovitch co-founded CrowdStrike. In an interview, he explained the company philosophy.

DMITRI ALPEROVITCH: You can never win a fight, whether in a boxing match, whether it's in a war, by only taking defensive actions, right? If you're just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back.

GJELTEN: This idea of fighting back is increasingly popular among companies with assets at risk. Greg Hoglund co-founded HBGary, another firm known for its aggressive approach to cybersecurity. He too complains that companies are too slow to confront the people attacking their computer networks.

GREG HOGLUND: What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out. And that isn't really happening yet in the security space.

GJELTEN: This is tough talk. At times it sounds like these security people are advocating vigilante justice. It's hardly been up to private individuals or firms to get rid of bad guys or flush them out of their hideouts. That's normally the job of law enforcement. But Dmitri Alperovitch says the government does little more than warn U.S. companies about the cyber-threats they're facing.

ALPEROVITCH: It's sort of the equivalent of the government sees a missile heading for your company's headquarters, and the government just yells incoming, right, and it's doing nothing to prevent it, nothing to stop it, nothing to retaliate against the adversary. That's how the private sector feels today. And until that changes, the private sector is going to take actions into their own hands, and the government shouldn't be surprised about that.

GJELTEN: Part of the problem is that the government's jurisdiction in the cyber-security area is not clear. Some companies don't want the government involved. President Obama yesterday signed an executive order setting out procedures by which the government and the private sector would collaborate in confronting cyber-threats.

A turn toward more aggressive, more offensive actions against cyber-attackers can be risky. In remarks at George Washington University recently, Congressman Mike Rogers, chairman of the House Intelligence Committee, reminded companies that they may not know for sure who is attacking them, so counterattacking might not be a good idea.

REPRESENTATIVE MIKE ROGERS: I will guarantee you there will be lots of mistakes made, given the sophistication of nation-states in hiding their hand in activities. So I worry about the private sector engaging in offensive or active defense, as they call it. I cannot blame them because if we can't get this framework right, you have an obligation to protect your networks. I get very, very concerned about an unleashed private sector to do active defense because a lot of things are going to go wrong, I think.

GJELTEN: Rogers prefers defense-oriented cyber-security. He's introducing legislation today that would promote cyber-threat information sharing between industry and government. Companies that want to go on offense, striking back at their cyber-adversaries, do need to consider the legal risks. Just because you've been hacked doesn't necessarily mean you can hack back.

Richard Bejtlich is chief security officer at the cyber-firm Mandiant.

RICHARD BEJTLICH: I have only found one or two lawyers, in all the work that I've done over the years, who have said let's consider pursuing some type of offensive response. The corporate legal structure is very conservative when it comes to what we could allow someone to do.

GJELTEN: Companies dealing with cyber-threats may have to choose between listening to their lawyers and listening to their security people. Bejtlich says it may feel good for companies to move aggressively against whoever is hacking them, but he questions whether it's practical.

BEJTLICH: Most of the lawyers think, look, the data has already been stolen, so if the data's been stolen, what are you going to gain by doing something to the intruder?

GJELTEN: Dmitri Alperovitch at CrowdStrike is familiar with all the arguments against striking back. He insists there are safe and lawful ways a company can stop an intruder in his tracks and come out ahead.

ALPEROVITCH: One thing you can do as a private sector company when they're coming at you is draft a fake negotiation document that they may be after and feed that to them. If they're going after a particular negotiation strategy for a business deal you're involved in, and they're on the other side, you feed them a different strategy, you're going to cause them to act in a certain way that's actually going to benefit you.

GJELTEN: This is called a honeypot approach. You plant a document in your network that an adversary will find irresistible. But it's a booby-trap. The attacker steals the document, takes it home - and boom. In one clever version, the document includes secret code so that when the intruder opens it, it turns the camera on in his computer, takes his picture, and sends it back to you so you can report him to the authorities.

Greg Hoglund, the founder of HBGary, says he has reviewed techniques like this with lawyers.

HOGLUND: It was pretty clear that putting a booby-trapped document in your own network is 100 percent legal. There's no problem with that. If the bad guy comes and steals it out of your network and opens it in his computer, that's his problem.

GJELTEN: Perhaps, but there is still a vigorous debate around what is legal in offensive cyber-operations. In the physical world, if you're mugged, you can defend yourself, but you can't track the mugger down a day later and shoot him. Nor can you break into his house and get your wallet back. Similar constraints govern in the cyberworld. Hoglund recognizes this. He concedes that risks in the offensive approach have to be considered carefully.

HOGLUND: This is completely new territory, so a lot of thinking needs to occur around this. Something will change. It will take its time, but we will see something come out, both from an aspect of what you can do from a self-defense as well as what kind of policies will be changed to make it so that the attackers will suffer.

GJELTEN: Hoglund and other advocates of a harder line against cyber-attackers are unlikely to be satisfied by yesterday's executive order. The order requires federal agencies to alert private companies to cyber-threats, but it maintains the focus on defense. Companies with critical infrastructure assets like power plants are asked to follow security standards worked out jointly by government and industry. Tom Gjelten, NPR News. Transcript provided by NPR, Copyright NPR.

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate