Tuesday, May 28, 2013

Companies should ‘hack back’ at cyber attackers: security experts

http://www.afr.com/p/technology/companies_should_hack_back_at_cyber_KeoJyUX9HEEtjh9hYAnpgK


James Hutchinson

IT security professionals and lobby groups are calling for new laws that would allow private companies to retaliate against cyber attackers, effectively authorising them to "hack back" at states and companies rather than rely on federal authorities to respond.

In what has been equated to civil arrest powers for individuals, those backing the calls argue it would allow companies to lessen the risk of being attacked repeatedly, while potentially preventing key intellectual property (IP) from being stolen.

Dmitri Alperovitch, co-founder and chief technology officer at security start-up CrowdStrike, said companies needed to take an "active defence" approach to online security. While it often involved a "legal grey area" where companies could legally attack those who attacked them, he said it was not unethical for private companies to attempt to foil attacks on their IP.

"There's no question that things have become dramatically better in terms of the security level we're at," he said at the AusCERT security conference on the Gold Coast on May 23.

"And yet the paradox is that every single organisation out there is getting compromised and, in fact, the number of compromises is escalating. This idea of practising passive defence is fairly ludicrous."

He argued that laws similar to those allowing for a citizen's arrest were required so that companies could better resist attack from "hacktivists", criminal organisations, competitors and nation states.

Attackers should be identified

Australian companies have in the past complained of foreign companies and governments stealing and then re-appropriating their IP to create knock-off products or potentially change high-value negotiations.

Local security authorities had begun to work more closely with private companies to secure their systems from attack, but Mr Alperovitch argued that typical defences only slowed down, rather than stopped, those who wanted access to key information.

"What we have as a strategy today is essentially... castle-building," he said. "Why is it that no one is actually asking that question today, 'who's actually breaking into my company'? Our executives want to know that, yet the [chief security officers and chief information officers] seem to be completely uninterested in answering that question."

Mr Alperovitch stopped short of advocating for companies to physically hack into systems, instead proposing that they mitigate attacks by planting false information on servers that had been, or were likely to be, infiltrated.

He also suggested that publicly revealing the identity of the companies or states that had carried out the attack, or those that had benefited from stolen IP, would help in terms of second-guessing their motives in future.

"I can tell you there's nothing that has more impact on an intelligence agency than being unable to trust your sources," he said. "Some may say this is an activity that should be done by governments, perhaps, but they're not doing it.

Give the private sector more legal grunt

"We want the private sector to have the ability to restrain a threat with restraint. Today it may be difficult with the existing legal system and I think we need to have an open discussion with policymakers about the authorities that need to be granted to the private sector."

Similar calls have also been raised in the US, where the lobby group the Commission on the Theft of American Intellectual Property urged the US government to legalise counter-attacks on hackers. Led by commission co-chairs Dennis Blair, former US director of national intelligence, and Jon Huntsman, a former US ambassador to China, the report was squarely aimed at stemming IP theft, often attributed to attacks sourced from China.

The report said more action was needed in the private sector, as years of diplomatic efforts by the US government to curb the attacks had failed.

"If counter-attacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft," it stated. "These attacks would raise the cost to IP thieves of their actions, potentially deterring them."

Those supporting the calls say governments have failed to implement laws to protect private companies from online attacks. US President Barack Obama heeded those calls in March by signing an executive order that would see government agencies begin to share information on cyber-security matters with private companies. It is envisaged the order will allow companies to be made aware of potential threats to their systems, using national intelligence. However, civil liberty groups warned it would not immunise companies who shared information with government departments.

Cyberwars risk collateral damage

Concerns remain about the possible effects of allowing private companies to retaliate. Though suggesting a legal way of hacking, the commission was hesitant in its concerns, noting the ­possibility of collateral damage.

Tenable Network Security chief security officer Marcus Ranum, a vocal critic of governments initiating "cyberwar", said companies should instead focus on existing diplomatic and government channels to urge state-sponsored attackers to relieve pressure.

"The 'best defence is a strong offence' is a term I've heard several times inside Washington," he said.

"In fact the only defence in cyberspace is a strong defence, the only thing we can do, actually, is to defend yourself, because the idea of attacking somebody else... it makes absolutely no freaking sense.

"If I know that you're doing things that are damaging me, I've got lots more recourse in the global legal system as well as diplomatic channels through government – so going directly towards attacking back, displays a lack of understanding of the problem."

He said it was largely a diplomatic issue that should be solved at government level, while the notion of active defence was "like they want to jump into the mud puddle with someone and get into a fist fight – it doesn't make any sense".

The Australian Financial Review
