Call it retribution, justice, or just plain revenge: few films are as satisfying as when the bad guy (or gal) gets what they deserve in the end. But vigilante movies are about as close as most law abiding citizens get to meting out justice. Civilized countries like ours have convinced citizens not to take matters in their own hands: we’re supposed to let the police and the FBI do that.
The underlying assumption is that we believe law enforcement has the resources to be effective on our behalf. When we have such confidence, most citizens will leave their guns at home and let the cops “attack back” criminals as necessary.
Enter cybercrime, where we now see more malicious software in a day than we saw in all of the year 2006. And according our best estimates, hackers are harming the US to the tune of at least $250 billion a year. Even without Internet of Things, there are over a 1 billion entry points for malware among the internet-connected devices we use every day in the US. Does it surprise anyone that our government doesn’t have the resources to deal with it? At least one commission has called for legislators to help victims by legalizing the right to hack-back because companies who “experience cyber theft ought to be able to retrieve their electronic files“. (An absurd concept in the world of cyber, but we’ll get to that later.)
However, before we all go out and buy a copy of Hacking for Dummies or hire teams of hacker hitmen and women to defend us, let’s consider three things about cyberattack which make it special. In fact, these traits make the cyber domain so different that our own military cyber command are known to have big blind spots in the realm: much as we’d like it to be just like the four other domains (land, sea, air, space) in which US technology dominates, cyber is actually radically different. This topic is the subject of whole dissertations and books, but to be brief, here are four of the top reasons that cyberattacks are special:
- Attackers can remain anonymous forever
- Cyber attacks are asymmetric: a single hacker is capable of successfully destroying an entire company
- It’s cheap and easy for hackers to regroup almost anywhere, anytime, even if their systems are physically destroyed
- Organized crime has enthusiastically embraced cybercrime (i.e., don’t expect them to play nice)
Let’s consider a physical crime analogy: you’re relaxing in your backyard alone on a lovely weekend day. Suddenly someone starts lobbing water balloons full of paint over the fence, splattering everything in sight. You’re pretty sure it’s the neighbor kid, since this would be a logical escalation to the feud you’ve been having over parking spaces. Property destruction is definitely crossing the line, so you indignantly march around the corner with your cell phone camera, intent on catching him in the act. Only it’s not him. It’s a gang of guys in masks and SWAT gear and now they have their weapons trained on you. You’re outgunned, with nowhere to run and nowhere to hide.
This scenario plays out all the time in cybersecurity. Behind many attacks are nation-states trying to steal secrets, and sometimes they hire cyber-mercenaries or organized crime to do their dirty work. Every few years we see hacker aggression in action when a new CEO tries to grab headlines by saying their product can defeat hackers. In spite of all the history which tells us exactly what will happen next, our noob CEO will be surprised to be mercilessly hacked. In another example, executives at an Israeli cybersecurity company claimed they could defeat hackers. In addition to being cyber attacked, they received photos of their children as a warning of what they had to lose. The dark forces cloaked by the internet may not seem entirely “real” but it’s not child’s play to mess with them: R.I.P., companies who dare.
Granted, hacking-back someone who attacked you is somewhat different than boasting of one’s invulnerability. The motives of a victim are different – in fact there are six different motives which inspire hack-backs. But is it ever in the interest of a company to take this route? Is there a legitimate ROI to do so? My next blog will look at the six justifications along with eight rules to make it work.