So say a dozen security specialists and former law-enforcement officials, who described an intensifying and largely unspoken sense of unease inside many companies after the recent breach of Sony Pictures networks.
The hacked are itching to hack back. The US officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the USA have few clear options for striking back on their own.
That has led a growing number of companies to push the limits of existing law to consider ways to break into hackers’ networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property hackers may have stolen.
In one case, the Federal Bureau of Investigation is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, said two people familiar with the investigation. JPMorgan Chase & Co. (JPM) advocated such a move in a closed meeting in February 2013, these people said. A bank spokeswoman said no action was ever taken. Federal investigators are still trying to determine who was responsible, the people said. ‘Very Frustrated’
“It’s kind of a Wild West right now,” said U.S. Representative Michael McCaul, the Texas Republican who is the chairman of the House Homeland Security Committee. Some victim companies may be conducting offensive operations “without getting permission” from the federal government, he said. “They’re very frustrated,” McCaul said of these firms. Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp. (INTC), and the Center for Strategic & International Studies. Counterstrikes are a small part of the overall cyber-security industry, which Gartner Inc. projects will surpass $78 billion in worldwide revenue next year.
Hacker on Hacker
The idea of hacker-on-hacker justice raises thorny questions, including when U.S. companies can legally order international strikes on their behalf. Also little explored, so far, are the consequences of engaging hackers that may be backed, explicitly or implicitly, by states from North Korea and Iran to China and Russia.
The idea of counterstrikes gained an unprecedented level of visibility when President Barack Obama vowed on Dec. 19 to mount a “proportional” response against North Korea for the Sony breach, which destroyed data and leaked movies and employee e-mails.
North Korea suffered Internet outages a few days later. The White House has declined to comment on North Korea’s accusation that the U.S. government played a role. “Sony represents a dramatic escalation — one so punitive in nature that I think it does change the equation,” said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., a Tokyo-based security firm. Trend Micro advises clients against taking aggressive countermeasures, he said.
While many companies discuss hacking back in the immediate aftermath of a breach, almost none follow through, said Kevin Mandia, founder of Mandiant, the FireEye Inc. division responsible for investigating the Sony breach and other high-profile hacking cases. Efforts to retaliate can make things worse, he said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.
“When data leaks out, it’s like a supernova exploding — you can’t put a lid on it unless you’re like two seconds behind it, and even then I don’t think you can,” Mandia said. Private-sector companies generally “opt not to do it because they’re in a glass house,” he added, saying firms might ask: “‘Did we really get the attackers out? Don’t they currently have the keys to our kingdom?’”
Following the Sony attacks, someone appears to have struck back. Fake copies of “Fury,” “Annie” and other leaked films began appearing earlier this month on file-sharing sites, slowing the computers of people attempting to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, California-based security company. The fake files have now largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said.
Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach. In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack. The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms.
There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts. U.S. law-enforcement agencies appear to give security companies more leeway when it comes to breaching computers to gather intelligence on the hackers or discover what data they took, according to a former law-enforcement official. Such work is “widely done” by security firms, Kellermann said.
Last year’s discussion among banks about retaliatory strikes came after a wave of so-called denial of service attacks starting in 2012 that temporarily disabled several of their websites. The U.S. attributed the attack to Iran’s Quds Force, McCaul said. Iran denied being behind the strikes. In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.
Within JPMorgan, the biggest U.S. bank by assets, the idea had been vetted, according to a second person familiar with the incident. Some of the people at the New York meeting -- which included FBI and Treasury Department officials, as well as representatives of Citigroup Inc. (C), Goldman Sachs Group Inc. (GS) and the New York Stock Exchange -- dismissed the idea on legal grounds, the two people said.
Federal investigators later discovered that a third party had taken some of the servers involved in the attack offline, according to the people familiar with the situation. Based on that finding, the FBI began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers, according to people familiar with the probe. JPMorgan spokeswoman Trish Wexler said the JPMorgan employee didn’t put forth a formal plan at the meeting and that the bank wanted the government to do more to stop the attacks. The FBI questioned JPMorgan representatives about the incident and appeared satisfied the bank wasn’t involved in hacking, Wexler said.
Spokespeople for other attendees, including NYSE, Citigroup and Goldman Sachs, declined to comment when asked this month about the meeting. The Treasury Department, in an emailed statement, said that as the leader of cybersecurity in the financial sector, it regularly meets with financial institutions to facilitate information-sharing and support post-hacking recovery efforts.
Jenny Shearer, an FBI spokeswoman, declined to comment about the meeting or any probe. “The FBI cautions private-sector entities from taking offensive measures in response to being hacked,” Shearer said. Hackers typically commandeer other people’s computers, including home PCs and corporate servers, to launch attacks. Those machines may be located in friendly countries and hold the data of innocent users. Erasing or stealing data from these computers would result in collateral damage, including bad publicity and the disruption of legitimate online services.
The practice of reaching into or disabling computers over international borders is so sensitive that if the U.S. government disables attacking servers without the permission of the host country, the approval of the president is required, according to a White House directive leaked last year by former National Security Agency contractor Edward Snowden.
The White House confirmed that such a directive exists. A spokesman for the National Security Council declined to to comment on the details of the directive. Some counteroffensives that would be legally sensitive in the U.S. are mounted from foreign soil, according to people who work for several security firms. RSA, the security division of Hopkinton, Massachusetts-based EMC Corp. (EMC) that generated $987 million in revenue last year and whose clients include government agencies, banks and defense contractors, has insulated its Israeli division so that its analysts could engage in activities they might not be able to do in the U.S., according to a former employee, who asked not to be named discussing internal company matters.
RSA experts in Israel send malware into online forums where stolen data is swapped, or the experts hack directly into these computers, the person said. This allows them to recover stolen bank passwords and other data on behalf of financial institutions through methods the banks can’t use themselves, the person said, adding that no U.S.-based employees of RSA are allowed to engage in the activities or handle the data.
RSA representatives declined to comment. An EMC spokesman didn’t respond to requests for comment. The growing arsenal of unconventional services is often provided by consultants who formerly worked at intelligence agencies or the Pentagon. That has led to fears among some people in the private-sector digital security business that their industry is becoming increasingly militarized.
The delicacy of the issues involved means that it’s sometimes difficult to discern exactly what’s on offer. Root9B LLC, a Colorado Springs, Colorado-based company, employs several people who formerly worked in the Pentagon’s offensive cyber units, according to people familiar with the security firm. According to a 2013 press release, the company offers breach-prevention and digital forensics services, in addition to “computer network operations,” or CNO. The term, as used by the military, includes cyber-espionage and other operations inside enemy networks. Bob Zito, a spokesman for Root9B, declined to comment on how the firm defines CNO.
Other companies are offering what they describe as common-sense measures to protect clients’ information. Rook Security, an Indianapolis-based firm known until recently as Rook Consulting, has clients stipulate in their contracts how far they are willing to let the company go in guarding their information. One of the services that Rook offers is stolen-data retrieval.
J.J. Thompson, Rook’s founder and chief executive officer, said his company will go into hackers’ computers only if two conditions are met: The data must be stored in plain sight, and it must be clear that the target machines aren’t hacked PCs or servers owned by legitimate consumers, businesses or government agencies.
Thompson said that in the past three months, Rook yanked back a large dataset of sensitive client material from a command-and-control computer located in Eastern Europe. The hackers who stole the files hadn’t secured them, and the server appeared to be used strictly for cyber-crime, Thompson said. Rook detected and retrieved the data in less than a half-hour using international computers, he said.
Clients now routinely ask about what offensive countermeasures the company offers, he said. “The question is very common these days,” he said, “and yet no one understands the consequences in full because of the absence of case law.”
110 Reykjavik, Iceland