Active cyberdefense, sometimes called "hacking back," is no longer just a term bandied about by federal officials with access to top-level security clearance. These days, companies in the private sector are also turning to offensive tactics, particularly as cyberattacks become more sophisticated.
But the terrain is dangerous. "You're responding to an adversary with bytes when they're used to responding with bullets. They're not operating in a world where they're simply going to compromise your host and deface your website. They're going to come back shooting," warned Adam O'Donnell, chief architect at security vendor Sourcefire Inc.
Because active cyberdefense isn't a black-and-white issue, particularly considering the many questions that surround its legality, companies looking to pursue a more offensive security stance must take care should they decide to go after malicious actors. In this #GRCChat recap, SearchCompliance Twitter followers and editors share their predictions for the murky future of active cyberdefense.
What is the future of active cyberdefense? Will more companies 'hack back'?
SearchCompliance Site Editor Ben Cole and Senior Managing Editor Rachel Lebeaux provided an initial overview of, and outlook for, proactive cyberdefense, speculating that more private companies will take matters into their own hands as a growing number are targeted by advanced attacks -- which will necessitate further involvement from the U.S. government and regulators:
A5 Yes more companies will likely start – gov has become more accepting and legal issues could be sorted out #GRCchat — Ben Cole (@BenjaminCole11) November 20, 2014
A5 I predict we'll see more active cyberdefense, not less. As breaches mount, lawmakers will get on board w/ defining legal limits. #GRCChat — RachelTT (@RachelatTT) November 20, 2014
One of the reasons security experts can't agree on what offensive security involves, as Lebeaux hinted, is the lack of clear legal parameters around the issue. The primary U.S. law governing active cyberdefense activities is the 1984 Computer Fraud and Abuse Act (CFAA), which penalizes anyone who exceeds authorized access to a computer or network. The law is vague, however, because the legal definition of "access" ranges from physically accessing a computer to crossing the boundary of any given network. As a result, companies that have experienced a data breach often aren't clear on the legal limits of a responsive action.
As Randy Sabett, attorney at ZwillGen PLLC, explains, "If you now come back at [the attacker] yourself or maybe you hire one of these companies, the thing that you have to worry about is, 'Are the activities that you're engaged in, or that you've authorized someone to engage in, potentially violating the CFAA?'"
A5: Like all tech, it will be packaged, monetized, etc. w/ constant updates for new vectors/actors and legal concerns. Someday. #grcchat — Forvalaka41 (@Forvalaka41) November 20, 2014
There is, however, progress being made in terms of aid and protection from the U.S. government. Tweet chatter Mark Underwood linked to a promising Air Force Research Laboratory (AFRL) announcement detailing research topic areas in cyberdefense that will receive federal funding:
For companies not fortunate enough to receive such funding, specialization in offensive tactics is costly. Underwood suggested that companies outsource the security capabilities they lack, or those for which it's difficult to secure funding:
Outsourcing is easier said than done, however, and isn't a fit for all companies, as renowned security expert Bruce Schneier writes in his blog. In deciding which security capabilities to assign out, Schneier's rule of thumb is to outsource expert assistance such as forensics and vulnerability assessments, but never management.
Underwood wasn't as optimistic about the promise of offensive strategies such as hacking back; instead, he argued that companies need to focus on bolstering their cyberdefenses. He pointed to Home Depot's failure to adequately protect its customers' information, which contributed to the data theft of 56 million payment cards:
A5 The Home Depot breach shows that basic blocking & tackling are a problem; can't see HomeDepot improving by offense #grcchat — knowlengr (@knowlengr) November 20, 2014
Which industry-standard security practices did Home Depot fail to put in place? It ran outdated antivirus software and an in-store payment system that did not encrypt card data, and -- according to former employees -- its technology executives preferred to settle for "C-level security" because tighter installations cost more.
Underwood drove home the point that while some malware campaigns get past even the best defenses (the 19-year-old Microsoft OLE vulnerability being one example), they are the exception rather than the rule. Data breaches usually result from holes in an organization's security strategy:
How about you? Do you think the future of cybersecurity lies in proactive defense or cyberoffense? Let us know in the comments section below.
Read our previous #GRCChat recaps on the blurry line between offensive security and cybercrime, as well as on active cybersecurity examples and warnings. Then, get advice on taking a proactive security approach from the 2014 MIT Sloan CIO Symposium.