When you’re under attack, you want to fight back and protect yourself and defend everything important to you. It’s why countries go to war. It’s why there are laws such as Stand Your Ground.
But what if you aren’t allowed to fight back? What if defending yourself means doing everything internally to protect yourself to try and prevent an attack, but you can’t do anything to retaliate?
That’s how it is in cybersecurity in the United States. You can defend yourself with internal security systems, but you can’t go on offense and “hack back,” by law. The Computer Fraud and Abuse Act forbids retaliatory cyber defense actions, such as hacking an adversary’s computer system. The Active Cyber Defense Certainty (ACDC) Act was introduced as a House bill last year “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers.”
As cyberattacks from all vectors continue to rise, it seems as though all segments of society are under siege, ranging from government entities to businesses to our ability to vote without concern. At this year’s RSA Conference, Venafi surveyed 517 IT professionals and found that 87 percent think the world is currently in the middle of a cyberwar. Also, 72 percent believe nation-states should have the right to “hack back” by targeting cybercriminals who level attacks on their infrastructure and 58 percent believe private organizations have the right to “hack back.”
“It’s clear that security professionals feel under siege,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said in a release about the survey. “With the increasing sophistication and frequency of cyberattacks targeting businesses, everyone is involved in cyberwar.”
What is Cyberwar?
It appears that organizations feel as though they are in a war zone, and they are getting fired on from multiple angles—cybercriminals, nation-states and even malicious insiders. But cyberwar is a term that is usually reserved for nation-state aggressions, so I asked Bocek how he defined cyberwar.
It’s a term still so new to our lexicon that we don’t have a common definition yet, he told me. For some security professionals, cyberwar is an attack that goes beyond simple theft, one that purposely causes disruption or creates chaos.
“The problem is that cyberspace is not a traditional battlefield; it’s everywhere, including public and private infrastructure for cities, workplaces, school [and] parks as well as transportation and communication,” explained Bocek. “Because the battlefield is so large and guerilla actions are taking place all the time, ‘cyber peace’ is razor thin. Any number of actions can cause a cascade of events that are devastating.”
How to Fight Back
Because private enterprises are not legally authorized to access an attacker’s computer, even if they are in the middle of an attack, most security professionals feel frustrated about the ability to respond. But would retaliation actually work, if it was allowed?
Probably not, said Bocek. Even if these hack-backs were successful, they would likely lead to an escalation of attacks. Plus, it’s always difficult to determine exactly which machine is being used to drive malicious action, so it’s quite possible that hacking back can lead to unintended damages.
“Even if this type of action were to become legal, most organizations are too optimistic about their abilities to target the correct intruder,” he said. “Even with the most sophisticated security technology, it’s nearly impossible to be certain about attack attribution because attackers are adept at using a wide range of technologies to mislead security professionals.”
This means security teams must focus on better defensive actions. Simply put, he said, businesses need to take cybersecurity more seriously; it must be a core business function like sales or manufacturing. Additionally, the function of cybersecurity should be overseen by a dedicated leader who wakes up every day thinking about how to protect their business from cyber threats.
“Business leaders need to architect their businesses to go faster and be more secure,” Bocek said. “While these are not simple problems, we are entering an exciting new frontier for businesses. We all need to work together to solve these problems.”