Should we let cyber espionage victims hack back?

Some private-sector victims of cyber espionage sound like they want to go all Blackwater on the internet. What could possibly go wrong?
Written by Stilgherrian, Contributor

"If we have a problem with cyber, why aren't we enabling the people that are getting attacked and robbed to defend themselves actively, dynamically, and to go after the people that are stealing their information," asks Randall Fort, director of programs security at defence firm Raytheon, and a previous head of intelligence for the US Department of State.

"A commercial bank can shoot the robber that comes in to steal their money. Why can't companies that are having their information stolen go out and do something dynamically to the very entities, the individuals, who are doing that? We know who the people are that are attacking my company. We have screenshots of them, down to the individual. You [the intelligence community] can do that as well."

So instead of exploring "a thousand reasons why it won't work, legally and mechanically", asks Fort, "why don't we do something that'll actually get at the problem?"


Fort posed his question to the panel at this week's Cyber Risk Wednesday discussion, Rethinking Commercial Espionage, one in a series sponsored by Washington-based international affairs think tank the Atlantic Council and Christian Science Monitor's security news site Passcode.

Economic cyber espionage is a huge problem for the US, and it's getting worse and worse, according to panellist Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike.

"We often cite our natural frenemies, if you will, in this space, China and Russia, as being the main problems, and they're certainly contributing to a massive segment of the economic espionage that's being perpetrated against the Western private sector. But the reality is, it's no longer just them," Alperovitch said.

"In fact, most of our allies are engaged in this type of activity. At CrowdStrike, we're tracking actors out of India, out of France, Israel, South Korea, and many other countries. They're now engaging in economic espionage against our own private-sector companies, and giving it for the benefits of their own industries -- whether it's state-owned industries, or their 'titans of industry'."

Fort's question cuts straight to the heart of a uniquely American problem. While the US is a world-leader in both technology and technology-based spying, by law its intelligence agencies cannot engage in commercial espionage. Effectively, they're playing with one hand tied behind their back.

That said, the legal boundaries can be flexible.

"Where we think it will affect policy-makers, we do economic intelligence-gathering," said Stewart Baker, now a partner at law firm Steptoe & Johnson, but once general counsel of the US National Security Agency.

"Since the 1973 oil embargo, the prospect that oil would be a weapon has led the US to be focused on 'What's the state of oil supplies around the world?' and what's going to happen to the market. Are we going to have another shock like 1973, 1979? And that led to -- I suspect, I have no idea -- the Petrobras intrusions that the Brazilians got so upset about," Baker said.

"If we're negotiating over economic issues with other countries, we might feel comfortable trying to find out what their negotiating position is going to be."

Baker suggested that the US could engage in commercial counter-intelligence. If they suspected that a company was benefiting from hacked information, for example, they could hack that company to gather evidence -- which could then be used to prosecute an intellectual property legal case or justify diplomatic sanctions.

Wednesday's discussion makes it clear that the US does need some new ways to respond to commercial espionage, something that sits between doing nothing and going to war. But should that include Fort's option of simply letting the targets shoot back?

Well, right now that'd be illegal for US companies. The Computer Fraud and Abuse Act would see to that. Empowering companies to act as some sort of cyber posse with government authority would run into the Economic Espionage Act. And if companies worked through a proxy or a mole in the target company's own nation, they'd run up against that nation's anti-espionage laws.

The law could be changed, of course, but would we really want that?

The whole idea reminds me of times gone by, when merchant ships carried cannon as a matter of routine -- from the Venetian traders of the Middle Ages and Renaissance to the Dutch and English trading companies from the age of global colonisation.

The freedom to run their own private wars made those companies phenomenally rich, but that tended not to be accompanied by what we would now call "good corporate", or "corporate social responsibility".

More recently, the scandals surrounding the mercenary outfit then called Blackwater in Iraq and Afghanistan showed just some of the problems that can arise when military-style operations happen without matching political controls.

The US does have a problem with commercial cyber espionage, sure, but I don't think arming the victims is the way to go.
