Cybersecurity: Is It Time to Start Hacking the Hackers?

As IT risks mount, security guardians ponder going on the offensive

Thursday, May 09, 2013 , By Sara K. Gates

printPrint   |  Order  |  Email this Story  | 

In light of unprecedented attacks by cybercriminals against businesses that span every industry, experts in information technology and data security are debating whether it is time to fight back -- to hack the hackers.

As the founder and CEO of Wisegate, a private, expert peer group for senior-level IT executives, I get to work with some of the best and brightest and have a ringside seat at the high-profile discussions that unfold at  major security venues like the annual RSA Conferences. Among Wisegate members, chief information security officers (CISOs) and senior security professionals from brand-name companies and government agencies who are discussing this issue, one solution stands out clearly: industry collaboration.

"Hacker groups and disruption of business have reached an all-time high and no longer can be ignored," said cyber intelligence expert Jeff Bardin, chief intelligence strategist at Treadstone 71. "We want to get the adversary to understand that if they launch an attack against a company, there will be costs to pay."

In Wisegate, those not in favor of going on offense raise the issue of attribution as a major factor why this tactic won't work. They say it is too difficult to pinpoint the location and source of many cyberattacks. Yet many security experts point out that there are "offense-like" tactics that can drive up the cost of hacking into a corporate network and, if deployed properly, could discourage hackers enough to have a major impact on the threat landscape.

"Interesting questions are being raised about how far businesses can go and what types of attacks can actually be effective," said Martin Zinaich, a Wisegate member who is information security officer of the City of Tampa, Florida. "It doesn't necessarily have to go from nothing to launching a full-out assault against cybercrime infrastructure. It could be much more subtle things like feeding the bad guys misinformation or doing your own reconnaissance."

050913_WiseGate_Figure1
Source: Wisegate (April 2013).

Initial Caution

A recent Wisegate poll captured the overall sentiment reflected about the level of retribution security practitioners and their companies are ready for. Forty percent of the IT security leaders agreed "we should at least be discussing" fighting back; 30% were not ready because "too many legal and ethical questions" are unresolved; and 58% had not even begun discussing a counterstrike policy.

Many Wisegate members believe there are other offensive security measures that the good guys can leverage. Misdirection tactics can be deployed by the most targeted companies, such as those in the financial or defense sectors.

"We need to start thinking like our adversaries, to look at different approaches and techniques to confuse an attacker," said Wisegate member Tim McCreight, CISO for the Government of Alberta, Canada. "We're looking at using ethical or 'white hat' hackers to check our defenses, and we're approaching our program like we're trying to break into our systems. We need to adopt this mindset and keep focusing on risks."

Offensive security tactics may have drawbacks as well. Some companies may want to refrain from specifically targeting hackers or hacktivist groups because of the ethical and legal questions. In addition, building and deploying phony systems and fake credentials may be too costly.

Wisegate members say that part of the difficulty is that there is no broad agreement on what "hacking back" means. Offensive security is relatively undefined and the laws governing it are vague.

050913_WiseGate_Figure2
Source: Wisegate (April 2013).

Collaborative Potential

I believe the lessons learned from this dialogue are critical. While hot-button issues will be raised and flames fanned by the media, it takes time to think through the best responses to issues our IT organizations are facing.  It takes time for the issues to be raised in the trenches of organizations and for substantive opinions to be developed.

But it is always the perfect time for the industry to collaborate on what it means and what steps can be taken. The threat is always evolving and always changing -- and therefore our companies must be as well.

The most important key to fighting cyber crime will be harnessing the collective intelligence of the good guys in our industry. No matter what the hot-button topic may be, if we can garner the collective intelligence of these practitioners, all things are possible. In the case of counteracting the hackers, technologies and methodologies to beat the bad guys are just a byproduct.

Before founding the online IT community Wisegate, Sara Gates (info@wisegateit.com) worked for start-up and large enterprise IT companies, including as vice president of identity management at Sun Microsystems.

Risk Management e-Journal
cover
The Risk Management e-Journal publishes paper abstracts on the topics that matter most to risk professionals. See what your risk manager colleagues are reading about today.

 

 

 

Get Free Updates on the Dodd-Frank Act
DoddFrank
Register for Morrison & Foerster's FrankNDodd service to receive Daily News Alerts on the Dodd-Frank Act, gain access to regulatory highlights and commentary, and use the exclusive FrankNDodd Tracker tool.

 

Banner Picture