Should Companies Retaliate Against Hackers? Here’s What Experts Are Saying.
This is the first of two pieces on BRINK about the Active Cyber Defense Certainty Act. The second piece can be read here.
Reflecting on the past decade, this much should be obvious: Regulation cannot keep up with the pace of technological change. This makes cybersecurity — the thin wall that protects everything from our identity and intellectual property to our financial capital — a crucial protective barrier in our society and economy.
As a communications strategist who advises companies besieged by cybercrime, I can attest that those protective walls are getting violated far too often. Since 2017, the rate of identity breaches has increased more than 400%. On top of their often-disabling impact on brand reputation, data breaches exact painful financial costs. Breaches have been known to cause damages of as much as half a billion dollars. Cybersecurity costs financial services companies, on average, some $2,300 per employee, a number that has tripled over the last four years.
But can companies and their board members be too zealous in fighting cybercrime?
A recent bipartisan bill, the Active Cyber Defense Certainty Act (ACDCA), offers to “allow use of limited defensive measures that exceed the boundaries of one’s network,” giving authorized entities the legal authority to “retrieve and destroy stolen files,” “monitor the behavior of an attacker” and “disrupt cyberattacks without damaging others’ computers,” among other things. Is the ACDCA a realistic antidote to cyber fraud? Or, by empowering companies to retaliate against hackers, is ACDCA’s solution potentially as corrosive as the problem? A walkthrough of what the experts have been saying on this subject may prove instructive.
How Far Is Too Far?
The debate over how far to go in strengthening cybersecurity is likely to roil corporate boardrooms and legislative chambers.
Argues Paul Ferrillo, a Greenberg Traurig partner and the author of Navigating the Cybersecurity Storm: A Guide for Directors and Officers, “ACDCA’s term of art, ‘active cyber defense,’ is in the eye of the beholder. Does it mean that under ACDCA a company is entitled to install a purely defensive measure such as a ‘honeypot’ to figure out who is attacking its network — and from where? Or, as some observers say, does active cyber defense enable a company to ‘hack back’ against an attacker’s computer system? Or does it depend on certain contingencies? In my view, ACDCA as presently constituted is not explicitly clear on this point.”
Still, Mr. Ferrillo believes that a properly conceived ACDCA has the potential to become a constructive instrument in the battle against cybercrime. Active defensive measures like honeypots and machine-learning solutions, if correctly deployed, can be critically important tools, he notes. Still, before any institution seeks to hack back against an adversary, it would be wise to consult with experts and attorneys.
Shining a Light into the Web’s Dark Corners
Cybersecurity expert George de Urioste, the chief financial officer of 4iQ, likens a company’s efforts to protect its cyber assets to a property owner using video surveillance technology to safeguard their possessions.
“It is generally accepted in our society that a property owner has the right to ‘see’ anyone on their premises and seek identification,” Mr. de Urioste says. “Should a crime occur, video is often used to establish attribution of criminal activity to share with law enforcement. I would strongly advocate for the ACDCA, at a minimum, to affirm a property owner’s right to unmask the cybercriminal via ‘identity threat intelligence.’” This aligns with the explanation of the bill offered by lawmakers, who wrote in an FAQ document that it would allow entities to “establish attribution of an attack” and “monitor the behavior of an attacker.”
“Every cybercriminal knows the effectiveness of surreptitious activity revolves around masking their identity,” explains Mr. de Urioste. “If we can fight back by bringing some sunshine onto the dark web, a major first step of proactive defense will be established.”
Attribution Is Critical
The impetus behind ACDCA, Mr. de Urioste says, points to “meta issues about economics and safety. Digital criminal activity grows exponentially; it will be with us forever. Private leaders see the economic impact; they constantly need to increase their cyber defense spending. Public leaders increasingly hear the outcry from consumers who are harmed by digital breaches. They want private leaders to assume greater responsibility and accountability. It all adds up to an urgent moment for greater empowerment, as intended by ACDCA principles.”
Given the enormity of these risks, companies have an obligation to explore a range of aggressive options and contingencies as contemplated by the ACDCA, notes risk management expert Kenneth J. Peterson, the founder and CEO of Churchill & Harriman.
“All offensive tactics meant to collect actionable threat intelligence executed within the law and in accordance with regulations should be on the table and considered,” Mr. Peterson says. “Boards are frustrated that the investments they’ve made to improve their enterprise risk posture have not wholly protected them.”
It seems unlikely a company will know without any doubt who the perpetrator of a cyberattack is. They must ensure accurate attribution to avoid violating international law.
Jon Frankel, a cybersecurity attorney and shareholder at the tech and privacy law firm ZwillGen, contends that the authority embodied in those ACDCA principles “is only as great as a company’s ability to accurately attribute an attack and avoid damaging other computers. Companies must understand that they cannot deploy active cyber defense measures without correctly attributing the attack.
It seems unlikely a company will know without any doubt who the perpetrator is, especially because hackers are good at concealing their identities by attacking through proxy servers or a series of compromised computers that belong to innocent third parties. Companies must ensure that they have accurately attributed an attack to avoid targeting innocent third parties and/or violating international law.”
Is ‘Cyber Vigor’ the Right Path Forward?
A muscular undertaking demands a paradigm shift in approach. Mr. de Urioste advocates cyber vigor, a commitment by companies to stay a step ahead of bad actors. This means worse-case scenario planning on the front end, and an equally aggressive range of tactics following an actual attack.
In a blog post outlining the tenets of cyber vigor, Mr. de Urioste offers a three-point prescription. First, know your adversary. What are your company’s digital “greatest hits,” and who would profit from pilfering them? “If you don’t know,” he writes, “you are flying blind.” Do your homework and don’t be afraid to let your imagination — and your crisis contingency scenarios — run wild. Second, determine your compromised data, including that which has been stolen or leaked from your suppliers and vendors. Third, establish the vulnerability of your employee attack surface. It’s the consumer data breaches that grab headlines and cause the most handwringing, but less-publicized employee password breaches often trigger the biggest headaches for companies. Company accounts hold the potential to “unlock valuable corporate data, leaving the door wide open for adversaries to walk out with whatever trade secrets they want,” Mr. de Urioste warns.
Preparing Your Audiences for Possible Cyber Breaches
In peacetime, the solutions are more mundane. Among the strategic communications elements that institutions should prepare in advance of any cyber breach or cybercrime are:
- Sophisticated holding statements approved by the counsel’s office
- A compelling protocol to respond to earned media inquiries
- A detailed social media response strategy, based on sample scenarios, “conversations,” and responses
- Talking points to address customers, employees, investors, media and other key constituencies
- A responsive email to general customers and business partners
- Comprehensive instructions for identity theft monitoring service enrollment
- A website FAQ page
In the future, a more proactive approach will likely become the norm — and legislative prescriptions are starting to move in that direction. Playing “whack-a-mole” in the wake of an attack won’t sufficiently protect the brand or business operations.