FBI probes if banks hacked back as firms mull offensives
U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreignbased hackers. Private-sector companies doing business in the U.S. have few clear options for striking back on their own.
That has led a growing number of companies to push the limits of existing law to consider ways to break into hackers' networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property hackers may have stolen.
In one case, the Federal Bureau of Investigation is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, said two people familiar with the investigation. JPMorgan Chase & Co. (JPM) advocated such a move in a closed meeting in February 2013, these people said. A bank spokeswoman said no action was ever taken. Federal investigators are still trying to determine who was responsible, the people said.
"It's kind of a Wild West right now," said U.S. Representative Michael McCaul, the Texas Republican who is the chairman of the House Homeland Security Committee. Some victim companies may be conducting offensive operations "without getting permission" from the federal government, he said.
"They're very frustrated," McCaul said of these firms. Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp. (INTC), and the Center for Strategic & International Studies. Counterstrikes are a small part of the overall cyber-security industry, which Gartner Inc. projects will surpass $78 billion in worldwide revenue next year.
The idea of hacker-on-hacker justice raises thorny questions, including when U.S. companies can legally order international strikes on their behalf. Also little explored, so far, are the consequences of engaging hackers that may be backed, explicitly or implicitly, by states from North Korea and Iran to China and Russia. The idea of counterstrikes gained an unprecedented level of visibility when President Barack Obama vowed on Dec. 19 to mount a "proportional" response against North Korea for the Sony breach, which destroyed data and leaked movies and employee e-mails. North Korea suffered Internet outages a few days later. The White House has declined to comment on North Korea's accusation that the U.S. government played a role.
"Sony represents a dramatic escalation -- one so punitive in nature that I think it does change the equation," said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., a Tokyobased security firm. Trend Micro advises clients against taking aggressive countermeasures, he said. Already, someone appears to have struck back against the Sony attacks. Fake copies of "Fury," "Annie" and other leaked films began appearing earlier this month on file-sharing sites, slowing the computers of people attempting to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, California-based security company. The fake files have now largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said.
Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach. In the U.S., companies are prohibited by the 30year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.
The act exempts intelligence and lawenforcement activities, allowing the government to respond more aggressively than private-sector firms. There's little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.
U.S. law-enforcement agencies appear to give security companies more leeway when it comes to breaching computers to gather intelligence on the hackers or discover what data they took, according to a former law-enforcement official.