This post was co-authored by Dr. Stephen Bryen, Founder & CTO Ziklag Systems.
The Washington Post front page article on October 10 "Hacked Firms Quietly Talk about Fighting Fire with Fire" about growing corporate anger over successive cyber attacks has a new message: go on the offensive. Hack back!
They are not alone. The Pentagon has set up a secret unit called Plan X which is supposed to fight back against hacking. Its "rules of engagement" are classified, and nobody really knows if Plan X is operational or pie in the sky.
But how would "hacking back" work? The corporate approach, as reported in the Post, seems to be that one can attack the hackers, send them bogus information, as a way of closing them down. Would this work?
Most of the really bad hacking, attacks on government computers and networks and on America's critical infrastructure is foreign government sponsored. The latest banking attacks are thought to be Russian sponsored, President Vladimir Putin's reaction to American-led sanctions because of the Ukraine crisis. And the Senate Armed Services Committee has found that American defense companies are being systematically looted by China through cyber espionage.
Well-financed foreign governments do not directly launch attacks on American companies or our government and military. They would be foolish to do so, especially since they have plenty of other options. The Russians and Chinese have cadres of hackers who can operate on their behalf. Occasionally these state-sponsored "independent" hackers make a few extra dollars by stealing credit cards and emptying bank accounts. Sure, you can hack them back, but they will just get another computer and do it again. Living abroad they are beyond American law enforcement. The FBI may want to investigate; but one can expect few results.
Then there's the problem of recognizing that a hack has occurred. A study by Verizon which was conducted with the cooperation of many businesses, security firms and government experts points out that it often takes a long time to uncover an intrusion. If you don't know you have been ripped off you may in the end find your coffers empty when it is too late.
The level of angst circulating in business and government circles caused by huge financial losses from cyber intrusions (one study says $300 billion per year goes out America's cyber "pipeline") suggests we are rapidly reaching a tipping point. The security model we are trying to apply is a failure.
In fact, as pointed out elsewhere, the security model we have cannot work for the simple reason that it is impossible to protect computer networks when the networks, fixed and mobile platforms, and transmission equipment are composed of open-source computer code and foreign sourced hardware, predominantly manufactured in China. The time has come for the government to realize we cannot protect America's resources or critical systems such as telecommunications, energy, health care and banking if they are running on foreign produced equipment and globalized software.
And there is more.
It makes no sense to go after hackers who are employed by foreign governments. If we want to be serious when our banks are attacked or our nuclear power plants are damaged, we have to respond in kind. This is the ancient rule of warfare. We need to establish a cyber balance of power. To do so, we have to act like a grown up superpower that is no longer willing to be picked on by hackers and intruders ad nauseam. It is doubtful the Pentagon's Plan X rules of engagement allow it to attack the other guy's critical infrastructure, but maybe they should. If the White House is timid maybe Congress can put some backbone into our leadership.
Successive administrations have kicked the ball down the hall on cyber security. Leaders have bought into the idea that there is some nice solution just around the corner and all we need to do is be more rigorous, spend more money, and apply the right security safeguards. If anything, as spending on security has increased, so have cyber attacks. There is no empirical evidence that more spending has produced anything approaching a cure. While it may get them off the hook by throwing more dollars at the problem, a more serious and comprehensive approach is needed and soon.
That approach is tit for tat for those attacking us, and weaning our computer networks and communications systems off weak, compromised software and Chinese-made hardware. Would we give our soldiers rifles made in China? Then why do we run our nuclear power plants and government computers on Chinese supplied parts? It's ridiculous and make no mistake, the partying in Beijing and Moscow will continiue until we get serious. We are still buying the beer.