The cyber war conundrum: Companies contest no hack-back rules

Corporates on both sides of the Atlantic are calling for changes in the law to allow them to fight back against the current wave of cybercrime.

As things now stand, corporates are discovering that the very laws meant to protect individuals against being hacked are now serving to protect the organised criminal gangs (OCGs) who are stealing billions from their accounts, compromising sensitive customer data and ransoming their most confidential data.

While many institutions and their advisers have the resources to go after malicious hackers in order to discover their identities and to try and recover some of their misappropriated data and cash, they are prevented from doing so by the Computer Misuse Act in the UK and equivalent rulings in the US.

The intention of those drafting these laws was not, of course, to protect hackers and OCGs but to defend the data privacy of organisations and individuals. However, the laws are now working against the interests of legitimate organisations by forcing companies to try and fight back with both hands effectively tied behind their backs. US companies are now clamouring for changes in the law to allow them to track down hackers and have been voicing the desire to be allowed to hit back at foreign adversaries who are attacking their IT systems.

But the US authorities are wary of making changes in the law which could result in an escalation of the cyber war which is developing between the criminals and legitimate companies. US Defense Department spokesman George Duchak, director of the Defense Department's Defense Innovation Unit Experimental, has warned against an overly pro-active approach.

“Like the Wild West where everybody’s shooting”

He said: “I think once you go outside your networks, you're setting a dangerous precedent. It becomes like the Wild West where everybody’s shooting, and there would be a lot of collateral damage.”

There are also concerns among US officials that firms may lack the necessary skills to ensure that they are going after the right targets. Renee Tarun, senior cyber strategist on the National Security Agency's Cyber Task Force, has also warned companies that it can be difficult to determine the source of a hack.

But some US companies who do have the wherewithal needed to identify their attackers are now bridling under the frustration of knowing who is hacking them but feeling unable to do anything about it. This problem is accentuated by the rapidly growing global terror risk in the wake of the recent terrorist attacks in Paris.

There is growing evidence that terrorist groups are now using cyber warfare to support and augment attacks of a physical nature. There are already reports of a massive cyber-attack on French communications systems up to 48 hours prior to and during the Paris attacks. The attack is said to have taken down the French mobile network, severely limiting police surveillance of the situation. Industry commentators point to the sophistication of the cyber-attacks.

According to Dr Paul Craig Roberts, former Assistant Secretary of the Treasury for Economic Policy: “The attack was not a straightforward DDOS attack but a sophisticated attack that targeted a weakness in infrastructure hardware.” He adds that such an attack is beyond the capability of most organisations and requires capability that is generally thought unlikely to be in the Islamic State of Iraq and the Levant (ISIL)’s arsenal.

He says: “An attack on this scale is difficult to pull off without authorities getting wind of it. The coordination required suggests state involvement.”

Dividing line perilously thin

The dividing line between criminal hackers and state actors has also become perilously thin. The Chinese military, for example, now literally employs regiments of cyber-hackers bent on accruing Western know-how. Many organisations now fear that if their governments are not doing enough to protect them, they should be allowed to defend themselves against increasingly sophisticated attacks from state actors.

Citing the loss of hundreds of billions of dollars of intellectual property to Chinese hackers, Randall Fort, Director of Programs Security at major defence contractor Raytheon, asked, "In my company, I actually have the screenshots of the Chinese [who] are stealing my information. So the attribution issue isn't necessarily a problem for everybody…Why shouldn't firms be able to do something about that?"

There is some truth in the view that leaving it up to the private sector alone to go after OCGs, terrorist groups and state actors would be inadvisable. This kind of research would, in any case, be likely to lead companies into investigating their attackers on the Dark Web. To attempt this without long-standing embedded sources on the criminal forums would likely expose them to further risk of hacking.

Ideally, the private sector should work in tandem with government agencies on both sides of the Atlantic to combat the growing cyber threat. Government resources are, however, currently stretched to capacity and their abilities to chase after hackers are limited.

In the current climate, the best solution is for firms to employ qualified third-party advisers, such as KCS, with the necessary software skills and embedded sources to locate the source of the hack before taking legal advice about how best to proceed.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe
