Cybersecurity has traditionally been a defensive discipline. Companies take steps to secure their networks, configuring firewalls, locking down unused ports and installing software to detect intruders. At a government level, though, the best form of defense is often seen as offense. Across the world, countries are getting aggressive with their approach to cybersecurity and taking the battle directly to hackers.
In Australia, officials have finally acknowledged a long-standing offensive hacking operation within the Australian Signals Directorate (ASD). Russia has committed $250M to strengthen its offensive cyber capabilities, and the U.K. is also stepping up activities in this area.
The U.S. has been conducting offensive security operations for a while now, most recently on the Islamic State group (also known as ISIS), which has waged its own cyberwar against its enemies. Before that, the U.S. government was responsible for the 2012 Stuxnet virus that took out Iran’s nuclear production facility.
This is part of an official U.S. cyber-warfare policy, both at the executive level and in the military. In April 2015, the U.S. Department of Defense laid out a cyber strategy [PDF] that included offensive measures. Hawks in the administration now even want to elevate the U.S. Cyber Command, which carries out many of the offensive measures, to a more prominent role.
Cyberwar vs. private retaliation
This is all very well, but the military and intelligence communities have special powers when it comes to offensive tactics. The private sector is different. If a bank wanted to start bombing people then everyone would be pretty upset. Yet banks and other private-sector companies suffer from online attacks all the time that inflict real, material damage.
Historically, companies haven’t been allowed to strike back against those attackers, but can only shield their systems as best they can. Should they be allowed to launch offensive cyber measures against their attackers — effectively hacking back — to discourage and possibly disable those attackers?
Firstly, it’s worth understanding what offensive cybersecurity means. Going in and trashing your attacker’s hard drive is obviously an act of aggression, but what about if you simply probe their network to find out more about their computers? These two acts sit on the same continuum of ‘active response.’ One may only be an act of trespass, but a judge could still construe it as unauthorized access to a computer.
The other problem lies in attribution. It is difficult to know for sure who launched an attack. If your company is hacked by a computer at my IP address, then you can’t automatically assume that I did it. A hacker may have compromised my computer first and used it to launch their attack on you, thereby shielding their identity.
The attribution problem is significant, because if a counter-offensive team gets it wrong, it can easily end up striking back against the wrong attacker, potentially inflicting harm against an innocent party.
The U.S. government wants to expand its capabilities in this area, and has launched a program to identify particular hackers based on their online activities.
Sharing is caring
The future of private-sector cybersecurity may not necessarily revolve around offensive and potentially illegal measures. Instead, it could involve a more active approach to defense in which companies move beyond simply monitoring and responding. The use of security analytics and big data could help to forewarn them.
The other piece of that puzzle involves information sharing, in which companies in the same industry exchange information about the attacks they’re seeing.
In the U.S., several industry-specific Information Sharing and Analysis Centers (ISACs) have evolved to help promote information sharing in a safe and private context. They span industries ranging from financial services to retail. In an attempt to extend those initiatives, the White House has now signed its Information Sharing Act into law.
Up here in Canada, a collection of private-sector firms clubbed together to launch the Canadian Cyber Threat Exchange (CCTE), a forum for private companies to exchange information about cyber threats.
In the future, offensive security may be an increasingly common tactic for the military and intelligence communities, and in some cases for law enforcement. For the rest of us, though, constrained by civil law, the opportunities may lie not in attacking the attackers, but in understanding them so we can at least shore up our own defenses.