When Robert Clark meets with large corporations and government agencies that have been hacked, many express the same feeling. They want revenge.
But the impulse to strike back is fraught with legal danger, said Clark, operational attorney for the U.S. Army Cyber Command, who plans to deliver that message on Thursday in a speech at the Black Hat security conference in Las Vegas.
“I’ve been involved in this field in-depth for 10 years, and the first thing everybody asks is, ‘How do I hack back? I want to smack somebody,’” he said in an interview. “And my response is always the same: Why? Because you’re mad? What do you want to get out of it?”
The allure of hacking back is growing as digital espionage and trade-secret theft have become rampant.
Shawn Henry, formerly the FBI’s top cyber crime official, has said that organizations increasingly want to go on the offensive with hackers. Henry is now president of CrowdStrike, a startup that is focused on proactive anti-hacking measures.
Companies are taking a cue from elected leaders.
Two pieces of malicious software show that governments are taking a more active role in cyber attacks. The New York Times reported last month that the U.S. and Israel jointly developed Stuxnet, which damaged nearly 1,000 centrifuges in an Iranian nuclear plant. The Washington Post reported that the countries also built Flame, a piece of eavesdropping software, to slow Iran’s nuclear ambitions.
Clark’s position is a conflicted one, as the military and civilian organizations play by different rules. He wouldn’t comment on Stuxnet or Flame, and emphasized that he was speaking in a personal capacity at Black Hat. But he did have advice for organizations considering hacking in self-defense.
Some companies are discussing whether it’s legal to place a tracking bug inside computer files that are at risk of being stolen, Clark said. The law may be on their side in some instances.
Clark pointed to a 1992 case where a driver working for the U.S. Postal Service was caught stealing envelopes stuffed with money on his route. The driver, Ervin Charles Jones, pleaded guilty but argued that investigators’ use of a small transmitter to track one of the envelopes — the key to making the arrest — led to an unlawful search of his van. The courts disagreed, and Jones was sentenced to 11 months in prison.
It’s not that different from companies trying to chase stolen computer files. But in the digital realm, it’s easy to go too far, Clark said.
Because of the powerful capabilities of spying software, organizations might be tempted to do more than simply track their purloined goods. Placing malicious software on attackers’ machines would violate anti-hacking laws, Clark said.
A grayer area, though, is whether probing attackers’ networks violates the law. Breaking into computers to recover stolen intellectual property is illegal, but doing light reconnaissance to map attackers’ networks to learn about their systems might not be, Clark said.
The law generally favors those who pursue prevention, such as the use of strong encryption, over post-theft recovery, which resembles a burglary victim aggressively going around looking for his stolen goods, Clark said.
Planting disinformation is another strategy that’s gaining popularity, he said.
Placing fake blueprints or software code in a place where hackers could steal them could be a legal, effective diversion. But spreading flawed airplane designs or pharmaceutical formulas that make their way into products and hurt people might not be, he said.
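The tracking bug and the decoy documents Clark describes above share one mechanism: a planted file carries a unique marker, and the defender watches for that marker to surface somewhere it should not. The following is an added example, not code from the article or from Clark, of the minimal version of that scheme that stays on the "tracking, not hacking" side of the line he draws. Each decoy file gets a per-file token derived with an HMAC, the token is embedded in a URL on a beacon host the defender controls (here the hypothetical `beacon.example.net`), and the defender's own web-server log is scanned for requests carrying a known token. Nothing is placed on the attacker's machine; the only signal is an HTTP request the attacker's software initiates when the file is opened. The log lines are constructed for the example, and `SECRET` stands in for a key you would keep in a secrets store.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical beacon host; in practice a server the defender controls.
BEACON_HOST = "beacon.example.net"

# Combined log format as written by Apache/nginx (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BEACON_PATH_RE = re.compile(r"^/b/([0-9a-f]{32})\.png$")


@dataclass(frozen=True)
class Hit:
    decoy: str
    ip: str
    timestamp: str
    user_agent: str


def make_token(secret: bytes, decoy_name: str) -> str:
    """Per-file token derived with HMAC-SHA256, so a token seen in the logs can be
    tied to exactly one planted file and cannot be forged without the secret."""
    return hmac.new(secret, decoy_name.encode(), hashlib.sha256).hexdigest()[:32]


def beacon_url(secret: bytes, decoy_name: str) -> str:
    """URL to embed in the decoy (for example as a remote image reference in a
    document template). Fetching it is the only 'call home' that ever happens."""
    return f"https://{BEACON_HOST}/b/{make_token(secret, decoy_name)}.png"


def find_hits(secret: bytes, decoy_names: list[str], log_lines: list[str]) -> list[Hit]:
    """Scan web-server log lines for beacon requests and attribute each one to the
    decoy it was planted in. Unknown or forged tokens are ignored."""
    expected = {make_token(secret, name): name for name in decoy_names}
    hits: list[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = BEACON_PATH_RE.match(m.group("path"))
        if not p:
            continue
        seen = p.group(1)
        for known, name in expected.items():
            # Constant-time comparison; a forged 32-hex token never matches.
            if hmac.compare_digest(seen, known):
                hits.append(Hit(name, m.group("ip"), m.group("ts"), m.group("ua")))
                break
    return hits


# Hypothetical key and decoy names used only for this example.
SECRET = b"replace-with-a-random-key-from-a-secrets-store"
DECOYS = ["Q3-roadmap-DRAFT.docx", "turbine-blade-v7.dwg"]


def sample_log() -> list[str]:
    """Constructed log lines: one genuine beacon hit, one request with a forged
    token, and one unrelated request."""
    real = make_token(SECRET, "turbine-blade-v7.dwg")
    forged = "0" * 32
    return [
        f'203.0.113.7 - - [10/Jul/2012:03:14:07 +0000] "GET /b/{real}.png HTTP/1.1" '
        f'200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office)"',
        f'198.51.100.9 - - [10/Jul/2012:03:15:01 +0000] "GET /b/{forged}.png HTTP/1.1" '
        f'404 0 "-" "curl/7.26.0"',
        '198.51.100.9 - - [10/Jul/2012:03:15:02 +0000] "GET /robots.txt HTTP/1.1" '
        '200 24 "-" "curl/7.26.0"',
    ]


if __name__ == "__main__":
    for name in DECOYS:
        print(f"embed in {name}: {beacon_url(SECRET, name)}")
    for h in find_hits(SECRET, DECOYS, sample_log()):
        print(f"{h.decoy} opened from {h.ip} at {h.timestamp} ({h.user_agent})")
```

The HMAC derivation is what keeps the scheme useful as evidence: a hit can be tied to one specific planted file, and a token an adversary invents or mutates cannot be mistaken for a real one. Note that the same beacon serves the disinformation case too: a decoy blueprint that calls home tells you it was taken, without the defender ever touching the taker's systems, and the decoy's contents can be harmless in the way Clark's bad-tasting soda formula is.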
“If I’m talking about the new secret formula for a soda, and I’m just making it taste bad, that’s no big deal,” he said. “But what if my disinformation gets to the point that it harms somebody? That’s what could happen if disinformation is pushed to its ultimate end.”
A bizarre case from 1967 shows some limitations on self-defense that could apply to the cyber realm, Clark said.
The case involved Iowa landowners, Edward and Bertha Briney, who rigged a shotgun to fire on anyone who entered a bedroom in a vacant farm house that was being repeatedly burglarized. An intruder broke in to scavenge old bottles and fruit jars and had most of his leg blown off. A jury awarded the intruder $30,000 in damages, which would be more than $200,000 in today’s dollars.
Hacking attacks can now cause damage in the physical world, as the Stuxnet worm showed. Hackers have an array of non-PC targets to attack now, from the computers that run water facilities to automobiles to insulin pumps, as a Bloomberg.com slide show has catalogued.
Aggressive counterattacks could be justified in cases where personal safety is in danger, Clark said. But organizations that engage in a counterattack would have to prove that their response was proportional to the threat, he added.
Of course, the odds of a victim of a counterattack coming forward are slim, Clark said.
“Who’s going to complain?” he asked with a laugh.