Cyber Experts Discuss a Strategy of ‘Active Defense’ at APCO Panel

Companies need clearer guidance on what they can and cannot do in response to state-sponsored hackers and online criminals, including ‘active defense’ measures, which are often undertaken to attribute an attack, at a time when corporate America is under continuous cyber attack. The cyber security space needs a clearer line between private and public sector responsibilities, increased reporting and collaboration, and more active measures, a panel of cyber experts concluded at an event hosted on Oct. 17th by APCO Worldwide as part of Washington DC’s Cyber Week.

The panel debated the merits of companies “hacking back” against digital assailants versus taking a more limited, yet still “active,” defense of their digital systems and data. The experts included Sean Weppner, chief strategy officer at NISOS Group, a digital protection firm; Terry Roberts, chief executive officer of WhiteHawk, the first online cybersecurity exchange for small- and medium-sized businesses; and Michael Fabrico of TrapX Security, a leader in cyber deception technology. The roundtable was moderated by Jay Solomon of APCO Worldwide, a strategic communications consultancy.

Not one of the panelists advocated companies hacking back against suspected digital assailants. The risk of such a counterattack escalating into a wider conflict is simply too high, and a counterattack offers no guarantee that a company could identify the adversary or deter future attacks. However, the cyber experts did affirm that the laws governing cyberspace in the United States are ill-defined; companies should be allowed, at a minimum, to take steps to identify who was behind a hacking attack, a process known as attribution.

“Companies have everything to lose by hacking back. There is a legal gray area where the private sector must defend itself and where the government needs to step in and define boundaries and enablement when facing state-sponsored and sophisticated online criminals or ‘hacktivists’,” said Terry Roberts of WhiteHawk, who previously served as the deputy director of Naval Intelligence. “There’s too much ambiguity where the role of the private sector ends and the government begins.”

The U.S. Congress is currently debating whether to amend the federal statute that criminalizes unauthorized access to computers, the Computer Fraud and Abuse Act. The act was passed in 1986, roughly a decade before the commercialization of the Internet, and is widely seen as obsolete.

“The legislation is ambiguous and dated, making it difficult to understand what actions actually constitute hacking,” said Sean Weppner of NISOS, who is also a veteran of cyber operations at the Defense Department. “At this point, there is one clear line in the legal sand, namely that individuals and organizations cannot engage in non-consenting remote code execution.”

The panelists warned that the digitization of the United States economy has made companies even more vulnerable to hacking operations, especially over the past five years. They pointed to the growth of so-called smart cities and the “internet of things,” which is rapidly multiplying the number of software-driven devices embedded in everything from washing machines to pacemakers. Without assurance built in, any of these systems can be exploited by cyber criminals; programs and technologies need privacy and security designed in from the very start, so that criminals and hackers cannot hijack these capabilities or repurpose the open data sets and video feeds they generate.

The panelists noted that sophisticated state actors are behind many of the attacks on U.S. companies. Nevertheless, much of the risk to a company’s digital infrastructure can be reduced with relatively simple and affordable products, services and best practices, such as regular cyber risk training for employees, which helps shield an organization’s IT infrastructure and data from malicious disruption or theft.

“Many companies are dealing with nation-state actors now, rather than common criminals, which makes hacking back a dangerous prospect,” said TrapX’s Mike Fabrico. “User behavior is still the biggest vulnerability for companies.”

Fortunately, the panelists noted, the ‘people problem’ in cyber security is one that can be solved. The government and the private sector can collaborate to fund, promote, and otherwise enable additional education and certificate programs to train a stronger workforce. This can begin with something as simple as scaling up cyber operations, policy and security courses, certification programs and majors across high schools, junior colleges, colleges, and universities. The initiative should include a digital literacy curriculum from pre-school through high school, educating young people in how to succeed in the Digital Age while still protecting themselves. For those already out of school and in the workforce, education could include expanding cyber executive and working-level programs from two days to one week.

Indeed, one study found that human error or human behavior contributed to about 90 percent of all cyber claims. Until the government addresses the problem more holistically, with updated laws and security standards for new technology, addressing the human element may offer the best available protection against the growing impact of online crime and fraud.

APCO Alumna Aftan Snyder coauthored this piece.