The recent spate of high-profile hacking attacks on American companies, including Sony, Yahoo!, Uber and, of course, the DNC's servers, has raised serious questions about the ability of American companies to protect themselves from cyber attacks. Indeed, the former NSA director said that Chinese companies have stolen trade secrets from virtually every sector of the American economy. To determine how high-profile American corporations are investing in cybersecurity without breaking the highly restrictive American laws on hacking back, NewtonX spoke with members of the cybersecurity teams at Amazon, Cisco, and IBM. While these experts could not disclose how their own companies protect their data and trade secrets, they did outline the problems with the current state of cybersecurity law, and the key ways it could be improved to help corporations in America protect themselves from hackers, both domestic and foreign.
Any form of hacking has been a federal crime since 1986, when Congress enacted the Computer Fraud and Abuse Act. This act prohibits any business or individual from knowingly accessing a computer without authorization. The problem with this act is that it makes catching hackers extremely difficult. Corporate cybersecurity firms tend to toe the line of legality, using tactics to ensnare and catch hackers that typically involve what could be construed as hacking back. The $150B cybersecurity market is expected to grow to over $200B in the next three years. So how will the market work within the confines of the law?
Toeing the Line: How the Cybersecurity Market Has Evolved Within the Law
In 2012, Robert Mueller infamously said “There are only two types of companies: those that have been hacked and those that will be.” Despite the prevalence of the problem, a former member of the cybersecurity team with IBM noted that “companies don’t know to what extent they’re allowed to identify hackers, and often assumed a ‘don’t ask don’t tell’ policy when it comes to certain forms of protection.”
One such form of protection is the "honeypot," a type of cyber trap in which a would-be hacker is tricked into thinking they are accessing the target's system, when in fact they are inside a replica of it. While this relatively new approach can be incredibly effective, privacy laws in the U.S. limit the target's right to capture data on the attacker — from the attacker's login/password to deeper data such as communications. However, the Service Provider Protection exemption allows companies to collect certain types of transactional data, but only if it is collected to protect and secure their own environment. This exemption has given rise to a class of cybersecurity firms like Cymmetria, which openly employs honeypots to identify attackers.
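To make the distinction between transactional data and content concrete, here is an added example (not code from the article, Cymmetria, or any company it names) of a decoy-login event handler that records who touched the decoy, when, and what path they requested, while discarding any submitted credentials or request body. The request dictionary and its field names are constructed for illustration.

```python
"""Decoy-login handler that keeps only transactional metadata."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Fields treated as transactional (who connected, when, to what).
TRANSACTIONAL_FIELDS = ("src_ip", "src_port", "method", "path", "user_agent")
# Fields treated as content; the decoy deliberately never stores them.
CONTENT_FIELDS = ("username", "password", "body", "cookies")


@dataclass(frozen=True)
class DecoyEvent:
    timestamp: str
    src_ip: str
    src_port: int
    method: str
    path: str
    user_agent: str
    severity: str


def record_decoy_access(request: dict, now: Optional[datetime] = None) -> DecoyEvent:
    """Turn a request to the decoy into a minimal alert record.

    Any access is suspicious because no legitimate user is ever pointed at
    the decoy, so the record carries a severity but no captured secrets.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    meta = {k: request.get(k) for k in TRANSACTIONAL_FIELDS}
    # A credential submission ranks higher than a plain probe, but the
    # credentials themselves are dropped before anything is written.
    attempted_login = any(request.get(k) for k in ("username", "password"))
    severity = "high" if attempted_login else "medium"
    return DecoyEvent(timestamp=ts, severity=severity, **meta)


def event_to_log_line(event: DecoyEvent) -> str:
    """Serialise for a SIEM; contains no content fields by construction."""
    return (f"{event.timestamp} decoy_access severity={event.severity} "
            f"src={event.src_ip}:{event.src_port} {event.method} {event.path} "
            f'ua="{event.user_agent}"')


if __name__ == "__main__":
    # Constructed sample request; the credentials never reach the log line.
    sample = {"src_ip": "203.0.113.7", "src_port": 51234, "method": "POST",
              "path": "/admin/login", "user_agent": "curl/8.0",
              "username": "root", "password": "hunter2", "body": "x=1"}
    print(event_to_log_line(record_decoy_access(sample)))
```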
Another questionable cybersecurity practice is the "dye packet," the code equivalent of the exploding ink that banks use to mark stolen cash. When activated, a dye packet makes all stolen data unusable. The questionable part of the practice is how the dye packet is activated: if the target were to execute it by gaining access to the code remotely, that would happen outside the target's own network and control, and would therefore be hacking. If, on the other hand, the dye packet were to "phone home" when opened — that is, try to connect to the home server — and then encrypt the data only if it cannot connect, this would be completely legal. In fact, that is essentially what digital rights management is (what Netflix and almost all software providers do). Of course, sophisticated hackers would be able to spot a dye packet like this in the code and would not fall for it in the first place.
Many cybersecurity companies have pushed the limits of the law in ways like these, taking highly aggressive stances. For instance, Nisos, LLC, uses what it terms "active defense" to recover stolen data and identify hackers. The CEO and founder of the company stated that "We go as far to the edge as the law will allow."
What exactly the law will allow, however, is unclear. To date no company has ever been prosecuted for hacking back, and Justice Department officials have indicated that the optics of such a prosecution would be unfortunate for both the department and the company. After all, especially if the hacker is foreign, it is reasonable to argue that if the U.S. cannot protect companies from hackers, the companies should be able to protect themselves. Because no precedent has been set, many cybersecurity companies operate in a grey area, where they can push the limits of hacking back until a precedent establishes what the limits of corporate cybersecurity are.
The Wild West of Cybersecurity
Many of the practices that companies currently engage in could conceivably be prosecuted as violations of the Computer Fraud and Abuse Act. However, because the government is extremely unlikely to prosecute, especially when a hack back is directed at a foreign government, companies are free to push the limits of legality. As foreign hacking becomes more and more sophisticated, the cybersecurity market will grow and become increasingly aggressive to beat out the competition. And unless the government either changes the law or decides to prosecute, cybersecurity companies and teams will likely continue to hack back with impunity.