Cyber Vigilantes and Digital Hit Men: The private sector ‘going on the offensive’ against cyber attackers

Companies can hire digital hit men for $5 to $10 per hour

From Tim Maurer, Foreign Policy: [G]overnment is not the only one taking on cyber threats. Corporations, which have long worked to defend their networks from intrusion, are increasingly going on the offensive, turning from firewalls to retaliation. William J. Fallon, former commander of U.S. Pacific Command and U.S. Central Command, recently wrote about a survey of cybersecurity executives conducted by his firm, CounterTack, Inc.: "more than half [of the respondents] thought their companies would be well served by the ability to ‘strike back’ against their attackers." This raises important questions about cyber-warfare and the role of private companies. What happens when a corporation takes matters into its own hands? What if its attacks hit the wrong target, involve a foreign government, or lead to escalation? In short, what happens when corporations become cyberwarriors?

These are not theoretical questions. In January 2010, Google announced it had been hacked the previous month in an attack nicknamed Operation Aurora that was traced back to China. The hackers exploited a previously unknown vulnerability in Microsoft’s Internet Explorer, routed the attack through servers at two Chinese educational institutions to hide their tracks, accessed Gmail accounts and — more importantly — stole Google’s source code. When Google discovered the attack, "the company began a secret counteroffensive," according to the New York Times. "It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at least 33 other companies, including Adobe Systems, Northrop Grumman, and Juniper Networks." McAfee’s George Kurtz wrote, "Like an army of mules withdrawing funds from an ATM, this malware had enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays."

Some in the field cheered Google’s aggressive response, and some are following in its shoes. Matt Buchanan at the technology blog Gizmodo commented, "It’s pretty awesome: If you hack Google, they will hack your ass right back." The CounterTack survey found that 29 percent of participants felt that their "company would be well-served if it could proactively strike at the attackers’ infrastructure to minimize threats" and an additional 25 percent said that their "company’s data would be more secure if the company would strike back, but only if [it] were attacked first." In June, Reuters reported, "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action." At this year’s Black Hat conference in Las Vegas in July, a poll of 181 participants revealed that 36 percent had already engaged in retaliatory hacking in the past, with 23 percent having hacked back once and 13 percent frequently. And Tim ‘TK’ Keanini from nCircle, which conducted the poll, thinks the real numbers are higher: "Retaliatory hacking is a huge topic at Black Hat this year, but we should take these survey results with a grain of salt…. It’s safe to assume some respondents don’t want to admit they use retaliatory tactics. It’s very tempting to strike back out of anger and frustration. . . ."

[I]f a company does not have the know-how to carry out a counter-strike, it can hire contractors. Brian Krebs wrote about such digital hit men in 2011: "Hackers are openly competing to offer services that can take out a rival online business or to settle a score." He also provided pricing for Distributed Denial of Service attacks similar to the attacks Estonia witnessed in 2007 and Georgia in 2008. They range from "$5 to $10 per hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month." (graphic: NextGov)