RENEE MONTAGNE, HOST:
In last night's State of the Union address, the president touched on the importance of fending off cyber-attacks. All this week we've been reporting on how the U.S. military is prepared to wage cyber-war. But it's not just the government that's moving away from a strictly defensive posture; so too are some private companies. In the final report in this series, NPR's Tom Gjelten reports on companies that think it's time to attack the attackers.
TOM GJELTEN, BYLINE: For the first time ever, the CIA and other agencies have prepared a National Intelligence Estimate on the threat to the United States posed by cyber-espionage. The NIE is classified, but it's said to identify China as the leading culprit and it describes the espionage campaign as massive. That comes as no surprise to U.S. companies who see their networks routinely penetrated and their trade secrets stolen. Many are deeply frustrated over their inability to keep intruders out of their networks.
When he was the FBI's top cyber attorney, Steven Chabinsky saw hundreds of U.S. companies being hacked. Then he resigned and went to work as a private cyber-security expert. His view: Companies spend too much time trying to patch their security holes and defend their networks.
STEVEN CHABINSKY: That model needs to reverse itself, okay? There is no way that we are going to win the cyber-security effort on defense. We have to go on the offensive.
GJELTEN: Chabinsky was speaking at a recent conference. He's now the chief risk officer at CrowdStrike, a firm set up to serve companies ready to take the cyber-security fight to their adversaries. Dmitri Alperovitch co-founded CrowdStrike. In an interview, he explained the company philosophy.
DMITRI ALPEROVITCH: You can never win a fight, whether in a boxing match, whether it's in a war, by only taking defensive actions, right? If you're just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back.
GJELTEN: This idea of fighting back is increasingly popular among companies with assets at risk. Greg Hoglund co-founded HBGary, another firm known for its aggressive approach to cybersecurity. He too complains that companies are too slow to confront the people attacking their computer networks.
GREG HOGLUND: What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out. And that isn't really happening yet in the security space.
GJELTEN: This is tough talk. At times it sounds like these security people are advocating vigilante justice. It's hardly been up to private individuals or firms to get rid of bad guys or flush them out of their hideouts. That's normally the job of law enforcement. But Dmitri Alperovitch says the government does little more than warn U.S. companies about the cyber-threats they're facing.
ALPEROVITCH: It's sort of the equivalent of the government sees a missile heading for your company's headquarters, and the government just yells incoming, right, and it's doing nothing to prevent it, nothing to stop it, nothing to retaliate against the adversary. That's how the private sector feels today. And until that changes, the private sector is going to take actions into their own hands, and the government shouldn't be surprised about that.
GJELTEN: Part of the problem is that the government's jurisdiction in the cyber-security area is not clear. Some companies don't want the government involved. President Obama yesterday signed an executive order setting out procedures by which the government and the private sector would collaborate in confronting cyber-threats.
A turn toward more aggressive, more offensive actions against cyber-attackers can be risky. In remarks at George Washington University recently, Congressman Mike Rogers, chairman of the House Intelligence Committee, reminded companies that they may not know for sure who is attacking them, so counterattacking might not be a good idea.
REPRESENTATIVE MIKE ROGERS: I will guarantee you there will be lots of mistakes made, given the sophistication of nation-states in hiding their hand in activities. So I worry about the private sector engaging in offensive or active defense, as they call it. I cannot blame them because if we can't get this framework right, you have an obligation to protect your networks. I get very, very concerned about an unleashed private sector to do active defense because a lot of things are going to go wrong, I think.
GJELTEN: Rogers prefers defense-oriented cyber-security. He's introducing legislation today that would promote cyber-threat information sharing between industry and government. Companies that want to go on offense, striking back at their cyber-adversaries, do need to consider the legal risks. Just because you've been hacked doesn't necessarily mean you can hack back.
Richard Bejtlich is chief security officer at the cyber-firm Mandiant.
RICHARD BEJTLICH: I have only found one or two lawyers, in all the work that I've done over the years, who have said let's consider pursuing some type of offensive response. The corporate legal structure is very conservative when it comes to what we could allow someone to do.
GJELTEN: Companies dealing with cyber-threats may have to choose between listening to their lawyers and listening to their security people. Bejtlich says it may feel good for companies to move aggressively against whoever is hacking them, but he questions whether it's practical.
BEJTLICH: Most of the lawyers think, look, the data has already been stolen, so if the data's been stolen, what are you going to gain by doing something to the intruder?
GJELTEN: Dmitri Alperovitch at CrowdStrike is familiar with all the arguments against striking back. He insists there are safe and lawful ways a company can stop an intruder in his tracks and come out ahead.
ALPEROVITCH: One thing you can do as a private sector company when they're coming at you is draft a fake negotiation document that they may be after and feed that to them. If they're going after a particular negotiation strategy for a business deal you're involved in, and they're on the other side, you feed them a different strategy, you're going to cause them to act in a certain way that's actually going to benefit you.
GJELTEN: This is called a honeypot approach. You plant a document in your network that an adversary will find irresistible. But it's a booby-trap. The attacker steals the document, takes it home - and boom. In one clever version, the document includes secret code so that when the intruder opens it, it turns the camera on in his computer, takes his picture, and sends it back to you so you can report him to the authorities.
Greg Hoglund, the founder of HBGary, says he has reviewed techniques like this with lawyers.
HOGLUND: It was pretty clear that putting a booby-trapped document in your own network is 100 percent legal. There's no problem with that. If the bad guy comes and steals it out of your network and opens it in his computer, that's his problem.
GJELTEN: Perhaps, but there is still a vigorous debate around what is legal in offensive cyber-operations. In the physical world, if you're mugged, you can defend yourself, but you can't track the mugger down a day later and shoot him. Nor can you break into his house and get your wallet back. Similar constraints govern in the cyberworld. Hoglund recognizes this. He concedes that risks in the offensive approach have to be considered carefully.
HOGLUND: This is completely new territory, so a lot of thinking needs to occur around this. Something will change. It will take its time, but we will see something come out, both from an aspect of what you can do from a self-defense as well as what kind of policies will be changed to make it so that the attackers will suffer.
GJELTEN: Hoglund and other advocates of a harder line against cyber-attackers are unlikely to be satisfied by yesterday's executive order. The order requires federal agencies to alert private companies to cyber-threats, but it maintains the focus on defense. Companies with critical infrastructure assets like power plants are asked to follow security standards worked out jointly by government and industry. Tom Gjelten, NPR News.