The Pentagon is gearing up for cyber-warfare. General Keith Alexander, commander of U.S. Cyber Command, testified in March that the Department of Defense "is conducting a coordinated, thorough review with the Joint Staff of existing standing rules of engagement on cyberspace. These revised standing rules of engagement should give us authorities we need to maximize pre-authorization of defense responses and empower activity at the lowest level." NATO's Cooperative Cyber Defence Centre of Excellence recently released its "Tallinn Manual," outlining how international law can be translated to cyber warfare. And, as Ellen Nakashima of the Washington Post reported last month, the Department of Defense may broaden its authority and ability to combat attacks not only on its own systems, but also against private computers, including infrastructure abroad.
This latter development is crucial -- after all, the private sector is critical to national security, intellectual property is a pillar of the American economy, and protecting citizens not only from physical but also virtual threats is a core function of government.
The problem is that the government is not the only one taking on cyber threats. Corporations, which have long worked to defend their networks from intrusion, are increasingly going on the offensive, turning from firewalls to retaliation. William J. Fallon, former commander of U.S. Pacific Command and U.S. Central Command, recently wrote about a survey of cybersecurity executives conducted by his firm, CounterTack, Inc.: "more than half [of the respondents] thought their companies would be well served by the ability to 'strike back' against their attackers." This raises important questions about cyber-warfare and the role of private companies. What happens when a corporation takes matters into its own hands? What if its attacks hit the wrong target, involve a foreign government, or lead to escalation? In short, what happens when corporations become cyberwarriors?
These are not theoretical questions. In January 2010, Google announced it had been hacked the previous month in an attack nicknamed Operation Aurora that was traced back to China. The hackers exploited a previously unknown vulnerability in Microsoft's Internet Explorer, routed the attack through servers at two Chinese educational institutions to hide their tracks, accessed Gmail accounts and -- more importantly -- stole Google's source code. When Google discovered the attack, "the company began a secret counteroffensive," according to the New York Times. "It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at least 33 other companies, including Adobe Systems, Northrop Grumman, and Juniper Networks." McAfee's George Kurtz wrote, "Like an army of mules withdrawing funds from an ATM, this malware had enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays."
Some in the field cheered Google's aggressive response, and some are following in its footsteps. Matt Buchanan at the technology blog Gizmodo commented, "It's pretty awesome: If you hack Google, they will hack your ass right back." The CounterTack survey found that 29 percent of participants felt that their "company would be well-served if it could proactively strike at the attackers' infrastructure to minimize threats" and an additional 25 percent said that their "company's data would be more secure if the company would strike back, but only if it were attacked first." In June, Reuters reported, "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action." At this year's Black Hat conference in Las Vegas in July, a poll of 181 participants revealed that 36 percent had already engaged in retaliatory hacking in the past, with 23 percent having hacked back once and 13 percent frequently. And Tim 'TK' Keanini from nCircle, which conducted the poll, thinks the real numbers are higher: "Retaliatory hacking is a huge topic at Black Hat this year, but we should take these survey results with a grain of salt.... It's safe to assume some respondents don't want to admit they use retaliatory tactics. It's very tempting to strike back out of anger and frustration."