"There may be law enforcement watching it," said Charles Shugg, a retired Air Force Brigadier General who once headed the U.S. Air Force Cyber Command, speaking yesterday on an RSA Conference panel on how far IT managers can go to "hack back" against network attackers they happen to detect. You might be stepping into something bigger than you know, because "an undercover agent may witness crimes taking place and not stop them in hopes of getting them," said Shugg.
It's just another wrinkle in the world of cybercrime that has invaded corporate networks, whether it's suspected Chinese spies stealing important intellectual property, remotely controlled botnets and cybercrooks from everywhere making off with whatever they can, or hacktivists out to score political points. Increasingly, IT managers want to strike back through electronic means against these invaders when their detection systems spot them. But can they counter-strike? U.S. law doesn't suggest that retaliation is much of an option, the RSA Conference panelists said.
For one thing, what looks like the attacker's lair may in reality be just another corporate network that has itself been compromised and is being used as a relay, so a counterstrike aimed at it would hit another victim rather than the attacker. An IT manager who wants to take decisive steps to stop an attack is proceeding into territory immediately dominated by legal and insurance considerations.
It would be a better world if IT managers could reach across corporate boundaries, tell one another about a perceived attack based on malware coming from the other's network, and quickly snuff it out. But that appears to be a rarity today; warnings from outsiders contacting companies are often ignored. Instead, it's the company lawyers who will be needed to try to resolve serious problems that seem to emanate from other corporate networks.
Serge Jorgensen, CTO at Sylint Group, a Sarasota, Fla., firm that provides incident response and remediation services, pointed out that one legal option would be seeking a temporary restraining order (TRO) from a judge against the entity from whose network the cyber-attack appears to originate.
"But what does that really allow you to do? Does that mean you have a legal right to go to their server to find the malware? No," said Jorgensen. So even after a judge issues the TRO, there's still no solution to the problem. It's just the legal train leaving the station, and what might follow are negotiations intended to actually solve the problem. But in today's world those negotiations could be fraught with worries over litigation and insurance, and that's when the meter starts ticking in terms of time and money. Issues of liability will surface, and the two parties could end up going after each other while the attacker makes off.