In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.
Some emboldened user organizations are answering "yes." They are striking back against hackers, sometimes with military efficiency and intensity, in an effort to protect their self-interests. In the process, they are fueling a debate over what is legal and ethical in terms of corporate vigilantism.
One end of the opinion spectrum says law enforcement agencies are generally not up to the task, so corporations have a fiduciary responsibility to protect their interests. The only question for these companies is how far they are willing to go. Will they break laws, and if so, which ones?
The opposite view is corporate vigilantism is wrong: Taking the law into one's own hands only makes things worse.
The First Vigilante Corp.
Lou Cipher (a pseudonym of his choice) is a senior security manager at one of the country's largest financial institutions. "There's not a chance in hell of us going to law enforcement with a hacker incident," he says. "They can't be trusted to do anything about it, so it's up to us to protect ourselves."
Cipher's firm has taken self-protection to the extreme. "We have the right to self-help - and yes, it's vigilantism," he says. "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves."
Cipher says his group has management approval to do "whatever it takes" to protect his firm's corporate network and its assets.
"We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?' " On one occasion, he says: "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone."
A senior vice president of security at a major global financial firm speaks of the matter in military terms. He equates a hacker intrusion to a "first strike," and says defense is an appropriate response. "If you use measures to restore your services, that's defense, not offense," he says. When asked how far his company goes, he concedes only, "I am willing to defend myself."
In interviews with dozens of companies, a surprising number are seriously considering implementing "strike-back" capabilities. However, when asked, most companies would not admit they have already taken such steps.
Bruce Lobree, an internal security consultant at a major financial institution, is cautious about admitting his firm uses vigilante activities and strike-back techniques. He says with a smile, "I can't answer yes or no. That's proprietary. Besides, legally we can't. But I can tell you that everything that occurs at our network perimeter and inside our networks is recorded."
A recent study, "Corporate America's Competitive Edge," conducted by Warroom Research, a competitive intelligence firm in Annapolis, Md., shows that 32% of the 320 surveyed Fortune 500 companies have installed counteroffensive software. Warroom President Mark Gembecki notes that not every company will send out thugs to enforce their firewall policies. Cyber-response is OK, he says, but Cipher's physical retaliation is "a clear and overt violation of civil rights."
Such extreme counteroffensive methods raise the hackle of even the staunchest corporate information warrior. Lloyd Reese, program manager of information assurance for Troy Systems, a technical support company in Fairfax, Va., has a criminal justice background and says physical response is illegal and "doomed to failure." Such responses will only invite further attacks - perhaps even more intense, he says. "Companies need to follow the appropriate legal process. We already have chaos on the Internet, why should we make it worse?"
Joseph Broghamer, information assurance lead for the U.S. Navy's Office of the Chief Information Officer, goes further, saying even the Pentagon shouldn't have done what it did. "Offensive information warfare is not a good thing . . . period. You want to block, not punish," he says. "There is no technical reason to react offensively to a hacker attack." His opinion is shared by precious few.
As part of its information security practice, Ernst & Young has been asked about strike-back capabilities and how hostile perimeters might be used for defense. Dan Woolley, national leader of market development for the firm, says he knows of "companies in finance, insurance and manufacturing that are developing and deploying the capability to aggressively defend their networks." He is quick to point out, however, "We don't do it for ourselves even though we are attacked regularly."
The questions security software vendors and consultancies like Ernst & Young are now grappling with are wrenching: Should they develop offensive software, offer it to their clients, deploy it and support it? And if so, how open should they be about it?
How they do it
It's easy to understand why companies are interested in the idea of corporate vigilantism. Even the best layers of defense - firewalls, passwords and access control lists - can't work alone for many reasons. Among them:
Network topology, users and software are constantly changing. There is no way to keep up.
New vulnerabilities are found - and exploited - daily.
A small number of individuals with little technical skill can launch massive online attacks.
Once an attack is detected, corporate vigilantes have various methods of evening the score.
The Navy's Broghamer argues that sometimes the best response to an attack is to shut down the network connection altogether, although he acknowledges the Navy is not as sensitive to uptime and customer perception as the private sector.
Another approach is to send a strongly worded message to the source IP address or to an ISP in the path. Traceroute is a tool that can identify source IP addresses. But you have to get the assistance of ISPs down the line to trace additional hops on the Internet, because each hop has to be covered in order to find the real source. That's all legal, but you may need to pressure the ISP into working with you quickly to identify the next hop in the chain. Once you collect this data, it can be handed over to law enforcement officials - who may or may not react.
In 1994, Secure Computing, a security vendor in Roseville, Minn., introduced Sidewinder, a novel firewall with strike-back capabilities. If it senses an attack, it launches a daemon that will trigger the offensive techniques of your choice. Other companies indicate they will soon be offering a range of strike-back products.
A company crosses the line when it responds by unleashing a denial-of-service attack against an intruder, as the Pentagon did. This can be done via massive e-mail spamming, the Ping of Death and hostile Java applets.
No matter what offensive mechanism you choose, the trick is to identify the culprit before returning fire. Should you fail to recognize that the attacker spoofed the identity of another company, you may find yourself attacking J.C. Penney, NBC or General Motors. Innocent companies would not take kindly to that sort of activity - no matter the reason - and ISPs don't appreciate being the vehicle for Internet-based attacks.
Indeed, one of the big dangers with corporate vigilantism is how easy it is to overreact to an apparent attack. In spring 1997, one of the Big Six accounting firms used scanning tools from Internet Security Systems (ISS) to assess the security of a major ISP that controlled a huge amount of Internet traffic. When a network administrator on duty at the ISP noticed a thousand simultaneous connections to his firewall, he reacted quickly and shut down several routers. "His manual reaction took down 75% of the Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that time was in a world of hurt."
Even those with a strong inclination for vigilantism note that counteroffensive responses are fraught with danger. "Talk to your lawyers," Troy Systems' Reese advises. "Keep in mind that your strike back has to go through a long path, and you might do damage at any place along the way." Retribution can cause a hair-trigger response that could cause damage to systems in the path from you to the attacker.
"You really have to understand what you're doing," says Ray Kaplan, a senior information security consultant with Secure Computing. "Your first response might invite further attack, exactly the opposite of what you intended. You have to consider your firm's public relations posture and how the Internet community as a whole will react to your actions."
Don't ask, don't tell
As for how law enforcement will view vigilantism, the answer from many companies is a resounding, "Who cares?"
Vigilantism is emerging as a response to the intense frustration people feel with law enforcement authorities they view as simply not up to snuff. Complaints from top firms in the U.S. range from downright ineffectiveness ("clueless" is an oft-repeated word) to a lack of staff, lack of funding, courts that are too crowded with cases and the snail-like speed at which typical law enforcement investigations run.
"One reason you see vigilantism is because law enforcement doesn't get the job done," says Fred Cohen, president of Fred Cohen and Associates and principal scientist at Sandia National Laboratories. "Law enforcement might investigate if you have a lot of political clout and you do all of the leg work."
Companies are also fearful of what might happen if they do bring in law enforcement. "It's a hell of a situation when victim companies are more fearful of the FBI than they are of the attackers," says Michael Vlahos, senior fellow at the U.S. Internet Council. He echoes the worry that sensitive corporate information will not be protected if handed over to law enforcement.
"Law enforcement is helpless," ISS's Noonan maintains. "It's not like Israeli fighters who train every day for every contingency. Conventional law enforcement just can't match the skills needed. Besides, you can't trust law enforcement to keep your secrets from becoming public knowledge."
Predictably, law enforcement does not favor the vigilante view - at least publicly. "If someone were to attack us, we are not encouraged to swat back," says Lt. Chris Malinowski of the New York Police Department, who specializes in cybercrime. "If companies take any of these proactive defensive steps, they are taking a big chance, subject to criminal prosecution."
Dave Green, deputy chief of the Computer Crimes and Intellectual Property Section for the U.S. Department of Justice, says he relates to the frustration over law enforcement's inability to respond, but adds that his department can only recommend protective measures. Yet he stops short of advising against corporate vigilantism outright. When asked if companies should hack back at attackers, Green responds, "no comment," as he does to questions as to what could legally be considered an attack. "But I can say that law enforcement is gearing up and is much better equipped to deal with cybercrime," he adds.
When they are not speaking for attribution, law enforcement authorities of all stripes go further than Green. Local police, state police, the FBI, Secret Service, Interpol and Scotland Yard members all say the same thing - unofficially: "We can't handle the problem. It's too big. If you take care of things yourself, we will look in the other direction. Just be careful."
Security consultant Lobree seems to understand the police mentality and applies the red light theory to cybervigilantism. "Suppose it's the dead of night on a country road, and you come upon a stop light. You can see for miles in all directions. Are you going to run the light even knowing there is virtually no chance of being caught?" Some, perhaps most, won't, because they have an innate fear of being caught. Others will forge ahead. "A lot of companies recognize that the chance of getting caught in a vigilante cyberstrike is pretty darn low," he says.
It's your call
A number of sources suggest vigilantism might be a business opportunity for a firm that wants to specialize in counteroffensive network security. "In the 1860s, law enforcement was conducted by Pinkerton, a private company," Vlahos says. Many suggest that privatization should be the case in the cyberworld as well. The kind of offensive network security products needed to make it happen are starting to find their way into corporate tool kits and onto the Internet.
But the legal challenges that coexist with hostile perimeters and counteroffensive measures are daunting. The astute company will examine every aspect of its posture before marching down
the slippery slope of vigilantism. Sometimes the best defense is not to overreact. In the worst case, do nothing until a proper response can be developed.
Vlahos says courts may be the place to create new laws more attuned to the technology. "This is a whole new arena, and I don't know how we can explore it without trying new approaches, even if they are technically illegal."
Cipher, the baseball-bat-bearing vigilante, is all for new approaches. "Personal persuasion is always more effective than electronic persuasion," he says. "Personal persuasion virtually guarantees that a hacker will see the error of his ways, scamper to please and turn over a new leaf."
No matter what path you choose, make sure it is well thought out and that you have your legal ducks in a row. You just might need them.
Discuss the issues raised here.
Inside the Electronic Disturbance Theater's battle with the Pentagon.
Corporate Vigilantism Survey Results
More details from Schwartau's research into the topic.
Links and articles on various facets of network security, hackers and the like.
Schwartau is chief operating officer of The Security Experts, a global security consulting firm, and president of infowar.com. He can be contacted at winn@ infowar.com.