When the cybersecurity firm Mandiant detected Chinese hackers were infiltrating networks of their clients sometime around 2013, the company did not stand idly by, according to a new book by David Sanger.
In “The Perfect Weapon,” released June 19, the national security correspondent at The New York Times describes how Mandiant’s investigators “reached back through the network to activate the cameras on the hackers’ own laptops.”
Sitting with the Mandiant investigators, Sanger watched how the Chinese hackers “carried on like a lot of young guys around the world.” They wore leather jackets, Sanger wrote. They checked sports scores. They watched porn.
The book has sparked a minor dust-up after FireEye, which is now the owner of Mandiant, denied the account. The company said in a June 25 statement that it “did not employ ‘hack back’ techniques and does not endorse the practice of ‘hacking back.’” It said Sanger saw videos of “consensual security monitoring.”
Sanger told Fifth Domain in an email that Mandiant’s description “wasn’t my understanding at the time,” but said it was a reasonable explanation for how the company identified the individuals.
But the episode has added to a long-running debate regarding whether a company should be able to retaliate in cyberspace. In a field that is at times notably uniform in thought, the “hack back” question evokes notable disagreement. In general, technical experts interviewed by Fifth Domain argued that attributing an attack to a perpetrator was fraught with risk, while policy experts argued that the status quo was not working.
“Go to that server and take that god damn stuff back,” said Stewart Baker, the former general counsel at the National Security Agency and assistant secretary at the Department of Homeland Security. He said that a “free fire zone” for companies is not viable, but argued firms should have the right to investigate an attack. When asked if he was worried about not properly attributing a digital infiltration, Baker was resolute: “Give me a break. These guys just took data from your system … how hard is attribution?”
Others cautioned that attribution was not straightforward, arguing the identity of a hacker can be hidden behind a complex maze of users.
“It’s almost like they discuss it as a simple thing, that the cybersecurity community can do attribution easily and rapidly,” said John Harbaugh, chief operating officer at root9B, a cybersecurity firm. Harbaugh said that few commercial firms have the resources, the data and the people to properly retaliate against a digital infiltration.
“How do you know that it is the right target and you are not being tricked?” Harbaugh, who is a former intelligence official, asked.
The 1986 Computer Fraud and Abuse Act bans unauthorized access to another computer. The law makes “hack back” a likely crime.
But Rep. Tom Graves, R-Ga., told Fifth Domain that “active defense” should be allowed. He proposed legislation last year for private citizens and companies to defend against a cyberattack, calling it an “America first cybersecurity policy.” It remains in Congress.
“We need to define the rules of the road so there is a responsible way to defend against cyberattacks,” Graves said. “We are trying to clear up the grey area.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.