
Mitigating Cyber-Attacks by Destructively Counter-Striking against Attackers - Literature review Example

Summary
The objective of this paper "Mitigating Cyber-Attacks by Destructively Counter-Striking against Attackers" is to demonstrate why private companies and governments can mitigate a cyber-attack by destructively counter-striking against attackers. …

Extract of sample "Mitigating Cyber-Attacks by Destructively Counter-Striking against Attackers"

Mitigating Cyber-Attacks by Destructively Counter-Striking Against Attackers

Introduction

Lobby groups together with IT security professionals are calling for new regulations that would allow private companies to counter-strike or retaliate effectively against cyber attackers. Hacking back is deemed the most suitable way for governments and companies to mitigate cyber-attacks, since the existing measures have proven to be unproductive. The proponents of counter-strikes emphasise that allowing companies to hack back would reduce the risk of being attacked repeatedly and also make it possible to protect their key intellectual property (IP). Many private companies, especially in America, have implemented new cyber defence technology with the aim of upgrading conventional cyber protection systems. Besides that, these companies have developed more aggressive strategies to reduce cyber attacks. Active defence, also referred to as ‘counter-strikes’ or ‘hack back’, is the process of reverse engineering the cyber attackers’ efforts with the goal of stopping or reducing cyber crimes through identification of attacks against the system as well as their origin. Counter-strikes are considered aggressive defensive actions, like getting back what has been stolen. The objective of this piece is to demonstrate why private companies and governments can mitigate a cyber-attack by destructively counter-striking against attackers. The mitigative counter-strikes should entail liability rules for protecting third parties in case the process of hacking back harms a party other than the targeted attacker. This study will also demonstrate why counter-strike is a proactive policy for helping insulate critical services from damage and mitigate harm from potential attacks.
Analysis

Given that counter-strikes are by nature similar to hacking, Tang (2015) posits that the public is yet to agree on their legality. The legality of active defence relies on the exigency of the circumstances, but proponents maintain that it is sufficiently justified as long as the users have proper intent. On the other hand, opponents maintain that counter-strikes are not only an infringement of law but also morally and legally wrong. The majority of opponents argue that active defence without clear restrictions can lead to huge risks of misunderstanding or misattribution. Tang (2015) emphasises that the challenges associated with differentiating aggressive counter-strikes from actual hacking could result in serious legal issues. However, this is not the case in the modern business world, where demand for highly developed cyber protection technologies and a secure cyber environment has increased tremendously. A number of commentators, as cited by Tang (2015), have emphasised that active defence has to be espoused as a means of preventing cyber attacks, considering that private companies are not receiving adequate help from their respective governments. While the government has failed to protect private individuals and companies from ever-increasing cyber attacks, the private sector is justified in taking action. A number of private organisations have implemented self-help strategies, but the government has still not offered clear guidance regarding these strategies. Therefore, such actions could become risky. In their study, Kesan and Hayes (2011) observed that the weaknesses of other techniques used to address cyber attacks have necessitated the use of counter-strikes as a means of responding to, as well as mitigating, the harm brought about by cyber attacks.
According to Kesan and Hayes (2011), the growing gap between cyber attack capabilities and passive defence capabilities has created the need for using active defence systems to address such issues. Whereas some consider counter-strikes as offensive actions for neutralising a looming threat, Kesan and Hayes (2011) consider them as the start of the detection stage. Active defence involves three different forms of technology: counter-strike, traceback, and IDS capabilities. In this case, counter-strikes entail some means of transmitting data back at the cyber attacker with the aim of disrupting the attack. As mentioned by Kesan and Hayes (2011), counter-strikes have been utilised for many years not only by the government but also by private actors. The mitigative counter-striking technology needs some regulations that would offer guidelines on how companies or government agencies can detect, trace, and destructively counter-strike the attacker. The United States’ government is currently utilising STRATCOM, whose objective is to neutralise all cyber threats that could put the effectiveness of DOD missions at risk. For instance, when a DOD system is hit by a DDoS attack through a botnet, the neutralisation responses could possibly involve conquering the botnet by hacking the botnet controller or compromising the botnet controller by sending a DoS attack. Although the majority of U.S. counter-striking capabilities are classified, private individuals or companies can use software to send destructive viruses to a cyber attacker. The private sector is likely to counter-strike when the cost of counter-striking is below the benefits achieved from neutralising the incoming attack. Counter-strikes have successfully been utilised to address worms such as the Code Red worm, the Nimda worm and the Conficker worm, as well as botnets such as the Kraken botnet, which is utilised for the dissemination of spam.
As pointed out by Lu, Xu, and Yi (2013), the active cyber defence concept is not entirely new, since a number of researchers had previously proposed the idea of utilising the defender’s ‘benign’ or ‘white’ worms to mitigate the malware sent by cyber attackers. In fact, a counter-strike occurred when the Welchia worm was utilised to ‘kill’ the Blaster worm on the affected computers. A number of governments, such as the British government, as mentioned by Paganini (2016), have publicised ‘counter-strike’ as part of their active defence strategy. British experts argue that the ‘old legacy information technology systems’ utilised by the majority of companies in the United Kingdom can be targeted easily by cyber attackers, thus leading to serious problems. For this reason, the British government announced that it plans to strike back against actors (either individuals or states) that try to attack its critical national infrastructure. In late 2016, a £1.9bn package for cyber defence was unveiled by Chancellor Philip Hammond with the aim of curbing cyber threats (Paganini, 2016). This was part of the U.K.’s five-year strategy for reducing the effects of cyber-attacks as well as improving security standards in both the private and public sectors. Another country that has followed the U.K.’s path towards a counter-strike strategy is China, which plans to freeze all assets of foreign attackers threatening the country’s critical infrastructure. For this reason, a new Cyber Security Law was passed and would come into effect on 1st June 2017. As mentioned by Smeenk, Wang, Veldhoen, Brink, and Arnbak (2017), the new law focuses exclusively on cyber security and introduces unparalleled regulation of data security and data protection practices. Data localisation (domestic data storage) has become compulsory under this law, which also allows for assessments of data security that could result in the sharing of private information.
In the near future, full-fledged active defence against cyber attacks, according to Xu, Lu, and Li (2015), is seemingly inevitable. For that reason, it has become imperative to characterise the effectiveness of active cyber defence in a systematic way. The present cyber defences are based on reactive tools that have continually failed to mitigate the menace of cyber attacks. Nowadays, it is more difficult to clean a compromised or infected computer, even using numerous anti-malware tools combined. While the effect of cyber attacks is amplified automatically by network connectivity, the effect of reactive defences remains the same. These shortcomings can be eliminated by adopting active cyber defence because it utilises the same mechanisms as the attackers (Zheng, Lu, & Xu, 2015). A number of studies, such as Iasiello (2014), maintain that counter-strikes cannot prevent the majority of malicious activities in cyberspace. The author emphasises that the counter-attacks should be destructive in order for displeasure to be communicated to the attacker while making sure that equal damage has been inflicted. However, the author fails to consider the fact that governments have been unable to halt cyber attacks using the existing tools; therefore, private companies and individual computer users should be allowed to protect their networks and their data through counter-strikes. As mentioned by Rabkin and Rabkin (2016), counter-strikes could be effective if governments approve the adoption of self-defence strategies by private companies. Early in 2010, Google disclosed that a cyber terror group known as the Elderwood Gang had infiltrated not only its network but also those of nearly thirty other companies in the US. Google traced the attack, dubbed ‘Operation Aurora’, to the servers of two educational institutions in China (Messerschmidt, 2013). Google not only traced where the attack came from; it hacked back and got evidence indicating that the Chinese government was possibly involved in the attack.
Although the disclosure by Google raised some eyebrows, it is evident that private companies have resorted to self-help measures to counter cyber intrusions. Governments like that of the US started using the counter-strike policy many years ago; for instance, when the Pentagon was attacked by a hacktivist group in 1998, the US government responded swiftly by crashing the attackers’ network. The U.S. Strategic Command (STRATCOM) has been given authority by the federal government to neutralise all cyber threats which could affect the mission of the Department of Defence (DOD) (Messerschmidt, 2013). The private sector is increasingly adopting active defence to counter serious threats. Symbiot, for instance, introduced in 2004 the first cyber security solution which could both plan and execute suitable counter-measures against cyber attacks. Symbiot offered numerous models like hackbacks, which enable companies to access, destroy, or disable the hacker's assets by taking advantage of the attacker's system vulnerabilities. The models offered disproportionate and retaliatory counterstrikes. As pointed out by Levy (2016), the majority of active defence measures focus on generating valuable data which could enable governments and private companies to clearly understand the reality of cyber attacks as well as the effectiveness of different defences used in the past. Active defence provides various counter-measures, such as flooding the attackers’ computers with data as well as destroying their networks. The DOD in the U.S. purportedly uses active defence to protect, detect, analyse, monitor, and respond to attacks in its computer networks and information systems (Condron, 2007). Governments, according to Marmon (2009), have started mobilising their powers and resources for cyber warfare. These days, governments have started actively harnessing ‘hacker assets’ to national power with the aim of protecting their critical assets.
In so doing, they have fielded a counter-strike capacity which could strengthen the deterrence of cyber attacks. Raymond, Nojeim, and Brill (2015) respond to opponents of counter-strikes by arguing that allowing private actors to use countermeasures cannot lead to attribution, since many of the actors in the private sector cannot access the complex attribution information and tools accessible to governments. Therefore, private actors are less likely to adequately attribute attacks as well as bring forth collateral damage. Counter-strikes have been supported by many government-funded reports; for instance, the U.S. House Foreign Affairs Committee, while holding a hearing on cyber war, heard a lament from the country’s intelligence chiefs about the poor cyber-deterrence strategy at the national level. The chairman of the committee, Ed Royce, stressed that the U.S. should strike back at cyber attackers rather than taking one body blow after another (Noble, 2015). According to Noble (2015), the US should respond swiftly by acting rather than making credible threats. The author emphasises that the US should emulate countries like Russia, France, the UK, and Israel that have publicly demonstrated their preparedness to strike back whenever attacked by cyber criminals. A number of experts, such as Juan Zarate (the former Deputy Assistant to the US President), as cited by Tung (2013), believe that the U.S. government should allow private actors to strike back against cyber attacks in order to curb the increasing threats against the country’s businesses. Zarate maintains that the options available to the majority of businesses in the US to defend their IP networks are limited; therefore, the US government should come up with more ‘aggressive’ capabilities that would help discourage cyber attacks (Lohrmann, 2016).
These sentiments were echoed by James Clapper, the Director of National Intelligence, who lamented that the lack of a clear cyber deterrence policy in the U.S. allows hackers to continue intimidating the country (Lyngaas, 2015). CrowdStrike’s chief risk officer (CRO), Steven Chabinsky, argues that rather than concentrating on fixing vulnerabilities, private companies should focus their efforts on deterring threats through counter-strikes (Gross, 2015). According to Ravich (2015), governments have continually focused on case-specific and reactive approaches towards cyber attacks. This has left financial systems vulnerable and financial institutions frustrated and unable to defend their systems. The government is offering less support to these institutions, thus necessitating the adoption of self-defence strategies such as counter-strikes. This is evidenced by senior banking officials lobbying for counter-strikes during the 2015 World Economic Forum. The senior banking officials expressed their frustration at never-ending cyber attacks on their web sites and data systems (Bradbury, 2015). As indicated in Hutchinson’s (2013) article, the IP Commission in the U.S. asked the US government to make counter-strikes against attackers legal. This was attributed to the fact that the US government had failed to curb the attacks. The IP Commission argued that if counter-strikes against hackers were legalised, companies could utilise various methods that could severely damage the attackers’ capability. They further argued that counterattacks could consequently increase the cost of hacking or attacking, thus deterring attackers. Given that cyberterrorism, cybercrime, and cyberwarfare threats have increased, Homeland Security News Wire (2011) points out that an active self-defence regime could be the most effective strategy to counter cyber attacks.
In Australia, counter-strikes against another country’s infrastructure or a private computer are not accepted. Therefore, all retaliatory attacks against cyber terrorists or criminals have to be justified as either permissible under the legislation or as an act of self-defence. With a view to retaliation or use of force, the U.N. Convention allows a country to counter-strike against a cyber attack on critical infrastructures (Georgiades, Caelli, Christensen, & Duncan, 2013). For this reason, a number of countries like the U.S. have militarised how they respond to cyber-attacks. This is normally performed through the country’s Cyber Command (USCYBERCOM), which brings together the armed forces’ cyber components into a unified command. According to European Parliament (2011), USCYBERCOM is the world’s biggest cyber-defence organisation. As mentioned by Kesan and Hayes (2011), overreliance on technology and the weakness of passive defence techniques have created a need for a proactive policy that would help mitigate harm as well as insulate critical services from damage caused by cyber attacks. Therefore, critical services can be protected by undertaking active defence measures like blocking traffic, tracing the packet and instituting legal actions for seizing attackers’ computers (Goodman, Hassebroek, & Klein, 2003). General Keith Alexander, the head of USCYBERCOM, maintained that the traditional measures against cyber intrusions are not adequate; therefore, an active cyber defence approach has become more urgent than before (Yağlı & Dal, 2014).

Conclusion

In conclusion, this piece has demonstrated why private companies and governments can mitigate a cyber-attack by destructively counter-striking against attackers. The study has also demonstrated why counter-strike is a proactive policy for helping insulate critical services from damage and mitigate harm from potential attacks.
Although many private organisations have implemented self-help strategies, there is no clear guidance regarding these strategies. Counterattacks could consequently increase the cost of hacking or attacking, thus deterring cyber attackers. Given that cyber crime threats have increased, an active self-defence regime has turned out to be the most effective strategy to counter cyber attacks. The present cyber-attack situation is threatening; therefore, counter-strikes are a more effective technique that can help companies and governments protect themselves from cyber attackers. Given that attackers are advancing their techniques, governments should legally solidify counter-strikes in cyberspace and also come up with measures to protect the rights of third parties that could be harmed unintentionally by the mitigative counterstrikes.

References

Bradbury D (2015) Should we hack the hackers? The Guardian, Available from: https://www.theguardian.com/technology/2015/mar/09/cybercrime-should-we-hack-the-hackers (accessed 18 May 2017).
Condron SM (2007) Getting It Right: Protecting American Critical Infrastructure in Cyberspace. Harvard Journal of Law & Technology 20: 401-422.
European Parliament (2011) Cyber defence in the EU Preparing for cyber warfare? Brussels: European Parliamentary Research Service.
Georgiades E, Caelli W, Christensen S, and Duncan W (2013) Crisis on Impact: Responding to Cyber Attacks on Critical Information Infrastructures. The Journal of Information Technology & Privacy Law 31: 31-66.
Goodman SE, Hassebroek P, and Klein H (2003) Network security: Protecting our critical infrastructures. Atlanta, Georgia: Visions of the Information Society.
Gross G (2015) Counterterrorism expert says it's time to give companies offensive cyber capabilities. PCWorld, Available from: http://www.pcworld.com/article/2956112/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html (accessed 18 May 2017).
Homeland Security News Wire (2011) Active cyber-defence strategy best deterrent against cyber-attacks | Homeland Security News Wire. Homelandsecuritynewswire.com, Available from: http://www.homelandsecuritynewswire.com/active-cyber-defense-strategy-best-deterrent-against-cyber-attacks (accessed 18 May 2017).
Hutchinson J (2013) Companies should ‘hack back’ at cyber attackers: security experts. Financial Review, Available from: http://www.afr.com/technology/enterprise-it/companies-should-hack-back-at-cyber-attackers-security-experts-20130527-j0rqm (accessed 18 May 2017).
Iasiello E (2014) Hacking Back: Not the Right Solution. Parameters 44: 105-114.
Kesan JP and Hayes CM (2011) Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace. Harvard Journal of Law and Technology 429: 1-94.
Levy I (2016) Active Cyber Defence - tackling cyber attacks on the UK. National Cyber Security Centre, Available from: https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk (accessed 18 May 2017).
Lohrmann D (2016) Can 'Hacking Back' Be An Effective Cyber Answer? Govtech.com, Available from: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/can-hacking-back-be-an-effective-cyber-answer.html (accessed 18 May 2017).
Lu W, Xu S, and Yi X (2013) Optimizing Active Cyber Defense. 4th International Conference on Decision and Game Theory for Security. New York: Springer, 206-225.
Lyngaas S (2015) Intel chiefs say cyber norms, deterrence strategy still elusive. FCW, Available from: https://fcw.com/articles/2015/09/10/intel-cyber-norms.aspx (accessed 18 May 2017).
Marmon W (2009) MAIN CYBER THREATS NOW COMING FROM GOVERNMENTS AS “STATE ACTORS”. European Institute, Available from: https://www.europeaninstitute.org/index.php/136-european-affairs/ea-november-2011/1464-main-cyber-threats-now-coming-from-governments-as-state-actors (accessed 18 May 2017).
Messerschmidt J (2013) Hackback: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm. Columbia Journal of Transnational Law 52: 275-324.
Noble Z (2015) Time to consider the 'hack-back' strategy? FCW, Available from: https://fcw.com/articles/2015/09/30/hack-back-strategy.aspx (accessed 18 May 2017).
Paganini P (2016) Hacking Back: Exploring a new option of cyber defense. InfoSec Resources, Available from: http://resources.infosecinstitute.com/hacking-back-exploring-a-new-option-of-cyber-defense/ (accessed 18 May 2017).
Rabkin J, and Rabkin A (2016) Hacking Back Without Cracking Up. Lawfare, Available from: https://www.lawfareblog.com/hacking-back-without-cracking-0 (accessed 18 May 2017).
Ravich SF (2015) Cyber-Enabled Economic Warfare: An Evolving Challenge. Washington, D.C.: Hudson Institute.
Raymond M, Nojeim G, and Brill A (2015) Private Sector Hack-Backs and the Law of Unintended Consequences. Center for Democracy & Technology, Available from: https://cdt.org/insight/private-sector-hack-backs-and-the-law-of-unintended-consequences/ (accessed 18 May 2017).
Smeenk G, Wang J, Veldhoen D, Brink R, and Arnbak A (2017) China: China's New Cybersecurity Law Effective As Of 1 June 2017. Mondaq, Available from: http://www.mondaq.com/china/x/595440/Security/Chinas+New+Cybersecurity+Law+Effective+As+Of+1+June+2017 (accessed 18 May 2017).
Tang A (2015) Hacking Back against Cyber Attacks. Chicago Policy Review, Available from: http://chicagopolicyreview.org/2015/07/21/hacking-back-against-cyber-attacks/ (accessed 18 May 2017).
Tung L (2013) Is hacking in self-defence legal? The Sydney Morning Herald, Available from: http://www.smh.com.au/it-pro/security-it/is-hacking-in-selfdefence-legal-20130927-hv1u8.html (accessed 18 May 2017).
Xu S, Lu W, and Li H (2015) A Stochastic Model of Active Cyber Defense Dynamics. Internet Mathematics, 11: 23–61.
Yağlı S, and Dal S (2014) Active Cyber Defense within the Concept of NATO’s Protection of Critical Infrastructures. International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering 8: 909-913.
Zheng R, Lu W, and Xu S (2015) Active Cyber Defense Dynamics Exhibiting Rich Phenomena. Proceeding HotSoS '15 Proceedings of the 2015 Symposium and Bootcamp on the Science of Security. New York, NY: ACM, 1-12.