Big hack attack
The best defense against hacking isn’t a good offense. Computer break-ins have cost the likes of Citigroup, Sony and the International Monetary Fund millions of dollars in stolen data. Retaliation is tempting, but risky and probably illegal. Instead, law enforcement officials need sharper tactics like the FBI’s recent hacker sting.
The problem has grown so serious that victims are getting sued for not being vigilant enough. The U.S. Federal Trade Commission, for instance, accused Wyndham Worldwide in court last week of failing to beef up defenses following three data breaches that cost customers some $10.6 million.
But prevention is getting increasingly difficult, prompting some companies to launch counter-assaults. Facebook led the way in January, outing Russian hackers who reaped some $2 million by spreading the “Koobface” computer worm through social networks. Other companies are more aggressive, tagging sensitive data so they emit signals if stolen and even cracking into the networks of attackers to gather evidence.
The idea is to deter hackers by giving them a taste of their own medicine. Such strategies, however, are fraught with peril. Attacks are often launched from hijacked computers, and retaliation could end up hurting innocent third parties. It could also provoke attack escalations, creating a mutually assured cyber destruction of sorts
What’s more, the U.S. Computer Fraud and Abuse Act prohibits doing almost anything to an Internet-connected computer “without authorization.” That may include receiving signals from tagged data in a hacker’s network, and almost certainly includes retaliatory hacking. A victim trying self-defense in such a way could end up a convicted felon.
The law shouldn’t condone vigilantism, but it could reasonably allow limited counterattacks. Until that happens, though, it’s up to the cops on the beat to guard against illegal intrusions. Last week’s arrest of two dozen alleged hackers for credit-card fraud is an encouraging start, and suggests Manhattan prosecutors are serious about expanding the war on cybercrime.
But it will take a consistent flow of arrests and convictions to persuade cyber-thieves that hacking isn’t worth the risk. Until then, victims can’t be blamed for trying to take matters into their own hands.