Frustrated by their inability to stem an onslaught of computer hackers, some companies are considering adopting the standards of the Wild West to fight back against online bandits.
In taking an eye-for-an-eye approach, some of the companies that have been attacked are looking at retaliating against the attackers, covertly shutting down computers behind the assaults or even spreading a new virus to stymie the hackers.
Such retaliation is illegal in the United States, but companies see it as a way to curtail the breaches, particularly if the attack is originating from another country, where the legality of retaliatory attacks is unclear.
Companies also view counterattacking as a way to bypass U.S. authorities, avoiding publicly admitting that they’ve been attacked and exposing themselves to lawsuits from loss of confidential data or service disruptions.
Many companies that have publicly acknowledged costly breaches declined to say whether they retaliated or considered hacking back, and no company was willing to talk about the issue out of fear of additional attacks.
But analysts say hacking back has become part of a serious debate among companies, lawmakers and cyber-security experts.
“From a technical perspective, it’s not that challenging,” said Alex Harvey, a security strategist for the security solutions provider Fortinet. “Breaking in and shutting them down isn’t hard, but a new one will just pop. You’ll get a couple of minutes of peace and quiet.”
Security platform provider FireEye says a single organization is targeted by malware about every three minutes. From detection to damage control, the average company of more than 1,000 workers spends nearly $9 million annually on cybersecurity, according a survey last year by the independent Ponemon Institute.
In a recent report about combating intellectual property theft, a private commission led by former U.S. Ambassador to China Jon Huntsman Jr. and former Director of National Intelligence Dennis Blair called for “informed deliberations” about whether corporations and individuals should have more flexibility to defend intrusions.