This week, IT security firm Kaspersky revealed that over 100 banks had been hacked across some 30 countries. The attackers, who had been at it for at least two years, made off with up to $1bn, the firm said, adding that criminals were now attacking banks directly rather than stealing from the banks' customers. Some banks are reportedly so fed up with the sustained campaigns against them that they want to take matters into their own hands and strike back at the attackers directly. But is this a good idea?
Banks have been lobbying quietly for permission to do this for a while. In January 2013, US banks reportedly met privately with regulators in New York and asked for permission to hack back against the people attacking their systems. The idea was dismissed, but more recently the FBI has investigated banks to establish whether they were in fact involved in taking down attackers' servers.
There are several arguments against counter-hacking.
The first is the small matter of legality. Under current laws, such as Britain's Computer Misuse Act 1990, it is an offence to access a computer without authorisation, and there is no exception for doing so in retaliation. In Canada, section 342.1 of the Criminal Code (unauthorized use of a computer) does broadly the same thing.
The second is attribution. Even if companies succeeded in lobbying for a change in the law, tying an attack to a specific party is notoriously difficult. A competent attacker is likely to compromise someone else's computer first and launch the attack from that machine, possibly through several such hops. If you strike back at the machine the traffic came from, you are hitting an innocent third party whose system was itself compromised, while the real attacker is untouched.
The third issue is collateral damage. If you launch attacks against a machine, or even probe it to find out more about it, you can cause damage, intended or not. If that machine happens to be an important component of someone's national infrastructure, or is merely connected to something else that is, then you can cause serious problems for people who had nothing to do with the original attack.
That leaves companies with little choice but to remain on the defensive. The problem, of course, is that an attacker only has to succeed once, whereas the defender has to succeed every time.
The security requirements for financial institutions in Canada are relatively low. The Canadian banking regulator, the Office of the Superintendent of Financial Institutions (OSFI), has labelled cybersecurity a focal point. Yet OSFI's main tool appears to be a security self-assessment that is entirely voluntary and is not audited by any third party. The regulator has said that it does not plan to establish specific guidance for the control and management of cyber risk.
Perhaps information sharing could help here. Companies in the same sector could bolster their security by exchanging data about attacks and warning each other about new threats. In the US, FS-ISAC (the Financial Services Information Sharing and Analysis Center) is one of several information-sharing groups established for exactly that purpose, and some of them also deal with Canadian companies, even if indirectly.
If companies are not allowed to hack back, and if it would be technically ill-advised for them to do so, then the emphasis must surely be on building multiple layers of defence and on sharing threat information with their peers. But with banks the world over smarting from a collective $1bn loss, it looks like a losing battle.