SAN FRANCISCO — Federal agencies and companies have been slow to adopt what experts call active cyber defense: tools and techniques that let them monitor their networks and disrupt an attacker in real time.
One reason is that legal frameworks governing how companies and some agencies can respond to cyber attacks, and how far they can go to thwart an attacker’s operations or retrieve stolen data, are unclear, industry experts said at an RSA conference panel Wednesday.
“This is the heart of the cybersecurity industry right now,” said Steven Chabinsky, senior vice president of legal affairs and chief risk officer at CrowdStrike.
“There are some times where law enforcement and the courts cannot act quickly enough for you, [or] there will be irreparable harm, [and] trade secrets will be gone,” he said.
In the physical world, it’s socially acceptable and even encouraged for bystanders to detain a thief or an attacker until law enforcement arrives, Chabinsky said. The legal community is trying to determine how this translates into the cyber realm. How should companies then coordinate with the government to hand off those duties?
“The government is going to recognize that it will start to rely on the private sector to stabilize the situation, to restrain with restraint,” Chabinsky said of responding to cyber attacks. “That’s where the law is going to develop, and it’s not happening soon enough.”
Chabinsky stressed there is no room for revenge, vigilantism or retaliation on the part of industry. “It’s stability,” he said. “You’re stabilizing a situation until, and only up until, government processes can take over.”
Companies and governments operating within their own networks have the ability to engage attackers and manipulate them to do anything, similar to disarming a criminal in the physical world, Chabinsky said.
In the cyber world, that could include feeding the attacker misinformation or using tools and techniques to slow them down, he said.
“In your own network, you should be good to go,” said George Kurtz, president and CEO of CrowdStrike.
That’s where active defense comes in.
Kurtz defined active defense as a strategy that can apply to both government and commercial entities. It involves the ability to identify attacks and intrusions in real time, which requires organizations to invest in more sophisticated software and monitoring tools that go beyond antivirus.
Harder, but not impossible, is attributing those attacks to a specific group, Kurtz said. That attribution lets an organization assess what information the group is likely after.