Hacking the Hackers

The Los Angeles Times reports on a new online security company called CrowdStrike founded by the former chief technology officer at McAfee Inc., George Kurtz.  Also joining CrowdStrike is the former head of the FBI's Cyber Crimes Division, Shawn Henry.

CrowdStrike is at the forefront of a novel business model for cybersecurity, one that identifies sophisticated foreign attackers trying to steal U.S. intellectual property and uses the attackers' own techniques and vulnerabilities to thwart them.  The firm is marketing itself as a private cyber intelligence agency, staking out networks to catch infiltrators, assembling dossiers on hackers and fooling intruders into stealing bogus data.

CrowdStrike, which employs Chinese linguists and former U.S. government agents, also has identified Chinese hackers using clues in their malware.   It then profiles them — complete with real names and photos — using information gathered from a variety of sources.

That has helped the company, for example, identify a Chinese hacker who targeted financial institutions and tends to seek merger and acquisition information.  Profiles enable a more targeted defense by helping CrowdStrike know when an attacker is likely to strike, how he communicates, what malware he uses and how he tries to take the stolen data.

Some experts believe CrowdStrike and other companies should be able to "hack back" by, for example, disabling servers that host cyber attacks, whether they are in the U.S. or abroad.  But this approach is not without critics, who worry how far companies might go down the road of cyber vigilantism.

The Justice Department has said hacking back may be illegal under the Computer Fraud and Abuse Act, a 1996 law that prohibits accessing a computer without authorization.  Many lawyers liken it to the principle that a person can't use "self-help" to legally break into his neighbor's house, even if he sees his stolen television in the neighbor's living room.

But what happens when the authorities themselves are unable, or unwilling, to cope with the threat that such hackers present?  

Critics worry that third party servers may be affected, or that attacks on Chinese or Russian-controlled computers could trigger an international incident.  What do you think?