Cyberattacks: The complexities of attacking back

As digital malefactors continue raiding U.S. businesses for their most valuable corporate secrets, some in Washington are wondering whether companies should test the limits and cyberattack their cyberattackers.

The private sector already can police its own computers and networks, but an uptick in serious intrusions from China and elsewhere is catalyzing a market for tools that might deceive or disrupt hackers and spies — a controversial development that has important limits under federal law. “I think it’s pretty obvious companies should [be] able to detect what’s coming into their network, block it, monitor it, fix it, remediate it, mitigate it,” said Michael Chertoff, former secretary of the Department of Homeland Security and now a leader of the Chertoff Group, which consults clients on cyberissues. “Where we’re getting into controversy is the idea that when you think you’ve detected a server that’s launched an attack, to go and attack back, and either recover your data or take down the server. It’s a very risky thing to do, and it needs to be carefully considered.” The idea is known as “active defense” to some, “strike-back” capability to others and “counter measures” to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don’t just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do. It’s a controversial strategy, partly because of the potential legal and political implications.