Cyber Attack Retaliation Is Government’s Job: Poll

At a time when most people aren’t confident their workplace is safe from a hacking attack, respondents to the Bloomberg Global Poll are more certain about one thing: Vengeance is not mine.

Companies shouldn’t get a pass from the government to respond to cyber-attacks with counterstrikes against the bad guys, according to the latest results in the quarterly poll of 481 investors, analysts and traders who are Bloomberg subscribers. Some 71 percent of respondents said corporations need to defer to law-enforcement agencies to take such actions. Sixteen percent said businesses should be allowed to retaliate, and 13 percent said they weren’t sure.

The prospect of “hacking back” took on added significance after November’s cyber-attack against Sony Pictures Entertainment exposed secrets about pay, employee health data, and executives’ snarky e-mails about Hollywood stars. Fewer than half the respondents — 43 percent — said they’re confident their workplace is safe from such intrusions. While computer attacks grow more sophisticated, companies have limited legal options to fight back or retrieve stolen data.

“We as a society have agreed to abide by the laws we draft, and we have sanctioned the state to have the monopoly on the use of force,” said Benjamin Dunn, president of Alpha Theory Advisors in Crested Butte, Colorado, who was one of the poll participants. “Just as you cannot retaliate for a crime committed against your person, corporations must rely on the state to seek justice. In fact, I would argue that the transfer of the state’s monopoly on the use of force to a corporation is worse than vigilante justice as it reeks of a mercenary hire.”

Unprecedented Attention

After the cyber-attack on Sony, President Barack Obama threatened on Dec. 19 to mount unspecified “proportional” retaliatory measures against North Korea for the assault. North Korea suffered Internet outages a few days later. The White House declined to comment on North Korea’s accusation that the U.S. government played a role.

Obama ultimately imposed new sanctions against the Asian nation. In this week’s State of the Union speech, Obama called on lawmakers to pass legislation to combat cyber-attacks, in a possible boon to computer-security companies.

In a sign of companies possibly taking the law into their own hands, Bloomberg News also reported last month that the FBI is investigating whether hackers working on behalf of any U.S. financial institutions disabled servers being used by Iran to attack the websites of major banks in 2013, according to two people familiar with the investigation.

Legal Restrictions

That case shows the tension inherent to discussions of hacking back. Other areas of criminal law contain some exemptions for self-defense, such as stand-your-ground statutes governing when individuals can use lethal force, but companies aren’t permitted under any circumstances to hack the hackers attacking them. The restriction holds true even if hacking back would allow them to recover stolen customer data or stop the intrusion by disabling the thieves’ computers.

The 30-year-old Computer Fraud and Abuse Act prohibits people and corporations from gaining unauthorized access to computers or overloading them with traffic, an attack known as a “denial of service.” Penalties can include prison time. Intelligence and law-enforcement activities are exempted, and some lawmakers have proposed adding exemptions for companies acting in self-defense.

Frustrated Companies

U.S. Representative Michael McCaul, the Texas Republican who is the chairman of the House Homeland Security Committee, said some victim companies may already be conducting offensive operations without permission from the government and are “very frustrated.”

On the question of whether their workplaces were safe from hacking, 39 percent of poll respondents said they were mostly not confident and 18 percent weren’t sure. Respondents were more certain about their safety from a workplace terrorist attack that could result in deaths, with 66 percent mostly confident.

Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp., and the Center for Strategic & International Studies. Counterstrikes are a small part of the overall cybersecurity industry, which Gartner Inc. projects will surpass $78 billion in worldwide revenue this year.

Ahmet Bilgin, a Vienna-based economist with DenizBank AG who also participated in the poll, agreed that companies need to defer to law enforcement when they are attacked.

“Companies should not be given the right to intervene against cyber-attacks because the attacks are criminal acts that should be pursued by the police and law enforcement agencies,” Bilgin said.

The poll was conducted Jan. 14-15 by Selzer & Co., a Des Moines, Iowa-based firm. It has a margin of error of plus or minus 4.5 percentage points.