IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Companies and Government Should Play Different Parts During a Hack, Experts Say

When hackers break into their systems, companies are often more concerned about patching leaks and getting their data back than finding the perpetrator.

(TNS) —  Cybersecurity companies San Antonio, Texas, gave an inside look Tuesday into what companies can and can’t do when they get hacked, and their perspective on what the government should be doing to support businesses when they get attacked.

Companies around the world last year scrambled to respond to devastating ransomware and other high-profile hacks. Stories attributing high-profile attacks have made some recent headlines, like last week when the Trump administration blamed Russia for NotPetya, and last year when it blamed North Korea for the WannaCry attack.

But Chris Gerritz, Infocyte founder and chief product officer said Tuesday during a panel discussion at the Pearl Stable that companies that get hacked are usually more concerned with recovering and getting business back online, not with finding out who did it.

“Most organizations don’t want to be in a role of finding their perpetrator,” Gerritz said.

U.S. Rep. Will Hurd asked what companies expect from government during a breach, and Gerritz said companies would not want someone from the FBI or another agency sitting “side by side” as they try to figure out what happened.

“They don’t like it when people come into their network and see all of this extraneous data, because they could have hacked emails that they don’t want necessarily in the public record,” Gerritz said.

Companies want to give the government information that may be useful, and then hand that investigation over to them, he said.

Panelists also discussed what companies actually can do when they get hacked. For example, if someone thinks they know someone else hacked them, can they “hack back,” or do anything in their attacker’s network?

“It’s hard to defend yourself, to just sit there on the defensive with all these attacks coming in,” said Bret Piatt, CEO of Jungle Disk.

But if someone eventually gets in, the business can’t go beyond doing things in the network it owns, panelists said.

The panelists went through a hypothetical of a cybercriminal taking over a car shop in Hondo, Texas’s computers, and using them to attack a business.

“Are you allowed to go back and defend yourself right now? It’s really no you can’t, you can’t go out to the car dealer in Hondo,” Piatt said.

Even if you were to go back to the car shop’s servers and “patch the hole” where the attacker got in, clean the malware off the computer and the hacking tools and just leave, “you are actually committing a crime by doing that in the U.S. right now if you’re a private enterprise,” Piatt said.

People will have a hard time building legislation allowing companies to hack back because attribution is difficult, said Jacob Stauffer, co-founder and vice president of operations at Coherent Cyber.

There are legal challenges in “being able to reach back” Gerritz said, “but even a technical point of view of finding out is this really who’s hacking?”

Legislation that would allow hacking victims to go beyond their network to take certain actions was introduced in November in the U.S. House of Representatives.

It would make changes to the Computer Fraud and Abuse Act, which “currently prohibits individuals from taking any defensive actions other than preventative protections, such as ant-virus software,” according to a news release announcing the bill’s introduction.

“ACDC (Active Cyber Defense Certainty Act) gives authorized individuals and companies the legal authority to leave their network to 1) establish attribution of an attack, 2) disrupt cyberattacks without damaging others’ computers, 3) retrieve and destroy stolen files, 4) monitor the behavior of an attacker, and 5) utilize beaconing technology,” according to the release.

©2018 the San Antonio Express-News Distributed by Tribune Content Agency, LLC.