Should Companies Bolster Their Cybersecurity by ‘Hacking Back?’
Attend any cybersecurity confab, and you’ll encounter some version of the following refrain. “There are two types of companies in this world: those that have been hacked and those that don’t yet know they’ve been hacked.”
The phrase that launched a thousand quips was coined by Dmitri Alperovitch, a Moscow-born entrepreneur and one of the world’s foremost hacker-sleuths. In 2011, as head threat researcher at antivirus pioneer McAfee, he created the classification while investigating—and publicly revealing—half a decade’s worth of (likely Chinese) cyberattacks on more than 70 organizations, including defense contractors, tech companies, and the United Nations.
Now the huff of resignation is due for an update. “I’ve since modified that phrase,” Alperovitch tells Fortune. “The first two companies still exist, but now there’s a third type that’s able to successfully defend itself against intrusion.” Ah, hope yet!
One could write off Alperovitch’s addendum as a savvy sales pitch. As the cofounder and chief technology officer of CrowdStrike, a cybersecurity company that stunned investors with a share price–popping IPO in June, there’s no wonder he’s feeling a bit of good cheer.
But there’s something to Alperovitch’s revision. Richard A. Clarke, former White House security adviser to both Bushes and to Clinton, agrees with the new, tripartite framing. He says as much in his just-published book, coauthored with Obama cyber lead Robert K. Knake, The Fifth Domain—a reference to cyber as the newest theater of war, after land, sea, air, and space.
But not all firms succumbed. “What you don’t hear about is the list of American companies that were there doing business in Ukraine”—ground zero for the attack—“that didn’t get damaged,” Clarke says. Firms like Boeing, DowDuPont, and Johnson & Johnson “were the dogs that didn’t bark, and in our book, we tried to figure out why.”
So, what separates the hacks from the hack-nots? At a technical level, the unharmed firms had patched their machines against the vulnerability exploited by NotPetya. But a more fundamental question is, Why did some companies patch, while others neglected to?
In a word: prioritization. The most resilient organizations have buy-in across the—literal—board. Any executive who blocks a chief information security officer better have a damn good reason. The CEO will surely hear about it.
That’s good defense, but what if companies could punch back? That’s what some members of Congress are proposing in a piece of legislation known as the “hack back” bill, which would allow companies to probe an attacker’s computer and destroy stolen data.
Mark Mao, head of privacy practice at Troutman Sanders, an Atlanta law firm, is a cautious proponent. “Personally, I don’t think it’s a bad idea,” he says. “To me, it’s like a cyber Second Amendment.” (He adds that it would have to be “limited” and that “a lot of the details would have to be worked out.”)
Mao draws a comparison to nuclear stalemates. “Deterrence works because nobody wants to be nuked,” he says. “Most hackers get away with [it] because there’s no retribution in any way.”
But most cybersecurity industry insiders agree that if the hack back bill became law, the results would be a fiasco. Sandra Joyce, head of intelligence at cybersecurity firm FireEye and a U.S. Air Force reservist, disapproves. “The last thing we need is to add well-intentioned rookies into the mix,” she says, noting the dangers of misidentifying attackers and the threat of tit-for-tat escalation. It’d be “releasing a vigilantism fraught with risk.”
“The last thing we need is to add well-intentioned rookies into the mix.” – Sandra Joyce, head of intelligence, FireEye
The bill, she says, represents “the voice of the commercial sector that has felt very neglected. It’s a signal of frustration.”
The vexation is understandable. Worldwide spending on cybersecurity is expected to grow about 9%, to $124 billion this year, according to Gartner. And the breaches seem to just keep coming.
Companies don’t need to bankrupt their coffers to keep hackers from bankrupting them. Clarke says companies that spend 8% to 10% of their IT budget on cybersecurity tend to be best in class.
But even this price tag is not always necessary to outrun the proverbial bear. Alperovitch says he knows of one Fortune 500 customer in the hospitality business that spends a mere $11 million annually to defend itself, and he is convinced that it’s among the most secure he has ever seen.
At that particular concern, the chair of the board gave his cell phone number to the company’s chief information security officer and included a message: “Call me anytime, day and night, if anyone says no to you.”
As Alperovitch puts it: “At that organization, no one tells him no.”
A version of this article appears in the August 2019 issue of Fortune with the headline “The Corporate Fortress.”
More must-read stories from Fortune:
—The 2019 Fortune Global 500: See the full list
—It’s China’s world: China has now reached parity with the U.S. on the Global 500
—China’s biggest private sector company is betting its future on data
—How the maker of the world’s bestselling drug keeps prices sky-high
—Cloud gaming is big tech’s new street fight
Get up to speed on your morning commute with Fortune’s CEO Daily newsletter.