FBI on seeking cyber retribution: It’s against the law

By Chad Hemenway on September 11, 2014

NEW YORK—Enterprises victimized by hackers and thinking about retribution were met with a stern warning from a very qualified panelist during The Chertoff Group Security Series conference.

“Hacking back is against the law today,” said Joe Demarest, associate director of the FBI’s cyber division.

For a company worried about the reputational damage from a data breach, breaking the law might not be the best course of action because, as Demarest said: “The FBI has to follow up on federal statute.”

The half-day conference on September 9 was focused on the financial services sector.

Tom Quinn, chief information security officer of BNY Mellon, said the subject of retribution was “still an open dialogue.” Some have looked for ways to become more aggressive in order to protect themselves, but attribution remains a giant hurdle. It is difficult to affirmatively identify a hacker, or hackers. Demarest said this task is difficult even for the government.

“Are companies willing to make mistakes and misidentify?” Quinn asked.

Dwayne Melancon, chief technology officer at Tripwire, said retribution could be asking for more trouble.

“It doesn’t end when you say it’s done,” he said. “It won’t be fun.”

***

In comparison to other industries, financial services is one of the best and most prepared for cyber risk, said Demarest. The sector is “heavily invested and hired the right talent,” and has engaged the government for help.

Nevertheless, financial services is also one of the most targeted industries because of the potential gains for criminals, terrorists or rival countries. And if there is a “standing army” determined to get into a system, there is “nothing they’re not going to be able to penetrate.”

Demarest said information sharing has been an excellent tool for the financial sector. The FBI has met with firms, briefing them on threat indicators in order for them to develop mitigation plans.

At first, firms may have been “squeamish” about sharing information, due to the competitiveness of the industry, added Andre Karamanian, security consultant at Cisco’s Sourcefire. However, enterprises have been quick to discover that information sharing can cut down on the time it takes to identify and proactively prevent breaches, and gives them access to countermeasures that have worked for peers.

Eric Guerrino, executive vice president of the Financial Services Information Sharing and Analysis Center, said financial firms are making a “concerted effort to start sharing.” The nonprofit FS-ISAC has experienced tremendous growth in membership and threat indicators, and it has developed an automated system for firms to find specific indicators.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].