Pando

The FBI thinks private companies may be retaliating against hackers with their own attacks

By Nathaniel Mott , written on December 30, 2014

From The News Desk

The Federal Bureau of Investigation is reportedly investigating whether companies in the United States are retaliating against hackers with cyberattacks of their own.

JPMorgan Chase is coming under particular scrutiny because hackers took down Iranian servers used to attack the bank's infrastructure -- an action for which the company is said to have advocated in a meeting with the US government in 2013.

The government's increasing interest in these retaliatory attacks, which often follow the private sector's impatience with the government's inability to respond to hacks, is thought to be the result of corporate fears after Sony Pictures Entertainment's hack.

Sony might actually be a good place for the FBI to start its investigation. The company has reportedly targeted websites hosting documents leaked by its hackers with distributed-denial of service attacks, which are illegal, to limit the files' spread.

Bloomberg, which first reported on the FBI's investigation, explains the problem with private companies or the US government fighting hackers with cyberattacks:

The practice of reaching into or disabling computers over international borders is so sensitive that if the U.S. government disables attacking servers without the permission of the host country, the approval of the president is required, according to a White House directive leaked last year by former National Security Agency contractor Edward Snowden.

The White House confirmed that such a directive exists. A spokesman for the National Security Council declined to to comment on the details of the directive. The Wall Street Journal reported earlier this month that the government was struggling to determine how it should respond to the Sony hack because it didn't know what exactly a "proportional" retaliation would look like. (Apparently North Korean filmmakers aren't making a movie about Obama we could disrupt.)

All this murkiness shows why it's so important for companies and governments alike not to rush to name someone after an attack. It's clear no one knows the right response to an attack, but whatever that response is, it should have the right target.

[illustration by Brad Jonas]