INSA: In the popular imagination there’s this image “of the beleaguered IT professional at a company who sees the data on a large plasma screen slipping out of the company’s network, and it is just out of his reach,” Adam Hickey said. “If only he could go delete it from the server to which it was transferred, he could save the company.”

There’s just one problem with this scenario of “active defense,” often called “hacking back” — It never happens.

“The average time it takes to discover a data breach is about six months,” said Hickey, a deputy assistant attorney general at the Justice Department specializing in cybersecurity and China. So, by the time you realize you’ve been hacked, said Hickey and other experts speaking to the annual Intelligence & Security Alliance Conference, it’s too late to “hack back” and shut down your attacker.

Even if you could figure out who really stole your secrets — and attribution is something even intelligence agencies struggle to do with high confidence, said NSA general counsel Glenn Gerstell — they’ve already copied your data as many times as they want, to as many places as they want. No amount of cyber-vigilantism on your part is going to undo that.

In other words, hacking back is not just locking the barn door after the horse has bolted. It’s locking the barn after the horse has fled, died, and been rendered into glue.

So what should you do? Pick up the phone and call the FBI, Gerstell and Hickey said.

“It Just Doesn’t Work”

“Microsoft does not condone hacking back,” agreed Microsoft security exec Rich Boscovich. “It just doesn’t work.”

Even if you actually catch an attack in progress, trying to hack your attacker back isn’t the best way to stop them, Boscovich said. While tracing the attack all the way to its origin is immensely difficult, he explained, it’s fairly straightforward to figure out the immediate source of the bits and bytes coming into your network. Those are coming from specific IP addresses, which are administered by a specific Internet hosting service, whose contact information is publicly listed.

“You pick up the phone and you call them,” Boscovich said. Tell a hosting service that one or more of their accounts is using their IP addresses for malicious activity, he said, and, in his experience, the hosting service almost always shuts it down.

Even if the hosting company itself is shady, Boscovich went on, the fear of being publicly exposed and blacklisted can scare them into shutting down the offending account. Why? Because if a hosting service gets a reputation for hosting hackers, more and more internet service providers will simply block all traffic to and from its IP addresses, killing its business.

Yes, Microsoft has a decade-old reputation for aggressively defending its interests online. But as hackers grow more sophisticated, hiding their real origin and routing attacks through unsuspecting third parties, Microsoft has found cooperation is the best approach.

“We’re changed the way we operate… doing much closer private-public cooperation, working closely with US law enforcement, European law enforcement,” Boscovich said. Rather than rely on technological solutions, he said, “most of it is relationship-based.”

That’s the Justice Department’s experience as well, Hickey chimed in. “It is amazing to me how much we get from the FBI’s relationship with law enforcement around the world,” he said. “That gets us more than hacking back.”

So going to FBI doesn’t just bring in the bureau. It brings your problem to the attention of a whole array of federal agencies — and beyond them, foreign allies — that have far more information, and much more legal authority to act, than any private company can dream of.

The NSA’s Role

Those agencies include the notoriously far-seeing National Security Agency, although Gerstell was quick to emphasize his agency plays a supporting role. NSA will gather intelligence, he said, but then it hands it over to others to take action. the FBI handles targets in the United States, the military’s Cyber Command handles those beyond America’s borders.

Now, this demurral might be disingenuous. NSA has long conducted cyber attacks, not just surveillance — although much of the offensive capability may have been transferred over time to Cyber Command. Whatever the truth of what NSA can actually do, however, it’s not likely to roll out its big guns to take revenge just because your company got hacked.

What NSA is doing, however, is creating — or rather re-creating — a Cybersecurity Directorate as a single point of contact for other federal agencies, foreign allies, and the private sector.

“The NSA has for decades had a cybersecurity and information assurance mission,” Gerstell told reporters after the panel, “but the activities in particular of the 2018 election — as well as the general growth in cyber mischief — have convinced us it’s important for us to have one integrated focal point within the National Security Agency to deal with the cybersecurity threats.”

Again, the new NSA Cyber Directorate does not “hack back.” Its role, Gerstell explained to reporters after the panel, is to “obtain information in a very quick time; engage as appropriate, where we have the authority to do so, with the private sector and other federal government agencies; and then turn that information over to those parties who are able to tae action on it, whether it’s the FBI for law enforcement purposes, or US CYBERCOM for military activities, or other parts of the federal government.”

The new cybersecurity directorate officially opens its doors October 1st, though it won’t be fully up and running until Dec. 31st, director-to-be Anne Neuberger told the Billington Cybersecurity Summit yesterday. That’s because there are “thousands” of NSA employees across previously separate fiefdoms and specialties who need to be brought together to work side by side, literally “sitting together” for the first time, she explained to reporters afterward.

“That’s where full operating capability is,” Neuberger said, “and some of these shifts will take us a couple of months to do.”

Neuberger is a former financial sector cybersecurity expert — experienced in protecting billions of digital dollars — who went on to lead the NSA side of the Russia Small Group formed to secure the 2018 federal elections from foreign interference. She and the agency have learned a lot from those experiences.

“We’ve heard a lot of feedback that some of the information we would share — for example, IP addresses, domain names [being used by an adversary] —are temporary and by the time they’re shared, they’re no longer useful,” Neuberger told the Billington conference. “So it’s a shift to say.. .when we share threat information at the unclassified level, there needs to be more context. What are the overall goals of the actor? How do they pull together those goals, using an exploit, using a particular infrastructure to launch against a particular set of targets?”

The formal mechanisms for sharing this information are “the easy part,” Neuberger said. “What’s more challenging is creating the urgency, the operationalization of intelligence, to rapidly share while something is still relevant.”

“Ideally, she said, “we are sharing the threat information to prevent an attack.”

That sounds a lot better than hacking back.