FBI probes whether banks hacked back as firms explore cyber offensive

The hacked are itching to hack back.

So say a dozen security specialists and former law enforcement officials, who described an intensifying and largely unspoken sense of unease inside many companies after the recent breach of Sony Corp.'s networks.

U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies, and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the United States have few clear options for striking back on their own.

That has led a growing number of companies to push the limits of existing law to consider ways to break into hackers' networks to retrieve stolen data or even knock computers off-line to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property hackers may have stolen.

In one case, the FBI is looking into whether hackers working on behalf of any U.S. financial institutions disabled servers that were being used by Iran to attack the websites of major banks last year, said two people familiar with the investigation. JPMorgan Chase & Co. advocated such a move in a closed meeting in February 2013, the two people said. A bank spokeswoman said no action was ever taken. Federal investigators are trying to determine who was responsible, the two people said.

"It's kind of a Wild West right now," said Rep. Michael McCaul (R., Texas), chairman of the Homeland Security Committee. Some victim companies may be conducting offensive operations "without getting permission" from the federal government, he said.

"They're very frustrated," McCaul said of such firms.

Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp., and the Center for Strategic and International Studies. Counterstrikes are a small part of the ll cybersecurity industry, which Gartner Inc. projects will surpass $78 billion in worldwide revenue next year.

The idea of hacker-on-hacker justice raises thorny questions, including when U.S. companies can legally order international strikes on their behalf. Also little explored, so far, are the consequences of engaging hackers that may be backed, explicitly or implicitly, by states from North Korea and Iran to China and Russia.

The idea of counterstrikes gained an unprecedented level of visibility when President Obama vowed on Dec. 19 to mount a "proportional" response against North Korea for the Sony breach, which destroyed data and leaked movies and employee e-mails. North Korea suffered Internet outages a few days later. The White House has declined to comment on North Korea's accusation that the U.S. government played a role.

Already, someone appears to have struck back against the Sony attacks. Fake copies of Fury, Annie, and other leaked films began appearing this month on file-sharing sites, slowing the computers of people attempting to download the movies and crippling torrent sites disseminating the files, said Tal Klein, vice president of strategy at Adallom Inc., a Palo Alto, Calif.-based security company. The fake files have largely been eliminated as file-sharing sites have used rating systems to blacklist the decoys, he said.

Sony declined to comment on the fakes or on any steps the company is taking to recover from the breach.

In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.