Hack Back - When A Cyber Attack Victim Turns 'Digital Vigilante'

German authorities, like their counterparts elsewhere, have proven unable to protect certain businesses and individuals from cyber crimes. Now, more and more are taking digital justice into their own hands.

In our hands? (arkangel)
Ulrich Clauß

BERLIN - What with malware able to easily cancel out whatever security measures are in place on a computer, the cyber-crime phenomenon is in full developmental swing.

That's the word from a new report on the dark side of the information technology revolution in the current issue of "Bundeslagebild Cybercrime," published by Germany's Federal Criminal Police Office. Meanwhile, the UK's domestic intelligence service MI-5 says Internet crimes have now reached "industrial-scale" proportions.

What we know is that cyber attacks are aimed at both businesses and governments; they threaten both public and private sector data; and research and academic facilities are hardly spared. "The extent of what is going on is astonishing," says MI-5 head Jonathan Evans.

This, of course, only pertains to the attacks the police know about. Internet security experts estimate cyber crime levels are much higher. Businesses in particular are known to be reluctant to divulge what they may have experienced, in order to protect their image.

But silence is not just a question of image. The fact is that in no other area are the forces of law and order as helpless as they are when dealing with cyber crime. According to most experts, the discrepancy between the technical know-how and equipment of the perps and that of the cops is vast – and the bad guys have the upper hand.

"In what is often called 'cyber war' but should be called 'cyber crime,' the forces of order are not as well equipped as the attackers," says IT expert Max Mühlhäuser, who heads the Telecooperation Lab at Darmstadt's Technical University. "And the growing professionalism of attackers means that action is urgently needed."

In Germany, since it has become publicly known that the police couldn't even manage the "Bundestrojaner" – the "federal Trojan" spyware allegedly used by the government to access the computers of suspects in criminal investigations – without the help of outside service providers, more and more have begun to circumvent the authorities and take on cyber-thieves directly.

Cyberwar researcher Sandro Gaycken, of the Institute for Computer Science at Berlin's Freie Universität, confirms that "digital vigilantism" is the new trend, particularly in sectors strongly affected by efficient cybercriminals such as the financial industry, development companies, and research groups. In those areas, the amount of manipulation and spying is "frightening," he says – "and absolutely nobody is going to go public when something like that happens to them."

The tendency is to deal with it in-house, says Gaycken. "They don't involve the police. They build up their own unit, or hire outside help. And the new hype with those guys is hitting back. Attacking the attacker."

Data trap

One such "Enterprise Strikes Back" service provider is CrowdStrike, a California company that describes itself as "the stealth-mode security start-up." It provides companies with "hack back" solutions to fight private wars on the web, and minces no words when it comes to criticizing the kinds of security strategies used until now to fight cyber attacks.

"The industry's mistake was to focus on the tools the attackers were using," says Dmitri Alperovitch, co-founder and Chief Technical Officer, who espouses a kind of hand-to-hand combat strategy. "You have to concentrate on the attacker himself, not on the weapon used but on the tactics."

Shawn Henry, a former cybercrime specialist with the FBI and now president of CrowdStrike Services, puts it this way: "We don't only put out the fires, we light them too." The company's range of hack-back services is wide, and includes everything from figuring out how to dodge attacks all the way to ruining the attacker financially.

For example, CrowdStrike can set up a data trap that will lure attackers into believing they have hit on something of value although it is actually worthless data that can't be copied. But it will keep the attackers busy for a while, and waste a lot of their time. There are also very clever ways of ascertaining attacker identity and sending disinformation or malware to their computer.

Not surprisingly, no company has thus far publicly admitted to using these or other hack-back tactics – attacking IT systems, even in counter-attack, is after all illegal in most Western countries. In Germany, Paragraph 202 (known as the Hacker Paragraph) of the Criminal Code outlines the acts relating to data espionage and phishing that are punishable with imprisonment or a fine.

According to those familiar with the sector, that doesn't stop many companies from using these methods against cyber attackers, particularly as frustration is growing among enterprises that realize how much is at stake, and that legal methods simply do not work.

"One of the reasons for using illegal means is that the state just isn't efficient. The prosecutors aren't good enough, partly because they have cheap, ineffective tools to work with. Investigators need more means, and more highly qualified people, to be able to work in a more targeted fashion," says computer scientist Gaycken.

Another problem is that states are bound to their own laws and territoriality – a factor that limits their radius of action. "From that perspective, vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back." But that's only part of the story, Gaycken believes. Investigations hampered by data protection legislation and national borders often appear cumbersome and indeed unnecessary to companies that have been attacked.

The latest cyberwar developments have only strengthened the aggressive self-help trend. The discovery that worms like Flame, Stuxnet and Duqu had been working away, sometimes for many years, in computer systems – including the uranium enrichment centrifuges of the Iranian nuclear program – was a massive defeat for the computer virus protection industry.

For Mikko Hypponen, the founder of F-Secure, a security firm, Flame malware marks nothing less than the "failure of the antivirus industry," and as such a turning point in IT security.

US and France have more leeway

Neither the German Minister of the Interior nor the Federal Office for Information Security Technology (BSI), which are responsible for security across the web in Germany as well as for government computers, had any comments on these latest developments. Paired with the trend towards vigilantism, however, the issue begs answers, particularly as it touches not only on the law but also civil rights. The bottom line is that the state has a monopoly on the use of force.

Says IT expert Mühlhäuser: "My impression from a number of indicators is that the German federal government sees defending the German economy against cybercrime and cyber-intelligence as far less important a sovereign function than, for example, the United States or France do."

Mühlhäuser notes that both those countries have legitimized state-organized economic espionage in the past in the interests of keeping their own economies in good shape. But in Germany, for lack of effective enforcement, more and more businesses and institutions have no choice but to take matters into their own hands. Time will tell whether this will bring a measured, practical response, or if people will come out with all guns blazing, Wild West style.

Read the original article in German.

Photo - arkangel
