為了網絡安全，公司應該搞“黑客反擊”嗎？

參加任何有關于網絡安全的非正式會談，你都會聽到這樣一句話：“世界上有兩種類型的公司：被黑客攻擊過的公司，和那些不知道曾經被黑客攻擊過的公司。”

這句引發上千條妙語的話出自于德米特里·艾爾帕洛維蒂奇，他是一位出生于莫斯科的企業家，也是世界最前沿的黑客偵探之一。2011年，作為反病毒先驅麥克菲的首席威脅研究員，他在調查時發明了這句話——公眾對此很感興趣——調查對象是五年內發起的對超過70個組織的網絡攻擊，包括國防承包商、科技公司和聯合國。

現在這句無可奈何的話該升級一下了。“我已經修改了我的話。”艾爾帕洛維蒂奇告訴《財富》雜志，“前兩種公司仍然存在，但現在有第三類公司，他們能夠成功地防御黑客入侵。”好吧，還有希望！

你盡可以把他修改后的話，當作一種純熟的銷售技巧。作為網絡安全公司CrowdStrike的聯合創始人和首席科技官，這家公司在今年6月上市時的股價大漲讓投資者側目，艾爾帕洛維蒂奇確實有理由得意一下。

但實際上艾爾帕洛維蒂奇修改這句話，是意有所指的。在布什和克林頓政府任職的前白宮安全顧問理查德·克拉克，同意這句新的三段體話。他剛與奧巴馬政府的網絡主管羅伯特·柯內克合寫了一本書《第五領域》（The Fifth Domain），書中提到網絡已經成為繼陸地、海洋、天空和外太空之后的最新的戰爭威脅。

想想NotPetya病毒吧。俄羅斯在2017年釋放的這一病毒災難性地襲擊了全球的許多電腦，導致了像聯邦快遞、馬士基和默沙東這樣的公司損失數十億美元。

但是，并非所有公司都受害了。“你所不知道的是，有一批美國公司在烏克蘭做生意”——可謂處于網絡攻擊的中心點——“卻沒有受到損失，”克拉克說。一些公司像波音、杜邦和強生“并未吱聲，于是在我們的書中，就試圖找出原因。”

那么，為什么有些公司被黑客攻擊，有些沒有？從技術層面來說，未受損的公司把它們的設備都打了補丁，防止漏洞被NotPetya利用。但一個更基本的問題是，為什么有些公司打補丁，而有些卻忽略了？

原因就一個詞：優先級。最具韌性的組織，都有預案。一位主管若是駁回首席信息安全官的建議，得有充足的理由。首席執行官肯定也會過問。

這是很好的防御措施，但如果公司發起反擊呢？一些美國國會的成員正在提議一項立法，稱之為“黑客反擊”議案，該議案允許公司調查攻擊者的電腦并摧毀被盜數據。

位于亞特蘭大的律所長盛（Troutman Sanders）的隱私保護主管馬克·毛，對此議案表示謹慎地支持。“我個人認為，這主意不錯。”他說，“我覺得這就像網絡第二修正案。”（但他補充說，這種做法應該是“有限制的”，并且需要制定很多細節。）

毛將網絡攻擊和反擊，與核平衡相對比。“核威懾是有效的，因為沒有人希望被核攻擊。”他說，“許多黑客逃之夭夭，因為沒有任何報復措施。”

然而，許多網絡安全業內人士認為，如果黑客反擊議案變成法律，將會是巨大的災難。網絡安全公司火眼的情報主管、美國空軍預備役人員桑德拉·喬伊斯就表示反對。“最不希望看到的，就是用意良好但純屬菜鳥的人來摻和此事。”她認為這一議案會有誤判攻擊者的危險，也會導致爭鋒相對和矛盾升級。它只會“帶來人心惶惶，風險叢生。”

她還說，這項議案代表著“商業界的聲音，他們感到被忽視了。這是一種受挫的信號。”

他們的惱怒是可以理解的。據Gartner的數據，今年全球網絡安全的支出將增長9%，達1240億美元。但網絡安全還是難以保全。

要防止黑客偷光公司財產，公司卻不必耗盡家財。克拉克認為，公司把IT預算的8%到10%投入到網絡安全中，就相當不錯了。

要防護好網絡，這個比例的投入也并不總是必要的。艾爾帕洛維蒂奇說，他就知道一家《財富》美國500強的從事賓館業的公司，每年只花費區區1100萬美元做網絡防護，但他確信這家公司的網絡安全是他所見過最好的之一。

面對網絡安全的擔憂，公司的董事會主席把自己的手機號碼給了公司首席信息安全官，并告訴他：“不管白天或夜里，如果有人拒絕你的提議，隨時打我電話。”

艾爾帕洛維蒂奇加了一句：“在這個機構里，沒人敢對他說不。”（財富中文網）

本文另一版本登載于《財富》雜志2019年8月刊，標題是《公司的堡壘》。

譯者：宣峰

Attend any cybersecurity confab, and you’ll encounter some version of the following refrain. “There are two types of companies in this world: those that have been hacked and those that don’t yet know they’ve been hacked.”

The phrase that launched a thousand quips was coined by Dmitri Alperovitch, a Moscow-born entrepreneur and one of the world’s foremost hacker-sleuths. In 2011, as head threat researcher at antivirus pioneer McAfee, he created the classification while investigating—and publicly revealing—half a decade’s worth of cyberattacks on more than 70 organizations, including defense contractors, tech companies, and the United Nations.

Now the huff of resignation is due for an update. “I’ve since modified that phrase,” Alperovitch tells Fortune. “The first two companies still exist, but now there’s a third type that’s able to successfully defend itself against intrusion.” Ah, hope yet!

One could write off Alperovitch’s addendum as a savvy sales pitch. As the cofounder and chief technology officer of CrowdStrike, a cybersecurity company that stunned investors with a share price–popping IPO in June, there’s no wonder he’s feeling a bit of good cheer.

But there’s something to Alperovitch’s revision. Richard A. Clarke, former White House security adviser to both Bushes and to Clinton, agrees with the new, tripartite framing. He says as much in his just-published book, coauthored with Obama cyber lead Robert K. Knake, The Fifth Domain—a reference to cyber as the newest theater of war, after land, sea, air, and space.

Consider NotPetya. The devastatingly global computer-wiping attack, which Russia released on the world in 2017, caused billions of dollars of damage to corporations such as FedEx, Maersk, and Merck.

But not all firms succumbed. “What you don’t hear about is the list of American companies that were there doing business in Ukraine”—ground zero for the attack—“that didn’t get damaged,” Clarke says. Firms like Boeing, DowDuPont, and Johnson & Johnson “were the dogs that didn’t bark, and in our book, we tried to figure out why.”

So, what separates the hacks from the hack-nots? At a technical level, the unharmed firms had patched their machines against the vulnerability exploited by NotPetya. But a more fundamental question is, Why did some companies patch, while others neglected to?

In a word: prioritization. The most resilient organizations have buy-in across the—literal—board. Any executive who blocks a chief information security officer better have a damn good reason. The CEO will surely hear about it.

That’s good defense, but what if companies could punch back? That’s what some members of Congress are proposing in a piece of legislation known as the “hack back” bill, which would allow companies to probe an attacker’s computer and destroy stolen data.

Mark Mao, head of privacy practice at Troutman Sanders, an Atlanta law firm, is a cautious proponent. “Personally, I don’t think it’s a bad idea,” he says. “To me, it’s like a cyber Second Amendment.” (He adds that it would have to be “limited” and that “a lot of the details would have to be worked out.”)

Mao draws a comparison to nuclear stalemates. “Deterrence works because nobody wants to be nuked,” he says. “Most hackers get away with [it] because there’s no retribution in any way.”

But most cybersecurity industry insiders agree that if the hack back bill became law, the results would be a fiasco. Sandra Joyce, head of intelligence at cybersecurity firm FireEye and a U.S. Air Force reservist, disapproves. “The last thing we need is to add well-intentioned rookies into the mix,” she says, noting the dangers of misidentifying attackers and the threat of tit-for-tat escalation. It’d be “releasing a vigilantism fraught with risk.”

The bill, she says, represents “the voice of the commercial sector that has felt very neglected. It’s a signal of frustration.”

The vexation is understandable. Worldwide spending on cybersecurity is expected to grow about 9%, to $124?billion this year, according to Gartner. And the breaches seem to just keep coming.

Companies don’t need to bankrupt their coffers to keep hackers from bankrupting them. Clarke says companies that spend 8% to 10% of their IT budget on cybersecurity tend to be best in class.

But even this price tag is not always necessary to outrun the proverbial bear. Alperovitch says he knows of one Fortune 500 customer in the hospitality business that spends a mere $11?million annually to defend itself, and he is convinced that it’s among the most secure he has ever seen.

At that particular concern, the chair of the board gave his cell phone number to the company’s chief information security officer and included a message: “Call me anytime, day and night, if anyone says no to you.”

As Alperovitch puts it: “At that organization, no one tells him no.”

A version of this article appears in the August 2019 issue of Fortune with the headline “The Corporate Fortress.”