为了网络安全，公司应该搞“黑客反击”吗？

参加任何有关于网络安全的非正式会谈，你都会听到这样一句话：“世界上有两种类型的公司：被黑客攻击过的公司，和那些不知道曾经被黑客攻击过的公司。”

这句引发上千条妙语的话出自于德米特里·艾尔帕洛维蒂奇，他是一位出生于莫斯科的企业家，也是世界最前沿的黑客侦探之一。2011年，作为反病毒先驱麦克菲的首席威胁研究员，他在调查时发明了这句话——公众对此很感兴趣——调查对象是五年内发起的对超过70个组织的网络攻击，包括国防承包商、科技公司和联合国。

现在这句无可奈何的话该升级一下了。“我已经修改了我的话。”艾尔帕洛维蒂奇告诉《财富》杂志，“前两种公司仍然存在，但现在有第三类公司，他们能够成功地防御黑客入侵。”好吧，还有希望！

你尽可以把他修改后的话，当作一种纯熟的销售技巧。作为网络安全公司CrowdStrike的联合创始人和首席科技官，这家公司在今年6月上市时的股价大涨让投资者侧目，艾尔帕洛维蒂奇确实有理由得意一下。

但实际上艾尔帕洛维蒂奇修改这句话，是意有所指的。在布什和克林顿政府任职的前白宫安全顾问理查德·克拉克，同意这句新的三段体话。他刚与奥巴马政府的网络主管罗伯特·柯内克合写了一本书《第五领域》（The Fifth Domain），书中提到网络已经成为继陆地、海洋、天空和外太空之后的最新的战争威胁。

想想NotPetya病毒吧。俄罗斯在2017年释放的这一病毒灾难性地袭击了全球的许多电脑，导致了像联邦快递、马士基和默沙东这样的公司损失数十亿美元。

但是，并非所有公司都受害了。“你所不知道的是，有一批美国公司在乌克兰做生意”——可谓处于网络攻击的中心点——“却没有受到损失，”克拉克说。一些公司像波音、杜邦和强生“并未吱声，于是在我们的书中，就试图找出原因。”

那么，为什么有些公司被黑客攻击，有些没有？从技术层面来说，未受损的公司把它们的设备都打了补丁，防止漏洞被NotPetya利用。但一个更基本的问题是，为什么有些公司打补丁，而有些却忽略了？

原因就一个词：优先级。最具韧性的组织，都有预案。一位主管若是驳回首席信息安全官的建议，得有充足的理由。首席执行官肯定也会过问。

这是很好的防御措施，但如果公司发起反击呢？一些美国国会的成员正在提议一项立法，称之为“黑客反击”议案，该议案允许公司调查攻击者的电脑并摧毁被盗数据。

位于亚特兰大的律所长盛（Troutman Sanders）的隐私保护主管马克·毛，对此议案表示谨慎地支持。“我个人认为，这主意不错。”他说，“我觉得这就像网络第二修正案。”（但他补充说，这种做法应该是“有限制的”，并且需要制定很多细节。）

毛将网络攻击和反击，与核平衡相对比。“核威慑是有效的，因为没有人希望被核攻击。”他说，“许多黑客逃之夭夭，因为没有任何报复措施。”

然而，许多网络安全业内人士认为，如果黑客反击议案变成法律，将会是巨大的灾难。网络安全公司火眼的情报主管、美国空军预备役人员桑德拉·乔伊斯就表示反对。“最不希望看到的，就是用意良好但纯属菜鸟的人来掺和此事。”她认为这一议案会有误判攻击者的危险，也会导致争锋相对和矛盾升级。它只会“带来人心惶惶，风险丛生。”

她还说，这项议案代表着“商业界的声音，他们感到被忽视了。这是一种受挫的信号。”

他们的恼怒是可以理解的。据Gartner的数据，今年全球网络安全的支出将增长9%，达1240亿美元。但网络安全还是难以保全。

要防止黑客偷光公司财产，公司却不必耗尽家财。克拉克认为，公司把IT预算的8%到10%投入到网络安全中，就相当不错了。

要防护好网络，这个比例的投入也并不总是必要的。艾尔帕洛维蒂奇说，他就知道一家《财富》美国500强的从事宾馆业的公司，每年只花费区区1100万美元做网络防护，但他确信这家公司的网络安全是他所见过最好的之一。

面对网络安全的担忧，公司的董事会主席把自己的手机号码给了公司首席信息安全官，并告诉他：“不管白天或夜里，如果有人拒绝你的提议，随时打我电话。”

艾尔帕洛维蒂奇加了一句：“在这个机构里，没人敢对他说不。”（财富中文网）

本文另一版本登载于《财富》杂志2019年8月刊，标题是《公司的堡垒》。

译者：宣峰

Attend any cybersecurity confab, and you’ll encounter some version of the following refrain. “There are two types of companies in this world: those that have been hacked and those that don’t yet know they’ve been hacked.”

The phrase that launched a thousand quips was coined by Dmitri Alperovitch, a Moscow-born entrepreneur and one of the world’s foremost hacker-sleuths. In 2011, as head threat researcher at antivirus pioneer McAfee, he created the classification while investigating—and publicly revealing—half a decade’s worth of cyberattacks on more than 70 organizations, including defense contractors, tech companies, and the United Nations.

Now the huff of resignation is due for an update. “I’ve since modified that phrase,” Alperovitch tells Fortune. “The first two companies still exist, but now there’s a third type that’s able to successfully defend itself against intrusion.” Ah, hope yet!

One could write off Alperovitch’s addendum as a savvy sales pitch. As the cofounder and chief technology officer of CrowdStrike, a cybersecurity company that stunned investors with a share price–popping IPO in June, there’s no wonder he’s feeling a bit of good cheer.

But there’s something to Alperovitch’s revision. Richard A. Clarke, former White House security adviser to both Bushes and to Clinton, agrees with the new, tripartite framing. He says as much in his just-published book, coauthored with Obama cyber lead Robert K. Knake, The Fifth Domain—a reference to cyber as the newest theater of war, after land, sea, air, and space.

Consider NotPetya. The devastatingly global computer-wiping attack, which Russia released on the world in 2017, caused billions of dollars of damage to corporations such as FedEx, Maersk, and Merck.

But not all firms succumbed. “What you don’t hear about is the list of American companies that were there doing business in Ukraine”—ground zero for the attack—“that didn’t get damaged,” Clarke says. Firms like Boeing, DowDuPont, and Johnson & Johnson “were the dogs that didn’t bark, and in our book, we tried to figure out why.”

So, what separates the hacks from the hack-nots? At a technical level, the unharmed firms had patched their machines against the vulnerability exploited by NotPetya. But a more fundamental question is, Why did some companies patch, while others neglected to?

In a word: prioritization. The most resilient organizations have buy-in across the—literal—board. Any executive who blocks a chief information security officer better have a damn good reason. The CEO will surely hear about it.

That’s good defense, but what if companies could punch back? That’s what some members of Congress are proposing in a piece of legislation known as the “hack back” bill, which would allow companies to probe an attacker’s computer and destroy stolen data.

Mark Mao, head of privacy practice at Troutman Sanders, an Atlanta law firm, is a cautious proponent. “Personally, I don’t think it’s a bad idea,” he says. “To me, it’s like a cyber Second Amendment.” (He adds that it would have to be “limited” and that “a lot of the details would have to be worked out.”)

Mao draws a comparison to nuclear stalemates. “Deterrence works because nobody wants to be nuked,” he says. “Most hackers get away with [it] because there’s no retribution in any way.”

But most cybersecurity industry insiders agree that if the hack back bill became law, the results would be a fiasco. Sandra Joyce, head of intelligence at cybersecurity firm FireEye and a U.S. Air Force reservist, disapproves. “The last thing we need is to add well-intentioned rookies into the mix,” she says, noting the dangers of misidentifying attackers and the threat of tit-for-tat escalation. It’d be “releasing a vigilantism fraught with risk.”

The bill, she says, represents “the voice of the commercial sector that has felt very neglected. It’s a signal of frustration.”

The vexation is understandable. Worldwide spending on cybersecurity is expected to grow about 9%, to $124 billion this year, according to Gartner. And the breaches seem to just keep coming.

Companies don’t need to bankrupt their coffers to keep hackers from bankrupting them. Clarke says companies that spend 8% to 10% of their IT budget on cybersecurity tend to be best in class.

But even this price tag is not always necessary to outrun the proverbial bear. Alperovitch says he knows of one Fortune 500 customer in the hospitality business that spends a mere $11 million annually to defend itself, and he is convinced that it’s among the most secure he has ever seen.

At that particular concern, the chair of the board gave his cell phone number to the company’s chief information security officer and included a message: “Call me anytime, day and night, if anyone says no to you.”

As Alperovitch puts it: “At that organization, no one tells him no.”

A version of this article appears in the August 2019 issue of Fortune with the headline “The Corporate Fortress.”