Naked Security

Counterterrorism expert wants to arm US companies with hack-back capabilities

Deputizing for-profit companies to give out cyberwarrants and trusting that they have the capability to even determine the source of a cyberattack: Bad idea, good idea?

We should arm companies with cyber weaponry so they can strike back against hackers, says Juan Zarate, a former US deputy national security advisor for counterterrorism.

Zarate, an advisor to the administration of President George W. Bush, believes that the government should “deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation’s businesses,” as IT World reports.

Speaking on Monday at a forum on economic and cyberespionage hosted by a think tank called the Hudson Institute, Zarate said that since many businesses have limited options for defending their networks, the country should start developing “aggressive” means to discourage cyberattacks, or what he referred to as “tailored hack-back capabilities”.

These would take the form of “cyberwarrants,” he said, that would grant private companies license to…

protect its system, to go and destroy data that's been stolen or maybe even something more aggressive.

Our attack surface grows ever larger with more and more internet-connected devices, Zarate said.

Meanwhile, there’s a growing gap between the billions of dollars that businesses pour into cyberdefense vs. attacks that are developed on a shoestring, he said.

Focusing on vulnerability mitigation has been a “fool’s errand,” he said:

Economically, we've responded in the worst possible way. We've sunk billions of dollars of our budget into the least probable method of success. We are bleeding ourselves dry with our response.

Not everybody agreed that businesses would come out ahead if they turned from a defensive game plan to an offensive one in which they detect threats and “hack back.”

Mike Rogers, a former Republican congressman from Michigan and former FBI agent who was also a speaker at the event, said that, given the many attacks coming from other nations, many businesses would wind up in over their heads in an escalating conflict.

That’s a loser’s strategy, he said:

When you decide you're going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat.

Besides, not all companies are going to prove adept at tracking down the culprits behind an attack, he said:

Some can do it very, very well. Some don't have a clue of how to do it, but that wouldn't stop them from [responding] anyway. How do you contain that?

Indeed. How exactly would companies fight back, anyway, and what are these “aggressive” means?

Once offense becomes the best defence, why not just retaliate first?

And if it’s OK for private companies to go on the offensive, what adversary won’t believe that companies who strike back, no matter how honourable or dishonourable their cause may be, are modern-day East India Companies acting as proxies for the government?

Countries like the US are still embroiled in controversy over real, bona fide intelligence agencies having overstepped their surveillance activities. Many of us don’t even trust our own government, post-Snowden, let alone companies acting at arm’s length with its blessing.

Whilst there’s still so much work to do getting basic security in order and attitudes to user privacy straightened out, let’s keep this Pandora’s box closed.


Image of hacking courtesy of Shutterstock.com.

15 Comments

Is it April Fool’s day – or do some people really believe that if you acquire a sheriff’s star you “are the law” and can do what you like?

Cyber shoot-outs on the Internet Super-highway?

This is great… except it is typical of government stupidity. By the time you get permission or contact the company to counter-attack, it’s gone or changed… I’m a Vietnam vet… we take fire from a village… we took out the village immediately… no more fire from the village… unlike today, where you have to ask to fire back, which might take hours… and by the time you get permission the threat is gone… the counter-attack has to take place instantaneously and fry the source NOW, as in milliseconds after the hacking… not days later when it’s too late.

When cyber-inept companies are their own internet SWAT team, a new game will emerge. Hack a company while forging your attribution to their rival. As soon as the automated systems begin firing away at company B, which will automatically return fire, you back away and watch.

Laws are different in the cyber world and it is still the “wild west.” In the physical world, we have law enforcement which society expects to enforce such laws. In tandem, for corporate self-preservation, armed security may be hired to protect the business property where law enforcement doesn’t have the manpower to support.

The government doesn’t (or shouldn’t in some cases) have access to the internal networks of businesses. So let the company protect its assets.

If corporate entities can hire physical security, why shouldn’t they be able to hire a team of cyber security that are “armed” to counter such threats? It will provide many benefits to society, some of which include more technical jobs (boost in economy just there alone), protection of proprietary data, and most importantly the protection of the consumer’s privacy.

Rogers says it’s a loser’s strategy. I disagree. Many militaries throughout the world have produced effective results using small teams in combat. Even with these small teams, there was constant, effective communication with a higher headquarters. If these cyber security teams were designed with the structure reporting to a centralized authority, the corporations could further assemble a coordinated counter assault using the support of other such teams in a flanking (I use flank since they will remain outside the corporate network) maneuver.

At the same time, I’m not saying let Big Brother in. More like Blackwater.

Heck yeah! What’s wrong w/ a cyber shoot-out? It’s ‘victim-less’ according to a lot of law makers. Heck, it’s already like the wild west out there, and none of the multi-nation organizations seem to give a rat’s hiney. These ig’nant law makers have no g-d clue what admins go through, and they certainly don’t do jack to reduce the advantages of the attackers. Yep, it’s definitely time for a little ‘vigilante justice’… if nation leaders don’t want to do something about it, we should.

It’s blatantly obvious that law makers do not care about the resources companies are losing to the lawlessness on the internet. Despite companies spending loads of money, all the advantage is still on the attackers. And despite the technical advantages, there are no legal deterrents. Yes, it is the equivalent of the wild west, and back then sometimes armed vigilantes needed to rise up and put a stop to the harm being done. Companies and people are tired of being victims and law enforcement should have seen this coming…

The words “it’s blatantly obvious” almost always attract my attention, and not just because of the pleonasm. (Something that is blatant is obvious by definition.)

And in this case… I think you are being more than just a bit harsh on law enforcement. You should start listening to the Chet Chat podcast. We’ve had “Crime and Punishment” sections regularly *and* frequently of late, where we talk about busts, convictions and sentencing for cybercrimes – especially when complex, multi-jurisdictional operations are concerned.

https://nakedsecurity.sophos.com/?s=sscc

Why don’t we let businesses/organizations report the cyber attack incident(s) to a governmental agency/body that, within well-established guidelines, decides what action to take and sees to it? It would be sort of like a cyber FBI.

By the time the business reports it and the governmental agency responds, the attack will either be already over or knee deep in data. Relying on human intervention to third parties is no better than what is in place now.

As if we didn’t already have enough over-funded, ever-growing, ineffective governmental bureaucracies that mainly serve to further their own existence!

Given the use of botnets comprised of enterprise servers to launch malicious attacks, especially DDoS attacks, automated hack-backs lacking forensic investigation are going to create havoc. You can blame the companies owning the zombie server, but that will flow downhill to the sysadmins.

This sort of “gung-ho” attitude doesn’t surprise me at all. But as the ex-FBI guy mentions, companies could wind up in over their heads.

We still have to remember that many companies, especially those who have sales fronts, rely solely on the web, and an escalation of a battle of wills could easily end up with sites taken down via DDoS retaliation.

Then of course there’s the cost of upgrading hardware as necessary, and no doubt larger IT departments would end up having staff who work on just this.

Ultimately, just like guns in the US, it would lead in my opinion to an escalation, in this case of cyber hostility, costing companies more and more money. As let’s face it, if an attacker has that amount of gall in the first place, is it likely he/she would easily give up, or perhaps see it as a challenge?

As much fun as this sounds, it is also the most naive comment I have ever heard come from anybody in the security industry ever. It seems pointless to even highlight the many, many scenarios where this would make matters worse.
