Counterterrorism expert wants to arm US companies with hack-back capabilities

We should arm companies with cyber weaponry so they can strike back against hackers says Juan Zarate, a former US deputy national security advisor for counterterrorism.

Zarate, an advisor to the administration of President George W. Bush, believes that the government should “deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation’s businesses,” as IT World reports.

Speaking on Monday at a forum on economic and cyberespionage hosted by a think tank called the Hudson Institute, Zarate said that since many businesses have limited options for defending their networks, the country should start developing “aggressive” means to discourage cyberattacks, or what he referred to as “tailored hack-back capabilities”.

These would take the form of “cyberwarrants,” he said, that would grant private companies license to…

protect its system, to go and destroy data that's been stolen or maybe even something more aggressive.

Our attack surface grows ever larger with more and more internet-connected devices, Zarate said.

Meanwhile, there’s a growing gap between the billions of dollars that businesses pour into cyberdefense vs. attacks that are developed on a shoestring, he said.

Focusing on vulnerability mitigation has been a “fool’s errand,” he said:

Economically, we've responded in the worst possible way. We've sunk billions of dollars of our budget into the least probable method of success. We are bleeding ourselves dry with our response.

Not everybody agreed that businesses would fare well if they turned from a defensive game plan to an offensive one in which they detect threats and “hack back.”

Mike Rogers, a former Republican congressman from Michigan and former FBI agent who was also a speaker at the event, said that, given the many attacks coming from other nations, many businesses would wind up in over their heads in an escalating conflict.

That’s a loser’s strategy, he said:

When you decide you're going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat.

Besides, not all companies are going to prove adept at tracking down the culprits behind an attack, he said:

Some can do it very, very well. Some don't have a clue of how to do it, but that wouldn't stop them from [responding] anyway. How do you contain that?

Indeed. How exactly would companies fight back, anyway, and what are these “aggressive” means?

Once offense becomes the best defence, why not just retaliate first?

And if it’s OK for private companies to go on the offensive, what adversary won’t conclude that companies who strike back, no matter how honourable or dishonourable their cause may be, are modern-day East India Companies acting as proxies for the government?

Countries like the US are still embroiled in controversy over real, bona fide intelligence agencies having overstepped their surveillance activities. Many of us don’t even trust our own government, post-Snowden, let alone companies acting at arm’s length with its blessing.

Whilst there’s still so much work to do getting basic security in order and attitudes to user privacy straightened out, let’s keep this Pandora’s box closed.
