Is a good offense? If you or your company has been a victim of cyber-crime, I am sure you have had fantasies about back-hacking the perpetrators back to the stone age. Or having some sort of magic button phone app that would do the same thing.
Currently, the bad guys are running the offense, 24/7/365. The good guys are limited to defense only. There is a third option. In military terms, it is called a counter-offensive. Basically, after you are done taking a pounding as a defender, you amass your forces, and attack. In the world of cybersecurity, starting a counter-offensive is currently illegal. The question is: should it be legal under certain circumstances?
I just finished reading two great articles about the movement in cybersecurity from a purely defensive posture, to one that has elements of the counter-offensive in them. The first is a new article from TechRepublic titled “Can deterrence counter the threat of cyberweapons?” The other is a post from the Infosec Institute published in 2013 titled ” The Offensive Approach to Cyber Security in Government and Private Industry.”
In the first article, Dorothy Denning recommends a posture of deterrence. We are familiar with deterrence in the form of “mutually assured destruction.” It is the major deterrent to nuclear war. Dorothy suggests ways that we can create a deterrent environment for cyber-attackers, by making it too costly to continue an attack, or by providing serious penalties that would server to discourage attack.
The second article looks at the issue confronting governments and private industry if we were to develop a policy of permitting counter-attacks in certain situations. To be sure, the US government and many others do in fact have offensive cybersecurity groups such as the US Cyber Command. Extending this counter-attack capability to private businesses has not happened to a large extent, although the Japanese appear to be in the forefront of this effort.
Some of the issues that are being considered:
- If a company loses some data to a breach, should they have the right to break into the attacker’s computer to recover the data or destroy it so the attackers cannot use it or sell it?
- Should it be legal to use spearphishing and malware against suspected perpetrators to track their activity and discover their location?
- What about using software tools to back trace a connection through an anonymizing service such as TOR?
To be sure, some of these tools probably exist and are being used by agencies such as the NSA. Perhaps similar tools are also being used by private security firms to aid their clients in discovery of the attack, recovery of the stolen information, and pinpointing the location of the cyber-attacker.
This is certainly an interesting subject, and one we are likely to hear more about.
- Dorthy Denning – Cybersecurity’s next phase:Cyber-deterrence
- TechRepublic – Can deterrence counter the threat of cyberweapons?
- Infosec Institute – The Offensive Approach to Cyber Security in Government and Private Industry