Cyber-attacks against companies, organizations and governments have hit an unprecedented high. The ease with which hackers can launch multiple attacks has also increased. Hacking has become big business with nation-states, terrorist groups, organized crime and others capitalizing on the theft of information (trade secrets, technology, intellectual property, others) and disrupting businesses they are in competition with. Are the current defenses working? Unless you live in a shoe box you realize, especially based on daily news reports, that the cyber war appears to be one the good guys are losing.
A change is needed because the problem has gotten out of hand. Current laws hinder organizations from defending themselves while at the same time facilitating the efforts of hackers. So, rather than jumping to the conclusion that any action to defend your organization beyond the currently accepted techniques is illegal, a discussion needs to be started and moved forward about better and more effective options. It appears it has.
In a recent Washington Post article[1] the issue of defending outside of one’s network and possibly entering the server of another, active defense, was raised. Again the knee jerk reaction is that it’s illegal, but the conversation continued.Â
“[It is] important to enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who’s penetrating their systems and to take more aggressive action to defend themselves,  said Steven Chabinsky, a 17-year FBI veteran who stepped down this month as the FBI’s top cyber lawyer.   The article continued with Stewart A. Baker, a former senior Homeland Security Department official stating, “The issue . . . is that entering another party’s server and deleting or encrypting data could, under some circumstances, violate a number of state and federal laws — including those against computer fraud or trespassing.â€Â “But, he said, there is a legal argument to be made that such an action is a reasonable defense of one’s property. Though common in other contexts, that defense has yet to be tested in the cyber area in court.â€
Top officials and leaders in this area predict growth as companies decide enough is enough. “Former CIA director Michael V. Hayden has said that given the limits of the government in protecting companies in cyberspace, he expects to see the emergence of a “digital Blackwater,†or firms that hire themselves out to strike back at online intruders.â€
I agree, this is exactly where we are headed and the discussion must go further. Based on current laws, technology and state of affairs there is much more companies and organizations can do to defend themselves. I am not advocating vigilantism, but a military-like operation that helps leaders of organizations walk through possible tools and techniques while evaluating risk, liability and legal issues every step of the way in an effort defend their most precious assets.
That is why Davi and I will be presenting at several upcoming conferences, including ISSA and RSA, a practical and legal approach to Active Defense. I look forward to seeing you there.
[1] Nakashima, Ellen, “Cybersecurity should be more active, official says,†The Washington Post – National Security (September 16, 2012)
This is William Gibson’s ICE (Intrusion Countermeasure Electronics) discussion emerging as themed in his Neuromancer Sci-Fi novel from 1984. However, note that Gibson distinguishes between ICE and Black ICE, where the latter actively seeks to destroy or incapacitate the offending intruder. ICE measures may merely reduce offending systems’ functionality until they remove the malware they are trying to spread.