Does Best Cybercrime Defense Include Some Offense?

Taylor Armerding June 21, 2012
Security experts warn 'active defense' or 'strike-back' tech could escalate battle between hackers and companies, however.

A growing number of U.S. companies have concluded that in their battle against hackers, the best defense has to include some offense.

It is known in the industry as "active defense" or "strike-back" technology, and Reuters' Joseph Menn says it can range from "modest steps to distract and delay a hacker to more controversial measures," like hiring a contractor to hack the hacker -- something that could violate the laws of the U.S. or other countries.

Shawn Henry, the former head of cybercrime investigations at the FBI, who recently cofounded a new cybersecurity company, CrowdStrike, to help companies respond to, as well as defend against, hackers, told Menn: "Not only do we put out the fire, but we also look for the arsonist."

This, say some experts, is a bad idea that amounts to vigilante justice, and will just lead to an escalating battle between hackers and companies that the hackers are sure to win. John Pescatore, formerly with the National Security Agency and Secret Service, who now leads research firm Gartner's Internet security practice, told Reuters, "There is no business case for it and no possible positive outcome."

At least one famous example, from about 18 months ago, involved security consultant HBGary Federal. CEO Aaron Barr said he had identified leaders of the hacktivist group Anonymous and would sell their names to clients including the FBI. In response, Anonymous hacked HBGary and posted more than 50,000 of its private emails. Barr resigned about a month later, at the end of February.

Still, there are some supporters of "strike back." Dr. Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made what he called the "stand-your-cyberground" argument April 30 in The Atlantic.

While the focus of that article was the U.S. government being too constrained by international law to lead cyberdefense against foreign attacks, Lin told CSO at the time that self-defense is a basic right, authorized by the Second Amendment. He said it helped deter outlaws during the "Wild West" era. During modern times, commercial ships under attack from pirates are allowed to shoot and kill them, and bank security guards are allowed to shoot robbers, he said. 

The same principle applies here, Lin said this week. While he agrees that escalation is a possibility, there would also be, "the deterrent to others to not cyberattack a company that could plausibly respond in kind," he said.

"It's also reasonable to think that failing to respond to a cyberattack is an incentive for hackers to continue, if not escalate, their activities. This is a reason why bad neighborhoods tend to get worse -- they can, given the absence of reliable law enforcement or self-defense.