Should best cybercrime defense include some offense?

A growing number of U.S. companies have concluded that in their battle against hackers, the best defense has to include some offense.

It is known in the industry as "active defense" or "strike-back" technology, and Reuters' Joseph Menn says it can range from "modest steps to distract and delay a hacker to more controversial measures," like hiring a contractor to hack the hacker -- something that could violate the laws of the U.S. or other countries.

Shawn Henry, former head of cybercrime investigations at the FBI, who recently cofounded the cybersecurity company CrowdStrike to help companies respond to hackers as well as defend against them, told Menn: "Not only do we put out the fire, but we also look for the arsonist."

This, say some experts, is a bad idea that amounts to vigilante justice, and will just lead to an escalating battle between hackers and companies that the hackers are sure to win. John Pescatore, formerly with the National Security Agency and Secret Service, who now leads research firm Gartner's Internet security practice, told Reuters, "There is no business case for it and no possible positive outcome."

One well-known cautionary example, from about 18 months ago, is the security consultancy HBGary Federal. Its CEO, Aaron Barr, said he had identified leaders of the hacktivist group Anonymous and would sell their names to clients including the FBI. In response, Anonymous hacked HBGary and posted more than 50,000 of its private emails. Barr resigned about a month later, at the end of February.

Still, there are some supporters of "strike back." Dr. Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made what he called the "stand-your-cyberground" argument April 30 in The Atlantic.

While the focus of that article was the U.S. government being too constrained by international law to lead cyberdefense against foreign attacks, Lin told CSO at the time that self-defense is a basic right, authorized by the Second Amendment. He said it helped deter outlaws during the "Wild West" era. In modern times, commercial ships under attack from pirates are allowed to shoot and kill them, and bank security guards are allowed to shoot robbers, he said.

The same principle applies here, Lin said this week. While he agrees that escalation is a possibility, there would also be "the deterrent to others to not cyberattack a company that could plausibly respond in kind," he said.

"It's also reasonable to think that failing to respond to a cyberattack is an incentive for hackers to continue, if not escalate, their activities. This is a reason why bad neighborhoods tend to get worse -- they can, given the absence of reliable law enforcement or self-defense.

"I don't see how doing nothing will de-escalate a situation like this," Lin said. "A hacker is not like the angry drunk who will eventually run out of steam and pass out or sober up. If cyberattacks are still profitable, then they will continue or increase."

However, Rebecca Herold, an information security, privacy and compliance consultant who goes by the name "The Privacy Professor," stands with those who say the best defense is simply better defense. Layered security, she said, will make it difficult enough for hackers to look elsewhere.

There could be multiple unintended consequences of retaliation, she said. "Becoming what I call a boomerang cyber-attacker in response to being attacked could end up doing your own systems, your data and reputation harm, not to mention innocent victim systems," she said. "The bad guys, if they're smart, will lead you to other networks, not their own."

Herold said businesses focused on getting revenge on hackers "end up taking resources away from important business activities, and will likely leave gaps in security elsewhere."

"Plus, networks are now so complex, and consist of so many components, that a lot can go terribly wrong if an organization starts trying to have automated defensive cyber attacks on attackers," she said. "Many would likely end up being the Barney Fife of the cyberworld, shooting themselves in their own cyber foot and having their digital bullets taken away by regulatory oversight agencies after bad things have happened."

Herold said also that counterattacks wouldn't deter hackers. "If hackers know you will counterattack, that would likely attract more harmful types of hackers who are looking for the thrill of a conquest and subsequent bragging rights," she said.

Patrick Lin still argues that weakness is more of an invitation to hackers than a show of strength. "Perhaps some hackers will take [a counterattack] as a challenge, but they're not so much the rational adversary, who is motivated by profit," he said. "Just as some hackers and muggers may strike back harder if the victim resists or fights back, this minority group shouldn't drive policy that's otherwise reasonable and potentially more helpful than not."

In the case of modern-day pirates, Lin argues that allowing commercial ships to counterattack has not caused an escalation of conflict, "and it's hard to see why it would."

"Why shouldn't ships be able to defend themselves against pirates?" Lin said.

He agrees that letting law enforcement handle crime is best. "But in the case of cyber, there is no reliable law enforcement, and there isn't even an 'authority' we can appeal to," since there is a continuing debate in Congress over whether the Department of Defense or Department of Homeland Security should oversee cybersecurity laws.

Cyberattacks on industry amount to "a potential powder keg, and something is going to happen if government doesn't intervene and establish law," Lin said.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Stories by Taylor Armerding