Best defense against cyberattacks is good offense, says former DHS official

To prevail in the cybersecurity war, defense is not enough.

That has been the mantra of former Department of Homeland Security (DHS) official Stewart Baker for some time. But he will now be taking that message to Congress.

Baker, who was first assistant secretary for policy at DHS under President George W. Bush and is now a partner at the Washington D.C. law firm Steptoe & Johnson, wrote in the Steptoe Cyberblog last week that he will soon testify before the House Homeland Security Committee on cybersecurity.

"Probably the most important point I'll be making is a simple one," he wrote. "We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds."

"The obvious alternative is to identify the attackers and punish them," he wrote.

This has been Baker's theme. This past June, in an article titled "Taking the offense to defend networks," he noted that an increasing number of U.S. companies are retaliating against attacks with so-called "active defense" or "strike-back" technology, including dubious legal measures like "hiring contractors to hack the assailant's own systems."

That's because "current defenses have failed against a cadre of state-sponsored attackers ...," he wrote.

But is that really feasible, in an environment where attackers can cover their tracks by moving from server to server and country to country in virtual space? Is it legal for a private enterprise, even if it is responding to an attack, to enter another party's server without authorization and then delete or encrypt data?

Baker acknowledged that some counterattacks by enterprises could violate some state and federal laws, including those against computer fraud and trespassing.


But he said he believes there is a legitimate legal argument that taking such action would be a reasonable defense of one's property. He compared it to hiring a private investigator to find a kidnapped child, or sending out a posse to capture or kill a murderer. None of those, he said, amounts to vigilante justice.

And in his most recent blog post, he wrote that it is much more feasible now than in the past to track and identify attackers. It is unfortunate that some experts have given up on retribution because they believe attribution is too difficult, he said.

"Investigators no longer need to trace each hop the hackers take," he wrote. "Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers."

Some experts agree. Steven Chabinsky, a 17-year FBI veteran who until earlier this month was the agency's top cybersecurity lawyer, said Congress should focus more on deterrence than trying to eliminate vulnerabilities.

The Boston Globe reported that Chabinsky said he believes "laws should enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who is penetrating their systems and to take more aggressive action to defend themselves."

Former CIA director Michael Hayden has said it is no surprise, given the limited protection government provides in cyberspace, to see a "digital Blackwater," or firms that contract to retaliate against cyberattackers.

Joel Harding, a former military intelligence officer and information operations expert, said the Internet is "not as anonymous as it once was, and with new developing standards and sensors, it will be much more difficult to disguise one's identity."

"Being reactive only delays the inevitable," Harding said. "And corporations can be more nimble and flexible in their response. Sometimes the response is legal, often not."

But one thing is certain: Baker's testimony will not end the debate. For every expert who agrees, there is one who doesn't, including one of his own law partners, Michael Vatis, who was founding director of the National Infrastructure Protection Center at the FBI.

In a response to Baker on the same Steptoe Cyberblog, Vatis wrote that using "things like honeypots and deception within your own network seems perfectly legal, and unlikely to hurt any innocent bystanders. Things get dicey, though, when one talks about damaging a bad guy's computer."

Vatis is not nearly as optimistic as Baker about the ability to identify and track sophisticated attackers. He said the private sector would be able to identify only "low-grade attackers."

Even if a victim does identify an attacker, "there's still a very high chance of collateral damage to innocent bystanders. Attackers can hide behind, and launch their attacks from, innocent servers," Vatis wrote.

Jeremiah Grossman, founder and CTO of WhiteHat Security, said both government and the private sector "absolutely have not gotten better at identifying and tracking hackers. It's gotten harder. Particularly because if the bad guys know how to hide, they can."

Grossman agrees that defense against cyberattacks is not enough. "The concept that [Baker] is proposing has been a topic of discussion for some time in the security community but still has yet to be fully realized," he said. "This is how everyone already treats every other crime, such as those in the physical world, and we should try to do the same with the digital world, as the line between the two continues to blur."

Amir Orad, CEO of NICE Actimize, which specializes in financial crime, risk and compliance, said taking the offense is "valuable and should be part of your tool kit, but I don't think it will be very efficient. Who is the target? Who are you going to attack?"

Orad said it is important to define what is meant by offense. If it is simply to take down a bad guy's computer, "that will only slow down an attack by a few minutes," he said. While that has some value as a tactical move, it doesn't win the battle, he said. "I can hijack 10,000 computers and have them attack a Fortune 500 company."

Deterrence, he said, is better than defense. "Instead of blocking an attack, you make them not want to attack you," Orad said. "You make them turn to somebody less painful to attack."

That would take different forms for different enemies, he said. For organized crime, it would mean better coordination between the private and public sectors (something the various proposed cybersecurity bills in Congress had sought to address).

But so far, he said, many enterprises are loath to share information about attacks with the government, or even to say that they have been attacked.

Stewart Baker said some of that hesitancy is justified. "Complaining to the FBI and CCIPS (Computer Crime and Intellectual Property section of the Department of Justice) about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle," he wrote. "You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won't get is a serious investigation. There are just too many crimes that have a higher priority."

Orad said he agrees that government should be more aggressive in "patrolling" the nation's cyber borders. But that kind of monitoring immediately raises privacy and civil liberties concerns, which he agrees "is a very delicate balance."

But he said the alternative to being "proactive" is simply to wait for a call from a company that has already been attacked.

Orad said the key is to learn what will keep an adversary "from sleeping at night." In the case of a nation-state, it might be as simple as the public relations damage from exposing what it is doing.

Jeremiah Grossman promotes the concept of "Hack yourself first," or hiring hackers to expose vulnerabilities in your systems. "This is the same method Google, PayPal, Facebook, Mozilla, etc. used as part of their security program," he said. "For a few hundred to a few thousand dollars, you can take some serious vulnerabilities in your system off the market and avoid a damaging breach."

Stories by Taylor Armerding