Private retaliation in cyberspace a 'remarkably bad idea'

The best strategy to protect corporate jewels from cyber thieves is to build a strong defense, security experts say

Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S. companies should not be allowed to fight back on their own, security experts say.

Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing American companies to retaliatory strikes.

"This is a remarkably bad idea," said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."

In commentary released by the CSIS this week, he said, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging."

Lewis was responding to a Commission on the Theft of American Intellectual Property report last week that floated the idea of letting private companies retaliate against cyberthieves as a means of curbing IP theft.

The commission, co-chaired by Dennis Blair, former U.S. director of National Intelligence, and Jon Huntsman, former U.S. ambassador to China, contends that current laws and trade agreements have failed to curb IP theft by state-sponsored cyber groups, so U.S. companies should be allowed to respond on their own.

The report made clear that at some point in the future, companies should have the option of disabling or destroying hacker networks, or planting malware on them.

Lewis dismissed all such suggestions as bad ideas.

The U.S., he said, is currently trying to get countries to agree that longstanding international laws should be extended to include cyberspace. For instance, the U.S. has been working to build consensus around the notion that governments are responsible for the actions of their citizens.

Lewis noted that the U.S. government is a leading backer of the Budapest Convention on Cybercrime, which prohibits private retaliation in cyberspace. Under the convention, a victim of a retaliatory attack could bring suit against a U.S. company in American courts, or seek extradition of those responsible for such attacks.

Private retaliation would undercut U.S. efforts to get China, Russia and other countries to hold their citizens accountable for cyberattacks against U.S. companies, Lewis said.

Any U.S. refusal to cooperate with a Chinese request for help investigating a retaliatory attack, for instance, could prompt China to refuse to cooperate with the U.S. on cybersecurity issues, he said.

"In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win," Lewis said.

Retaliatory attacks launched by companies without strong technology skills or judgment could lead to considerable collateral damage, he said.

"A nation has sovereign privileges in the use of force. Companies do not," argued Lewis, who chaired a committee that developed a set of cybersecurity recommendations for President Barack Obama during his first term.

Companies should focus more on shoring up their defenses, rather than on retaliation, said John Pescatore, director of emerging security trends at the SANS Institute. "The idea has no business or security merit, which is why even though it comes up every five years or so, it never gets adopted."

At the end of the day, a company that cannot adequately defend itself is hardly likely to be in a position to launch an effective counterattack, he said.

"Think about it. If you can't protect yourself in the first place, putting your resources towards retaliation means less resources on protection -- and more attacks against you. Not a smart mix," Pescatore said.

Richard Stiennon, principal at security consultancy IT-Harvest, agreed that companies should avoid the temptation to take on cyberattackers directly. "The realm of cybercrime and cyber espionage is already a free-for-all. Adding well-meaning but easily misguided corporate efforts would be a disaster," Stiennon said.

"It is frustrating that there are no cyber police you can call when you are attacked," he noted. The best that a company can do is to quickly determine the nature of an attack, the likely source, and the likely data target. Then, it must take steps to enhance its own security.

"Take an attack as a penetration test you did not have to pay for. Learn from it and grow your defenses," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is
