A growing number of U.S. companies have concluded that in their battle against hackers, the best defense has to include some offense.
It is known in the industry as "active defense" or "strike-back" technology, and Reuters' Joseph Men says that can range from "modest steps to distract and delay a hacker to more controversial measures," like hiring a contractor to hack the hacker -- something that could violate the laws of the U.S. or other countries.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Shawn Henry, former head of cybercrime investigations at the FBI who recently cofounded a new cyber security company CrowdStrike to help companies respond to, as well as defend against, hackers, told Menn: "Not only do we put out the fire, but we also look for the arsonist."
This, say some experts, is a bad idea that amounts to vigilante justice, and will just lead to an escalating battle between hackers and companies that the hackers are sure to win. John Pescatore, formerly with the National Security Agency and Secret Service, who now leads research firm Gartner's Internet security practice, told Reuters, "There is no business case for it and no possible positive outcome."
At least one famous example from about 18 months ago was security consultant HBGary Federal. CEO Aaron Barr said he had identified leaders of the hactivist group Anonymous and would sell their names to clients including the FBI. In response, Anonymous hacked HBGary, and posted more than 50,000 of its private emails. Barr resigned about a month later, at the end of February.
Still, there are some supporters of "strike back." Dr. Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made what he called the "stand-your-cyber ground" argument April 30 in The Atlantic.
While the focus of that article was the U.S. government being too constrained by international law to lead cyber defense against foreign attacks, Lin told CSO at the time that self-defense is a basic right, authorized by the Second Amendment. He said it helped deter outlaws during the "Wild West" era. During modern times, commercial ships under attack from pirates are allowed to shoot and kill the hijackers, and bank security guards are allowed to shoot robbers, he said.
The same principle applies here, Lin said this week. While he agrees that escalation is a possibility, there would also be, "the deterrent to others to not cyber attack a company that could plausibly respond in kind," he said.
"It's also reasonable to think that failing to respond to a cyber attack is an incentive for hackers to continue, if not escalate, their activities. This is a reason why bad neighborhoods tend to get worse -- they can, given the absence of reliable law enforcement or self-defense.
"I don't see how doing nothing will de-escalate a situation like this," Lin said. "A hacker is not like the angry drunk who will eventually run out of steam and pass out or sober up. If cyber attacks are still profitable, then they will continue or increase."
