IDG's Network World Special Report:
Counterattack: Vigilante Companies Strike Back at Hackers
When you detect a hacker assaulting your network, do you launch a counter attack? Many corporate vigilantes are doing just that, sometimes with military efficiency and intensity, and raising troubling policy and legal questions.
FRAMINGHAM, Mass., January 12, 1999 - A new breed of corporate vigilantes is emerging in the war to fight hackers, according to a Special Report in this week's edition of Network World, the nation's leading newsweekly for enterprise network computing. These new vigilantes are not simply protecting their corporate networks from hackers, they are striking back with methods ranging from sending nasty E-mail messages warning of prosecution to physical violence with baseball bats.
Vigilantism is growing because of increasing frustration with law enforcement officials viewed as simply not up to snuff, said Winn Schwartau, a popular author, security expert and author of the Network World report. Schwartau also recently released a survey on corporate vigilantism (http://www.infowar.com/NEW_IWC/breaking/vigsurvey/break_011299a_j.shtml).
"A surprising number of executives are saying that they may be left no choice but to take the law into their own hands," said Schwartau, chief operating officer of The Security Experts, a global security consulting firm, and president of Infowar.com. "The question really is: when law enforcement isn't up to the task; when cops refuse to cooperate or assist victims of computer crime; when the technical skills of the attacker and the victim are superior to the police: what is a company supposed to do? Can they, or should they, take the law into their own hands to protect themselves?"
Some clearly are.
A senior security manager at one of the nation's largest financial institutions, Lou Cipher (a pseudonym), told Network World that law enforcement can't be trusted to thwart hacker attacks, so he and his colleagues are on their own and will protect themselves.
Cipher told Network World that his group has management approval to do "whatever it takes" to protect his firm's corporate network. "We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?'" Cipher said in the article. On one occasion, he continued, "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone. We have the right to self-help and yes, it's vigilantism. We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves."
Schwartau interviewed dozens of companies for the Network World report, and although many said they are seriously considering implementing "strike-back" capabilities, most would not confirm that the measures are already in place.
"I'm sure most companies would rather be sticking to their knitting and taking care of business rather than becoming vigilantes in the fight against hackers," said Paul Desmond, features editor at Network World. "So to me this story illustrates that law enforcement needs to dedicate far more resources to fighting cybercrime, in keeping with the growth of technology in the economy overall. For user organizations, it's a Catch-22: do you risk the business or risk getting caught trying to protect the business?"
Companies are using many tactics to fight hackers, ranging from legally collecting data to identify hackers and then writing nasty E-mail messages warning of prosecution, to illegally sending hostile Java applets and using tools to crash the offending hackers' browsers. Network World found two cases of even more aggressive vigilantism, where physical violence was used.
"Offensive information warfare is not a good thing, period," Joseph Broghamer, information assurance lead for the U.S. Navy's Office of the Chief Information Officer, told Network World. "You want to block, not punish. There is no technical reason to react offensively to a hacker attack." And law enforcement officials (at least publicly, anyway) go further: "If companies take any of these proactive defensive steps, they are taking a big chance, subject to criminal prosecution," Lt. Chris Malinowski of the New York Police Department told Network World. When not speaking for attribution, however, law enforcement officials say they can't handle the problem of hackers, according to Schwartau.
"Vigilantism really all comes down to a lack of national policy to recognize the threat," said Schwartau. "We've been telling Congress and lawmakers since 1990, and most of them still don't get it. Law enforcement is so far behind the curve, I wonder if they will ever catch up. Good luck to us all."
About Network World
Network World (http://www.nwfusion.com) is the nation's only newsweekly shaping the future of network computing in the enterprise. Through its publishing, education and online products and services, Network World empowers Network IS professionals with the knowledge to deliver the open applications and infrastructure required to meet their evolving business needs.
About International Data Group
Network World, Inc., is a division of IDG, the world's leading IT media, research and exposition company. IDG publishes more than 290 computer magazines and newspapers and 700 book titles and offers online users the largest network of technology-specific sites around the world through IDG.net (http://www.idgnet.com), which comprises more than 225 targeted Web sites in 55 countries. IDG is also a leading producer of 168 computer-related expositions worldwide, and provides IT market analysis through 49 offices in 41 countries worldwide. Company information is available at http://www.idgcorporate.com.
Network World and Network World Fusion are trademarks of International Data Group.
About The Tolly Group
The Tolly Group, based in Manasquan, NJ, is recognized worldwide for its expertise in assessing leading-edge technologies. For more information on The Tolly Group's services, visit its web site at http://www.tolly.com, email firstname.lastname@example.org, call 800-933-1699/732-528-3300, or fax.