Should best cybercrime defense include some offense?

Security experts warn 'active defense' or 'strike-back' tech could escalate battle between hackers and companies, however

A growing number of U.S. companies have concluded that in their battle against hackers, the best defense has to include some offense.

Corporate cybercrime costs skyrocket

It is known in the industry as "active defense" or "strike-back" technology, and Reuters' Joseph Men says that can range from "modest steps to distract and delay a hacker to more controversial measures," like hiring a contractor to hack the hacker -- something that could violate the laws of the U.S. or other countries.

Shawn Henry, former head of cybercrime investigations at the FBI who recently cofounded a new cybersecurity company CrowdStrike to help companies respond to, as well as defend against, hackers, told Menn: "Not only do we put out the fire, but we also look for the arsonist."

This, say some experts, is a bad idea that amounts to vigilante justice, and will just lead to an escalating battle between hackers and companies that the hackers are sure to win. John Pescatore, formerly with the National Security Agency and Secret Service, who now leads research firm Gartner's Internet security practice, told Reuters, "There is no business case for it and no possible positive outcome."

At least one famous example from about 18 months ago was security consultant HBGary Federal. CEO Aaron Barr said he had identified leaders of the hactivist group Anonymous and would sell their names to clients including the FBI. In response, Anonymous hacked HBGary, and posted more than 50,000 of its private emails. Barr resigned about a month later, at the end of February.

Still, there are some supporters of "strike back." Dr. Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made what he called the "stand-your-cyberground" argument April 30 in The Atlantic.

While the focus of that article was the U.S. government being too constrained by international law to lead cyberdefense against foreign attacks, Lin told CSO at the time that self-defense is a basic right, authorized by the Second Amendment. He said it helped deter outlaws during the "Wild West" era. During modern times, commercial ships under attack from pirates are allowed to shoot and kill them, and bank security guards are allowed to shoot robbers, he said.

The same principle applies here, Lin said this week. While he agrees that escalation is a possibility, there would also be, "the deterrent to others to not cyberattack a company that could plausibly respond in kind," he said.

"It's also reasonable to think that failing to respond to a cyberattack is an incentive for hackers to continue, if not escalate, their activities. This is a reason why bad neighborhoods tend to get worse -- they can, given the absence of reliable law enforcement or self-defense.

"I don't see how doing nothing will de-escalate a situation like this," Lin said. "A hacker is not like the angry drunk who will eventually run out of steam and pass out or sober up. If cyberattacks are still profitable, then they will continue or increase."

However, Rebecca Herold, an information security, privacy and compliance consultant who goes by the name "The Privacy Professor," stands with those who say the best defense is simply better defense. Layered security, she said, will make it difficult enough for hackers to look elsewhere.

There could be multiple unintended consequences of retaliation, she said. "Becoming what I call a boomerang cyber-attacker in response to being attacked could end up doing your own systems, your data and reputation harm, not to mention innocent victim systems," she said. "The bad guys, if they're smart, will lead you to other networks, not their own."

Herold said businesses focused on getting revenge on hackers "end up taking resources away from important business activities, and will likely leave gaps in security elsewhere."

"Plus, networks are now so complex, and consist of so many components, that a lot can go terribly wrong if an organization starts trying to have automated defensive cyber attacks on attackers," she said. "Many would likely end up being the Barney Fife of the cyberworld, shooting themselves in their own cyber foot and having their digital bullets taken away by regulatory oversight agencies after bad things have happened."

Herold said also that counterattacks wouldn't deter hackers. "If hackers know you will counterattack, that would likely attract more harmful types of hackers who are looking for the thrill of a conquest and subsequent bragging rights," she said.

Patrick Lin still argues that weakness is more of an invitation to hackers than a show of strength. "Perhaps some hackers will take [a counterattack] as a challenge, but they're not so much the rational adversary, who is motivated by profit," he said. "Just as some hackers and muggers may strike back harder if the victim resists or fights back, this minority group shouldn't drive policy that's otherwise reasonable and potentially more helpful than not."

In the case of modern-day pirates, Lin argues that allowing commercial ships to countrerattack has not caused an escalation of conflict, "and it's hard to see why it would."

"Why shouldn't ships be able to defend themselves against pirates?" Lin said.

He agrees that letting law enforcement handle crime is best. "But in the case of cyber, there is no reliable law enforcement, and there isn't even an 'authority' we can appeal to," since there is a continuing debate in Congress over whether the Department of Defense or Department of Homeland Security should oversee cybersecurity laws.

Cyberattacks on industry amount to "a potential powder keg, and something is going to happen if government doesn't intervene and establish law," Lin said.

This story, "Should best cybercrime defense include some offense?" was originally published by CSO.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.