I have written several times in the past here, here and here about the notion of taking cyber security on the offensive
James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.
Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.
For example, Anderson says some activities that might be considered retaliatory are:
- legal information gathering to identify attackers,
- direct blocking of network traffic from specific origins,
- use of transaction identifiers that label the traffic as suspicious,
- placement of honeypots,
- identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
- certain types of deception gambits against suspected internal malefactors.
This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction – a) retaliation and using cyber security methods to attack the attackers.
The notion that there are two separate universes, a physical universe and a cyber universe is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means use counter terror techniques to discover hacker cells, infiltrate and disrupt them in the physical world. The problem of course is the price tag. It’s cheap to mount a cyber attack but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.
Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.
Retaliation in cyber space is too late, too little. Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.
