Craig McDonald 27 January 2022 16:44:35 AEDT 7 MIN READ

Should private companies be allowed to hit back at the hackers?

There has been much discussion recently about the merits of private companies going on the offensive against cybercriminals. Some think it’s long overdue, while others fear a digital wild west, with cyber vigilantes running untethered. Current laws in the US largely limit companies to playing defence, since federal law prohibits intruding into someone else’s computer. However, some specialist cybersecurity firms say that they can pursue criminals without launching their own attacks. The question is though, should they?

Most cybercrimes in the US fall under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorised access to computer systems. The law effectively places offensive cybersecurity actions solely in the hands of the federal government.

However, with the rapid rise in cyber attacks impacting entities globally, the question arises as to whether, by the time the law effectively deals with cybercriminals, it is often already too late for the businesses affected. A case in point is a ransomware incident. When an organisation suffers one, it can cause severe business disruption and financial loss and bring operations to a halt, with the business often racing against time to decide on a ransom whilst tending to the dire collateral damage. Businesses are stuck with a dilemma: pay the ransom (with no guarantee of resolving the situation) or wait. Often, the attack has already caused significant damage by the time lawmakers come into the picture. It’s a complex issue, yet one that is relevant as we witness the rise of cyber attacks and the growing importance of cyber resilience. Some industry veterans, on the other hand, ponder “whether private-sector operators could reduce the collateral damage and political instability, and how interventions might disrupt law enforcement or military operations” (James Rundle, Wall Street Journal). Read more here: https://www.wsj.com/articles/cyber-private-eyes-go-after-hackers-without-counterattacking-11634549400?page=1&mod=djemCybersecruityPro&tpl=cy

My LinkedIn network consists of industry professionals and business leaders who are well-versed in cybersecurity, so I was curious to know their opinion on whether the private sphere should go on the offensive and strike back at the threat actors. Here are the results:


  • 33% of voters opted for a strong ‘No, leave it to the lawmakers’,
  • Nearly half (47%) took the tit-for-tat approach and voted ‘Yes, go offensive if you can’, and
  • 19% thought it was complicated and provided insightful reasons as to why, quoted below.

The results are quite interesting, perhaps reflecting the urgency with which private companies would seek to save their businesses, set against the warnings and penalties imposed by authorities urging them to let law enforcement and the relevant agencies do their job. It’s a multi-layered, complex issue indeed, and the comments below reveal the complicated nature of ‘hitting back at hackers’ with great insight and food for thought, with ethical and philosophical reasoning coming into play.

Here’s a brief selection of the comments:

“Well, I think we should flip this question and ask what happens in the physical world? Are companies allowed to hunt down criminals or do they have to follow due processes to report a crime and let the law enforcement do its job? At the same time, do companies hire security people and put in security systems to protect and reduce risk? Do they insure themselves against those risks? The answer you are looking for is in all of those questions”.

“100%. The way I see it is the audit risk model and reducing the audit risk by putting controls in place. Vigilante stuff can damage a brand and it’s not worth it. Being vengeful doesn’t pay off”.

“Mahatma Gandhi’s quote: “An eye for an eye will leave the whole world blind”. I hope you got my opinion that it should not be allowed”.

“The risk of causing collateral damage to others is very high since attackers often use compromised infrastructure of their victims to launch and amplify attacks. Attribution is hard enough for government agencies, so I do not trust that a manager of a business with a bruised ego will show the restraint required before demanding retribution against the wrong target”.

“I think it’s more complicated than just a strike back and doing so could create a lot of new dangers that we don’t even know yet. The attackers tend to have more motivation and resources than the defenders in the first place”.

“Only go offensive if hacking is your line of business. I.e., white hackers with government support and backing. However, some hackers may have more experience and research-based methods not known to the wider audience, so there is a chance that there would be ongoing repercussions. Many businesses don’t want to deviate from their principal line of business; it depends on how many attacks they have experienced”.

“Hackers typically use stolen systems anyway. Hacking back without damaging third-party systems as collateral is very hard. Instead of private companies going on the offensive against cybercriminals, maybe we should better train and pay our law enforcers. It’s their job. And vote in lawmakers”.

“The answer is simple. Imagine this had nothing to do with the cyber world. How would you answer? Nothing changes”.

The Risk(s) of Striking Back

Looking at the issue from a bird’s eye point of view, the majority view expresses a need to leave it to the lawmakers, given the complexity involved when private companies strike back. Businesses taking matters into their own hands introduces too many variables and unknown risk factors. The former director of the NSA and the US military’s cybersecurity branch, Keith Brian Alexander, holds that private companies should not be allowed to hit back at the hackers: “If it starts a war, you can’t have companies starting a war. That’s inherently a governmental responsibility, and plus the chances of a company getting it wrong are fairly high”, citing the 2014 attack on Sony involving North Korea as an example of the potential for nation-state combat with consequences far beyond a hack.

So where should we draw a compromise, if any? One thing is for sure: the public and private spheres need to continue to work closely together to ensure effective solutions for entities impacted by a cyber attack, and businesses need to commit to upping their cyber resilience. Plus, legislation must keep evolving with the ever-changing landscape to keep everyone safe and the adversaries at bay.

What cybersecurity issues are you interested in knowing about? If you have any ideas, don’t hesitate to reach out.

Fortify your defences 

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.

For more information about how MailGuard can help defend your inboxes, reach out to my team at expert@mailguard.com.au.
