infoTECH Feature

August 04, 2015

Is it Time to Let Companies Shoot Back in Cyber Warfare?

Some of the greatest dystopian cyberpunk future tales, particularly those of William Gibson, envision a future where corporations staff militaries for use against a variety of enemies both foreign and domestic. The idea that such a future could come to pass would have seemed ludicrous until the recommendation of Juan Zarate emerged, suggesting that private companies should be “deputized” to strike back against cyberattackers.

Zarate served as the deputy national security advisor for counterterrorism in George W. Bush's administration, and put forward the idea of “deputy” companies having offensive capabilities as a means to discourage widespread threats against the United States' corporate ecosystem. Speaking at a Hudson Institute forum on cyber espionage and economic issues, Zarate suggested companies should be allowed to develop what he called “tailored hack-back capabilities,” which could then be used under a government-issued cyber warrant system to let a private company “...protect its system, to go and destroy data that's been stolen or maybe even something more aggressive.”

Zarate also pointed out that vulnerabilities are increasing over time, particularly as more devices are connecting to the Internet and thus providing more points of vulnerability. Zarate even had some support from Steven Chabinsky, CrowdStrike's chief risk officer, who pointed out that businesses are putting a whole lot of money behind defensive measures and still are fairly routinely getting hacked. Chabinsky went so far as to note “We've sunk billions of dollars of our budget into the least probable method of success.”

While there is a certain tempting logic in the words of Zarate and Chabinsky, a much darker possibility emerges: the potential for misuse. When corporations are handed these tools to go forth and take out attackers, how long until they decide that, say, a whistleblower who reveals a secret sweatshop—or exposes some other information about a corporation—is “stealing data” and uses these “hack-back” tools to wipe out the whistleblower's systems? Or worse, it's done “accidentally”, and with a shrug, the corporation writes a tiny check to “compensate” the victim's losses while not having to worry about unpleasant evidence coming back to bite. Plus there's the issue of jurisdiction to consider; while such a plan may work in the United States as a matter of federal law, hackers based anywhere from Toronto to Moscow wouldn't be subject to such laws, and companies using these tactics could face criminal charges.

Neither Zarate nor Chabinsky seems to note that little effort has gone into anything but perimeter defenses—encrypting data is a key point that often goes uncovered—and perhaps there's a middle ground yet to consider between poor perimeter defense and giving corporations license to hack. But Zarate and Chabinsky are both correct in noting that what's currently being done isn't working. There has to be a better way to protect our data—and it is, in the end, our data—from theft by outside sources. Giving corporations cyberpunk-style license to hack and destroy systems, however, may not be that way.

Edited by Dominick Sorrentino