Best defense against cyberattacks is good offense, says former DHS official

An increasing number of U.S. companies are retaliating against attacks with so-called "active defense"

From Taylor Armerding, CSO:  To prevail in the cybersecurity war, defense is not enough.

That has been the mantra of former Department of Homeland Security (DHS) official Stewart Baker for some time. But he will now be taking that message to Congress.

Baker, who was first assistant secretary for policy at DHS under President George W. Bush and is now a partner at the Washington D.C. law firm Steptoe & Johnson, wrote in the Steptoe Cyberblog last week that he will soon testify before the House Homeland Security Committee on cybersecurity.

"Probably the most important point I’ll be making is a simple one," he wrote. "We will never defend our way out of the current cybersecurity crisis. That’s because putting all the burden of preventing crime on the victim rarely succeeds."

"The obvious alternative is to identify the attackers and punish them," he wrote.

This has been Baker’s theme. This past June, in an article titled, "Taking the offense to defend networks," he noted that an increasing number of U.S. companies are retaliating against attacks with so-called "active defense" or "strike-back" technology, including dubious legal measures like "hiring contractors to hack the assailant’s own systems."

That’s because "current defenses have failed against a cadre of state-sponsored attackers …." he wrote.

But is that really feasible, in an environment where attackers can cover their tracks by moving from server to server and country to country in virtual space? Is it legal for a private enterprise, even if it is responding to an attack, to enter another party’s server without authorization and then delete or encrypt data?

Baker acknowledged that some counterattacks by enterprises could violate some state and federal laws, including those against computer fraud and trespassing.

But he said he believes there is a legitimate legal argument that taking such action would be a reasonable defense of one’s property. He compared it to hiring a private investigator to find a kidnapped child, or sending out a posse to capture or kill a murderer. None of those, he said, amounts to vigilante justice. . . .

Former CIA director Michael Hayden has said it is no surprise, given the limited protection government provides in cyberspace, to see a "digital Blackwater," or firms that contract to retaliate against cyberattackers.

Joel Harding, a former military intelligence officer and information operations expert, said the Internet is "not as anonymous as it once was, and with new developing standards and sensors, it will be much more difficult to disguise one’s identity." (Graphic: BusinessTech)