Offensive Cyber Attacks – A Dangerous Proposition
December 8, 2012
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, cyber attaks, cybercrime, cybersecurity, deterrence, failed state of security, homeland security, jim cilluffo, mark consulting group, security
Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure. You can read my paper, “Failed State of Security”, to learn more. On that note, Fox News had a story today that had me scratching my head. The recommendations were pedestrian at best, and dangerous in the most severe cases. In short, the article suggests that companies should take a more ‘offensive approach’ to preventing cyber attacks. Some of the recommendations include:
“Misinformation campaigns” such as planting fake documents and data for criminals to steal. As stated in the article: “One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially misguide potential adversaries.” Companies today have a difficult time managing their own ‘real’ documents. This approach is inefficient, and bound to cause confusion among employees. How do you differentiate between the “real” and the “fake” internally?
Jim Cilluffo, Director of George Washington University’s Homeland Security Policy Institute, stated in front of Congress: “We should provide opportunities and responsibilities to the private sector to hack back,” REALLY? Vigilante justice is being proposed by a Director of a major university’s homeland security institute? We are going to trust commercial entities to use the authority to ‘hack back’ judiciously? What about when they hack into a competitor and claim they were being hacked? What if a company hacks into a personal computer and the person decides to exact revenge on their employees for the act by escalating the issue to violence? Many of these ‘cyber criminals’ are associated with organized crime. These are not the types of groups you generally want to attack. This ‘mall cop’ mentality has no place in corporate America.
More disturbing is the correlation between vigilante justice and bank robberies. “If someone were to rob a bank today, doesn’t the bank have a responsibility to protect its customers and employees from someone armed? They don’t simply wait until someone shoots innocent victims,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute. The difference is stark. A person walking into a bank with a weapon is a ‘clear and present danger’ to people’s safety. A company being hacked may be angry, offended, insulted, etc., but the hacker is not endangering a person’s safety in the same way a person with a gun would be.
While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.
“We need to have these conversations because the current approach is doomed for failure. We’re losing too much,” said Cilluffo.