The Cybersecurity Shift: The Best Defense Is a Good Offense
The U.S. federal government depends on the private sector to help protect critical infrastructure. That’s no small feat for utilities and companies to accomplish, given the increasing frequency, intensity and variations of attacks from nation states and bad actors. With frustrations running high, the idea of retaliating or attacking pre-emptively inevitably comes to mind. But the idea was tabled in the past due to several restrictive circumstances ranging from legal liabilities to technical difficulties. Now the battlefront is changing again, and so is the technology in the arsenal, reigniting dreams of shifting security from defense to offense.
“Twenty years ago, there were two worlds: the national security world, which faced sophisticated threats from other nation states, and the commercial world, which faced threats from low-level criminals and hobbyists,” said Henry Harrison, co-founder and CTO of cybersecurity firm Garrison. “For the commercial world, it was an innocent age, but that time has passed. Today, the threats have converged. Nation states do not restrict their activity to attacking other governments, and high-end criminals share many of the same sophisticated capabilities as nation states, due in part to the rise in technologies like AI. Commercial organizations are facing a dramatically different set of adversaries than they have in the past.”
War Fronts and Changing Rules of Engagement
Back in the 1990s and early 2000s, hackers earned their street cred by battling other hackers. Sometimes it was friendly fire met with an amused retort when successfully defended. Other times, it was a serious battle of wits and code designed to cripple or destroy the other side.
“The culture, laws and even the mythos of that era were much different than they are today,” said Scott Scheferman, senior director of global services and strategic adviser at Cylance. “Admins and hackers would openly brag about such encounters and wins with their peers and management.”
“The cat and mouse game was very much ‘on point’ then,” said Scheferman, who spent more than 17 years consulting for DoD/IC cyberoperations prior to joining the commercial side. “Attackers anticipated the return fire and would bait the original targets with honeypots, malicious files or simple readme.txt files akin to a ‘nice try.’”
Since then, the war front has changed considerably. Scheferman says today’s hazards include, but aren’t limited to: liability, litigation, false flag attribution, legality, geo-political/nation-state level visibility and the incredibly complex “many-to-many” challenges on the technology, attribution, tools, policy and business risk level fronts.
Successfully maneuvering around those hazards to strike an opponent is almost impossible.
“In general, ‘hacking back’ is a bad idea for non-governmental entities,” said John Sheehy, director of strategic services at IOActive. “There are many reasons for this.”
First, Sheehy says, are the legal issues, which are complex and easily snarled by extenuating circumstances. “This is further complicated by even moderately sophisticated attackers normally jumping through multiple jurisdictions and multiple third-party systems.”
But there are legal quagmires in U.S. jurisdictions that are highly problematic too.
“Over the years, law enforcement has not been consistent in its application of the Computer Fraud and Abuse Act, which is how they define hacking,” said Jonathan Couch, senior vice president of strategy at ThreatQuotient. “Organizations are given a little bit of leeway when they are …