Federal lawmakers remain at odds about how to deter cyber crime. Many in the security industry strongly advise against retaliation. Federal law bars any unauthorized computer intrusion, and it offers no exception for digital self-defense.
“I don’t think companies should be hiring gunslingers to fight back,” FireEye co-founder Ashar Aziz said. “Before we encourage every random company to hack, we have to look at what makes sense to disrupt cybercrime.”
Aziz and other information security experts promote what they say are smarter alternatives. For instance, companies can bolster security by creating multiple versions of sensitive data, with only one version being the legitimate one. In that case, attackers are likely to get their hands on worthless data rather than precious information.
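The decoy-data idea above, as an added example that is not from the article or from any vendor it quotes: several look-alike copies of a sensitive record are kept, only one of which is genuine, and a registry of the decoy values lets the defender raise an alert whenever a decoy shows up in a log or an outbound transfer. The record layout, account-number format and log lines are all constructed for the example.

```python
"""Decoy data ("honeytokens"): keep several look-alike copies of a sensitive
record, only one genuine, and alert when any decoy value shows up somewhere it
never should, such as a query log or an outbound transfer.  All records and
log lines below are constructed for this example."""
import random
import re
import secrets

# Constructed genuine record; the account-number format is invented.
REAL_RECORD = {"name": "Alice Example", "account": "4000-1234-5678-0001", "balance": 12750.00}

ACCOUNT_RE = re.compile(r"\b4000-\d{4}-\d{4}-\d{4}\b")


def _rng(seed_or_rng):
    """Accept None (CSPRNG), an int seed (reproducible tests) or a Random object."""
    if seed_or_rng is None:
        return secrets.SystemRandom()
    if isinstance(seed_or_rng, int):
        return random.Random(seed_or_rng)
    return seed_or_rng


def make_decoys(real, n, rng=None):
    """Return n decoy records shaped like `real` but with unique invented account
    numbers and plausible balances, so an attacker cannot tell decoys from the
    genuine record by pattern."""
    rng = _rng(rng)
    seen = {real["account"]}
    decoys = []
    while len(decoys) < n:
        acct = "4000-%04d-%04d-%04d" % tuple(rng.randrange(10000) for _ in range(3))
        if acct in seen:          # never reuse the genuine or an earlier decoy number
            continue
        seen.add(acct)
        balance = round(real["balance"] * rng.uniform(0.5, 1.5), 2)
        decoys.append({"name": real["name"], "account": acct, "balance": balance})
    return decoys


def store_versions(real, decoys, rng=None):
    """Mix genuine and decoy records into one list in random order and return
    (versions, registry), where registry maps each decoy account to a label.
    Only the registry, kept separately, tells the defender which copy is real."""
    rng = _rng(rng)
    versions = [real] + list(decoys)
    rng.shuffle(versions)
    registry = {d["account"]: "decoy-%d" % i for i, d in enumerate(decoys)}
    return versions, registry


def scan_log(lines, registry):
    """Return [(line_number, account, label)] for every decoy account seen in
    the log lines.  The genuine account is not reported: legitimate
    applications are expected to read it."""
    hits = []
    for no, line in enumerate(lines, 1):
        for acct in ACCOUNT_RE.findall(line):
            if acct in registry:
                hits.append((no, acct, registry[acct]))
    return hits


if __name__ == "__main__":
    decoys = make_decoys(REAL_RECORD, 4, rng=7)
    versions, registry = store_versions(REAL_RECORD, decoys, rng=7)
    # Constructed log lines: one reads the genuine record, one reads a decoy.
    log = [
        "app=billing user=svc_invoice read account=%s" % REAL_RECORD["account"],
        "app=export user=contractor read account=%s" % decoys[2]["account"],
    ]
    for no, acct, label in scan_log(log, registry):
        print("ALERT line %d: decoy %s (%s) was accessed" % (no, label, acct))
```

The decoy registry is the only thing that distinguishes the genuine copy, so it should live somewhere the decoyed data store cannot reach; in production the integer seed argument is for tests only and the default CSPRNG path should be used.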
Companies remain intrigued by the idea of shutting down an attacker’s system.
The report from the commission chaired by Huntsman and Blair notes that counterattacks have the potential to deter hackers because the cost of doing business rises. But the commission stopped short of recommending legalizing retaliatory hacking “because of the larger questions of collateral damage.”
Many cyberattacks rely on a network of compromised computers. These infected machines might be owned by innocent Internet users who, for example, accidentally clicked on a bad link in their email. Surreptitiously accessing such a computer violates federal law, even if the purpose is to update out-of-date software or remove the malicious program.
“If Honda comes over and attacks Ford, then Ford can’t send someone over to attack Honda,” said Anthony Di Bello, head of strategic partnerships at Pasadena, Calif.-based Guidance Software.
But some legal experts say it’s not so clear-cut. Under one legal argument, the hacker becomes subject to the rules and policies of the organization being attacked by virtue of connecting to that network. Counterattacks could be justified in the same way that an employer has the right to monitor activities on an employee’s work computer.