Worst idea, ever!

7 August 2015

A former US government official has suggested it may be time for his erstwhile employers to deputise private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation’s businesses.

Decrying the current strategy of increasing protection and vulnerability mitigation, the former deputy national security advisor for counterterrorism during President George W Bush’s administration (quelle surprise!), Juan Zarate, said that it had comprehensively failed.

Zarate likened this strategy to building a million-dollar “10-foot wall … around your complex,” only for attackers to get a $30 “15-foot ladder”.

Now, let’s just let that concept sink in for a moment.

So this is ordinary companies, commercial citizens if you will, of the United States of America, being sanctioned by the US government to go out and pursue cyberattackers with offensive cyberweapons.

Stepping back for a minute and considering recent news from that grand old country, an armed citizenry, let alone an armed police force, has panned out so well.

This is akin to the gun-toting nuts arguing that had the church-goers in Charleston been armed, they would not have been massacred.

But to look at this calmly for a moment, while providing Helen Lovejoy with a hot, sweet cup of tea, there are so many bad things about this idea, it is difficult to know where to begin, but let’s try.

Any state army, irrespective of the level of derangement of its leadership, political or otherwise, is usually bound by some rules of engagement. As has been seen with so many of the now pretty well researched state-sponsored hacker groups, the clandestine nature of these actions means that they are prone to abuse as self-interest creeps in, with the profit motive uppermost, to the detriment of all else.

One need only look at the Aurora attacks, the Sony hack and many more to see that things can get quickly out of hand and those that may have appeared to be on a tight leash suddenly go off on one.

Without clear rules and public scrutiny, one company might interpret the rules of engagement one way, while another might do so in a vastly different manner. Legitimate targets and tactics would vary wildly and justifications may be weak to say the least. And what is to stop one entity declaring that the source of an attack was actually a rival and acting on that assertion?

This overall suggestion is ill conceived and doomed to bring disaster to an already unfortunate situation.

There is a reason why there are law enforcement agencies, which increasingly now operate in the cyberworld. While far from perfect, their experience, training and clear operating principles are there to ensure fairness and, so far as possible, justice. It is not a perfect system and is often open to corruption, but it is vastly better than an armed vigilante situation where entities whose motivation is self-interest have an official blessing.

I’m not the only one who thinks so either. At the event where Zarate aired his misguided views, a former FBI agent and Republican congressman, Mike Rogers, also poured scorn on the proposal.

Striking back against cyberattackers in other countries is a “loser” of a strategy and could subject companies to criminal charges, said Rogers.

“When you decide you’re going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat,” Rogers argued.

He also argued that companies’ ability to attribute the attacks is “all over the map”.

“Some can do it very, very well,” he said. “Some don’t have a clue of how to do it, but that wouldn’t stop them from [responding] anyway. How do you contain that?”

How indeed.

TechCentral.ie