Information Security News mailing list archives

Re: [ISN] Should the U.S. allow companies to ‘hack back’ against foreign cyber spies?


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 28 May 2013 01:40:00 -0500 (CDT)

Forwarded from: Richard Forno <rforno (at) infowarrior.org>

I gather we've got the whole who's-attacking-us cyber-attribution thing all figured out with absolute unmistakable 100% certainty? I had no idea. Awesome!

If not, who's going to hold a US company liable for "collateral damage" in accidentally or mistakenly hacking/crashing some innocent person's computer/server? Who gets held responsible for lost business revenues when a counter-attack disrupts/degrades/denies shared access on a colocated server or server farm? Oh right .... accountability and quality-assurance in the name of "security" is an anathema these days.

It sounds good on paper, and more so to the uninformed masses, and awesometastic to anyone in elected or appointed office, but where the rubber meets the road (or the "bits meet the ether") things are a bit more complex.

But otherwise, sure .... let's go create a new Wild West --- isn't that what the Internet used to be called during the late 90s anyway? Then we'd have a world of unaccountable vigilante cyber-justice and populations at the mercy of those who have the biggest cyber-guns and digital posses available to patrol and enforce their own brand of "justice." I envision absolutely no problems with this idea and agree 100% that it'll be great for cybersecurity, if not also society at large. Go team, go.

This constant facepalming in response to "ideas for improving cybersecurity" is getting really tiring.

-- rick

---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.

On May 24, 2013, at 5:24 AM, InfoSec News <alerts () infosecnews org> wrote:

http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/23/should-the-u-s-allow-companies-to-hack-back-against-foreign-cyber-spies/

By Max Fisher
The Washington Post
May 23, 2013

Foreign hackers do remarkable damage by breaking into American companies, stealing intellectual property worth enormous amounts of money, swiping proprietary secrets for military technology or other uses and, in the case of some recent Chinese attacks, even exposing U.S. counterintelligence efforts. The Obama administration has made clear that it takes the threat seriously and is escalating efforts to stop it.

One suggestion increasingly floated in the private sector is to allow companies to “hack back.” Current U.S. law makes it illegal for private firms to launch retaliatory cyberattacks, and the issue is highly controversial. But it’s entering the mainstream.

A new report, from a private commission on intellectual property theft chaired by former U.S. ambassador to China Jon Huntsman and former director of national intelligence Dennis Blair, raised the possibility of changing the law to allow for hacking back. While it stopped short of directly advocating such attacks, it did call for a milder, legal form of hacking back and said the United States should consider changing the law if other measures fail.

It can be tough to talk about allowing corporations to run their own mini cyberwars because, like hacking itself, no one is exactly sure what sorts of norms will develop and where the technology will lead us. The conversations tend heavily toward the hypothetical. Advocates of “hacking back” point out that criminal and state-run hackers are only getting better, and that because they risk little by attacking purely defensive systems, they will simply persist until they succeed. Opponents warn that such a serious escalation could erode what few cyber-norms already exist, turning the Internet into a battlefield where not just rogue states and freelance criminals, but a lot of very rich corporations, are invading privacy, stealing data and otherwise hacking for the specific purpose of doing damage.

[...]
______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
