To prevail in the cybersecurity war, defense is not enough.
That has been the mantra of former Department of Homeland Security (DHS) official Stewart Baker for some time. But he will now be taking that message to Congress.
Baker, who was first assistant secretary for policy at DHS under President George W. Bush and is now a partner at the Washington D.C. law firm Steptoe & Johnson, wrote in the Steptoe Cyberblog last week that he will soon testify before the House Homeland Security Committee on cybersecurity.
"Probably the most important point I'll be making is a simple one," he wrote. "We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds."
"The obvious alternative is to identify the attackers and punish them," he wrote.
This has been Baker's theme. This past June, in an article titled, "Taking the offense to defend networks," he noted that an increasing number of U.S. companies are retaliating against attacks with so-called "active defense" or "strike-back" technology, including dubious legal measures like "hiring contractors to hack the assailant's own systems."
That's because "current defenses have failed against a cadre of state-sponsored attackers ...." he wrote.
But is that really feasible, in an environment where attackers can cover their tracks by moving from server to server and country to country in virtual space? Is it legal for a private enterprise, even if it is responding to an attack, to enter another party's server without authorization and then delete or encrypt data?
Baker acknowledged that some counterattacks by enterprises could violate some state and federal laws, including those against computer fraud and trespassing.
[See also: Organized cybercrime revealed]
But he said he believes there is a legitimate legal argument that taking such action would be a reasonable defense of one's property. He compared it to hiring a private investigator to find a kidnapped child, or sending out a posse to capture or kill a murderer. None of those, he said, amounts to vigilante justice.
And in his most recent blog post, he wrote that it is much more feasible now than in the past to track and identify attackers. It is unfortunate that some experts have given up on retribution because they believe attribution is too difficult, he said.
"Investigators no longer need to trace each hop the hackers take," he wrote. "Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers."
Some experts agree. Steven Chabinsky, a 17-year FBI veteran who until earlier this month was the agency's top cybersecurity lawyer, said Congress should focus more on deterrence than trying to eliminate vulnerabilities.
The Boston Globe reported that Chabinsky said he believes "laws should enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who is penetrating their systems and to take more aggressive action to defend themselves."
Former CIA director Michael Hayden has said it is no surprise, given the limited protection government provides in cyberspace, to see a "digital Blackwater," or firms that contract to retaliate against cyberattackers.
Joel Harding, a former military intelligence officer and information operations expert, said the Internet is "not as anonymous as it once was, and with new developing standards and sensors, it will be much more difficult to disguise one's identity. "
"Being reactive only delays the inevitable," Harding said. "And corporations can be more nimble and flexible in their response. Sometimes the response is legal, often not."
But one thing is certain: Baker's testimony will not end the debate. For every expert who agrees, there is one who doesn't, including one of his own law partners, Michael Vatis, who was founding director of the National Infrastructure Protection Center at the FBI.
In a response to Baker on the same Steptoe Cyberblog, Vatis wrote that using, "things like honeypots and deception within your own network seems perfectly legal, and unlikely to hurt any innocent bystanders. Things get dicey, though, when one talks about damaging a bad guy's computer."
Vatis is not nearly as optimistic as Baker about the ability to identify and track sophisticated attackers. He said the private sector would be able to identify only "low-grade attackers."
Even if a victim does identify an attacker, "there's still a very high chance of collateral damage to innocent bystanders. Attackers can hide behind, and launch their attacks from, innocent servers," Vatis wrote.
Jeremiah Grossman, founder and CTO of WhiteHat Security, said both government and the private sector "absolutely have not gotten better at identifying and tracking hackers. It's gotten harder. Particularly because if the bad guys know how to hide, they can."
Grossman agrees that defense against cyberattacks is not enough. "The concept that [Baker] is proposing has been a topic of discussion for some time in the security community but still has yet to be fully realized," he said. "This is how everyone already treats every other crime, such as those in the physical world, and we should try to do the same with the digital world, as the line between two continues to blur."
Amir Orad, CEO of NICE Actimize, which specializes in financial crime, risk and compliance, said taking the offense is "valuable and should be part of your tool kit, but I don't think it will be very efficient. Who is the target? Who are you going to attack?"
Orad said it is important to define what is meant by offense. If it is simply to take down a bad guy's computer, "that will only slow down an attack by a few minutes," he said. While that has some value as a tactical move, it doesn't win the battle, he said. "I can hijack 10,000 computers and have them attack a Fortune 500 company."
Deterrence, he said, is better than defense. "Instead of blocking an attack, you make them not want to attack you," Oradsaid. "You make them turn to somebody less painful to attack."
That would take different forms for different enemies, he said. For organized crime, it would mean better coordination between the private and public sectors (something the various proposed cybersecurity bills in Congress had sought to address).
But so far, he said, many enterprises are loath to share information about attacks with the government, or even to say that they have been attacked.
Stewart Baker said some of that hesitancy is justified. "Complaining to the FBI and CCIPS (Computer Crime and Intellectual Property section of the Department of Justice) about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle," he wrote. "You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won't get is a serious investigation. There are just too many crimes that have a higher priority."
Orad said he agrees that government should be more aggressive in "patrolling" the nation's cyber borders. But, that kind of monitoring immediately raises privacy and civil liberties concerns, which he agrees "is a very delicate balance."
But he said the alternative to being "proactive" is simply to wait for a call from a company that has already been attacked.
Orad said the key is to learn what will keep an adversary "from sleeping at night." In the case of a nation-state, it might be as simple as the public relations damage from exposing what it is doing.
Jeremiah Grossman promotes the concept of "Hack yourself first," or hiring hackers to expose vulnerabilities in your systems. "This is he same method Google, PayPal, Facebook, Mozilla, etc. used as part of their security program," he said. "For a few hundred to a few thousand dollars, you can take some serious vulnerabilities in your system off the market and avoid a damaging breach."