Best defense against cyberattacks is good offense, says former DHS official
Stewart Baker will make the case for retaliation before Congress, but debate continues in the security community
September 26, 2012 — CSO — To prevail in the cybersecurity war, defense is not enough.
That has been the mantra of former Department of Homeland Security (DHS) official Stewart Baker for some time. But he will now be taking that message to Congress.
Baker, who was first assistant secretary for policy at DHS under President George W. Bush and is now a partner at the Washington D.C. law firm Steptoe & Johnson, wrote in the Steptoe Cyberblog last week that he will soon testify before the House Homeland Security Committee on cybersecurity.
"Probably the most important point I'll be making is a simple one," he wrote. "We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds."
"The obvious alternative is to identify the attackers and punish them," he wrote.
This has been Baker's theme. This past June, in an article titled, "Taking the offense to defend networks," he noted that an increasing number of U.S. companies are retaliating against attacks with so-called "active defense" or "strike-back" technology, including dubious legal measures like "hiring contractors to hack the assailant's own systems."
That's because "current defenses have failed against a cadre of state-sponsored attackers ...." he wrote.
But is that really feasible, in an environment where attackers can cover their tracks by moving from server to server and country to country in virtual space? Is it legal for a private enterprise, even if it is responding to an attack, to enter another party's server without authorization and then delete or encrypt data?
Baker acknowledged that some counterattacks by enterprises could violate some state and federal laws, including those against computer fraud and trespassing.
[See also: Organized cybercrime revealed]
But he said he believes there is a legitimate legal argument that taking such action would be a reasonable defense of one's property. He compared it to hiring a private investigator to find a kidnapped child, or sending out a posse to capture or kill a murderer. None of those, he said, amounts to vigilante justice.
And in his most recent blog post, he wrote that it is much more feasible now than in the past to track and identify attackers. It is unfortunate that some experts have given up on retribution because they believe attribution is too difficult, he said.
"Investigators no longer need to trace each hop the hackers take," he wrote. "Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers."