by David Willson
On 16 January I did two webinars with Bright Talk. One titled, “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other a panel entitled, “The single greatest security challenges for 2013.”
Quick side note, due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue. But I am going to do another on 13 March and will manage my time better. Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion.
We had a great discussion and I would encourage you to listen if you are interested. It can be found here: https://www.brighttalk.com/webcast/288/64057.
On 22 January Peter wrote an article for Tech Week Europe entitled, “Its Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048.
Although he got the facts correct and most of what I said in the webinar correct, the tone in which he portrays my comments I feel needs some clarifying. This is not me trying to pull myself out of the fire, since I have not seen any feedback from his article, but simply my clarification. So, now that I am done with my overly wordy intro, here we go.
To his first point, I agree that cyber crime victims are within their right to retaliate, but would preface this as any good attorney would with “it depends!” It depends on the facts and circumstances. For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate.
Similar to when someone robs your house. If they are gone you have no right to pursue the burglar on your own. On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.
Okay, next comment, “Itching to test this in court.” Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court. But, if the situation dictates that you must do something to protect your company, you have tried all other options and are interested in moving to the next level, then you have options.
Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.” Security is a MUST. Anti-virus, despite what Josh Corman says, is a MUST. Anything that can help protect your network and valuable information is a MUST. If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.
Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.” Yes, they should. If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.
In the interest of time I will make this my last point. Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims. I agree, although this sounds rather ugly.
Let’s use a physical world example. Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you. Even if you know this is fact and your neighbor is an innocent unknowing pawn, if he tries to kill you wouldn’t you defend yourself? You would likely try to diffuse the situation with the least amount of harm to your neighbor, but in the end if it is him or you unless you have a death wish it will be him.
Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues. The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.
So, there you have it. Obviously there are many more issues none of them black and white, and this is a very difficult problem. If it wasn’t there wouldn’t be so much debate about it.
One last point. Lately I have been reading a lot of articles, especially by attorneys saying things like, “it’s illegal, don’t do it, but, we are the experts and we can help you.” Help you do what? If they are not willing to explore the options then there is nothing for them to do. Also many articles lately have claimed that “attribution” is impossible. Stop it. If it was impossible no one would ever be arrested and prosecuted for hacking. It is difficult, but not impossible. So, keep an open mind, think outside the box, and have a nice day ;- ).