Slashdot Mirror
Counterterrorism Expert: It's Time To Give Companies Offensive Cybercapabilities
itwbennett writes: Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration says the U.S. government should should consider allowing businesses to develop 'tailored hack-back capabilities,' deputizing them to strike back against cyberattackers. The government could issue cyberwarrants, giving a private company license 'to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute.
Everybody Hand Gun Tonite!
To Live and Die in L.A.!
They must obey the constitution... In theory, of course!
“He’s not deformed, he’s just drunk!”
No such much for the vigilante aspect but for the dynamism this would bring into play. Just like capitalism is supposed to be, if there's demand there will be competition in the suppliers for ever more escalating solutions.
... this isn't going to end well.
I'd expect such nonsense from a former employee of BushCheney Co. Would you also "deputize" a privately held corporation to get some F-16's and go bomb the attackers? It is virtually the same thing. I guess the BushCheney Corporation would have loved that.
Such attacks are attacks on U.S soil, and should therefore be handled by the military, and only the military.
Otherwise, this will create private, corporate owned, corporate sponsored armies. They will be, essentially, corporate warlords.
It's called a "Letter of Marque," and they've been used in places where governments can't enforce their sovereignty for centuries.
It usually doesn't turn out all that well, but may well be better than nothing.
He's accessing vons.com with Chrome and Adblock +, Privacy Badger, and Scriptblock. He's obviously a Chinese terrorist subverting our capitalist ways, reformat his hard drive!
Oh sure, let's trust the people who can't even protect their own networks to properly identify the perpetrators of a hack instead of some innocent bystander running a TOR exit node. I can't see any risks associated with that. No. Not at all... :(
I do not fail; I succeed at finding out what does not work.
That's the stupidest thing I've ever heard.
Giving private corporations the ability to identify anyone they don't like a "cyberattacker" and then attack them will be very dangerous. Imagine companies pursuing IP related complaints (whether real or imagined) being deputized to go after people and their systems in this manner. There are damn good historical reasons we have a legal system in place -- one of which is to the prevent abuses that vigilante systems foster.
This is a great idea. What on earth could possibly go wrong?!?! Lets give the power hungry, egotistical, anti-social network security "experts" who are in charge of creating the insecure networks the right to use "deadly force" against those they think might be responsible.
I can't wait for the fecal matter to hit the CPU fan when the wrong company is targeted for retaliation er I mean offense.
Given the attackers are probably not in the US, US law will not apply.
Also, who will be liable if an innocent party is harmed in error?
Privateers were abolished centuries ago, for good reason.
What could possibly go wrong?
This will be just like the privateers on the high seas. And we all know how well that turned out.
Yeah, and we should also give neighborhood watchmen guns. That's worked out so well.
that you are competent enough on the defensive side of things first and we'll talk about it.
When your company can't even be bothered to properly secure our personal information on your servers ( plaintext files . . . really ? ) what sort of insanity is it to even CONSIDER giving these very same folks offensive capabilities ?
It's like giving a shotgun to a monkey and hoping nothing bad comes of it :|
Seriously. . . . wtf ?
Companies have demonstrated how careful and responsible they are with the DMCA takedowns, so it's only logical that we allow them to go further and actively attack the evil-doers out there.
There are security models and systems perfected in the 1970s in response to the data processing needs of the air war in Viet Nam. There are commercially available systems which work for multilevel security. This model can be ported to the open source world, if enough people are interested. I'm waiting for the Genode project from Germany to get something I can use in the next few years, and I hope there will be others.
I hereby suggest we just eliminate the possibility of a cyber-war, instead of getting stuck in an arms race.
Let's look at something nobody does, which is look at evidence. OK, I know that sounds like a bad idea .. but anyways .. RIAA, MPAA, and SPA already does this exact same thing. They have ruined lives for no reason. What happens when the company hacks back and causes more damage than what was stolen? We don't let the victims decide punishments. If victims could decide punishment even petty thieves would be murdered. If you think that sort of draconian punishment helps a society, then you probably want to move to Saudi Arabia or ISIS.
Look up "letters of marque and reprisal", and perhaps "privateering", too.
I guess someone's been reading/watching too many cyberpunk books/movies. Vigilante justice seldom ends well. There's absolutely no evidence that just because to prepend "cyber" to the front of it that thing will turn out any different.
Two of my imaginary friends reproduced once
I see no reason to limit companies to cyber weapons. Once they have located an attacker, having privately owned armed drones would be very handy. if the attacker is a nation state, even more aggressive measures could be used. I can see aircraft carriers, and maybe even ballistic missile subs with corporate logos.
So if you make it look like someone else did it....
This is an incredibly stupid idea. Of course I'd love to sit back and watch the fireworks the first time someone attacks, say, Sony, and spoofs it so they think it was perpetrated by, let's say, Samsung. That would be amusing.
"Remember, there never were pineapple-almond cookies here."
...giving Disney and Sony permission to hack... That surely wont be abused, they never could get the idea to hack their Clients (errr, i mean, "victims") PC with rootkits and "Mouseware"...
So... for a long time, various encryption algos were considered weapons and subject to ITAR controls. The same is starting up again now.
So... if code can be a weapon, a (very) loose interpretation of the 2nd Amendment and some Castle Doctrine would already allow someone to hack back ...
Don't blame me, I voted for Kodos
Only corporations of s certain size will be allowed to do it. Someone with a small business who has no value to the gov will be punished.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Add the right to bear DDoS and hack tools
Hacker breaks into MS' address space and launches an attack on Google. Google could then turn its guns on MS? What could possibly go wrong???
It's never been about the possibility of security though.
Since this is Slashdot, I'll explain with a car analogy. Lots of people die in car accidents, and we could easily stop that by doing things like a) Not use cars, b) not let them drive more than 20mph, etc... all sorts of things that would greatly interfere with the way people actually use cars to do stuff. Our cars also used to be a lot less safe too - at one point they didn't even come with seat belts.
As much as I'd love to see proper security implemented, it's just not going to realistically happen. Too many users (customers) don't want the hassles that come with serious security, and too many businesses aren't will to pay the up front costs for it (yet, at least). It's going to take some hard lessons before they start putting on seat belts, air bags, abs breaks, and the equivalents of everything else we've done (and are doing) to make cars safer. The Adama solution, as much as it makes sense from a security standpoint, doesn't take into account the needs of either the people using the stuff, or the people paying for the stuff. We need those people to understand and demand more secure features up front - and even then we're still only talking about reducing things to an acceptable/tolerable level, not eliminating them.
i always believed from day one with this crap to deal with a bot net hitting a big line open up with it like it was a howitzer.
When the government is too lazy or incompetent to find the person who killed your father, they can just give you permission to find the killer and bring whatever justice seems fair. I don't see how anything bad that can come of this, nor its cyberspace analogue.
what a very very bad idea.
If I have a company accidentally misidentify my network as an attacker, and 'bathack' me, vigilante style, am I allowed to then counter attack and destroy their customer database? are they then allowed to drive over and cut my fiber? Can I then drive to the home of their CEO and execute him in retaliation?
No this is an unbelievably stupid idea, presented by an unbelievably stupid person (Juan Zarate, who is this ass clown?)
HA! I just wasted some of your bandwidth with a frivolous sig!
Don jack into black ice mon, fry yo brain...
With the track record of idiotic moves by the government.
the software will be attacking every malware infested windows machine on the planet.
just sending a traffic blocking message to the router/switch/email server would make more sense to me.
I won't attack until I see the whites of there eyes.
attacking their computer automaticly is like the autonomous drone discussion.
I don't want somebodu elses crappy software shooting me or my computer remotely.
This isn't the Cold War and nukes man. Nobody is deathly afraid to resort to cyber attacks. If companies are given these tools they will use them wether it's appropriate or not. And since they've been given the tools they will act like it's their right to use them however they wish. There will be no adequate oversight or the original attacks wouldn't be a problem because they would have been stopped if there was.
There is no such thing as a cyberweapon. There is hacking/cracking and that is generally done through technical weaknesses and/or social engineering. There is no such thing as a cybertank or a cybergun, something that can actively break through something that it was not intended to go through. There is no software that can simply break through a web server by sheer force.
Using any kind of military jargon with what amounts to a technical capability of a piece of software is (car analogy) like telling us that foreign car mechanics and imported engines are capable of destroying our infrastructure and instead of fixing the engines or building our own to counteract it we have to deploy our own car mechanics and engines to foreign countries.
Using these analogies of cyberweapons with technical experts just sounds like a bunch of military people heard of the printing press and now they want to destroy people with paper cuts.
Custom electronics and digital signage for your business: www.evcircuits.com
Yes! Letters of Marque and privateers again.
Got to love it
We need to give them all....Windows 10! The most dangerous thing ever to happen to computers.
You have to be careful about letting perfect be the enemy of better. Sometimes you don't have a perfect solution to a problem, or even a good one. But you may have one that is better than what you have now. It then makes sense to go with that.
Now please note I'm not saying this is one of those cases, just that it is not political logic, but practical. If your current situation is awful and you can improve it to just bad, well that is worth doing.
So what happens when a company screws up and clobbers the wrong company (or individual)? Think about it: when your servers are being attacked, how certain are you as to who the culprit is? Are the cops (or the feds) really going to put their best manpower on vetting the work you've done to track down the baddies? Or will that be where they stick their less capable people?
Bottom line, if someone clobbers your company by mistake, whom do you sue?
linquendum tondere
You'd have to be a certain size to have the resources to mount the attack, to defend from counter attack, and to settle out of court when you (inevitably) attack an innocent target by mistake.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
There are a number of problems with that proposal. There are existing laws in the United States that state hacking activities are illegal. Attribution of hackers involved in a data breach is extremely difficult. What burden of proof is required to 'prove' who was behind the attack? What happens if a company's hackers doesn't get it right and they hack the wrong company? What if CEO's are involved in a dust up - say about who has the best wireless coverage - and decide to use hacking to perform a massive DDoS against a competitors web sites? What if a baseball team gets upset that an opposing picture 'beans' one of their stars and decides to take out their response on the Internet using anonymous hackers paid with bitcoin?
Norton Utilities has always been considered *extremely* offensive antivirus software.
That all terrorist groups, Al qaeda, ISIS, etc , are all created and completely funded by the CIA/NSA (ie your tax dollars)
9/11 was an inside job
keep drinking your kool aid
... many businesses will end up out of their league in an escalating conflict ...
Yes, sounds like Mr. Smoke'm-out over here is definitely the terrorism expert.
From TFA:
Instead of focusing primarily on fixing vulnerabilities, businesses should turn toward deterring threats, including detecting attacks and responding to them, he said. There have to be penalties for attackers, Chabinsky added.
The problem with the logic here is, a company is trying to protect data that is worth, at least to them, possibly millions of dollars. The attacker can be using a crappy dell system and maybe a bot-net he acquired (somehow,) for a total cost of fuck all. Even if the company can respond and make the attackers gear explode (and really we are being very pie in the sky there aren't we) your still only inconveniencing the attacker fuck all. Even best case for the company with this response situation there is still very little for the attacker to loose for a possible great gain or great net result if the aim is sabotage. Moral problems aside, this does not make economic sense in the end, there is no deterrent in most cases.
The only recourse for them is to prevent the attack (i.e. fixing vulnerabilities) and report breaches to the authorities. Unless responses include international bounty hunters?
Besides the lack of any understanding of how technology works, are these people high?
Can't think of a starker admission that government is having trouble maintaining the rule of law. Which we already knew, but still it's interesting. Picture a graph, with time on the x axis, and "rule of law" on the y axis. In between "privateering times" and "now," there's a hill with a peak occurring sometime around 1950-1960, and now we're on the downhill side.
I wanna be a company.. I wanna be a company...
BTW Hudson Institute - right wing reactionary extemism in think-tank form brought to you by Olin, Koch, Scaife, Walton (Walmart) and featuring on its board Scooter (Plamegate) Libby, Dick Cheney and Richard Pearle.
http://www.sourcewatch.org/ind...
In both nations, if you are caught cracking against their nation, it will be extreme penalties (death in China).
OTOH, if you crack against the west, esp. America, and you share knowledge with their govs, then you are a hero and their gov will help train you.
... God Damn them all.
Give corporations the ability to wage war online with their own privately-branded malware....what could possibly go wrong?
Just cruising through this digital world at 33 1/3 rpm...
Good luck with that! There are no security models that will keep breaches from happening. Even the NSA couldn't keep Snowden for walking away with tons of highly secure data.
Great. Just what we need. If blanket C&D letters weren't bad enough.
"We have been attacked, they are stealing all our property, we are going to nuke everyone's computers to destroy the data they stole!!!11!!!"
"national security advisor for counterterrorism during President George W. Bush's administration"
You mean during 9/11.
"If any question why we died, Tell them because our fathers lied."
I saw the same shit with spam. I used to receive a lot of backscatter from some spammer using my E-mail address as a fake from address. I received a ton of threats, random DoS attacks, mailbombs, ping-floods, and a lot of stuff because various dipshits couldn't understand the basics about what an open relay was.
The more ironic thing was finding out that before the deluge happened, I got an extortion letter threatening that postmaster and other E-mail IDs on the web from the site would be used as fake originations.
So some business with the absolute bargain-basement IT staff, chock full of bargain-basement novices is going to decide if a compromised workstation the receiving department at another company is sufficient cause enough to shut that firm down? This would be like carpet-bombing an entire office building because a bank robber ducked into the building's lobby.
Here is where real/virtual separate and analogies doesn't work: It is not difficult to cover one's tracks, especially with how many botnets there are on dynamic IP address ranges.
serious Mark.. seriously?
It simply shouldn't be illegal. We should appeal the laws which ban DDoS attacks and exploitation of vulnerable systems. The US is merely creating an environment where those involved in such activities in other countries are put at an unfair advantage compared to those in in our country. This isn't a joke either. I'm totally serious. The money we're spending is just wasted on ineffective law enforcement action against our own citizens and does nothing to fix the problem. The blame should be placed where it is deserved: poor industry practices. The solution to the problem is fixing the holes in the system..
I cna't remember the article which sort of spoils this post but there's a technical fix for DDoS which ISPs are simply and webiste owners are simply not implementing. Maybe someone knows the article or set of facts I am forgetting and enlighten the rest of us.
Companies behave like sociopaths. The potential for abuse is monumental, no thanks.
Allowing companies/corporations to use these sorts of offensive tools, we know that's going to be abused. It wouldn't last a week before we'd be seeing attacks against competitors.
Where's the ten step booklet that tells you how to create a company then start legally hacking everyone?
This point is really the crux of the matter. But the larger point is; why have companies try and "attack" or hack someone who hacked them? Wouldn't they also then be guilty of hacking?
Did anyone really think this through?
The simple solution is to have an offensive hacking team, and have companies JUST CALL the experts and present their proof. Every company cannot be an expert, will not be an expert and can't afford to be an expert.
>>"ad space available -- low rates!!!"
What is the smart US company going to find in this mythical other territory that has super fast computer connections to the internet? ..
An empty house with optical thats for rent, owners on holiday and another deeper air gapped network? But the fast network has a computer connected 24/7 and is been used to store data... that was copied out hours or days ago
A small firm with optical networking that has an extra hidden box in its computer room? No storage, just the final hop to sneaker net... CCTV might help?
A sprawling university campus with optical that has one new allowed connection for a day?
Some connection from a network thats active on a building site thats been refurbished?
A nice suburban home with optical that has a new wifi network for a week?
What is the US expecting to find at the end of the network? An apartment building ip?
What can the US do with any tailored hack-back effort? The expected box, device, network, site is virtual over nations, locations. Its not the years of a 28.8 modem user at home with a one desktop computer and one phone line connected to an isp. The final hop is very now very complex.
With todays networks "data" is not on a harddrive on the end of a phone network. The data can be in different locations, physically, globally removed from a network in near real time..
The other aspect it that of national counter surveillance, honey pots to bait, lure and test a US "tailored hack-back".
What about "jurisdiction" surrounding ongoing local investigation and a private sector US tailored hack-back interfered with the local legal investigations?
How will the US even know what its connecting to globally for its private sector "cyberwarrants"? Local staff driving around looking for an ip network at a physical location?
Domestic spying is now "Benign Information Gathering"
Black Ice!
If I have a company accidentally misidentify my network as an attacker, and 'bathack' me, vigilante style, am I allowed to then counter attack and destroy their customer database? are they then allowed to drive over and cut my fiber? Can I then drive to the home of their CEO and execute him in retaliation?
No this is an unbelievably stupid idea, presented by an unbelievably stupid person (Juan Zarate, who is this ass clown?)
It is already happening thought remember when Microsoft stole via secret court order domain names for No-IP a dynamic DNS service domain name without warning and shutdown the whole service for weeks. Took out my access to my server and network when they did and hundreds of other of their customers as well.
Follow the funding and new US based systems been suggested. This is more about creating entire new security teams from the ground up that can 'respond'.
A US company would have to rent or buy into the new US security teams and ensure they had the latests products to reach around the world and report back the data was found and removed.
A new product to market with new cash flows. A new US system of cyberwarrants, private license issues from the US gov to cleared US brands only.
Global reach and no established foreign competition with mature products to compete with.
Domestic spying is now "Benign Information Gathering"
Someone stole my garden gnome. I think I know who it was. Can I burn down their house? Same kind of thing, except "without a computer".
Would be a lot easier to cover industrial espionage.
Here is Zarate being quoted in an article in Computerworld.com:
Focusing on fixing vulnerabilities is like building a "10-foot wall at the price of $1 million around your complex," he added. "Then, [the criminals] go out and purchase a 15-foot ladder for $30."
This is more evidence Zarate is living in an alternate universe or something. A few minutes searching via google found the cheapest ladder with a 15 reach starts around $150. $200 and up is more common. A longer search may find a cheaper ladder, it will be several times more than $30.
Is this the start of "laddergate?"
What will happen if the U.S. government, or a private corporation entitled to act on its behalf, commits acts of (cyber)war against people, companies, or government authorities in other countries? See how much bad publicity they got just for snooping German politicians phones. Imagine the backlash if they crashed some computer systems in national parliaments. Or major hospitals, actually killing people. Or messed with systems running national elections. Not to mention military targets.
What would be a correct, proportional, and reasonable response? Only a few countries will be crazy enough to declare war on US. But how about
economic sanctions, restricting travel and trade with the U.S., cancelling international treaties, and demanding the responsible parties extradicted to face trial in the affected countries?
So some business with the absolute bargain-basement IT staff, chock full of bargain-basement novices is going to decide if a compromised workstation the receiving department at another company is sufficient cause enough to shut that firm down? This would be like carpet-bombing an entire office building because a bank robber ducked into the building's lobby.
It's more like carpet-bombing a shoe store chosen more or less at random because you heard that, yesterday, a bank robber had run into one.
Even though, today, the same place he ran into yesterday might already be a café and not even be a shoe store any longer.
Il n'y a pas de Planet B.
This is a terrible idea. In most cyber attacks you have no idea who the source was, you can see the current proxy point, but that can change easily. And even if you sit down and eventually determine who the source was, it's too late to do something meaningful about it.
This is discussed at security conferences for the last few years, and is almost universally considered a stupid idea. Any small benefit you might get is vastly outweighed by the negatives.
Check out capability-based security.
It was researched and put to use sort of mid 80s and was used in a hybrid manner in the AS/400s. As a consequence, the AS/400 at least used to be known as pretty rock solid to cracking.
I seem to remember, but can't find again, a mention that with capability-based security it was proven theoretically to result in secure systems, as long as a given micro kernel was error-free. In contrast, with our current systems I believe no such proof is known (neither if security is provably possible or impossible).
All that data that companies have on me? I want to be able to destroy that data that belongs to me. It's being used for commercial reasons to make money off MY information. So what rules would I have to follow, or is it free for all and no problem with "collateral damage" or crime of "unauthorized computer access"?
Or will these companies have to worry about unauthorized computer access when they're cybercriming their "stolen" data back or removing a cyberthreat?
Time to eliminate microsoft then.
I'm looking forward (in a macabre, nihilistic sort of way) to the first corporate war that comes from legislation like this:
My sense of drama would like it to be an Apple vs Microsoft, but I think it more likely to be subsidiaries of large oil companies with security contractors from Microsoft or IBM; the initial attack being some sort of Phishing scam or unsecured access to login information, escalating into further petty intrusions, scaling up to truly massive full-scale DDOS, taking down huge swathes of countries' infrastructure while national governments sit powerless to intervene because this a#hole said it was okay to do it.
Are you listening, Hollywood?
It wouldn't last a week before we'd be seeing attacks against competitors.
It's not competitors I'd be worried about but the copyright trolls. Using their interpretation of copyright law practically everyone would be guilty of "stealing" their data in some form or other and so would be open to be hacked "just to check". The truly ironic thing of course is that by acting under a letter of marque they would actually be far more like a pirate than those they accuse.
Seriously though, its often the case that corporations are left without any viable legal recourse. China is not going to help an American company recover stolen information, and it's government may even be responsible. We already allow the use of force in self defence, against intruders, and at least in some States, to recover stolen property. I see no reason not to extend that to corporate persons. Especially when law enforcement can't fill the role.
How long till the MPAA or others start roaming through people's hard drives and deleting material that they feel is an "attack" on their industry, right? This is an awful idea because of the (practically guaranteed) likelihood of abuse.
That has to be the dumbest thing I've ever read ..
.. called for better cybersecurity tools"
"Zarate
How about not running Homeland Security on computers that can be hacked by opening an email attachment or clicking on a malicious URL.
If they aren't good enough to secure their own network, then they certainly aren't f***ing good enough to identify the true source of an attack and initiate countermeasures without significant collateral damage.
Putting a cyber-bomb imbedded in data, such that the internals know about it, and how to avoid it's consequences, but what the hacker tries to use the data, bye-bye server-hard drive-motherboard.
Taking the advice from someone from the GWB administration is something you might want to think long and hard about. You remember the folks that wangled a legal opinion to support their insane idea that waterboarding and the like was not torture? He's from that bunch.
CUR ALLOC 20195.....5804M
The correct approach is to use the government for defensive cyber capabilities. The NSA (and others) are focused almost entirely on offensive capabilities and weaponizing exploits that they discover. Instead, they should be reporting, patching, and/or issuing reports on their discoveries. There's no point in protecting 'Murican data if there's nothing left to protect because we're ignoring defense.
As far as their spying -- sorry, "collection" -- mission, they can still hack existing systems without using software exploits.
https://www.eff.org/https-everywhere
If you're connected to the Internet, your company SHOULD have an expert. Just like when your company has a car, it should have someone that regularly inspects and repairs them. If you have a small fleet, you hire someone on an as-needed basis, but when your fleet grows you may see that it's cheaper to have someone in-house.
People just think because computers are easy to use (and they are to an extent) that everything about it is easy.
Custom electronics and digital signage for your business: www.evcircuits.com
A decade ago I had a discussion with my then boss about how to respond to inbound attacks. It was clear then that the current methods of defense were wrong by any measure you care to use. They haven't gotten any better in a decade. They've only increased in cost and complexity. The basic failure can be demonstrated by the metaphor of feudal Europe, since I know all of you are aware of your western civ history. Our current defense methods are akin to various forms of dumping molten lead onto the Visigoths below are 'fortified' walls. The problem is that the Visigoths are already in our land, destroying things along their way to the castle. Of course the metaphor breaks down because these Visigoths replicate in place; get stronger, faster and more sinister in their siege weapons with nothing more than the passage of time and no matter how many we disable there are always more than there were a minute ago.
So what to do? Given that the attack is always through an intermediate entity, I propose using a biological analog to address it. Treat it is a diseased state and execute a vaccination. Since the intermediate system has already been compromised, as is demonstrated by the fact that it is currently an intermediate for an attack, it would be best to rest control of it from its current commander. We can certainly discuss what that means or how to accomplish it, but that is the best solution. Remove the Visigoths from battle rather than attempting to thwart their attack on us. The other side of this equation, and the thing its success depends on is automation. The takeover system must be able to respond to the attack within a few packets and rest control a short time later. Otherwise you have accomplished nothing. Waiting until the entire village is infected with Ebola before you send in the inoculant will only result in more deaths. Waiting for a human being to respond is similarly inappropriate in this situation.
This is not an attack. It is a method of removing resources from an attacker. If the takeover were done correctly, say leaving the affected machine in a state where it was no longer vulnerable to the exploit the attacker used originally to take control, you have in fact helped the Internet over all. You have inoculated another machine and the pool of available resources to attackers has diminished. If you can do it fast enough you can rest an entire farm from its nefarious controlling entity and put them back at square one. This method levels the playing field as every attack is therefore a chance to lose all your resources. It requires no coordination to execute, no notice since the machine is already infected, and there is no data breach involved.
The real question is can it be done?
Give me a minute.....
Another analogy is of a castle that only has defenses. Attackers can attack with little or no concern from being attacked. I don't think this is a best solution - but it is better to give a bully a black eye then to continually receive a wedgie.
Of course not. The plebs aren't deputized so they won't be allowed to defend themselves against our benevolent corporate leaders.
The RIAA and MPAA are drooling right now ...
All your bitcoin are belong to us.
Coming to a reality near you.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They are not that stupid. The government, or rather the people actually involved with this stuff, KNOWS that there is no such thing as a "cyberweapon." It's just the marketing terms they use to get bigger contracts, funding, and staff from the government bureaucracy that can't and doesn't want to understand computers and the internet. The reason we hear about "cyberweapons" is because whatever some government bureaucrat hears is what it spits back out to the media and general public who ALSO can't and doesn't want to understand computers, but none the less has to justify the spending to. Basically, anyone capable of making your post is not the intended audience of that message.
However, that message is also what government bureaucrats think about when making decisions about computers and the internet and that's where we get dumb ideas like the summary from. That's how it was explained to them, and that's how they will apply what they know to it. So when you tell them: "Well many people and companies are being hacked into causing a lot of financial / trade secret / livelihood / etc. loss, something needs to be done about it." The government bureaucrat hears: "Well many people and companies are being attacked causing a lot of damage. Deploy the countermeasures!" We only have ourselves to blame for not forcing them to learn about the technology before setting them loose on it.
If anything, I would imagine if the idea in the summary was implemented, we would start having a lot of people complaining about connectivity loss and (hopefully not) data corruption. Eventually one of two things would happen: The government would resend this idea because it causes more damage than it fixes, or they would start demanding that computers have the anti-hacking stuff built in to thwart attackers before they can succeed. In any case if such an idea as in the summary were to be implemented, there would be a push by hackers to identify and patch any security holes used by the government and it's "deputized" companies both on their own equipment and their targets. In addition to using more secure systems in general for command & control. Maybe immediate offline backup for downloaded data as a fail safe against new kinds of counterattacks.
TL:DR This kind of legislation will not stop the current problems. It will just inconvenience everyone to make it look like the government is doing something while kicking the can down the street a little more so they can put off learning about the technology they have no clue about. Why? Because lazy.
Sound interesting; In fact a great number of Chinese are waiting for someone taking down the GFW, which is not really exist,
I wonder what will be done about the rats known as "mystery shoppers" - these are unemployed rat bastards that sign up to call Co. sales depts in certain all phone pro service industries and whose goal is to actually keep people on phone wasting the co's resources, while being paid for it.
And we are talking legitimate companies, providing legitimate, and oftentimes critically needed services (legal and financial help with debt and tax problems) thereby not just randomly attacking the 9 to 5 worker on phone, but actively depriving people who DO need help with serious problems ("payroll clerk just said 75% of my next check is going to IRS!!!!") and all because some rat someplace would rather burn his neighbor's crops than work on growing more of his own.
I say I wonder, because I don't see company owners too worried about it, phone labor is paid cheap, and people who really need help can just keep dialing until they get through apparently.
There are some serious resources being applied and wasted in all this, and apparently even with ALL the laws already in place, there is nothing illegal about someone, at the behest of and with the assistance of a third party often a competing company, posing as a legitimate consumer, providing 100% false information in a matter related to Federal taxes and/or major debt with Fed insured Banks, and this to an FTC regulated company in an industry requires extensive licensing, all with the malicious intention of tying up and wasting target company's resources, so as to gain a competitive edge in the marketplace.
No different than dumping a barrel full of live RATS on a farmer's fields in the middle of the night.
SARAVA!
Even the NSA couldn't keep Snowden for walking away with tons of highly secure data.
All too true