Slashdot Mirror
Counterterrorism Expert: It's Time To Give Companies Offensive Cybercapabilities
itwbennett writes: Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration says the U.S. government should should consider allowing businesses to develop 'tailored hack-back capabilities,' deputizing them to strike back against cyberattackers. The government could issue cyberwarrants, giving a private company license 'to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute.
... this isn't going to end well.
I'd expect such nonsense from a former employee of BushCheney Co. Would you also "deputize" a privately held corporation to get some F-16's and go bomb the attackers? It is virtually the same thing. I guess the BushCheney Corporation would have loved that.
Such attacks are attacks on U.S soil, and should therefore be handled by the military, and only the military.
Otherwise, this will create private, corporate owned, corporate sponsored armies. They will be, essentially, corporate warlords.
It's called a "Letter of Marque," and they've been used in places where governments can't enforce their sovereignty for centuries.
It usually doesn't turn out all that well, but may well be better than nothing.
He's accessing vons.com with Chrome and Adblock +, Privacy Badger, and Scriptblock. He's obviously a Chinese terrorist subverting our capitalist ways, reformat his hard drive!
Oh sure, let's trust the people who can't even protect their own networks to properly identify the perpetrators of a hack instead of some innocent bystander running a TOR exit node. I can't see any risks associated with that. No. Not at all... :(
I do not fail; I succeed at finding out what does not work.
Giving private corporations the ability to identify anyone they don't like a "cyberattacker" and then attack them will be very dangerous. Imagine companies pursuing IP related complaints (whether real or imagined) being deputized to go after people and their systems in this manner. There are damn good historical reasons we have a legal system in place -- one of which is to the prevent abuses that vigilante systems foster.
This is a great idea. What on earth could possibly go wrong?!?! Lets give the power hungry, egotistical, anti-social network security "experts" who are in charge of creating the insecure networks the right to use "deadly force" against those they think might be responsible.
I can't wait for the fecal matter to hit the CPU fan when the wrong company is targeted for retaliation er I mean offense.
that you are competent enough on the defensive side of things first and we'll talk about it.
When your company can't even be bothered to properly secure our personal information on your servers ( plaintext files . . . really ? ) what sort of insanity is it to even CONSIDER giving these very same folks offensive capabilities ?
It's like giving a shotgun to a monkey and hoping nothing bad comes of it :|
Seriously. . . . wtf ?
Companies have demonstrated how careful and responsible they are with the DMCA takedowns, so it's only logical that we allow them to go further and actively attack the evil-doers out there.
There are security models and systems perfected in the 1970s in response to the data processing needs of the air war in Viet Nam. There are commercially available systems which work for multilevel security. This model can be ported to the open source world, if enough people are interested. I'm waiting for the Genode project from Germany to get something I can use in the next few years, and I hope there will be others.
I hereby suggest we just eliminate the possibility of a cyber-war, instead of getting stuck in an arms race.
Let's look at something nobody does, which is look at evidence. OK, I know that sounds like a bad idea .. but anyways .. RIAA, MPAA, and SPA already does this exact same thing. They have ruined lives for no reason. What happens when the company hacks back and causes more damage than what was stolen? We don't let the victims decide punishments. If victims could decide punishment even petty thieves would be murdered. If you think that sort of draconian punishment helps a society, then you probably want to move to Saudi Arabia or ISIS.
Look up "letters of marque and reprisal", and perhaps "privateering", too.
A Disney movie?
I guess someone's been reading/watching too many cyberpunk books/movies. Vigilante justice seldom ends well. There's absolutely no evidence that just because to prepend "cyber" to the front of it that thing will turn out any different.
Two of my imaginary friends reproduced once
I see no reason to limit companies to cyber weapons. Once they have located an attacker, having privately owned armed drones would be very handy. if the attacker is a nation state, even more aggressive measures could be used. I can see aircraft carriers, and maybe even ballistic missile subs with corporate logos.
So if you make it look like someone else did it....
I for one plan to change my business card to read Buccaneer instead of Engineer. Being a privateer did not end so badly for all of them.
Nullius in verba
I'm sure it would be used with the same level of integrity as the DMCA is.
"National Security is the chief cause of national insecurity." - Celine's First Law
Only corporations of s certain size will be allowed to do it. Someone with a small business who has no value to the gov will be punished.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
It's never been about the possibility of security though.
Since this is Slashdot, I'll explain with a car analogy. Lots of people die in car accidents, and we could easily stop that by doing things like a) Not use cars, b) not let them drive more than 20mph, etc... all sorts of things that would greatly interfere with the way people actually use cars to do stuff. Our cars also used to be a lot less safe too - at one point they didn't even come with seat belts.
As much as I'd love to see proper security implemented, it's just not going to realistically happen. Too many users (customers) don't want the hassles that come with serious security, and too many businesses aren't will to pay the up front costs for it (yet, at least). It's going to take some hard lessons before they start putting on seat belts, air bags, abs breaks, and the equivalents of everything else we've done (and are doing) to make cars safer. The Adama solution, as much as it makes sense from a security standpoint, doesn't take into account the needs of either the people using the stuff, or the people paying for the stuff. We need those people to understand and demand more secure features up front - and even then we're still only talking about reducing things to an acceptable/tolerable level, not eliminating them.
So... for a long time, various encryption algos were considered weapons and subject to ITAR controls. The same is starting up again now.
So... if code can be a weapon, a (very) loose interpretation of the 2nd Amendment and some Castle Doctrine would already allow someone to hack back ...
Even that very loose interpretation doesn't quite fit.
The second amendment after all only says we the people may posses weaponry, it isn't a blanket licence to shoot at just anyone willy nilly, let alone a license to kill someone.
At least so far it is still not illegal to simply own an exploit or its source code, which is a more fair comparison.
One might argue that it should/is legal to counter-hack a system, but to keep the comparison, only so long as they are the one that attacked you first.
The moment you attack some poor smuck infected with malware doing the attackers bidding, it is no different than pulling your legal to own and have firearm and shooting the mailman that brought the ransom note to your door.
That is murder far and clear even with the second amendment and castle laws.
Most attacks these days are carried out through such proxy systems, be they n00b level windows malware, or zero day exploits against a fully patched and updated system (which I don't think anyone can possibly blame the systems owner for), and should be just as illegal to attack them as to counter attack them.
Our fear is that won't be the case. Many innocents are at risk with this plan.
Not to mention, all a black hat hacker has to do is form a corporation, then wait for the inevitable botnet scans and "counter hack" all those infected zombies.
Now this law just made legal any hacking done by those with unsavory intentions. Yeay?
It's bad enough on the Internet these days, but this certainly will not make a climate I wish to be involved with at all.
When the government is too lazy or incompetent to find the person who killed your father, they can just give you permission to find the killer and bring whatever justice seems fair. I don't see how anything bad that can come of this, nor its cyberspace analogue.
That hasn't worked too well with the NSA. I can't imagine that a private corporation with a financial incentive would be able to restrain themselves from attacking their competetors once they were given the go-ahead to start lashing out when their network gets DDOSd.
If I have a company accidentally misidentify my network as an attacker, and 'bathack' me, vigilante style, am I allowed to then counter attack and destroy their customer database? are they then allowed to drive over and cut my fiber? Can I then drive to the home of their CEO and execute him in retaliation?
No this is an unbelievably stupid idea, presented by an unbelievably stupid person (Juan Zarate, who is this ass clown?)
HA! I just wasted some of your bandwidth with a frivolous sig!
There is no such thing as a cyberweapon. There is hacking/cracking and that is generally done through technical weaknesses and/or social engineering. There is no such thing as a cybertank or a cybergun, something that can actively break through something that it was not intended to go through. There is no software that can simply break through a web server by sheer force.
Using any kind of military jargon with what amounts to a technical capability of a piece of software is (car analogy) like telling us that foreign car mechanics and imported engines are capable of destroying our infrastructure and instead of fixing the engines or building our own to counteract it we have to deploy our own car mechanics and engines to foreign countries.
Using these analogies of cyberweapons with technical experts just sounds like a bunch of military people heard of the printing press and now they want to destroy people with paper cuts.
Custom electronics and digital signage for your business: www.evcircuits.com
We need to give them all....Windows 10! The most dangerous thing ever to happen to computers.
That hasn't worked too well with the NSA. I can't imagine that a private corporation with a financial incentive would be able to restrain themselves from attacking their competetors once they were given the go-ahead to start lashing out when their network gets DDOSd.
No, this could be great! We could appoint a secret TCP packet court, issue arrest warrants against packets of data and store them in privatized prison segmented storage on the NSA data center and put the cost on everyone's intertubes bill.
Then again, might just be easier to prosecute the builders of the federal reserve system on a Ponzi scheme, fine them the amount of gold they emptied the central banks of and then figure out if they belong in England, Germany or Mongolia. Let the decided country deal with them from there.
That article has been nuked.
One down, seven to go.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
This isn't a case of "perfect is the enemy of the better." This is a case of "something is the enemy of nothing" - which means that, in the minds of politicians, doing something is better than doing nothing even if that something is worse than useless. Even if doing the something in question makes matters worse (say, by allowing the RIAA to form a private army to kill "copyright thieves"), it is better than doing nothing as far as the politician is concerned because he can claim "I did something" when re-election comes around.
In related news, this kind of thinking is what led to the TSA "security." Doing "something" about security (everyone has to remove their shoes) trumps taking the time to actually consider risks and benefits.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I saw the same shit with spam. I used to receive a lot of backscatter from some spammer using my E-mail address as a fake from address. I received a ton of threats, random DoS attacks, mailbombs, ping-floods, and a lot of stuff because various dipshits couldn't understand the basics about what an open relay was.
The more ironic thing was finding out that before the deluge happened, I got an extortion letter threatening that postmaster and other E-mail IDs on the web from the site would be used as fake originations.
So some business with the absolute bargain-basement IT staff, chock full of bargain-basement novices is going to decide if a compromised workstation the receiving department at another company is sufficient cause enough to shut that firm down? This would be like carpet-bombing an entire office building because a bank robber ducked into the building's lobby.
Here is where real/virtual separate and analogies doesn't work: It is not difficult to cover one's tracks, especially with how many botnets there are on dynamic IP address ranges.
Given that most "cyberattacks" are caused by crappy software, making software companies liable for their bugs looks like a better option to me.
Black Ice!
Yeah, some of them managed to make a fair amount of money before they ended on the gallows.
The authorities tended to put down their attack dogs once they'd become no longer expedient to keep around.
Il n'y a pas de Planet B.
It wouldn't last a week before we'd be seeing attacks against competitors.
It's not competitors I'd be worried about but the copyright trolls. Using their interpretation of copyright law practically everyone would be guilty of "stealing" their data in some form or other and so would be open to be hacked "just to check". The truly ironic thing of course is that by acting under a letter of marque they would actually be far more like a pirate than those they accuse.
And to carry on the analogy, the more successful ones will swallow up or destroy the less successful ones until you have a small handful at most of really massive ones who are accountable to no one.
The correct approach is to use the government for defensive cyber capabilities. The NSA (and others) are focused almost entirely on offensive capabilities and weaponizing exploits that they discover. Instead, they should be reporting, patching, and/or issuing reports on their discoveries. There's no point in protecting 'Murican data if there's nothing left to protect because we're ignoring defense.
As far as their spying -- sorry, "collection" -- mission, they can still hack existing systems without using software exploits.
https://www.eff.org/https-everywhere
Competitors? You act as it there is actual competition out there. Competition is a myth they use to sell capitalism with. Sure, the car wash place down the street may have competition, but not the multinationals. That's just another illusion they try to maintain.
What they will do is retaliate against whistleblowers and activists. They already look on people who tell the truth about them as terrorists, with the full support of their bought and paid for law enforcement allies.
Don't forget pirates and copyright infringers, whether those people are actually involved in such activity or not. They're already pursuing legislation that would criminalize interfering with their ability to make a profit.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)