Should Private Companies Be Allowed To Hit Back At Hackers?

An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, ha said.

Seriously?

[Excelcia]

Private companies should share more data with the U.S. government to prevent breaches, ha said.

Sharing data with the US government is going to PREVENT breaches?!?

This is akin to saying a gang raped woman should then go out and buy a pack of condoms to prevent an STI. The US government has been the source of more breaches than any other agency. Have we forgotten that it's a non-disclosed zero day vulnerability that the US government found, weaponized, and then let out into the wild that caused the single largest series of ransomeware attacks in history? The idea that the US government is in any way interested in preventing breaches is laughable. Sorry, folks are on their own.

Re:Sun Tzu

[PolygamousRanchKid+]

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

In more modern times, Carl von Clausewitz taught us that "No campaign plan survives first contact with the enemy". You can firewall yourself up in a Maginot Line . . . but that won't help you when the enemy comes unexpectedly from behind via the Benelux Countries, and bites you in your ass.

More importantly, Clausewitz famously talked about the "Fog of War" . . . when a war breaks out, military commanders are relatively clueless to what is actually going on. Who is attacking? Where exactly? In what strength? International hacking incidents are even more opaque. Are those North Korean hackers? Russian political lackeys? Cash-strapped Nigerian Princes?

Yes, being aware of the threats, and more importantly, having plans and educated staff in place to handle the breach.

But penetrations will always happen . . . even simply with the ageless method of bribing a sysop.

Re:No

[Arzaboa]

Regular people can start a corporation in most states in the U.S. in less than 10 minutes.

--
"Would you like them in a tree?" - Sam-I-Am