Slashdot Mirror


Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com)

An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, he said.

19 of 141 comments

  1. No by sexconker · · Score: 4, Interesting

    No, not unless regular people are allowed to do the same.

    1. Re:No by Arzaboa · · Score: 3, Informative

      Regular people can start a corporation in most states in the U.S. in less than 10 minutes.

      --
      "Would you like them in a tree?" - Sam-I-Am

    2. Re:No by ArmoredDragon · · Score: 3, Interesting

      No...We shouldn't allow vigilantism any more than we should allow companies to retaliate. However when they made this statement:

      Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, he said.

      I agree with all of this, but only under the condition that is done with a large dose of oversight and policies and protocols that are open to the public. None of this FISA/national security letter crap.

  2. Terrible idea. by Lordpidey · · Score: 5, Insightful

    One of the most BASIC things to do in hacking, is cover your traces by making it LOOK like you're someone else.

    So, naturally the best way to harm corporation X, would be to hack corporation Y, but leave lots of evidence that it was corporation X, thus causing Y to attack X.

    --
    Some people encrypt by using rot-13 twice. I prefer the more secure method of using rot-1 a total of twenty six times.
    1. Re:Terrible idea. by barc0001 · · Score: 4, Insightful

      Also add to the fact that a lot of people are - to put it bluntly - stupid, and will probably misinterpret the source of an attack, launching a counterattack against an uninvolved 3rd party.

    2. Re:Terrible idea. by HermMunster · · Score: 2

      Or they can feign ignorance and claim X did it just to get into X entity's systems.

      Let's not forget that when these entities are hacked it is because they had no one paying attention to the vulnerabilities which resulted in their failure to apply patches.

      Corporations need to hire someone that acts as a security officer that reviews and implements patches.

      --
      You can lead a man with reason but you can't make him think.
    3. Re:Terrible idea. by CanadianMacFan · · Score: 3, Interesting

      Or company X actually breaks into company Y but goes to them with made up data saying that company Z used systems from X to do it and then proposes that X and Y launch attacks against Z. Meanwhile Z hasn't done anything and gets attacked by two of its competitors.

    4. Re:Terrible idea. by rtb61 · · Score: 2

      Cough, cough, why is it corporations always take actions and then work with lobbyists and corrupt politicians to try to make them legal, the criminal actions they have already taken. Forget about talking about what they will do, this is all about what they have already done and are trying to get away with. It basically creates an excuse for all sorts of criminal acts, why wait for an attack, when you can 100% with total ease and simplicity create the digital evidence for an attack and have it look exactly like a real attack and target that evidence at whomever you wish, especially political activist organisations, unions, social groups and targeted individuals. Fabricate an attack, attack the claimed source, insert evidence at their location and then report it to the authorities with proof gained from their computer of the attack you crafted on your computers and the evidence you planted on their computer. All 100% corruptly legal, no thought of tainted evidence, no thought of well you have proven their computer could be hacked by hacking it for evidence and get out of jail free card when you get caught after their lives have been digitally destroyed. Now that is what they are aiming for and not just further salvoes in the world war three the corporate wars, much safer than the real thing and douche executives finally end up in each other's cross hairs (seriously dangerous stuff for them, we only got to watch out for the cross fire).

      Corporate executives playing digital wars, means snatching them up for a day allows enormous damage to be done to the enemy corporations. Tax haven accounts become an anathema for corporate executives because who is depositing money in that account and what digital keys will those executives be providing. Never forget one serious hack can cost one company billions whilst making another company billions from the fallout. Companies can be bankrupted, criminal activities of competitors can be exposed, corporate executives can be exposed for all sorts of sexual deviancies and then there is the mundane trade secrets, research and development, corporate economic strategies and investment strategies to be analysed.

      Their psychopathic greed means they won't be able to stop themselves, lust for power will push them, don't think so, just look at the last financial crisis, purposeful corruption from start to finish, including getting the slimy POS Uncle Tom Obama to roll over on all the corruption fully exposed. They will start killing each other, it is inevitable.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Terrible idea. by apoc.famine · · Score: 2

      Likely hiring shadowrunners to do it.....

      --
      Velociraptor = Distiraptor / Timeraptor
  3. Oh hell no by mhkohne · · Score: 4, Insightful

    These guys can't secure their servers in the most basic ways, and they want to be allowed to do their own target id (I'm supposed to believe they won't screw that up?) and then take offensive action?

    They'll attack the right target perhaps 1 out of 20 events. They'll attack someone at random every so often and then say 'whoops! We screwed up! Sorry!'.

    No, these corporate bozos are not the people we want dealing with such threats.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  4. Sun Tzu by Narcocide · · Score: 2

    The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

    1. Re:Sun Tzu by PolygamousRanchKid+ · · Score: 3, Informative

      The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

      In more modern times, Carl von Clausewitz taught us that "No campaign plan survives first contact with the enemy". You can firewall yourself up in a Maginot Line . . . but that won't help you when the enemy comes unexpectedly from behind via the Benelux Countries, and bites you in your ass.

      More importantly, Clausewitz famously talked about the "Fog of War" . . . when a war breaks out, military commanders are relatively clueless to what is actually going on. Who is attacking? Where exactly? In what strength? International hacking incidents are even more opaque. Are those North Korean hackers? Russian political lackeys? Cash-strapped Nigerian Princes?

      Yes, being aware of the threats, and more importantly, having plans and educated staff in place to handle the breach.

      But penetrations will always happen . . . even simply with the ageless method of bribing a sysop.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Sun Tzu by boudie2 · · Score: 3, Funny

      Or as Mike Tyson used to say "Everyone has a plan until they get punched in the face."

  5. Hell No! by jwhyche · · Score: 5, Insightful

    No company should ever be allowed to take the law into its own hands. Their response to any such issue should be to close the holes and repair the damage. Let law enforcement handle the rest.

    That is unless we want a ShadowRun type society where corporations can field their own private police forces and armies. But if this came to pass I doubt we would get the magic that came with it.

    --
    I read at +2. If your post doesn't reach that level I will not see or respond to it.
  6. NO, absolutely not. by HermMunster · · Score: 2

    They should be required to follow the law as any individual would be required. The last thing we need is for businesses to be above the law or rather to have laws applied differently to businesses than they are to individuals. If businesses can hit back then individuals suffering attacks should be able to hit back too.

    --
    You can lead a man with reason but you can't make him think.
  7. I have bad memory, but... by Locke2005 · · Score: 4, Insightful

    Aren't there documented incidents of retaliation against hackers harming innocent third party internet businesses? That's why we let law enforcement hand out consequences instead of engaging in vigilante justice. (That being said the guys who chased after the Texas church shooter are awesome!)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  8. No no no by JustAnotherOldGuy · · Score: 3, Insightful

    Of course, this power would never, ever be abused, right? That would just never happen, right folks?

    And if they accidentally nuke your PC and its data, well..."Oops, real sorry about that. No you can't sue us, it's totally legal! What's that? You want to sue? Great, we'll see your lawyer and raise you 50 lawyers with virtually unlimited funds. See ya in court, sucker."

    No, they should not, because we all fucking know exactly what kind of abuse(s) this will lead to.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Seriously? by Excelcia · · Score: 3, Informative

    Private companies should share more data with the U.S. government to prevent breaches, he said.

    Sharing data with the US government is going to PREVENT breaches?!?

    This is akin to saying a gang raped woman should then go out and buy a pack of condoms to prevent an STI. The US government has been the source of more breaches than any other agency. Have we forgotten that it's a non-disclosed zero day vulnerability that the US government found, weaponized, and then let out into the wild that caused the single largest series of ransomware attacks in history? The idea that the US government is in any way interested in preventing breaches is laughable. Sorry, folks are on their own.

  10. Re:Report to whom? by Arzaboa · · Score: 2

    You call the FBI.

    You're not being "hacked" 1000 times a day because someone tried a new ID/PW combo, or ran a script of known vulnerabilities, or changed a URL.

    --
    "I will not like them Sam-I-Am" - Unknown