Private retaliation in cyberspace a 'remarkably bad idea'
The best strategy to protect corporate jewels from cyber thieves is to build a strong defense, security experts say
Computerworld - Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S. companies should not be allowed to fight back on their own, security experts say.
Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.
"This is a remarkably bad idea," said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."
In commentary released by the CSIS this week, he said, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging."
Lewis was responding to a report from the Commission on the Theft of American Intellectual Property last week that floated the idea of allowing private companies to retaliate against cyberthieves as a means of curbing IP theft.
The commission, co-chaired by Dennis Blair, former U.S. director of National Intelligence, and Jon Huntsman, former U.S. ambassador to China, contends that current laws and trade agreements have failed to curb IP theft by state-sponsored cyber groups, so U.S. companies should be allowed to respond on their own.
The report made clear that at some point in the future, companies should have the option of disabling or destroying hacker networks, or planting malware on them.
Lewis dismissed all such suggestions as bad ideas.
The U.S., he said, is trying to get countries to agree that longstanding international laws should be extended to include cyberspace. For instance, the U.S. has been working to build consensus around the notion that governments are responsible for the actions of their citizens.
Lewis noted that the U.S. government is a leading backer of the Budapest Convention on Cybercrime, which prohibits private retaliation in cyberspace. Under the convention, a victim of a retaliatory attack could bring suit against a U.S. company in federal court, or seek extradition of those responsible for such attacks.
Private retaliation would undercut U.S. efforts to get China, Russia and other countries to hold their citizens accountable for cyberattacks against U.S. companies, Lewis said.
Any U.S. refusal to cooperate with a Chinese request for help investigating a retaliatory attack, for instance, could prompt China to refuse to cooperate with the U.S. on cybersecurity issues, he said.
"In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win," Lewis said.