Private retaliation in cyberspace a 'remarkably bad idea'
The best strategy to protect corporate jewels from cyber thieves is to build a strong defense, security experts say
Computerworld - Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S. companies should not be allowed to fight back on their own, security experts say.
Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.
"This is a remarkably bad idea," said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."
In commentary released by the CSIS this week, he said, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging."
Lewis was responding to a report from the Commission on the Theft of American Intellectual Property last week that floated the idea of allowing private companies to retaliate against cyberthieves as a means of curbing IP theft.
The commission, co-chaired by Dennis Blair, former U.S. director of National Intelligence, and Jon Huntsman, former U.S. ambassador to China, contends that current laws and trade agreements have failed to curb IP theft by state-sponsored cyber groups, so U.S. companies should be allowed to respond on their own.
The report made clear that at some point in the future, companies should have the option of disabling or destroying hacker networks, or planting malware on them.
Lewis dismissed all such suggestions as bad ideas.
The U.S., he said, is trying to get countries to agree that longstanding international laws should be extended to include cyberspace. For instance, the U.S. has been working to build consensus around the notion that governments are responsible for the actions of their citizens.
Lewis noted that the U.S. government is a leading backer of the Budapest Convention on Cybercrime, which prohibits private retaliation in cyberspace. Under the convention, a victim of a retaliatory attack could bring suit against a U.S. company in federal court, or seek extradition of those responsible for such attacks.
Private retaliation would undercut U.S. efforts to get China, Russia and other countries to hold their citizens accountable for cyberattacks against U.S. companies, Lewis said.
Any U.S. refusal to cooperate with a Chinese request for help investigating a retaliatory attack, for instance, could prompt China to refuse to cooperate with the U.S. on cybersecurity issues, he said.
"In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win," Lewis said.