Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security Businesses Privacy The Military United States

Should Private Companies Be Allowed To Hit Back At Hackers? (vice.com) 141

An anonymous reader quotes a report from Motherboard: The former director of the NSA and the U.S. military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers. "If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday. During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own.

Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back. "We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild -- no pun intended." But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to." Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, ha said.

This discussion has been archived. No new comments can be posted.

Should Private Companies Be Allowed To Hit Back At Hackers?

Comments Filter:
  • No (Score:5, Interesting)

    by sexconker ( 1179573 ) on Monday November 06, 2017 @08:06PM (#55502989)

    No, not unless regular people are allowed to do the same.

    • Ha! Regular people aren't people. Not real people, anyway, like corporations are. :D

    • Re:No (Score:4, Informative)

      by Arzaboa ( 2804779 ) on Monday November 06, 2017 @09:20PM (#55503339)

      Regular people can start a corporation in most states in the U.S. in less than 10 minutes.

      --
      "Would you like them in a tree?" - Sam-I-Am

    • Re:No (Score:4, Interesting)

      by ArmoredDragon ( 3450605 ) on Tuesday November 07, 2017 @01:51AM (#55504331)

      No...We shouldn't allow vigilantism any more than we should allow companies to retaliate. However when they made this statement:

      Instead, Keith argued that the U.S. government should be able to not only hit back at hackers -- as it already does -- but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the U.S. government to prevent breaches, ha said.

      I agree with all of this, but only under the condition that is done with a large dose of oversight and policies and protocols that are open to the public. None of this FISA/national security letter crap.

    • by mwvdlee ( 775178 )

      Vigilante justice never goes wrong.

  • Terrible idea. (Score:5, Insightful)

    by Lordpidey ( 942444 ) on Monday November 06, 2017 @08:09PM (#55503005) Homepage
    One of the most BASIC things to do in hacking, is cover your traces by making it LOOK like you're someone else.

    So, naturally the best way to harm corporation X, would be to hack corporation Y, but leave lots of evidence that it was corporation X, thus causing Y to attack X.
    • Re:Terrible idea. (Score:5, Insightful)

      by barc0001 ( 173002 ) on Monday November 06, 2017 @08:19PM (#55503051)

      Also add to the fact that a lot of people are - to put it bluntly - stupid, and will probably misinterpret the source of an attack, launching a counterattack against an uninvolved 3rd party.

      • Or they can feign ignorance and claim X did it just to get into X entity's systems.

        Let's not forget that when these entities are hacked it is because they had no one paying attention to the vulnerabilities which resulted in their failure to apply patches.

        Corporations need to hire someone that acts as a security officer that reviews and implements patches.

    • Re:Terrible idea. (Score:4, Interesting)

      by CanadianMacFan ( 1900244 ) on Monday November 06, 2017 @10:49PM (#55503707)

      Or company X actually breaks into company Y but goes to them with made up data saying that company Z used systems from X to do it and then proposes that X and Y launch attacks against Z. Meanwhile Z hasn't done anything and gets attacked by two of it's competitors.

    • by rtb61 ( 674572 )

      Cough, cough, why is it corporations always take actions and then work with lobbyist and corrupt politicians to try to make them legal, the criminal actions they have already taken. Forget about talking about what they will do, this is all about what they have already done and are trying to get away with. It basically creates an excuse for all sorts of criminals acts, why wait for an attack, when you can 100% with total ease and simplicity create the digital evidence for an attack and have it look exactly l

    • That strategy has been around for a long time in many forms, and has a name:

      "Let's you and him fight."

    • One of the most BASIC things to do in hacking, is cover your traces by making it LOOK like you're someone else.

      Right, and the Russian hacked the Elections, because their fingerprints were all over it ... right .. right ...

      {tapping mic} Is this thing on?

    • by antdude ( 79039 )

      Like this BASIC code?

      10 HOME
      20 PRINT "HACK THE PLANET"
      30 GOTO 20

  • Absolutely! We can treat this as an assault, in that the aggressor loses the legal ground and the victim has a reasonable defense. Even when the defense is an offensive response.
    • You of course are forgetting that many hacks involve breaching someone else to use as a stepping stone, or misdirection like DDOS floods from innocent 3rd parties via reflection amplification attacks. Both of which would only allow the retaliating company to strike at people who are also being victimized.

      Terrible idea.

      • Iâ(TM)m not forgetting anything. Youâ(TM)re assuming that Iâ(TM)m advocating blindly attacking targets. There is a process to an investigation, trynfollowing first. Just as a defense to an assault can land you in jail, responding aggressively and at the wrong individuals can have the same consequences. Look before you leap.
        • Let's not kid ourselves. If this goes through a lot of the counter attackers aren't going to be the sharpest knives in the block. For example would you trust... say... Equifax's IT team (the same ones who couldn't have Steve install a patch) to properly ID the correct target before taking action? Me neither. On the plus side, their attack would almost certainly be ineffective, perhaps even unnoticed as it fails so there is that too...

          • You make a good point, but why would you combine of legality of a response, with the ineptness of token examples? I personally would like to have the freedom to respond in kind, even if others canâ(TM)t be trusted to do the same.
          • by Bert64 ( 520050 )

            Most attacks that get noticed are ones that failed...

  • ..you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high

    s/responsibility/profit center/

  • Oh hell no (Score:5, Insightful)

    by mhkohne ( 3854 ) on Monday November 06, 2017 @08:14PM (#55503025) Homepage

    These guys can't secure their servers in the most basic ways, and they want to be allowed to do their own target id (I'm supposed to believe they won't screw that up?) and then take offensive action?

    They'll attack the right target perhaps 1 out of 20 events. They'll attack someone at random every so often and then say 'whoops! We screwed up! Sorry!'.

    No, these corporate bozos are not the people we want dealing with such threats.

    • by AHuxley ( 892839 )
      If a fictional cyber movie script was been written?
      A lone individual with skills sits between two nations.
      Private sector staff with contacts in the their respective govs/mil watch as a flood of packets move in and out of the a set ip.
      Is it a staging server or a real person in real time using a powerful home computer?
      Private sector hack back is attempted.
      Support is requested from state, federal gov cyber services in both nations as the hack backs start.
      Finally the security services are asked for thei
    • by dysmal ( 3361085 )

      They'll attack the right target perhaps 1 out of 20 events. They'll attack someone at random every so often and then say 'whoops! We screwed up! Sorry!'.

      Meantime if you're the one that accidentally gets attacked and they'll tie your ass up in litigation so long that SCO vs IBM will finally be resolved.

  • The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

    • Re:Sun Tzu (Score:4, Informative)

      by PolygamousRanchKid ( 1290638 ) on Monday November 06, 2017 @08:47PM (#55503193)

      The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

      In more modern times, Carl von Clausewitz taught us that "No campaign plan survives first contact with the enemy". You can firewall yourself up in a Maginot Line . . . but that won't help you when the enemy comes unexpectedly from behind via the Benelux Countries, and bites you in your ass.

      More importantly, Clausewitz famously talked about the "Fog of War" . . . when a war breaks out, military commanders are relatively clueless to what is actually going on. Who is attacking? Where exactly? In what strength? International hacking incidents are even more opaque. Are those North Korean hackers? Russian political lackeys? Cash-strapped Nigerian Princes?

      Yes, being aware of the threats, and more importantly, having plans and educated staff in place to handle the breach.

      But penetrations will always happen . . . even simply with the ageless method of bribing a sysop.

  • Hell No! (Score:5, Insightful)

    by jwhyche ( 6192 ) on Monday November 06, 2017 @08:15PM (#55503031) Homepage

    No company should ever be allowed to take the law in to is own hands. Their response to any such issue should be to close the holes and repair the damage. Let law enforcement handle the rest.

    That is unless we want a ShadowRun type society where corporations can field their own private police forces and armies. But if this came to pass I doubt we would get the magic that came with it.

  • I practice the art of counter hacking on occasion but do it comfortably behind a slew of different proxies or remote shell accounts that are not registered directly to my employer. That way my employer maintains plausible deniability and cannot be held accountable for anything I do. However, I do have a unspoken agreement with upper management that I am allowed the latitude required to mitigate any and all attacks possible. So if that means knocking off sites with enormous packet floods or even exploiting t

    • by Bert64 ( 520050 )

      So someone attacks you using the same precautions of going through third parties...
      You attack those third parties, but going through different third parties yourself.
      Those third parties attack your third parties thinking they're being attacked.
      And we end up with such a mess...

      How can you positively identify who the attacker is if they're going to route the attack via other systems? Who's to say you aren't attacking some innocent third party?

  • In the same sentence? From the guy who perjured himself in congress? Hackback is a bad idea for those who might get the wrong target, sure. But the crowd that gets our guys, as well as guilty and innocent around the world killed and maimed for obscure ends in the pursuit of the petrodollar...shouldn't be doing that either. Just fix your bugs and holes and let it all bounce off. You need to do that anyway.
  • by Anonymous Coward

    This is just asking for trouble, in the same way any home-grown attempts to control crime tend to be.

    Look, you want to have a gun for self-defense? You can make that argument, but this is like saying you can go hunting the guys who robbed you.

    • You need to have not just a gun, but also a good spot to bury bodies and the ability the keep your mouth shut! I'm pretty sure criminals don't file a flight plan before invading homes, so nobody knows where they disappeared. And it's not like they're going to park right in front of the house they're breaking into.
  • What is this, the laziest application of Betteridge's law of headlines in /. history? Of course not. Vigilantism is _never_ a good idea. It takes years of training and constant surveillance to apply force and violence even as evenly as police do and let's face it, they screw it up all the time. You want some random yahoo who's probably mad as hell their severs just got DDOS'd doing it?
    • by sconeu ( 64226 )

      Vigilantism is _never_ a good idea.

      Unless you wear a cool suite with a cowl shaped like bat-ears and a cape... and use lots of cool tech.

    • Vigilantism is never a good idea - unless there's no one around to help.

      That is, if you're in some far-flung backwater and the cash-strapped police station is 500 miles away, then kicking the shit out of some burglars isn't such a bad thing to do - because for all intents and purposes there is no law enforcement in your location (if the crime committed against you goes unanswered, then so will the crimes you're committing). However, if said police are in the neighbourhood but failing to act, then that's no

  • by HermMunster ( 972336 ) on Monday November 06, 2017 @08:29PM (#55503103)

    They should be required to follow the law as any individual would be required. The last thing we need is for businesses to be above the law or rather to have laws applied differently to businesses than they are to individuals. If businesses can hit back then individuals suffering attacks should be able to hit back too.

  • by Locke2005 ( 849178 ) on Monday November 06, 2017 @08:29PM (#55503107)
    Aren't their documented incidents of retaliation against hackers harming innocent third party internet businesses? That's why we let law enforcement hand out consequences instead of engaging in vigilante justice. (That being said the guys who chased after the Texas church shooter are awesome!)
  • Lets fry their cerebellum. #WilliamGibson
  • No no no (Score:4, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Monday November 06, 2017 @08:34PM (#55503137)

    Of course, this power would never, ever be abused, right? That would just never happen, right folks?

    And if they accidentally nuke your PC and its data, well..."Oops, real sorry about that. No you can't sue us, it's totally legal! What's that? You want to sue? Great, we'll see your lawyer and raise you 50 lawyers with virtually unlimited funds. See ya in court, sucker."

    No, they should not, because we all fucking know exactly what kind of abuse(s) this will lead to.

  • Seriously? (Score:3, Informative)

    by Excelcia ( 906188 ) <kfitzner@excelcia.ca> on Monday November 06, 2017 @08:40PM (#55503161) Homepage Journal

    Private companies should share more data with the U.S. government to prevent breaches, ha said.

    Sharing data with the US government is going to PREVENT breaches?!?

    This is akin to saying a gang raped woman should then go out and buy a pack of condoms to prevent an STI. The US government has been the source of more breaches than any other agency. Have we forgotten that it's a non-disclosed zero day vulnerability that the US government found, weaponized, and then let out into the wild that caused the single largest series of ransomeware attacks in history? The idea that the US government is in any way interested in preventing breaches is laughable. Sorry, folks are on their own.

    • While the Vault 7 release was bad, it was the CIA who did that. You can't even get departments within the same company to talk to each other so what makes you think different departments of the Government are any better. I doubt the CIA told the NSA and CERT that it was holding onto these exploits. Also, CERT does good work.
  • Yes
  • He makes for a bad argument. First, except for N. Korea, every single other country would rather not admit they were behind the cyber attack and given the US's military strength, they will deny deny deny. No way they will admit would EVER hit back with military might.

    But while proof of ID is impossible in hacking, suspicion is easy and usually accurate. When it comes to hacking, it's not that hard to tell who did it by examining motives. When the government hits back, everyone knows it's the government

  • If I'm attacked by a gunman, I can call police, who will then call military as needed, and my government will defend me. So give me the number of the person I'm to call when my company is being hacked. I'll happily call it. . .a few thousand times a day.

    • You call the FBI.

      You're not being "hacked" 1000 times a day because someone tried a new ID/PW combo, or ran a script of known vulnerabilities, or changed a URL.

      --
      "I will not like them Sam-I-Am" - Unknown

      • Of course I am. When the traffic spike is such that it slows my servers to even think about responding to the request, or when I can't run anti-spam or greylisting on e-mail because there's an infinite amount of splash back, or when I get tens of thousands of ssh login requests per minute, it most certainly is. Ultimately, if I need to charge my legitimate clients because of traffic that isn't theirs, then it's an attack. It's an attack because I need to defend against it, otherwise I'll lose my business

        • What you are describing is a DDOS attack, and that is not being hacked. Cloudflare [cloudflare.com] may be able to help you with some of this.

          Here are multiple definitions of "hacking", as it refers to a computer:
          Cyber Law Definition [laws.com]Computer hacking refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator's original objective. Those individuals who engage in computer hacking activities are typically referred to as “hackers.

          • "an agency tasked with this type of work" and "government agency" are two very different things. The latter is already paid for. That's the difference.

            By your definitions, I am being hacked -- I'm just successfully defending against it. That doesn't change what they are doing. It's the "attempted" version. And it very much counts.

            You're saying that I need to spend thousands of dollars before I can go to the FBI. That's useless. For thousands of dollars, I can attack back too. For thousands of dollar

            • Exactly. Your focus should be on commercial. That is why we have government agencies. Let them do the hack back, criminal investigation or whatever they deem appropriate. You still will need to provide the logs, just like you would need to provide the video surveillance if they broke into your business.

              People buy locks to deter people from walking into their house uninvited. People buy fences to keep people out of their property. This is why we have have authentication challenges on the internet.

    • by Anonymous Coward

      If I'm attacked by a gunman, I can call police

      I hope you never get attached by a gunman. If you live long enough to make a call, you will be shot before the police arrive in 5 to 30 min. Unless, of course, you happen to be with me and I get a shot off with my legally concealed handgun while he's shooting at you first.

      • Pro-tip for readers: "attacked" is spelled differently than "shot". A gunman can attack without shooting. And you're an idiot for walking around with a loaded gun in my house or almost anywhere else.

  • No. Absolutely not. We do not want corporations to have offensive capabilities that are beyond the legal system. How do we know that the corporation will only retaliate against a real perpetrator? What checks would there be on their paramilitary power?

    It's bad enough that we have transnational corporations with what amounts to their own private armies. Don't give them more power under any circumstances. If they don't like the response that the FBI, Interpol and other law enforcement agencies are makin

  • I can easily imagine such a retaliatory attack to go awry in a big way with all kinds of collateral damage.

  • Attribution is extremely difficult, especially if all you have to go on is forensic artifacts which are easily forged. I don't believe any private organization is going to be in a position to arrive at an attribution that would legitimize a hack back situation. That doesn't mean I don't believe in active defense. Beacons in documents, etc. which let you know if/when/where they have been opened is one thing. Launching a cyber assault based on that is another.

    Hell, even most governments, short of corroborati

  • As I was reading this, I was trying to figure out where Alexander was going with it. Then I read the last sentence - "Private companies should share more data with the U.S. government to prevent breaches, ha said.". I guess "Let us fight back for you" is the new version of "Think of the children" or "Stop terrorists"?

  • Long time ago in the newsgroups. Programmers came into Alt.Cracks (where their programs were cracked) and uploaded Trojans, Virus's and huge text files titled as a book of some sort. The text files were just to waste bandwidth. They read well for awhile (few sentences) then just went south, no matter where one started. I wish I'd of saved one now, the largest piece of nonsense I've come across.

  • Just imagine a company like Equifax going on the offensive: I would estimate a 95% chance that they would be utterly ineffective, with a 5% chance of them screwing up something they have not already broken. The black hats would have a field day getting companies to attack one another, vital infrastructure, or - for bonus points - themselves.

    The one thing companies need to do right now in this domain is to get serious about practicing good security, and if they do, the issue of retaliation will be moot.

    • Well, Equifax still has no real idea of who actually attacked them in the first place, nor did they notice when it was actually happening. So any company like them would first have to seriously up their IDS first to even begin to be able to do any kind of real-time "attack back". My personal bet is China; only because it seems the second team was "state level"...Russia hacks for political reasons and China hacks for financial reasons. That the hacked info still hasn't shown up anywhere yet is far more wo
  • by AHuxley ( 892839 )
    What does the "private company" expect to find in 2017?
    An ISP ip connected to one user and their own desktop computer downloading files in real time?

    An interesting person is going to use a staging server with a fast connection and the secure storage to compress, sort, decode, look, compress encrypt the files gathered.
    The files will then be passed onto a fourth party and become harder for a later investigation to connect back to any sites, people, ISP, ip.

    The days of a 56k modem, a desktop computer, a
  • I feel completely certain that given this ability that corporations would never use this ability to hurt critics, business rivals, individuals who they think might be violating their terms (even if unpublished) or any other person or piece of equipment that is internet connected. Corporate entities never do any wrong and always respect the law and the right of others.
  • Private companies should share more data with the U.S. government to prevent breaches, ha said.

    How does THAT sound like a good idea? The NATIONAL SECURITY AGENCY can't even keep it's own data secure, let alone other government agencies with other data. The only thing sharing more data with them will do is encourage more hacking of the government because it is easier than hacking the actual companies

  • Are you fucking nuts? You want to hand the same corporations that sue grannies that don't even own a computer for downloading death metal songs the right to hack anything they want with impunity?

    Isn't it bad enough that they can abuse the legal system that way?

  • Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery...

    Except 'someone' did gone after the hackers (not specific target but North Korea) and DDoS their internet [news.com.au]. Still no artillery thrown, so better use a different example.

    It's funny though, this article wanted you to pick yes or no, but you can't pick yes. That's because if they can hack back, they wouldn't have gotten hacked in the first place. So we're left with no, not because they aren't allow but because they don't know how to hack back.

  • And stop taking legal action against the people who tried to help you in the first place. Give them a reporting system and free stuff instead and all your security problems will be located in about 10 minutes.

  • Nobody should be allowed to do that, neither private companies nor law enforcement. It's called due process under judicial oversight.
  • "Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back"

    Throw artillery? That would be a good trick. I have a mental image of brawny NK soldiers hefting howitzers over the DMZ into South Korea.

    Doesn't anyone now know how artillery works? I think the submitter meant "fire artillery".

  • "you can't have companies starting a war. That's an inherently governmental responsibility" I would argue that it's the government's responsibility to prevent war when possible and never to start one!
  • by whitroth ( 9367 )

    Some half-wit multinational tells their new hire with a cert in security to hack back... and the fool doesn't begin to have the experience to distinguish between a direct malicious actor and someone's grandparent's infected home computer, and the fry it, along with all their pics of their kids and grandkids, and they have lost everything, and don't know why. Certainly, they won't know who to sue for that action....

  • And double Fuck No!

    This is a laughably bad introduction chapter to a cyberpunk dystopian hellscape where corporations employ their own hit-squads, hackers, and armies.

    There's no real difference from breaking into a hotel lobby at night and trashing it, peeking a the guest registry, and robbing the cash drawer. Should corporations be able to break into a person's home, trash it, peek at their mail, and rob their wallet? Just because they suspect you might have been the one to throw paint around in their lo

Someday your prints will come. -- Kodak

Working...