In light of unprecedented attacks by cybercriminals against
businesses that span every industry, experts in information
technology and data security are debating whether it is time to
fight back -- to hack the hackers.
As the founder and CEO of Wisegate, a private, expert
peer group for senior-level IT executives, I get to work with some
of the best and brightest and have a ringside seat at the
high-profile discussions that unfold at major security venues
like the annual RSA
Conferences. Among Wisegate members, chief information security
officers (CISOs) and senior security professionals from brand-name
companies and government agencies who are discussing this issue,
one solution stands out clearly: industry collaboration.
"Hacker groups and disruption of business have reached an
all-time high and no longer can be ignored," said cyber
intelligence expert Jeff Bardin, chief intelligence strategist at
Treadstone 71. "We want
to get the adversary to understand that if they launch an attack
against a company, there will be costs to pay."
In Wisegate, those not in favor of going on offense raise the
issue of attribution as a major reason this tactic won't work.
They say it is too difficult to pinpoint the location and source of
many cyberattacks. Yet many security experts point out that there
are "offense-like" tactics that can drive up the cost of hacking
into a corporate network and, if deployed properly, could
discourage hackers enough to have a major impact on the threat
"Interesting questions are being raised about how far businesses
can go and what types of attacks can actually be effective," said
Martin Zinaich, a Wisegate member who is information security
officer of the City of Tampa, Florida. "It doesn't necessarily have
to go from nothing to launching a full-out assault against
cybercrime infrastructure. It could be much more subtle things like
feeding the bad guys misinformation or doing your own
[Chart omitted. Source: Wisegate, April]
A recent Wisegate poll captured the overall sentiment about the
level of retribution security practitioners and their companies
are ready for. Forty percent of the IT security leaders
agreed "we should at least be discussing" fighting back; 30% were
not ready because "too many legal and ethical questions" are
unresolved; and 58% had not even begun discussing a counterstrike
Many Wisegate members believe there are other offensive security
measures that the good guys can leverage. Misdirection tactics can
be deployed by the most targeted companies, such as those in the
financial or defense sectors.
"We need to start thinking like our adversaries, to look at
different approaches and techniques to confuse an attacker," said
Wisegate member Tim McCreight, CISO for the Government of Alberta,
Canada. "We're looking at using ethical or 'white hat' hackers
to check our defenses, and we're approaching our program like we're
trying to break into our systems. We need to adopt this
mindset and keep focusing on risks."
Offensive security tactics may have drawbacks as well. Some
companies may want to refrain from specifically targeting hackers
or hacktivist groups because of the ethical and legal questions. In
addition, building and deploying phony systems and fake credentials
may be too costly.
Wisegate members say that part of the difficulty is that there
is no broad agreement on what "hacking back" means. Offensive
security is relatively undefined and the laws governing it are
[Chart omitted. Source: Wisegate, April]
I believe the lessons learned from this dialogue are critical.
While hot-button issues will be raised and flames fanned by the
media, it takes time to think through the best responses to issues
our IT organizations are facing. It takes time for the issues
to be raised in the trenches of organizations and for substantive
opinions to be developed.
But it is always the perfect time for the industry to
collaborate on what it means and what steps can be taken. The
threat is always evolving and always changing -- and therefore our
companies must be as well.
The most important key to fighting cyber crime will be
harnessing the collective intelligence of the good guys in our
industry. No matter what the hot-button topic may be, if we can
garner the collective intelligence of these practitioners, all
things are possible. In the case of counteracting the hackers,
technologies and methodologies to beat the bad guys are just a
Before founding the online IT community Wisegate, Sara Gates (firstname.lastname@example.org) worked
for start-up and large enterprise IT companies, including as vice
president of identity management at Sun Microsystems.