tl;dr: There is no business case for hacking back.
If you follow cybersecurity issues you cannot have missed all the talk over the last few months about how businesses that have been victims of cyber attacks have grown “tired of playing defense.” If you didn't know any better you’d think we were on the cusp of a new era where bad guys were finally going to start feeling unwelcome in cyberspace.
Don’t bet on it.
Let’s set aside the substantial legal issues surrounding private institutions “hacking back” against those who hack them. Let’s instead look at what we know about private organizations and cyber defense, which is what they've been doing for the past few decades. Let me know if any of this sounds familiar:
- “Security is a cost center.”
- “My security budget is a fraction of a fraction of the IT budget, which is a token amount of what every revenue-producing business unit gets.”
- “No matter how much we spend on security, we still get breached and still have to pay for incident response, credit monitoring, etc.”
Security products and services are expensive and they all fail to some extent. Security is not a core business process, so it is not respected or invested in as much as those parts of a business that generate revenue. Good security – sound policies and practices that do not impede business functions – is expensive and exceedingly difficult. All of these things are true, understood and accepted by both businesses and those they hire to defend them online. Yet despite all these givens, suddenly we are supposed to believe that private enterprise is going to readily accept the additional cost and labor (and liability) associated with building and maintaining an OFFENSIVE cyber capability?
Companies do cyber defense because they have to. There are laws and regulations that mandate certain types of enterprises meet minimum compliance standards (reminder: compliance != security). If there were no such requirements how many businesses would do cyber defense? How many would spend as much as they do now?
We have seen this before. Not on this scale, and not so public, but this sentiment of “I’m not going to take it anymore/going to do what’s right” has been heard in C-suites across the country for years. Vigilante sentiments last about as long as it takes for the Corporate Counsel to discreetly cough, raise his hand, and point out the legal nightmare associated with such activities. There is a reason why “wipe and rebuild” is so popular: business exists to make profit, not to find and prosecute bad guys.
Now, I am an advocate for a different way forward as far as offensive activity in support of national interests is concerned, but I harbor no illusions that BigCo, Inc. is suddenly going to start kicking digital *** and taking names. Such an approach is a terrible idea if for no other reason than that it simply makes BigCo a target for retribution. And as a reminder: there are a lot more bad guys out there than there are good guys, and BigCo's cyber defenses can’t handle the onslaught they face now. By all means, antagonize those who are already beating you and let me know how that works out.