I recently reviewed a video from Defcon 19. The video was of a panel speaking about the Anonymous / HBGary incident. Although the events are interesting enough, what was more interesting to me was the mention of offensive security. To drill down on this subject a bit more, a speaker had commented: defense is just not enough. Leaving out the extra expletive, I thought the speaker’s estimate of a defense-only approach held some weight within the context of the discussion. However, in truth, the subject of hack-back is still quite taboo.
So, is it the legal structure regarding this topic that makes it so taboo, or the ambiguity of the target? What are the implications? Could a corporation accidentally set off a cyber flashpoint by attacking targets in other countries? And does an organization, like an individual, have the legal right to defend itself? Are UFOs real? I would assume today would be a good day to start talking about this subject. I don’t foresee the younger generation of students and researchers having the ability to constantly sit on their hands in a defensive posture, nor do I see an organization having the constitution to do the same. If you have not looked at a college’s Information Security program lately, know this: colleges are teaching students to be both offensive and defensive operators.
Flash to the future. Imagine a scenario whereby an organization retaliates for trespassing. A few things could happen out of this. To begin with, due to the anonymity of cyberspace, they could hit the wrong target in retaliation and possibly stir up another “hornet’s nest”. That scenario only escalates the situation. Another cyber flashpoint scenario could result in a stalemate, whereby all parties involved are forced to deal with each other to resolve the issue. Possibly, during the course of the dialog, they realize that the flashpoint was actually created by an unknown insider (or insiders) within the instigating organization, thereby inadvertently discovering a malicious individual (or individuals) in their midst. Would that be a good thing? Lastly, consider a flashpoint involving two or more enterprise-size organizations resulting in the loss of massive amounts of data through the course of the conflict. Let’s assume that one of the organizations was a health care provider that has now lost its patient database. How does that affect the little girl battling cancer whose medical information is no longer available? There are dozens of cascading effects that could happen in the event of a cyber flashpoint. My point here is this: everyone wants to be the cowboy, but no one seems to be considering those caught in the middle, or the power that automation and cyberspace have given us over those whose livelihoods reside in our care.
Another comment was made during the video: if someone breaks into my house I have the legal right to shoot them. In many states within the United States that might be the case, but how does that relate to transnational transactions? Is it considered trespassing to enter another country just to get to the trespasser, and what implications arise when entering another country’s cyberspace? Is cyberspace considered a sovereign domain? As in the above paragraph, I do not think that any of these questions can be answered with one simple solution. What is also interesting is that we typically consider an attack as something that was initiated by an entity. Rarely do we attempt to estimate whether the entity was the actual attacker or a separate entity within that entity; and how would you determine which entity actually initiated the attack? Would you simply call the host owner(s) and ask them who did it? I was recently asked by my professor: how would you deal with jihadist terrorism? I explained that, because jihadist terrorism is more like a franchise than a hierarchical group, each franchise must be assessed individually. I believe the same applies to the legality and legislation surrounding offensive cyber operations. However, this process can be very cumbersome. I believe there will be a vacuum that needs to be filled with regard to legal, legislative, and country correlation for quick reference and look-up by cyber security professionals, and a need for individuals with the ability to generate positive, value-added transnational relationships with foreign counterparts.
In the meantime, one possible interim solution I would suggest would be to fall back on the counterintelligence side of the intelligence profession. I would suggest that deception efforts are a good place to start with regard to offensive security. Deception could be considered an offensive operation initiated by defensive personnel from an organizational standpoint; and, as security professionals, we all know there are various ways to lead a would-be adversary down many fruitless rabbit holes (e.g. a honeypot). However, when you consider deception from a profiteering perspective, where and how would you apply it? I think it would be interesting to see how security companies begin to establish this as a service within the market. Security ads might read: John Doe Security – Making them believe what you want them to, while knowing all the while what you need to believe is true.