Dave Aitel, CEO and owner, Immunity, agreed that while the law is pretty clear in most cases, there has traditionally been some flexibility with interpreting it. "We’ve been using prosecutorial discretion to make it not such a big deal for when big companies break the law for what we think are pretty good reasons," Aitel said.
When Google played a little tit for tat with the Chinese, they weren't prosecuted. "On its face, what Google did was illegal," said Aitel. It's entirely possible but far less plausible that Google is not alone in its decision to retaliate against a known attacker.
Perhaps it is time for the larger industry to have an open and honest conversation about the proper and necessary role of offensive security and to consider broader interpretations of the law?
In a recent blog post, Aitel proposed, "We want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions."
Aitel's proposition, if it comes to fruition, could create an arm of law enforcement that would build a reliable partnership between the government and the private sector. Short of that happening, though, should enterprises be engaging in offensive attacks?
"I do believe we should do it. I think people are doing it, and a lot of people are putting structure around that," said Bardin. Because security in the commercial sector is largely about passive defense, those teams that rank top in defense aren't leading in the league overall.
"It's not working," said Bardin, "this passive defensive model of sit, wait stop, limit data. Most people don't properly build their infrastructure, most developers don't build security in."
From his experiences in law enforcement, serving as a CSO, and working as a security consultant, Larry Johnson, CSO, Cybersponse, said, "Offensive is the last resort."
One concern with counter striking is that there is nothing definitive, said Johnson, so they could end up in a game of whac-a-mole. "Yes, you could wipe them out, but they could pop up somewhere else. Nothing is ever 100 percent offensive."
What's more important is being able to gather intelligence, which is best done by involving law enforcement. "You could really end up starting a cyberstorm, so I recommend always involving law enforcement, particularly because of de-confliction," said Johnson.
Conflict resolution demands concession, and in most cases diplomacy wins over many other tactics. "Law enforcement will work with the company and shortly thereafter they can go offensive, but I'd never go offensive without law enforcement," Johnson said.