Dave Aitel, CEO and owner, Immunity, agreed that while the law is pretty clear in most cases, there has traditionally been some flexibility with interpreting it. "We’ve been using prosecutorial discretion to make it not such a big deal for when big companies break the law for what we think are pretty good reasons," Aitel said.
When Google played a little tit for tat with the Chinese, they weren't prosecuted. "On its face, what Google did was illegal," said Aitel. It's entirely possible but far less plausible that Google is not alone in its decision to retaliate against a known attacker.
Perhaps it is time for the larger industry to have an open and honest conversation about the proper and necessary role of offensive security and to consider broader interpretations of the law?
In a recent blog post, Aitel proposed, "We want to have a chilling effect on cyber economic espionage while providing the beginnings of the ability to deal with wide ranging international systemic threats such as the Mirai worm, leveraging the deep bench of penetration testing talent and resources available in the private sector to do this without impacting our intelligence community missions."
Aitel's proposition, if it comes to fruition, could create an arm of law enforcement that would build a reliable partnership between the government and the private sector. Short of that happening, though, should enterprises be engaging in offensive attacks?
"I do believe we should do it. I think people are doing it, and a lot of people are putting structure around that," said Bardin. Because security in the commercial sector is largely about passive defense, those teams that rank top in defense aren't leading in the league overall.
"It's not working," said Bardin, "this passive defensive model of sit, wait stop, limit data. Most people don't properly build their infrastructure, most developers don't build security in."
From his experiences in law enforcement, serving as a CSO, and working as a security consultant, Larry Johnson, CSO, Cybersponse, said, "Offensive is the last resort."
One concern with counter striking is that there is nothing definitive, said Johnson, so they could end up in a game of whac-a-mole. "Yes, you could wipe them out, but they could pop up somewhere else. Nothing is ever 100 percent offensive."
What's more important is being able to gather intelligence, which is best done by involving law enforcement. "You could really end up starting a cyberstorm, so I recommend always involving law enforcement, particularly because of de-confliction," said Johnson.
Conflict resolution demands concession, and in most cases diplomacy wins over many other tactics. "Law enforcement will work with the company and shortly thereafter they can go offensive, but I'd never go offensive without law enforcement," Johnson said.