Former DHS official says U.S. should go on cybersecurity offensive

Published 1 October 2012

Stewart Baker, the first assistant secretary for policy at DHS under President George W. Bush, has a straightforward theory when it comes to cyber security in the United States: “To prevail in the cybersecurity war, defense is not enough”; not all cyber experts agree with him

Stewart Baker, the first assistant secretary for policy at DHS under President George W. Bush, has a straightforward theory when it comes to cyber security in the United States: “To prevail in the cybersecurity war, defense is not enough.”

PC Advisor reports that Baker will elaborate on his position in a testimony before the House Homeland Security Committee on cybersecurity.

“Probably the most important point I’ll be making is a simple one,” Baker wrote in a blog post. “We will never defend our way out of the current cybersecurity crisis. That’s because putting all the burden of preventing crime on the victim rarely succeeds.”

“The obvious alternative is to identify the attackers and punish them.”

Baker was quoted in an article earlier this year saying that an increasing number of U.S. companies are retaliating against cyber-attacks with so-called “active defense” or “strike-back” technology including unusual measures like “hiring contractors to hack the assailant’s own systems.”

This is because “current defenses have failed against a cadre of state-sponsored attackers …,” Baker said.

Baker also acknowledged that counterattacks by companies can violate state and federal laws, including those against computer fraud and trespassing, but he believes that taking such actions is no different than self-defense of one’s property.

Baker said in a recent blog post that it is much easier to track and identify hackers than it was in the past. “Investigators no longer need to trace each hop the hackers take,” Baker wrote. “Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers.”

Jeremiah Grossman, founder of WhiteHat Security, does not agree with Baker, saying that the government and private sector “absolutely have not gotten better at identifying and tracking hackers. It’s gotten harder, particularly because if the bad guys know how to hide, they can.”

Grossman does agree with Baker that defending against a cyber-attack is not enough. According to Grossman, the best way to protect a network is to use the “hack yourself first” approach: hiring hackers to expose vulnerabilities within your own systems before an attacker does.

“This is the same method Google, PayPal, Facebook, Mozilla, etc. used as part of their security program,” Grossman told PC Advisor. “For a few hundred to a few thousand dollars, you can take some serious vulnerabilities in your system off the market and avoid a damaging breach.”

“The concept that [Baker] is proposing has been a topic of discussion for some time in the security community but still has yet to be fully realized,” Grossman said. “This is how everyone already treats every other crime, such as those in the physical world, and we should try to do the same with the digital world, as the line between two continues to blur.”

Amir Orad, CEO of NICE Actimize, which specializes in financial crime, risk and compliance, thinks that before anyone can talk about taking the offensive against cyber attacks, we have to define what is meant by offense.

If it is simply to take down a bad guy’s computer, “that will only slow down an attack by a few minutes,” Orad told PC Advisor. “While that has some value as a tactical move, it doesn’t win the battle. I can hijack 10,000 computers and have them attack a Fortune 500 company.”

According to Orad, deterrence is a better solution than attacking in retaliation. “Instead of blocking an attack, you make them not want to attack you,” Orad said. “You make them turn to somebody less painful to attack.”

One of the issues in cybersecurity is that when private U.S. companies are attacked, they often do not report it, because they feel the government is not going to investigate the situation thoroughly.

“Complaining to the FBI and CCIPS (Computer Crime and Intellectual Property Section of the Department of Justice) about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle,” Orad told PC Advisor. “You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won’t get is a serious investigation. There are just too many crimes that have a higher priority.”