How far should organizations be able to go to defend against cyberattacks?

By Scott Shackelford

Published 15 February 2019

Organizations can and should be encouraged to take passive defense measures, like gathering intelligence on potential attackers and reporting intrusions. But in my view they should be discouraged – if not prevented – from acting aggressively, because of the risk of destabilizing corporate and international relations. If the quest for cyber peace degenerates into a tit-for-tat battle of digital vigilantism, global insecurity will be greater, not less.

The deluge of cyberattacks sweeping across the world has governments and companies thinking about new ways to protect their digital systems, and the corporate and state secrets stored within. For a long time, cybersecurity experts have erected firewalls to keep out unwanted traffic and set up decoy targets on their networks to distract hackers who do get in. They have also scoured the internet for hints about what cybercriminals might be up to next to better protect themselves and their clients.

Now, though, many leaders and officials are starting to think about stepping up their defensive activities, by taking more active measures. An extreme option within this field of active defense is sometimes called “hacking back” into an adversary’s systems to get clues about what they’re doing, shut down the attack or even delete data or otherwise damage an attacker’s computers.

I have been researching the benefits and drawbacks of various active defense options with Danuvasin Charoen of the Thai National Institute of Development Administration and Kalea Miao, an undergraduate Cox scholar at the Indiana University Kelley School of Business. We have found a surprising number and variety of firms – and countries – exploring various ways to be more proactive in their cybersecurity practices, often with little fanfare.

Getting active

On the surface, it might seem like the proverb is right: “The best defense is a good offense.” The damage from cyberattacks can be enormous: In May 2017, a single incident, the WannaCry cyberattack, affected hundreds of thousands of systems around the world and caused more than US$4 billion in lost productivity and data recovery costs. One month later, another attack, called NotPetya, cost global shipping giant Maersk $300 million and reduced the company to relying on the Facebook-owned WhatsApp messaging system for official corporate communications.