Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Businesses Government Security The Internet

Counterterrorism Expert: It's Time To Give Companies Offensive Cybercapabilities 220

itwbennett writes: Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration says the U.S. government should should consider allowing businesses to develop 'tailored hack-back capabilities,' deputizing them to strike back against cyberattackers. The government could issue cyberwarrants, giving a private company license 'to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute.
This discussion has been archived. No new comments can be posted.

Counterterrorism Expert: It's Time To Give Companies Offensive Cybercapabilities

Comments Filter:
  • by Narcocide ( 102829 ) on Monday August 03, 2015 @06:42PM (#50244673) Homepage

    ... this isn't going to end well.

  • uhhh, yeah (Score:4, Insightful)

    by Anonymous Coward on Monday August 03, 2015 @06:42PM (#50244677)

    I'd expect such nonsense from a former employee of BushCheney Co. Would you also "deputize" a privately held corporation to get some F-16's and go bomb the attackers? It is virtually the same thing. I guess the BushCheney Corporation would have loved that.

    Such attacks are attacks on U.S soil, and should therefore be handled by the military, and only the military.

    Otherwise, this will create private, corporate owned, corporate sponsored armies. They will be, essentially, corporate warlords.

  • by taustin ( 171655 ) on Monday August 03, 2015 @06:45PM (#50244695) Homepage Journal

    It's called a "Letter of Marque," and they've been used in places where governments can't enforce their sovereignty for centuries.

    It usually doesn't turn out all that well, but may well be better than nothing.

    • Letters of Marque and Reprisal, as I've heard it. And "reprisal" is certainly closer to the mark (no pun intended).

      • "Letter of Marque" is a shortened form, but still correct. And it was exclusively a nautical thing; I've never heard of anything really similar on land, probably because it would be even more dangerous there.

        • On land, the Kings and Queens of England had "trading companies".
          • by Anonymous Coward

            And let us not forget that it was giving tax CUTS to one of these trading companies that set of the Boston Tea Party.

            Yes, you read that right. They teach you in school that it started because of a tax on tea and they let that little mistruth simmer for a while to reinforce the 'taxes always bad' mentality. What really happened was there was a tax on tea allright, but that wasn't what got people upset.

            The British East India company had tea stores all over the Colonies, kind of like we have Wal-Marts. We a

      • "This person has been violating our copyrights which we view as a major cyber-attack. We've seized him and imprisoned him along with the other pirates in our private rehabilitation centers until they have been re-educated."

    • by Chris Mattern ( 191822 ) on Monday August 03, 2015 @07:35PM (#50245039)

      ...but may well be better than nothing.

      Ah, yes, politician's logic. "Something must be done. This is something. Therefore we must do it."

      • You have to be careful about letting perfect be the enemy of better. Sometimes you don't have a perfect solution to a problem, or even a good one. But you may have one that is better than what you have now. It then makes sense to go with that.

        Now please note I'm not saying this is one of those cases, just that it is not political logic, but practical. If your current situation is awful and you can improve it to just bad, well that is worth doing.

        • by Jason Levine ( 196982 ) on Monday August 03, 2015 @09:57PM (#50245857) Homepage

          This isn't a case of "perfect is the enemy of the better." This is a case of "something is the enemy of nothing" - which means that, in the minds of politicians, doing something is better than doing nothing even if that something is worse than useless. Even if doing the something in question makes matters worse (say, by allowing the RIAA to form a private army to kill "copyright thieves"), it is better than doing nothing as far as the politician is concerned because he can claim "I did something" when re-election comes around.

          In related news, this kind of thinking is what led to the TSA "security." Doing "something" about security (everyone has to remove their shoes) trumps taking the time to actually consider risks and benefits.

        • You have to be careful about letting perfect be the enemy of better.

          There are always 3 options:
          1. Be perfect
          2. Do something
          3. Do nothing

          The main problem with (Western) politicians is that they want to have an image of Strong and Decisive. They think that deciding to do nothing can look weak, and they often choose to just do something, not because it is the best option, but because it makes them look good. With elections coming up, that is important.

    • by gtall ( 79522 )

      No, it won't. Let's give MS free reign to screw with Google's systems (even more than they are) by claiming they were going after cyber miscreants. And when they get caught, they'll simply throw up their hands, rock back and forth like a guilty Gates, and give non-committal answers pointing at the law that allows them reprisals.

      Or how about giving that paradigm of virtue, Larry Ellison, the legal cover to commit sins against whomever he's worried about these days.

      The Beltway Bandits would be tripping over t

  • OMG!!! (Score:5, Funny)

    by Snotnose ( 212196 ) on Monday August 03, 2015 @06:45PM (#50244699)
    He's accessing vons.com with Chrome and Adblock +, Privacy Badger, and Scriptblock. He's obviously a Chinese terrorist subverting our capitalist ways, reformat his hard drive!
  • Oh sure (Score:5, Insightful)

    by msobkow ( 48369 ) on Monday August 03, 2015 @06:46PM (#50244705) Homepage Journal

    Oh sure, let's trust the people who can't even protect their own networks to properly identify the perpetrators of a hack instead of some innocent bystander running a TOR exit node. I can't see any risks associated with that. No. Not at all... :(

    • by Ichijo ( 607641 )

      Oh sure, let's trust the people who can't even protect their own networks to properly identify the perpetrators of a hack instead of some innocent bystander running a TOR exit node.

      Are you worried that they will be able to successfully attack anyone?

      • Re: (Score:3, Insightful)

        by jedidiah ( 1196 )

        They can certainly cause damage. Whether or not that will actually be the offending party is another matter entirely.

      • I'm worried that the only people they'll successfully attack are the innocent. The actual guilty parties will be well hidden and well protected.

    • Never mind that. They'll just sooner or later be ordered by their CEOs to use those capabilities against rival companies as a business strategy. The world will turn into a Cyberpunk game.
  • by mpthompson ( 457482 ) on Monday August 03, 2015 @06:47PM (#50244721)

    Giving private corporations the ability to identify anyone they don't like a "cyberattacker" and then attack them will be very dangerous. Imagine companies pursuing IP related complaints (whether real or imagined) being deputized to go after people and their systems in this manner. There are damn good historical reasons we have a legal system in place -- one of which is to the prevent abuses that vigilante systems foster.

    • If I have a company accidentally misidentify my network as an attacker, and 'bathack' me, vigilante style, am I allowed to then counter attack and destroy their customer database? are they then allowed to drive over and cut my fiber? Can I then drive to the home of their CEO and execute him in retaliation?

      No this is an unbelievably stupid idea, presented by an unbelievably stupid person (Juan Zarate, who is this ass clown?)
      • by mlts ( 1038732 )

        I saw the same shit with spam. I used to receive a lot of backscatter from some spammer using my E-mail address as a fake from address. I received a ton of threats, random DoS attacks, mailbombs, ping-floods, and a lot of stuff because various dipshits couldn't understand the basics about what an open relay was.

        The more ironic thing was finding out that before the deluge happened, I got an extortion letter threatening that postmaster and other E-mail IDs on the web from the site would be used as fake orig

        • So some business with the absolute bargain-basement IT staff, chock full of bargain-basement novices is going to decide if a compromised workstation the receiving department at another company is sufficient cause enough to shut that firm down? This would be like carpet-bombing an entire office building because a bank robber ducked into the building's lobby.

          It's more like carpet-bombing a shoe store chosen more or less at random because you heard that, yesterday, a bank robber had run into one.

          Even though, today, the same place he ran into yesterday might already be a café and not even be a shoe store any longer.

    • by AmiMoJo ( 196126 )

      It will just be used as way of fighting the on-going cyber cold war without taking military action. Corporate soldiers will do the actual fighting under the fig leaf of "defence", after some government agent launches a fake and ineffective attack on them.

    • Giving private corporations the ability to identify anyone they don't like a "cyberattacker" and then attack them will be very dangerous. Imagine companies pursuing IP related complaints (whether real or imagined) being deputized to go after people and their systems in this manner. There are damn good historical reasons we have a legal system in place -- one of which is to the prevent abuses that vigilante systems foster.

      Time to register as an LLC! Then all my hacking will be nice and legal.

  • Great idea (Score:5, Interesting)

    by cdrudge ( 68377 ) on Monday August 03, 2015 @06:47PM (#50244725) Homepage

    This is a great idea. What on earth could possibly go wrong?!?! Lets give the power hungry, egotistical, anti-social network security "experts" who are in charge of creating the insecure networks the right to use "deadly force" against those they think might be responsible.

    I can't wait for the fecal matter to hit the CPU fan when the wrong company is targeted for retaliation er I mean offense.

    • Re: (Score:3, Informative)

      Retaliation? This would essentially declare a new er of corporate v corporate cyber warfare with no holds barred and a referee paid by the highest bidder.
    • by forand ( 530402 )
      I know you are using, the now meaningless, quotes around "deadly force" but do tone down the hyperbole. While it seems to be an ill-conceived idea to empower corporations to retaliate against perceived attackers it is not "deadly" in any sense (unless of course it is some other stupid corp who placed life critical equipment on the internet).
      • What about hospitals? Power companies? Other vital services? We are seeing a growth in networks that can be life and death connected to the Internet. They could become collateral damage.
      • Someone doesn't have to actually die for this to be regarded as retarded. A lot of companies would be financially fucked if they lost their connection to the net for too long, or lost enough data that they would have to take days to rebuild it from logs, backups etc. Loss of reputation etc etc all could sink a company rather rapidly meaning that no one died as a direct result, but a lot of people could end up jobless all because some "security expert" thunk that jew were haxoring me!
        This is a fucking re
      • by cdrudge ( 68377 )

        I put it as "deady force" to mean the digital equivalent. What else would you call killing an attack against your server(s) if you're deputized?

        From the summary:

        The government could issue cyberwarrants, giving a private company license 'to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,' Zarate said Monday

        What does "go and destroy data" mean? What does "something more agressive". If Company A attacked Company B, and Company B retaliated, how far shoul

  • Prove to me (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Monday August 03, 2015 @06:49PM (#50244749)

    that you are competent enough on the defensive side of things first and we'll talk about it.

    When your company can't even be bothered to properly secure our personal information on your servers ( plaintext files . . . really ? ) what sort of insanity is it to even CONSIDER giving these very same folks offensive capabilities ?

    It's like giving a shotgun to a monkey and hoping nothing bad comes of it :|

    Seriously. . . . wtf ?

    • Afterthought:

      This is coming from a counter-terrorism " expert ". :|

      Dear Anti-Terrorist Experts:

      We won't tell you how to do your jobs if you agree to keep your $boogeymanofthemonth sensationalism and " The sky is falling " mentality out of ours.

      • Obviously, you don't understand the job of a "counter-terrorism expert." His job is to stir up as much fear of terrorism as possible to secure more anti-terrorism funding for his group.

        Wait, you wanted actual anti-terrorism planning with actual weighing of costs vs. benefits? *bursts into laughter*

    • Would you also say that a homeowner can't use force against an intruder because they forgot to lock the back door? That they should just sit in a corner feeling foolish while their possessions are hauled away and their wife raped?
  • This is a great idea (Score:5, Informative)

    by GrumpySteen ( 1250194 ) on Monday August 03, 2015 @06:50PM (#50244751)

    Companies have demonstrated how careful and responsible they are with the DMCA takedowns, so it's only logical that we allow them to go further and actively attack the evil-doers out there.

    • Any company that wants access to offensive cyber capabilities should, under no circumstances, be allowed to have them.
    • I can see it now:

      RIAA: "We shot the dirty pirate who was pirating 'Uptown Funk."
      People: "Um, that person just tweeted 'Heading Uptown and saw a chipmunk.'"
      RIAA: "Close enough. You can never be too careful."

  • by ka9dgx ( 72702 ) on Monday August 03, 2015 @06:50PM (#50244757) Homepage Journal

    There are security models and systems perfected in the 1970s in response to the data processing needs of the air war in Viet Nam. There are commercially available systems which work for multilevel security. This model can be ported to the open source world, if enough people are interested. I'm waiting for the Genode project from Germany to get something I can use in the next few years, and I hope there will be others.

    I hereby suggest we just eliminate the possibility of a cyber-war, instead of getting stuck in an arms race.

    • by Fire_Wraith ( 1460385 ) on Monday August 03, 2015 @07:28PM (#50244993)
      It's never been about the possibility of security though.

      Since this is Slashdot, I'll explain with a car analogy. Lots of people die in car accidents, and we could easily stop that by doing things like a) Not use cars, b) not let them drive more than 20mph, etc... all sorts of things that would greatly interfere with the way people actually use cars to do stuff. Our cars also used to be a lot less safe too - at one point they didn't even come with seat belts.

      As much as I'd love to see proper security implemented, it's just not going to realistically happen. Too many users (customers) don't want the hassles that come with serious security, and too many businesses aren't will to pay the up front costs for it (yet, at least). It's going to take some hard lessons before they start putting on seat belts, air bags, abs breaks, and the equivalents of everything else we've done (and are doing) to make cars safer. The Adama solution, as much as it makes sense from a security standpoint, doesn't take into account the needs of either the people using the stuff, or the people paying for the stuff. We need those people to understand and demand more secure features up front - and even then we're still only talking about reducing things to an acceptable/tolerable level, not eliminating them.
    • Good luck with that! There are no security models that will keep breaches from happening. Even the NSA couldn't keep Snowden for walking away with tons of highly secure data.

    • by AHuxley ( 892839 )
      Follow the funding and new US based systems been suggested. This is more about creating entire new security teams from the ground up that can 'respond'.
      A US company would have to rent or buy into the new US security teams and ensure they had the latests products to reach around the world and report back the data was found and removed.
      A new product to market with new cash flows. A new US system of cyberwarrants, private license issues from the US gov to cleared US brands only.
      Global reach and no establi
  • Evidence (Score:4, Insightful)

    by backslashdot ( 95548 ) on Monday August 03, 2015 @06:52PM (#50244775)

    Let's look at something nobody does, which is look at evidence. OK, I know that sounds like a bad idea .. but anyways .. RIAA, MPAA, and SPA already does this exact same thing. They have ruined lives for no reason. What happens when the company hacks back and causes more damage than what was stolen? We don't let the victims decide punishments. If victims could decide punishment even petty thieves would be murdered. If you think that sort of draconian punishment helps a society, then you probably want to move to Saudi Arabia or ISIS.

  • by Nethemas the Great ( 909900 ) on Monday August 03, 2015 @06:59PM (#50244815)
    I guess someone's been reading/watching too many cyberpunk books/movies. Vigilante justice seldom ends well. There's absolutely no evidence that just because to prepend "cyber" to the front of it that thing will turn out any different.
  • by joe_frisch ( 1366229 ) on Monday August 03, 2015 @06:59PM (#50244819)

    I see no reason to limit companies to cyber weapons. Once they have located an attacker, having privately owned armed drones would be very handy. if the attacker is a nation state, even more aggressive measures could be used. I can see aircraft carriers, and maybe even ballistic missile subs with corporate logos.

    • Once they have located an attacker, having privately owned armed drones would be very handy. if the attacker is a nation state, even more aggressive measures could be used.

      The Trans-Pacific Partnership gives them the right to use "even more aggressive measures". It's called "corporate sovereignty" and it will be our undoing. Basically, it says that a corporation can sue governments for damages for any law that might conceivably cost them money.

      We already have a mercenary military. Imagine the armies t

  • by viperidaenz ( 2515578 ) on Monday August 03, 2015 @07:00PM (#50244823)

    So if you make it look like someone else did it....

  • This is an incredibly stupid idea. Of course I'd love to sit back and watch the fireworks the first time someone attacks, say, Sony, and spoofs it so they think it was perpetrated by, let's say, Samsung. That would be amusing.

  • So... for a long time, various encryption algos were considered weapons and subject to ITAR controls. The same is starting up again now.

    So... if code can be a weapon, a (very) loose interpretation of the 2nd Amendment and some Castle Doctrine would already allow someone to hack back ...

    • Under the castle doctrine you can't attack someone who is not on your premises or engaged in an attack. They have to be either in your castle or attacking it. Furthermore, if they are attacking from outside .. you can't fire haphazardly hurting bystanders. When you hack back, you could very well end up flooding networks and slowing the internet for everyone.

    • by dissy ( 172727 )

      So... for a long time, various encryption algos were considered weapons and subject to ITAR controls. The same is starting up again now.

      So... if code can be a weapon, a (very) loose interpretation of the 2nd Amendment and some Castle Doctrine would already allow someone to hack back ...

      Even that very loose interpretation doesn't quite fit.

      The second amendment after all only says we the people may posses weaponry, it isn't a blanket licence to shoot at just anyone willy nilly, let alone a license to kill someone.

      At least so far it is still not illegal to simply own an exploit or its source code, which is a more fair comparison.

      One might argue that it should/is legal to counter-hack a system, but to keep the comparison, only so long as they are the one that attacked you first.

      The moment you

  • let me guess (Score:4, Insightful)

    by future assassin ( 639396 ) on Monday August 03, 2015 @07:16PM (#50244925)

    Only corporations of s certain size will be allowed to do it. Someone with a small business who has no value to the gov will be punished.

  • When the government is too lazy or incompetent to find the person who killed your father, they can just give you permission to find the killer and bring whatever justice seems fair. I don't see how anything bad that can come of this, nor its cyberspace analogue.
  • by guruevi ( 827432 ) on Monday August 03, 2015 @08:08PM (#50245253)

    There is no such thing as a cyberweapon. There is hacking/cracking and that is generally done through technical weaknesses and/or social engineering. There is no such thing as a cybertank or a cybergun, something that can actively break through something that it was not intended to go through. There is no software that can simply break through a web server by sheer force.

    Using any kind of military jargon with what amounts to a technical capability of a piece of software is (car analogy) like telling us that foreign car mechanics and imported engines are capable of destroying our infrastructure and instead of fixing the engines or building our own to counteract it we have to deploy our own car mechanics and engines to foreign countries.

    Using these analogies of cyberweapons with technical experts just sounds like a bunch of military people heard of the printing press and now they want to destroy people with paper cuts.

    • This point is really the crux of the matter. But the larger point is; why have companies try and "attack" or hack someone who hacked them? Wouldn't they also then be guilty of hacking?

      Did anyone really think this through?

      The simple solution is to have an offensive hacking team, and have companies JUST CALL the experts and present their proof. Every company cannot be an expert, will not be an expert and can't afford to be an expert.

  • Yes! Letters of Marque and privateers again.

    Got to love it

  • We need to give them all....Windows 10! The most dangerous thing ever to happen to computers.
  • So what happens when a company screws up and clobbers the wrong company (or individual)? Think about it: when your servers are being attacked, how certain are you as to who the culprit is? Are the cops (or the feds) really going to put their best manpower on vetting the work you've done to track down the baddies? Or will that be where they stick their less capable people?
    Bottom line, if someone clobbers your company by mistake, whom do you sue?
  • Norton Utilities has always been considered *extremely* offensive antivirus software.
  • I wanna be a company.. I wanna be a company...

    BTW Hudson Institute - right wing reactionary extemism in think-tank form brought to you by Olin, Koch, Scaife, Walton (Walmart) and featuring on its board Scooter (Plamegate) Libby, Dick Cheney and Richard Pearle.

    http://www.sourcewatch.org/ind... [sourcewatch.org]

  • Give corporations the ability to wage war online with their own privately-branded malware....what could possibly go wrong?
  • What is the smart US company going to find in this mythical other territory that has super fast computer connections to the internet?
    An empty house with optical thats for rent, owners on holiday and another deeper air gapped network? But the fast network has a computer connected 24/7 and is been used to store data... that was copied out hours or days ago ..

    A small firm with optical networking that has an extra hidden box in its computer room? No storage, just the final hop to sneaker net... CCTV might
  • It's about time we proved Gibson right!

    Seriously though, its often the case that corporations are left without any viable legal recourse. China is not going to help an American company recover stolen information, and it's government may even be responsible. We already allow the use of force in self defence, against intruders, and at least in some States, to recover stolen property. I see no reason not to extend that to corporate persons. Especially when law enforcement can't fill the role.

  • How long till the MPAA or others start roaming through people's hard drives and deleting material that they feel is an "attack" on their industry, right? This is an awful idea because of the (practically guaranteed) likelihood of abuse.
  • That has to be the dumbest thing I've ever read ..

    "Zarate .. called for better cybersecurity tools"

    How about not running Homeland Security on computers that can be hacked by opening an email attachment or clicking on a malicious URL.
  • Taking the advice from someone from the GWB administration is something you might want to think long and hard about. You remember the folks that wangled a legal opinion to support their insane idea that waterboarding and the like was not torture? He's from that bunch.
  • by StikyPad ( 445176 ) on Tuesday August 04, 2015 @09:11AM (#50248449) Homepage

    The correct approach is to use the government for defensive cyber capabilities. The NSA (and others) are focused almost entirely on offensive capabilities and weaponizing exploits that they discover. Instead, they should be reporting, patching, and/or issuing reports on their discoveries. There's no point in protecting 'Murican data if there's nothing left to protect because we're ignoring defense.

    As far as their spying -- sorry, "collection" -- mission, they can still hack existing systems without using software exploits.

To stay youthful, stay useful.

Working...