‘Yes! We want to get ’em back! They hacked our network and that has cost our company millions of dollars!’ That is probably how many seasoned CIOs, CTOs or other members of a company’s C-suite would like to respond after a major cyber breach has been discovered and announced to the public. It has been a recurring question in the cyberspace domain for years. The question, however, is: what happens if these companies strike a nation state with an all-out cyber assault? A company that struck out on its own to retaliate against a nation state could cause a very severe U.S. national security incident. The launched cyber-attack could start the next kinetic world war. Whether such a kinetic response followed would depend on the severity of the damage caused to that state actor, but there would be other consequences regardless.
A company’s cyber counter-strike operation could also undermine U.S. diplomatic efforts conducted through agencies such as the State Department and, of course, the Department of Defense. Although it may sound like a great strategy to the company’s C-suite executives, it is definitely a very bad idea! The recent cyber-attacks on Sony Pictures Entertainment (SPE) produced a very sporadic incident response on Sony’s part. SPE executives had their technicians respond immediately to the cyber-attacks by launching their own major distributed denial of service (DDoS) attack against the nation state of North Korea. It was a very dangerous game to play. The retaliation shows again how cyber capability can be used asymmetrically by individuals. It is now a very dangerous environment in which to operate.
Private cyber retaliation was proposed only as an idea, by a special commission created to study the effects of intellectual property theft from private companies and to recommend ways to mitigate such theft when it is carried out by means of cyber espionage. The whole concept works against the efforts of other U.S. departments and agencies that are trying to stabilize the cyberspace domain and make it a safe environment for all to operate in. James Lewis, a senior fellow and the director of the technology and public policy program at the Center for Strategic and International Studies (CSIS), an international think-tank located in Washington, D.C., has argued: “A nation has sovereign privileges in the use of force. Companies do not.” This argument is very important. Lewis bases the entire principle on who has the right to strike by cyber means and who would be responsible for that strike if it were carried out.
Unfortunately, at this time companies do not have an incident response go-to team for enforcement within cyberspace. Companies have to take responsibility for strengthening their own cyber defense policies and for monitoring the behavior of possible insider threats.
Yes, there are computer emergency response teams (CERTs), even on an international basis; however, they exist only to analyze, share and distribute threat information so that the same cyber-attack does not happen to others in the U.S. and abroad. Companies need to learn how to report to these CERTs, be vigilant about sharing data with the collecting authorities, and follow correct cybersecurity best practices to ensure that their systems are safe from future cyber-attacks.