The Hill has a piece today that talks about the Department of Defense sending up smoke screens around strike-back, telling businesses that they might be violating yet-to-be-defined rules of engagement in cyberspace. This is ill-advised, but not for the reasons the Defense Department talks about here. Defense should be educating businesses and not warning them about the possible policy violations that don't exist.
Striking back against hackers is dangerous, for sure, but the policies of the UN and treaties between countries are hardly the reasons. First, Defense has not been striking back at hackers and that is why too many of them are still hacking businesses. They do it with impunity. Defense does not feel a need to stop activities against commercial businesses, and they are probably justified in feeling that way. Our military is not tasked with protecting businesses very often, though they do have the "commerce" clause that justifies them defending trade routes and commerce. Nobody in the Federal government is charged with offensive actions to reduce the impact of hackers on US businesses. That could be corrected, but it has not been.
So, when hackers hack businesses there is nobody to hack them back to discourage the action in the future. Some businesses go to Congress over this and try to get legislation that will authorize that kind of activity, when that too is not a very good approach. Congress hates getting involved in this kind of thing, and has yet to pass legislation that would authorize strike-back. Congress does not want to authorize anything with potential liability attached to it. If a business does strike back, they are on their own and suffer the consequences of retaliation alone. This is ridiculous on both sides.
If someone is going to stop hackers by disrupting their operations, we should designate an agency to do it, task them to do it, and prioritize the groups that we are going to hack back on. The activity does not have to be as overt as strike-back. It can be done covertly so that hackers do not know what is happening to them, or who is doing it. We disrupt and deny hackers the ability to continue unrestrained. The Dutch have an interesting way of doing this by disrupting the websites that distribute tools that hackers use. We need to do a lot more of the same kinds of things, which businesses that have been hacked can help with.
Second, businesses need to get their act together so they don't need so much defending. Some of the companies that complain about government support don't do enough for their own protection - and I could name some big companies that habitually lose their designs and personal data. Before you get help, do something for yourselves.