Rethinking Cybersecurity, Retribution, And The Role Of The Private Sector

In upcoming testimony before the House Homeland Security Committee, I'll be assessing the Department of Homeland Security, with particular focus on cybersecurity. Probably the most important point I'll be making is a simple one:

We will never defend our way out of the current cybersecurity crisis.

That's because putting all the burden of preventing crime on the victim rarely succeeds.

The obvious alternative is to identify the attackers and punish them. Many information security experts have given up on this approach. As they point out, retribution depends on attribution, and attribution is difficult; attackers can hop from country to country and from server to server to protect their identities.

I think this skepticism is outmoded, however.

Our intelligence on cyberattacks has gotten a lot better.

Investigators no longer need to trace each hop the hackers take. Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers.

No one can function in cyberspace without dropping bits of identifying data here and there. If the good guys' security is inherently flawed, so is the bad guys'. If we exploit their bad security systematically, we should be able to put attribution — and retribution — back at the center of our response to cyberattacks.

Since nothing else is likely to work, we need to pursue this possibility with vigor. We should take the offense, surrounding and breaking into hacker networks to gather information about what they're stealing and who they're giving it to. That kind of information will help us prosecute criminals and embarrass state-sponsored attackers. It will also allow us to tell the victim of an intrusion with some precision who is in his network, what they want, and how to stop them. DHS's intelligence analysis arm should be issuing more such reports and fewer bland generalities about terrorism risks for local law enforcement agencies.

If we're going to do this, though, we can't rely exclusively on government. Sure, governments have resources and authorities beyond those of any single company. But in aggregate, it's the private sector that is losing the most and that has the most resources to put into locating and punishing the attackers. In my private practice, I advise a fair number of companies who are fighting ongoing intrusions...