A recent interview with former Chairman of the Joint Chiefs of Staff Adm. Mike Mullen raised some interesting points on offensive cybersecurity. US Cyber Command has been elevated to its own combatant command, but should the government give companies the green light to hack back when attacked?
Mullen answered that before we can know, we need better communication between private companies and the government. The key point of contention is privacy and its balance with security.
I haven’t seen a path where I could authorize a company, say, Sony Pictures, to respond to the North Korean government. So what about responding to criminal hackers? There is a heated debate about that, about what we should authorize, and what’s OK. That’s an open question. I don’t think there is much wisdom in letting private entities respond offensively to state-sponsored cyber intrusions.
Military training teaches that until the enemy starts to pay a price, they more or less have an open runway to continue their attacks. Mullen says that a response is required when defined lines have been crossed.
This shows the current challenge of offensive cybersecurity: defining these lines and the appropriate responses. Threats come from individuals, state-sponsored hackers and vague mixes of the two, working for profit or for countries that can be both enemies and trading partners, which makes defining any kind of set lines very difficult and controversial.
When it comes to cybersecurity, will the best defense be a strong offense?