Business owners who are worried about becoming the next victim of a data breach have been advised against being tempted into firing first against their adversaries.
Respected cybersecurity journalist Graham Cluley acknowledged that the idea of “active cyber defence” is a compelling one – with business owners and the white-hat experts in their employ preventing would-be hacks from getting anywhere with attacks of their own.
However, Cluley warned against it, suggesting that such measures would be better left to the authorities. He wrote for BitDefender: “If you found a sleepy grizzly bear in your back garden would you seriously consider poking it with a stick? Or would you feel more comfortable informing the authorities so they could deal with it instead?”
Such measures, he goes on to explain, could start a war of attrition between businesses and hackers, with the cybercriminals looking to strike back harder. What’s more, companies may not be fully aware of what they’re getting themselves into before they’re already too deep. A target, for example, may actually be part of a wider state-sponsored campaign with more money and resource behind it than first thought. Also, the hack is unlikely to have originated from where it may first appear, with misdirection a relatively simple process in the cybercrime world.
For companies that take the law into their own hands, they may eventually end up getting in over their heads and calling upon the authorities to help out after it becomes too much. However, their initial preventative measures may have deleted key evidence that could have otherwise been used to identify the black-hat hackers and stop them from carrying out further attacks.
Cluley has the backing of large tech firms, with rivals Google and Microsoft teaming up earlier this year to encourage US lawmakers to veto a change to the law that would make pre-emptive hacks legal in the state of Georgia. They claimed it would turn the area into “a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions.” They went on to argue that it “could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”
The effort was rewarded in May when Republican Gov. Nathan Deal vetoed the cyber crimes bill.