, , , , ,

keyboard grenadeDoesn’t it just seem obvious that at some point, to protect our digital selves, we’ll have to fight back?  Firewalls and anti virus software are like fences – merely obstacles.  Leaving the porch light on and locking your door is no doubt wise.  Thieves target easy prey.  You don’t have to out run the bear, just your buddy.  The metaphors advising essential layers of protection are endless, but by now everyone should understand that absolutely no one is entirely safe from online intrusions.  Lest we all agree to simply run around naked, data privacy requires more than protection; we need to increase the risk/reward ratio of cyber attacks with a strong deterrent.

We’re building a fence along our border with Mexico – which is to say that’s a problem we don’t really care to see fixed.  Where American lives and real money are on the line, we deter attack with our armed forces.  The best defense is a good offense.  Cyber theft is starting to become real money.  It’s one thing for a credit card company to build fraud into its business model.  Not every business can do that.  The potential losses aren’t always known.  The information age is rapidly approaching its kairotic moment.  If we can’t control technology, then we might as well reboot ourselves back to the dark ages before cyber extremism launches us into the stone age.

I’m proposing the ability to respond to hacking efforts with intrusion countermeasures electronics.  ICE.  There are other terms for this but I like the literary reference from Tom Maddox and William Gibson.  The concept is an active defense that strikes back.  Currently there is very little risk to deter internationally remote cyber criminals.  This proposal is not new, the concept has been around since Burning Chrome and Neuromancer.  Black ICE takes it further by suggesting the response actually include deadly force.  Assuming that’s even possible.  So why are we not enacting an idea that’s older than the Internet?

Consider what we learned recently from the Sony attack, ostensibly by North Korea.  I have to use the adjective ostensibly, not because the FBI has yet to make their proof public, but because other agencies believe they have evidence demonstrating this is an inside job.  Point being, certainty is difficult in proving the source of cyber attacks.  So much can be spoofed.  IP addresses.  So much more is circumstantial and inferred.  This type of malware was used by this cyber warrior previously against that target.  The more sophisticated the attacker, the more likely they have obscured their tracks if not framed another source.  The level of certainty required in a U.S. civil court of law is virtually impossible.

Given that, you can be certain responding with a counter attack is illegal.  And your response will leave undeniable evidence.  No corporate legal team will approve counter attacks.  They would be complicit.  There is also the risk of escalating the conflict.  I don’t subscribe to that fear personally, but it doesn’t matter.  No legal entity can perform counter attacks.  It’s simply not allowed.  Only governments can respond with intrusion countermeasures.  Israel is transparent about this.  You can only hope the U.S. does it.  Deterrence requires we do so in a public and comprehensive manner.

Perhaps the government could outsource this to corporate ethical hackers like they do some military security now.  Regardless, I think this cost should come out of our defense budget.  I haven’t put any thought into how we should triage attacks.  Should our response to an attack against a small startup be as severe as that of a Fortune 500 company?  Should we discriminate at all.  Is our first level of response a denial of service attack or do we erase attacker hard drives?

The technology for countermeasures will be interesting.  The solution might require a government layer of software on every citizen’s computing device, much as we run anti virus now.  That’s a scary thought.  Worse than NSA snooping would be having to call the gov’t helpdesk when a software patch crashes your machine.  That Obama is responding with Executive orders now to the Sony hack tells me what direction we’re headed.  Could be years given the pace of political policy-making.  Could be months given the pace of technological progress.