If your organization is hit by a cyber-attack, turning the matter over to the authorities is the appropriate course of action. But, if you’re able to stop the attack yourself by taking out the hacker’s servers, should you hit back at the hackers?
When companies are hit by cyber-attacks, some may feel – with good reason – that they have no recourse other than to strike back. Law enforcement’s response can be lumbering and, currently, there are few options for collaborating with others on cyber-security challenges. Yet, before you try to take out a perpetrator’s servers, consider the risks. Increasingly, attacks are launched from within IT environments of legitimate organizations that may have no idea they’ve been breached. Striking back may help stop an attack in progress, but it also could have unintended consequences. Given these considerations, are there times when hitting back at hackers is the more effective response?
Explore all sides below by clicking on each button:
Kelly Bissell, Principal, Deloitte & Touche LLP
As tempting as it may be to respond to cyber-attacks by disabling the servers from which they are launched, organizations should only hit back at hackers by working through legal channels and with the appropriate law enforcement officials. In fact, the law may soon require nothing less: In 2011, the SEC Division of Corporate Finance issued guidance that, if enacted into law, will require companies to report cyber-attacks to the government.1
Some private sector organizations have expressed concerns that such reporting requirements may lead to their servers being seized as part of an investigation, or lead to brand and reputation issues if news of an attack is made public.
While such concerns are understandable, I believe that the government’s proposed requirements may actually lead to a new public/private partnership that might address the private sector’s concerns and make it possible to address cyber-crime more effectively. Here’s how it could work: The private sector, working with law enforcement, could establish a clearing house that aggregates information on the cyber threats that companies across the United States encounter. This clearing house should analyze the collected data and share it with federal law enforcement officials, who could then act on it. Furthermore, when hackers launch an attack against a particular company, the clearing house – acting as a monitoring agency of sorts – could alert other companies in the same sector that they may be vulnerable. Collaborating in this way, the public and private sectors could identify the bad guys, develop a greater understanding of where and how they operate and thwart attacks the moment they commence.
There have been many attempts at this (e.g., FBI InfraGard, Secret Service Electronic Crime Task Force (ECTF)). The one thing that has often been a strain in these relationships is that it is a one-way street when it comes to information sharing. Private sector pumps in data and the government uses it, but is very limited in sharing with companies. The new public/private clearinghouse should be a two-way street.
Clearly, it is likely to take significant coordination to make a public/private partnership on this scale work. But with the frequency of cyber-attacks increasing each year, a concerted effort may be among the most effective alternatives to having each company striking back angrily at hackers and, by doing so, potentially making a bad situation worse. Like my mom always said, “two wrongs do not make a right.”
Library: Deloitte Debates
Services: Consulting
Overview: Technology
Conversations on this debate may lead in many directions. We encourage spirited debate and varying perspectives but honesty, decency and mutual respect are essential. Please remember:Keep your entries succinct and on topic.Don’t post confidential information.Don't use names of companies or individuals.Use appropriate language and refrain from attacking others.Comments will be reviewed prior to posting.We reserve the right to edit, remove or not publish comments at our discretion.As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
No comments:
Post a Comment