Cyber crime cost the world economy $400bn in 2014, according to a report by McAfee. Whilst this only represents a small percentage of the global GDP, it’s a significant number.
Meanwhile, the continuing increase in attacks represents a fundamental risk to many companies, having a tangible impact on share prices and the global economy. At a national level, governments are coming under increasing attacks that threaten critical infrastructure. On the flipside, some governments are becoming far more active in conducting cyber attacks, seeking to disrupt rivals’ economic and military capabilities. But enough is enough.
Cyber criminals have it easy – they can strike a corporation with very little risk of being caught and prosecuted, particularly when operating within multiple legal jurisdictions. National governments and the international community have failed to provide a way in which these criminals can be identified and brought to justice, leaving corporations – some of which provide critical services – at the mercy of attackers and with few options for response. Indeed, thanks to current UK legislation, businesses are being prevented from even basic measures that could have a major impact on their ability to respond to cyber attacks, requiring them to defend with both arms tied behind their back.
We spend time, effort, and money educating students and IT workers in how to carry out cyber attacks so that we can better understand how to defend against them. But what if we were to put these skills into practice? Why shouldn’t companies, which may be under sustained attack for months with no hope of a criminal prosecution bringing the perpetrators to justice, be allowed to quickly neutralise the threat by destroying the attacker’s capability?
Responding to cyber attacks involves many specialist teams. There is the triage team, which analyses how the attack is affecting the organisation and how best to prevent or at least reduce damage caused by the attack. Forensic analysts then examine how the attack was carried out and attempt to gather evidence to enable prosecutions. Lastly, the defensive security teams use the information provided by the other teams to try to prevent the organisation from being attacked in the same way again.
Hypothetically (and bear with me because this is a bit radical), what if an offensive security resource, whose job it was to identify the perpetrators of the attack and destroy their capability to continue the attack, were to be included in these teams? These would be highly skilled practitioners capable of sophisticated cyber attacks in their own right and, crucially, able to categorise different types of attacker. Large organisations may feel this is something they could do themselves. Smaller organisations would almost certainly want to engage someone else to do this for them, in the same way that incident response is currently handled.
Attacker identification would be crucial if this approach were taken on board. Organisations responding offensively to an attack need to be sure that they will not accidentally harm an innocent third party – which may be being used as a proxy – or accidentally attack a foreign government. There are clear risks associated with carrying out a cyber attack that must always be weighed up, particularly when being carried out in pursuit of legal aims.
But responding in kind to cyber attacks could make them significantly more costly and risky to carry out by hitting the perpetrators where it hurts most – their pockets. Most cyber crime is an economic activity, carried out by criminal organisations that have well-developed corporate structures. If attacks like these could be seen to be more risky and less economically viable, the perpetrators could be made to think twice before launching an attack.
As things stand, businesses and citizens cannot rely on the legal system preventing, or even punishing, cyber attacks. As the volume of attacks grows, something drastic needs to change to make cyber crime more costly to the perpetrators and reduce the impact on people and organisations just trying to go about their lawful business. Now, in the long term, clearly a “Wild West” approach to cyber justice is not sustainable, and the risks of escalation are obvious. However, it is clear that the current situation requires a radical response in lieu of a coherent global approach to cyber crime.
Slipping the leash off corporate cyber security teams is one potential answer to consider.