Skip to main content
banner image
venafi logo

The Cyber Vigilante: Avoiding a Wild-West Mentality That Complicates Security

The Cyber Vigilante: Avoiding a Wild-West Mentality That Complicates Security

cyber vigilante
June 20, 2017 | Eva Hanscom

In late May, Representative Tom Graves (R-GA) released an updated draft of the controversial Active Cyber Defense Certainty Act (ACDC). If enacted, the law would allow organizations who have been victims of cyber crime to conduct their own attack-back strategies to identify assailants, stop adversaries and/or retrieve stolen files.

The legislation has been met with skepticism from security professionals and officials alike. In a recent article for CSO Online, Ira Winkler wrote that the ACDC would make the threat landscape more complex and dangerous for cyber attack victims.

According to Winkler: “The reality, though, is that most victims are ill-equipped to deal with an incident and even less equipped to hack another organization without creating damage. It is reminiscent of the scene in The Dark Knight, where Batman points out to the would-be vigilantes that he is wearing bulletproof armor.”

The ACDC would complicate everything from the attribution process to digital infrastructure and third-party relationships. “A website can be hacked and used to launch attacks, but the website is hosted on AWS,” Winkler writes. “Would Amazon then be justified in hacking the victim again to stop the attack against the hosted website?”

Overall, some politicians, like Tom Graves, celebrate the image of the cyber vigilante: a person who takes cyber security into his or her own hands. Meanwhile, on the opposite side of the coin, other officials are doing everything in their power to curb it.

For example, effective security technology, such as encryption, is consistently threatened. Former FBI Director James Comey was a prominent critic of encryption and often discussed inserting backdoors into private technologies. Internationally speaking, France’s new president, Emmanuel Macron, and the UK’s Thersa May have both vowed to regulate encryption for national security purposes.

Ultimately, encryption breaking seeks to discourage what officials see as criminal vigilantism. Government officials view encryption technology as a way for bad actors to hide their misdeeds from law enforcement. In their minds, back doors would jeopardize dangerous vigilantism.

However, this perception is unrealistic. Unfortunately, we often see digital spaces as the Wild West: there are no rules, regulations or borders online. Everyone is out for himself or herself and the person with the most weaponry is on top. This perception is unrealistic. In reality, the cyber security landscape is much more complicated. A “shoot first, ask questions later” mentality can cause more problems than solutions

So, it's important that we avoid the celebration (or subsequent condemnation) of the cyber vigilante. We cannot give organizations free reign to actively launch an attack on any perceived threat. But, on the other hand, we cannot take away necessary components of their security technologies.

We have the capacity understand the principals of cyber security enough to be able to craft this effective legislation. But first, officials must throw out their preconceived notions of vigilantism. At this point in time, both the ACDC and the call for backdoors are based on an unrealistic perception of cyber space and its actors. Thus, both propositions would cause much more harm than good to the digital realm.

If we can move past the image of the cyber vigilante, perhaps we can begin a meaningful conversation on how to support cyber attack victims and encryption. Until then, we need to go back to the drawing board.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

man sitting on chair and thinking

Venafi Study: Are Financial Service Organizations More Likely to Suffer Certificate-Related Outages?

accessec, APIIDA, Crypto4A, Difenda

Six Groundbreaking Machine Identity Protection Developers Gain Funding

code signing certificates, Code Signing, Stuxnet, ShadowHammer

Study: How Well Are You Protecting Code Signing Certificates?

About the author

Eva Hanscom
Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat