Army Gen. Paul Nakasone, head of US Cyber Command, recently spoke about cyber threats to a congressional subcommittee. According to Nakasone, cyber attacks from nation-state actors, like Russia, North Korea and Iran, have increased in sophistication and intensity; some even breached critical naval systems. As a result, the general recommended that the United States become more prepared to aggressively strike back at its assailants.
Simply put, this is a very tense time for the cyber security industry. At this year’s RSA conference, Venafi wanted to see how security professionals are responding to cyber war threats and offensive hacking proposals. We evaluated the opinions of over 500 convention attendees and the results were quite interesting. For example, 87% of the respondents say the world is currently in the middle of a cyber war.
“It’s clear that security professionals feel under siege,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “With the increasing sophistication and frequency of cyber attacks targeting businesses, everyone is involved in cyber war.”
Participants were also asked who should be allowed to participate in retaliatory hacking actions, and the results were slightly mixed. For example, 72% believe nation-states should have the right to “hack back” by targeting cyber criminals who level attacks on their infrastructure.
Meanwhile, 58% believe private organizations have the same right to “hack back.”
Currently, the Computer Fraud and Abuse Act prohibits many retaliatory cyber defense methods, including accessing an attacker’s computer without authorization. The Active Cyber Defense Certainty (ACDC) Act addresses active cybersecurity defense methods and was introduced to the U.S. House of Representatives in October 2018.
The ACDC Act proposes “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers.” As we saw with Nakasone’s recent subcommittee meeting, these proposals should become more common in the future.
“Today, private companies do not have a legal right to actively defend themselves against cyberattacks,” Bocek added.
“Even if this type of action were to become legal, most organizations are too optimistic about their abilities to target the correct intruder. Even with the most sophisticated security technology, it’s nearly impossible to be certain about attack attribution because attackers are adept at using a wide range of technologies to mislead security professionals.”
“For many organizations, it would be better to focus on establishing stronger defense mechanisms. We’ve seen excellent growth in cloud, DevOps and machine identity technologies that allow digital business services to be restarted in the event of a breach, effectively delivering a knockout blow against attackers,” Bocek concluded.