Although much of the recent buzz surrounding cyber attacks has highlighted the possibility of retaliation, the million-dollar question remains: How do you strike back when you do not know who your enemy is?
“The simple answer is that you can’t, and the longer answer is that it’s really hard and will probably take more time and money than you want to spend,” writes Dr. Charles Palmer on The IBM Institute for Advanced Security Expert Blog.
Palmer, who serves as IBM Research’s CTO of security and privacy, recalls how he attended a meeting with security professionals in the late 1990s to discuss cyber crime and hacking.
While these particular individuals were working to implement various capabilities offered by the Internet, they were not comfortable with the thought of someone being able to “mess with . . . their web pages, systems or networks,” Palmer said.
At one point in the discussion, Palmer said, someone suggested “well, if we find someone’s been messing around with our stuff, we ought to just send some of our boys out to pay him a little visit and take a baseball bat to his computer.”
The discussion that ensued could as easily be taking place today, Palmer noted, raising the question: If attackers mess with your “cyber stuff,” how do you get back at them?
In short, you really can’t, Palmer says. He lays out the problems with retaliation and the difficulties with tracing cyber attacks. First, it can be “extraordinarily” hard to link an attack back to a specific machine. Second, identifying the attacker is difficult: If the machine has been traced back to the public library, “you probably shouldn’t assume it was the librarians,” Palmer writes.
Third, there is the question of what action to take once the attacker has been identified.
“If you use the perp’s computer for batting practice, he/she can always buy a new computer more easily than you can repair your website or your brand,” Palmer notes. “If you choose a less physical approach and aim all your computers at his/hers and ‘hack ’em back,’ the same reality remains: It does no good in the long run.”
Palmer concludes that the best approach is “not to throw stones toward where you thought the attack came from” and to chalk the event up as another lesson learned.
“If the damage is discernible and notable, law enforcement could be brought in,” he said. “If it came from a business partner or supplier, then maybe they should lose some status with your company. If it came from an internal department, perhaps they need a careful audit. If it came from a competing entity, such as another company or government, then perhaps more public pressure would be productive. Most of the time, however, the best path is to learn from the incident and move on.”