Active defense: The perils of cybervigilantism

Legally ambiguous active defense strategies are risky -- and costly -- for businesses, but could the benefits outweigh the drawbacks? In this #CIOChat recap, participants highlight the hazards of hacking back.

If your organization is planning to implement an active cyberdefense strategy, be prepared to walk a legal tightrope. When it comes to hacking back, the lack of legal precedent has created a lot of gray areas, as attorney Randy Sabett recently explained to SearchCIO. As such, it's important to tread carefully when developing an active defense strategy.

A good first step in a hacking back approach is to do your research and know the dangers and drawbacks ahead of time, which can aid CIOs in avoiding legal -- and moral -- pitfalls.

In SearchCompliance's recent #GRCChat, participants examined the risks of pursuing active cyberdefense.

What are the risks of proactive security? Could companies face compliance and/or legal problems because some methods are illegal?

As the saying goes, the higher the risk, the higher the reward -- and hacking back is not without its fair share of risks. The legal perils most often cited are associated with the Computer Fraud and Abuse Act (CFAA), which focuses on unauthorized access, and the Electronic Communications Privacy Act (ECPA). But because the lines of these laws are not clearly drawn in terms of active defense, "It is very hard to interpret under existing law what's OK and what's not," according to Sabett. #GRCChat-ters agreed that there are unknowns when it comes to hacking back and were quick to point out the dangers:

As one participant pointed out, legality is not the only issue to consider when deciding whether to hack back -- ethics and potential bad publicity must also be considered. Vigilantism isn't always a good look for companies, according to chatters:

The perceived value of hacking back must also be weighed against the cost. Active cyberdefense is not cheap and, for some, is hard to justify given the already-increased risk. But is the cost of hacking back inconsequential when compared to the value of the data it might help protect? Participants discussed the expenses and manpower needed to drive an active defense strategy:

With new cyberthreats emerging regularly, the demand for new and effective security measures continues to rise. With higher demand for security, one might expect more funding, but that's not necessarily the case, according to one #GRCChat-ter:

Would you consider an active defense strategy? Why or why not? Sound off in the comments section below.

Next Steps

For more on active defense strategies, check out our other #GRCChat installments on the perks and the pitfalls of hacking back, advice on when to go on the offensive and the future of active cyberdefense. Then head over to SearchCIO to further explore the legal limitations of hacking back. Finally, over on SearchSecurity, hear one CTO's take on the effectiveness of active defense strategies.

Join the conversation


What are the biggest risks of active defense strategies?
The biggest risks of proactive defense strategies involved with hacking back focus on illegalities of hack processes coupled with the company's ethics and reputation. Companies risk getting into legal perils associated with the Computer Fraud and Abuse Act (CFAA), an instrument of law that focuses on unauthorized access. Companies also risk perilous situations with the Electronic Communications Privacy Act (ECPA), but these laws aren't clear on what's right or what's wrong in terms of active defense.

Yes e48489, it's interesting that companies that are just fighting back against hacking could end up facing compliance violations. I'm wondering if lawmakers will start to consider this issue in the future, and accommodate proactive "hack back" efforts as data security vulnerabilities increasingly become a problem at corporations.

Active defense strategies' biggest Achilles' heel is that while an IT department is being proactive and focused on defending systems and facilities, a lesser threat might saunter in unfettered. The best way to mitigate this is by having a balanced and well-thought-out approach to securing your enterprise.

I believe a better use of IT and security resources would be to invest time fixing the low-hanging fruit on their networks that the criminal hackers are going after in the first place. Vigilantism is no doubt fun and cool but so is knowing that you have a network environment that's resilient to whatever is thrown your way.

I agree with Kevin. In most cases, there are plenty of simple fixes (simple being relative, but in the grand scheme, yes) that can be applied based on a basic security audit. Covering those areas will make one's organization a less attractive target in the first place. From there, keep working up and get the users involved in helping keep their networks and resources secure. Once that's all done, then start seeing if you can handle being ultra-adaptive or outsmart the baddies. First principles first, though :).