If there's a "marquee case" where "someone takes the bullet" in a court battle arguing for the ability to strike back in active defense, then the result might be to raise awareness that could get Congress to modify current law. He added that Microsoft has shown some success in lawsuits oriented toward dismantling botnets around the world by going after individuals running them and also revealing their identities.
"We need to get some deterrence," said Alperovitch. It's his opinion that nation-state industrial espionage that occurs over the Internet, often linked to China, is simply something that for political reasons the U.S. government does not want to take on as a public issue now. Despite the huge number of computer intrusions blamed on Chinese attackers stealing U.S. data from corporations and government over the past few years, the U.S. government is not motivated to make waves over it. "On the nation-state side, the government is locked in inaction," said Alperovitch.
Hacking back at servers where you think attacks have originated violates the law and "you don't get much out of it," said Alperovitch. Active defense, he said, is better understood as "offensive tactics" that could involve everything from attempting to get stolen data back to legal action and public relations-oriented actions to expose the identities of attackers in full and their motivations.
Although there's certain to be debate, CrowdStrike is starting with the basic belief that the private sector has the authority "to go into a server to get that data back," said Alperovitch. He said there's a common-law precedent, and an affirmation defense under the law. But the usual circumstances would be that you'd first call the FBI or other law enforcement and have them try and take action, but "if the government and law enforcement is unwilling or unable to take that action, you can," he said. "It's defense of property," along with the idea, "I'm holding you until the law arrives." He said there's a lot of precedent in the legal system for this, but it hasn't really been done before for cyberattack response and he acknowledges that court rulings would be uncertain.
In terms of active defense, there are also techniques related to deception that could come into play that are akin to distributing disinformation in order to fool an attacker. He said this could go way beyond honeypots, which he says aren't usually effective because they are hard to make realistic. Though he declined to divulge some details, he said the best types of counterattack deceptions are those in which disinformation is very targeted toward an attacker and you try to limit the spread. Here, too, the issue of both public relations and legal fallout exist because active defense tactics that go awry could have negative consequences for companies and governments.
Sign up for Computerworld eNewsletters.