"I can see the pressures building on them to engage in active or offensive cyber defence": Michael Hayden, former head of the NSA and CIA. Photo: Reuters
Security experts have warned private companies not to retaliate against cyber attackers, amid fears conflicts could escalate without government involvement.
Despite recent moves by governments globally to better notify companies of potential threats online, experts warned that the difficulty of accurately pinpointing an actual attacker could lead to false accusations or targets.
The warnings come after US lobby group the Commission on the Theft of American Intellectual Property began a push to legalise online counter-attacks by private companies after accusations that the US government's diplomatic efforts to curb the attacks had failed.
"If counter-attacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft," the lobby stated in a May report. "These attacks would raise the cost to IP thieves of their actions, potentially deterring them."
Similar calls were made at an Australian security conference the same month by former McAfee executive Dmitri Alperovitch, the author of a key 2011 report which identified targeted attacks on public and private sector companies.
But security executives and field experts have since issued strong warnings against such actions.
"I can see the pressures building on them to engage in active or offensive cyber defence," said General Michael Hayden, the former head of the CIA and NSA, in an interview with The Australian Financial Review this month.
"But I am not yet convinced they should be doing it. One would hope that over time they can work with government to get more comfort about their cyber security."
He said the potential implications for civil liberties and lack of legal defences were major obstacles to private companies taking vigilante action.
"The problem is that whereas your government and mine have very clear rules and roles for defending us across land, sea and air, they don't yet in cyber," he said. "Firms are far more on their own in the cyber domain than they are in the physical domain."
The Bank of England's head of security, Don Randall, similarly backed private companies relying on authorities.
"If I throw a stone at you, you throw a stone at me, when's it going to stop?" he said. "And how do you know the 'hack back' is not actually an inducement to dig in deeper? Where's the control around that?"
Mr Randall, a former police officer and one-time managing director of JPMorgan Chase, is known for establishing Project Griffin in the UK, a public-private partnership that saw financial sector companies in Britain become a private counter-terrorism surveillance force from 2004.