Corporate Vigilantism Survey Results
By Winn Schwartau
In late October of 1998, I approached Network World (one of the magazines I write for) with a project idea: let’s examine the status of corporate vigilantism. (See the results of that research at www.nwfusion.com/news/0111vigilante.html . Network World is also hosting a Forum on the article and vigilantism: www.nwfusion.com/forum/vigilante.html)
To clarify the point, I used the example of Lou Cipher, a senior security executive at a major US financial institution. It seemed that Cipher took hackers and their deeds very seriously. In response to hackers and their actions against his company, he took a strong "Strike Back" attitude – going as far as wielding baseball bats against alleged cyber-attackers who don’t take electronic hints.
The Pentagon had just used on-line "Strike Back" techniques against the Electronic Disturbance Theater, a self-styled group of hacktivists who had targeted a Pentagon web site for disruption. The Strike Back responses are caused by intense frustration:
- Hacking events are increasing by huge numbers
- The assaults are becoming more aggressive and hostile
- The attack tools are automated and require little technical skills
- Political and social motivations have invited cyber-civil disobedience.
- Investigation of hacking events is very difficult
- Law enforcement is not up to the task of investigating cyber crimes for lack of manpower, resources and interest.
- Corporate America distrusts law enforcement to prosecute and keep any investigations secret.
I began the article by talking to a number of associates in various fields to get their reactions to the concept of vigilantism, either by the government or corporations. I spoke with CEOs, analysts, the military, financial firms, manufacturing companies, foreign governments and intelligence agencies, security professionals and hackers.
My attempts to get law enforcement reactions and comments on Corporate Vigilantism produced less than satisfactory results. The Department of Justice offered a "no comment" on most questions. The Department of Defense said they had nothing to say on the issue and refused to comment in any way. The FBI stated they did not maintain statistics on computer crime and refused to respond to any questions. The Secret Service said they would respond to a faxed query, but to date, they too have not responded. European police agencies, however, did respond, as did some local US police organizations. This lack of openness underscores the understandable attitudes which have triggered the advent of Corporate Vigilantism. Many of the interviewees blame law enforcement’s arrogance and apathy for the rise of people taking the law into their own hands. Historically there is precedent; after the US Civil War, many law enforcement duties were carried out by private firms such as Pinkerton.
On the other hand, the public law enforcement position is a dichotomy which is sure to encourage more vigilantism. When I spoke with law enforcement officials casually, and for background only, to a man and woman, and from every single agency, they all responded very favorably to the concept of Corporate Vigilantism. "There is no other way. You have no choice if you expect results." Most indicated they understood and favored electronic responses if they had high confidence that the right people were identified. Fewer police favored a physical response to serious on-line attacks when all else failed. Most of those interviewed also said they would "look the other way" if a company was found defending itself in such a way. But, because such actions technically break the law, they cannot formally approve or endorse vigilantism in any shape, way or form.
It became apparent very early in the interview process that the subject of Corporate Vigilantism is an emotional one to say the least. There is a complete spectrum of opinion, and much of that diverse opinion is very strong indeed.
I found that the military, more often than not, is pacifist-oriented. They favor law enforcement intervention by far over strike-back vigilantism, and diplomacy for international cooperation rather than unregulated response. Corporate officials had a wide spectrum of attitudes, but many of them clearly feel that their primary responsibility is to their companies and their assets. If that protection requires them to step outside of the law in order to stop criminals in their actions, many executives feel the potential for effective protection is well worth the low risks.
I personally spoke with about seventy people and recorded their comments, the vast majority of which cannot be quoted by name. The aggressive law enforcement officials want to keep their jobs, and the executives don’t want to turn their companies into electronic targets any more than they already are. So, they insisted on anonymity, too.
But then there’s Lou Cipher, the baseball bat wielding financial executive. My editors at Network World were worried about him. "Is he real?" "Are you really sure about him?" The editors finally spoke to him; he provided them with his real name and corporate affiliation, but because of his aggressive stance, that information, too, will remain – as promised – protected.
The emotionalism was intense. At Comdex, I discussed the issue with countless folks, who echoed the range of opinion I had already found. In Europe, I spoke with defense agencies and techno-spies who felt in no uncertain terms that vigilantism was an appropriate response to protect their national security. Remember that Yeltsin’s Russia has said "information warfare is second only to nuclear warfare and we will respond to any such attack in an appropriate manner." (paraphrased.) More recently, the Russians have been calling for an international confab to discuss common goals and defenses against information and cyber-warfare. Insiders in Washington say it’s because the Russians are so far behind the curve in IW and offensive hacking development that they hope to declare peace before a new and potentially costly cyber-arms-race begins. Some experts say China is launching the world’s largest offensive hacking operation in an effort to bolster their own international cyber-presence; note that they just sentenced a hacker to death for on-line theft.
As I further investigated self defense, I decided to send out a list of questions to some acquaintances. And this is where my ‘caveat emptor’ begins.
The Corporate Vigilantism Survey was not conducted in any formal way. It did not use a statistically balanced approach or neutral questions to get a baseline; it was not a scientific study. The results are compiled from hundreds of responses we received to the survey. Many of the answers we received to many of the questions were long answers, and we needed to read and analyze the thoughts and comments to fit them into the "Yes", "No," and "Maybe/Sometimes" categories in the results below.
We are in the process of developing new Vigilante and other surveys in cooperation with government, international agencies and academic institutions. Please stay in touch with www.infowar.com to keep up with the latest findings.
- Recently the Pentagon responded to a series of attacks [by the Electronic Disturbance Theater] by striking back at them with software which disabled the attackers’ browsers. Is this a good thing?
- Should companies respond to hacker attacks by attacking them back?
- Do you consider a single "Ping" an attack?
- Is a port scan an attack?
- Does a subtle "mapping" of your networks constitute an attack?
- If an attack comes from outside the USA, should a company respond with offensive software?
- Do you agree that responding with offensive software is the electronic equivalent of removing a weapon from an attacker in the physical world?
- Is there a line to be drawn as to when a person or a company has the right to strike back at an attacker?
- The US govt. is developing offensive software. Should it be used?
- Several foreign companies and countries have said they will strike back at US locations if they identify the attack as from within the United States. Should they do this?
- One financial institution has said it will "use every means at our disposal to protect our assets." They have built strike-back offensive capabilities. Does your company have offensive software or plan to use such techniques?
- Is a physical response to an electronic attack appropriate?
- If you found yourself the victim of a retribution attack, would you respond with offensive software?
- Should child porn sites be "fair game" for on-line assaults?
- Are there any other sites that might be OK to attack?
Copyright Stuff: This data is owned by Winn Schwartau and Infowar.Com, Ltd. It may be used, reproduced and distributed by anyone, for free, in full or in part, in hard copy or electronic format, as long as there is no subsequent charge, unless it is part of a value-added information product. Full attribution is to be given: (C) 1998-1999, Winn Schwartau and Infowar.Com, Ltd, www.infowar.com. The Network World vigilante article is located at www.nwfusion.com/news/0111vigilante.html. Please adhere to their copyright notice.
Infowar.Com, Ltd. email@example.com