Big Mouthed Sailor
I've long had a big mouth and in my drinking days in the Navy it often landed me in trouble. One night while on a training detachment in New Orleans I found myself with a handful of Sailors and Marines at a local bar. I (as usual) had had too much to drink and decided to entertain myself by picking on a particularly tough Gunnery Sergeant. As everyone looked on I began telling off-color (outright offensive) jokes about the Marine Corps. They started with run-of-the-mill belittling jokes. This made Gunny uncomfortable. When I started railing on the Commandant, his teeth started grinding. I continued to get bolder with my comments and the faithful Marine began to turn red. I knew that a jab from his off hand would be enough to land me in a medical bay but I wasn't worried. The regulations required the senior Marine to keep his cool even when being berated by an arrogant and drunken Sailor. The chain of command would deal with him harshly if he lashed out at me. So I continued to dig in. Then I turned my jokes to the comeliness of his wife. As I began the first punch line of that first joke everything turned to slow motion. Gunny jumped up so quickly that his chair flew halfway across the bar. His right arm began to come back for a haymaker of a punch that was soon to end my life (and my inappropriate jokes). I realized then it was time to utilize my most skilled military maneuver: rapid retreat. I ducked and began running until I was four blocks out of the French Quarter.
When Hitting Back is Off Limits
In a recent article in the Washington Post it was revealed that the US Department of Defense is proposing a policy change that would allow them to "strike back" against cyber assailants. Undoubtedly there will be a good bit of "high road" debate opposing such discussions with cliches like "we're above that kind of action" or "we shouldn't stoop to their [hackers] level." But this proposed policy is well overdue. In physical security if individuals or nation-states were lobbing grenades at US-protected property we would be enraged to find the military taking "the high road." We would expect the military to "neutralize the threat" as quickly as possible. Somehow we've bought into the philosophy that those same laws don't apply in cyberspace. There are digital assets that belong to US citizens and companies under constant threat from state-sponsored and criminally funded sources. When I swore an oath of enlistment in the military service I said I would "defend [the nation] against all enemies foreign and domestic." That is what the military and law enforcement are supposed to do both on the street and on the wire.
The problem I caused in the bar with the good Gunnery Sergeant was allowed because the chain of command that was supposed to protect him had created a "soft" policy that didn't protect him against my attacks and also removed his ability to protect himself. He was expected to "be tough" and weather the attacks. Enterprise networks find themselves in a much more serious situation with hackers. The government, unwilling to use cyberforce, is allowing an uncounted number of cyberattacks to go unchecked. Laws forbid enterprises from striking back against their attackers. This allows the hacker equivalents of 125-pound loudmouth Sailors to terrorize honorable and strong Marines. It allows the weak and manipulative to become strong. It is possible for an otherwise powerless loser to make a damaging blow to a global enterprise. The Internet has been often compared to the "Wild West" because of its apparent lawlessness. I am a firm believer in the government protecting its citizenry and believe sustained vigilantism scars a society, but unchecked lawlessness is the worst of options. The FBI is getting better and better at tracking down cybercriminals in the real world and putting handcuffs on them. The problem is that the proportion of criminals getting away to those being arrested is staggering.
DoD starting to strike back against hackers is an essential step in remedying a long unchecked problem of cyberthugs getting away with crimes. It should be broadened to include law enforcement and authorized security devices on enterprise systems that "bite back" when intruders are attempting to break in. If we stand by and take the cyberattacks without retaliation, we empower the worst kind of behavior. If we begin to swing back there is a reasonable expectation that the most base of hackers will be running out of the French Quarter and will begin to rethink their lives.
Update 8/21/2012: Wired reports DoD research & discussion of cyberwarfare: http://www.wired.com/dangerroom/2012/08/plan-x