Skip to main content


How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is intended to destabilize the U.S.  through ideological activism, advancing their interest and further their political agenda. Their methods compromised computer systems of candidates and political parties using the exfiltrated data to spread disinformation and influence presidential elections.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Should a Company Retaliate Against Cyberattacks?

Organizations who consider retaliating against attackers is an on-going debate that always pops up whenever a major breach occurs such as the Sony breach and WannaCry ransomware among others. In these incidences, many called for hitting back since they seem to perceive only the technology industry has the means to go after them doing a better job than the overburdened government agencies. 

Legal Considerations

Today, organizations are not allowed to perform retaliation against the perpetrators, unleashing the so-called offensive security measures can trigger international incidences as acts of war if state actors are involved.  Actions like these invite counter-retaliation by the adversaries that will spiral out of control with devastating consequences. The Computer Fraud and Abuse Act (CFAA) in the United States and similar legislation in other nations make such actions illegal for individuals and organizations to access computer systems they do not own.

The Chief Information Security Officer and senior management should be well aware that attacking anyone in reprisal with relative impunity no longer exists.  We now face a proliferation of cyberweaponry, and it is Congress that has the constitutional authority to declare war be it kinetic or cyber.  Numerous countries have invested in offensive cyber weapons with impressive results. 

For instance, the Russians and Chinese are masters of cyber attacks, regularly penetrating critical infrastructure both public and private.  North Korea has significant cyber capabilities, as demonstrated by several Pyongyang-launched attacks that caused significant disruptions to the South Korean economy as well as orchestrating the Sony breach. Iran and their proxies launched perhaps the most striking example of the ability of a hostile government to strike at the United States military. These actors were able to penetrate into the Marine Corps and Navy intranet system via an unsecured public portal taking several months to eradicate the malware.

Companies should never consider going beyond their own network boundaries to attack perpetrators crashing their servers or by breaching and deleting the stolen data. Most cybersecurity and legal experts will advise against it, but individual lawmakers have differing opinions on the restrictiveness on current regulations.  For example, Georgia Congressman Tom Graves introduced the Active Cyber Defense Certainty Act (ACDS) that would allow victims of cyber attacks to infiltrate the perpetrators to gather intelligence to share with law enforcement and disrupt their activities. This bill is a terrible idea as it allows companies to retaliate against an adversary without government direction and it is no different from what the Russians are doing.

The Road Ahead

Currently, most security executives are concerned with trying to reduce cyberattack risks, proposals to legalize retaliation by hacking back will encourage escalating cyber conflict.  Executives with the implicit assumption that an offense is the best defense see offensive tactics different from defensive measures. However, they are the same since the tools used in a cyber attack like encryption and network monitoring bear almost no resemblance to the tools used to attack computers, such as botnets and phishing. While hackers use these tools for malicious reasons, cybersecurity professionals use them to find vulnerabilities. Legalizing hacking back would conflate those two domains and, in doing so, likely make it that much harder to distinguish between the good and bad actors.

The Chief information security officers have, for decades, played defensive security and protection. But in the world of risk management, the CISO’s role is evolving from security expert to business strategist as new technologies and threats are changing the risk landscape daily. They can no longer hide behind technology, and those who can ally security efforts with the business strategy and articulate the business justifications will be successful.

Organizations are now turning to a more holistic risk management-based approach to privacy and security, and security executives are expected to lead in these new directions. Changes in the CISO’s reporting structure is changing where several now report both to the CIO and the Chief Risk Officer or the Chief Compliance Officer. Some expect that in the future they may not report up through the CIO at all.

The shift from guardianship to governance creates tensions with legal teams concerned with decisions addressing known risks can remove plausible deniability in cases where security incidents do occur. Absolute security is not a compliance requirement where specific regulations require organizations to assess risk and document the rationale behind their responses. Most legal teams consider unaddressed risk leaves the organization open to liability in case of an incident. Addressing the legal dangers requires communication and close collaboration between the CISO’s team and the legal team to determine that risk documentation is appropriate and adequate to protect the organization.