Vigilantism and retaliation have a deep and undeniable appeal. The ability to right a wrong committed against you or your community, precisely proportionate (or not, as the case may be) to the damage suffered, without having to delay gratification or appeal to a higher authority, which may or may not have demonstrated itself ill-equipped or otherwise unwilling to establish or enforce justice and order. The primal satisfaction of personally exercising power over another person—another person who started it, who deserves it, no less. Few impulses are better calibrated to our animal brains than that, especially in times of danger and strife (such as that which the New York Post and Eric Adams insist New York is suffering). Hell, come November, Adams will be elected mayor of this fair city against the nominal opposition of an actual vigilante.
Unlike the streets and subways of New York, however, the Internet really is a miasma of hazard crawling with bad actors, and the legitimate authorities seem powerless to stop it (although their follow-up is better than expected) beyond placing it near the top of lists and thinking very hard about what to do about it. This has led some members of the World’s Greatest Deliberative Body to throw their hands up and say, let the victims handle this.
Sens. Steve Daines (R., Mont.) and Sheldon Whitehouse (D., R.I.) introduced a bill on June 30 that would require the U.S. Department of Homeland Security to study the risks and benefits of allowing companies to take action against hackers in the event of an attack…. “The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets,” Mr. Whitehouse said in a statement.
There is certainly something appealing about the idea of Colonial Pipeline going out there and extracting an eye or a tooth or 75 bitcoins from DarkSide and all others who might wrong it. It’s just that, much as there’s a good reason governments tend to frown on vigilantism and guard their monopolies on the legitimate use of force, and much like arming private Americans with more guns than there are people makes it much, much more likely that one will find oneself on the wrong side of one, it turns out that deputizing private companies as America’s cybersecurity police and encouraging them to build up teams of in-house counterhackers is perhaps not the best idea.
“So many things could go wrong, and very little can actually go right,” said Anup Ghosh, a former program manager at the Defense Advanced Research Projects Agency, or Darpa, part of the Defense Department.

Mr. Ghosh, now the chief executive of cybersecurity firm Fidelis Cybersecurity Inc., said that for a company, even deciding whom to counterattack is fraught with risks, given the difficulties of attributing attacks to individuals, gangs or nation-states. Introducing the private sector into the cyberwarfare arena also has national-security implications, he said, such as disrupting intelligence operations that companies might not know about….
Incomplete or inaccurate information could also lead to collateral damage at other companies, said Jacob Williams, a former Defense Department cyber analyst who is now the chief technology officer of incident-response firm BreachQuest Inc. Hackers often mask their presence by launching attacks through legitimate servers, which might be vital to other companies’ operations, he said.

“While law enforcement can easily see that a server is shared through executing a subpoena, offensive security teams have no such tool available,” he said. “Even assuming a private hosting server, should private organizations be allowed to compromise the victim again in the name of security?”
For more of the latest in litigation, regulation, deals and financial services trends, sign up for Finance Docket, a partnership between Breaking Media publications Above the Law and Dealbreaker.