This post is meant to be overly controversial, but it’s also meant to make people think. Please take that for what it’s worth. My most recent publisher said that I shouldn’t make excuses before I say something, but in this case, I think it’s warranted because it’s a little out there, but I also think it’s a topic worth discussing. Please bear with me.
Looking back in American history, there have been a few significant military losses in recent years. We could easily call Korea a loss, and Vietnam was the worst “police action” in American history. Afghanistan is a toss-up, and only time will tell. However, I think there is a perception that there is no way the United States could ever have won those wars. That’s just not true.
The United States has a wide variety of unconventional weapon options and military tactics that it never used. For instance, we never ventured north of a certain line in Vietnam, but only for political reasons. We also never used nuclear or non-nuclear WMDs. The United States’ stockpile of biological, radiological and chemical weapons is unrivaled by any country it has gone to war with since WWII. But it never chose to unleash those weapons or pursue those tactics, and ultimately the US lost. More interestingly, the US chose to lose.
I think this analogy speaks nicely to a computer security problem, and to crime in general. There is a set of options that we as computer security practitioners have at our disposal, but we have chosen not to use them. I would say that in well over three quarters of the attacks that I am aware of, it is trivial to find the person who is responsible for them. Sure, that could change, and yes, it’s easy to frame people for crimes they did not commit, but for the moment let’s just pretend that statistic is valid.
There are two ends of the spectrum of punishment. On one end we have capital punishment - the ultimate result. It’s pretty much a guarantee that their life of crime is concluded upon their death (barring time delay attacks which are incredibly rare). Most people don’t believe in capital punishment for any purpose other than extreme cases and still I would say there is no clear consensus about when it should be used. However, there is no debate about the finality and clear effects of capital punishment.
On the other end of the extreme we can do absolutely nothing, or worse yet, reward the attacker for their actions in some way. I would argue that more often than not the second is the option we as a security community take. When we are aware of a problem we either do nothing at all because we believe it won’t actually work against our systems, or we block the attackers, under the false premise that that will stop them. In reality it only makes them stronger because they now know how our defenses work, which they can either try to circumvent later or use as knowledge against other targets elsewhere.
Only in the most extreme cases do we actually bother to track down, locate, arrest and prosecute attackers. And even then the penalties are usually only a few years in jail. Most experts believe that jail is not an effective environment for rehabilitation. While it’s admittedly unclear what the effect is on computer criminals, it’s certain that it is not an effective deterrent, given how much computer crime occurs.
Now let’s imagine for a moment that we decided capital punishment was a reasonable solution to a problem, because it was an actual deterrent. I know people who care a lot more about their life than they do about jail time, so it’s not an unrealistic assumption. Let’s take a small slice of computer crime that’s considered by almost everyone to be a minimal offense but also highly annoying - spam.
A few years ago a spammer was killed with a hammer. Now let’s say whether by vigilante justice or state sponsorship, once a week a spammer was killed in the same way, as a symbol to all other spammers everywhere - keep it up and you’re going to end up like this. It’s a terrible fiction I’m spinning here, I know, but I honestly believe it would reduce the amount of spam far more than the amount that was generated by the deceased spammers alone. It would actually have the effect most punishment is designed to have - it would be a deterrent. Although, admittedly it’s gruesome and unrealistic.
So on one end of the spectrum we have nothing, which is what we are primarily doing now, and on the other a punishment that outweighs the crime. (Technically, we actually are doing something - we are making the attack less profitable by reducing the amount of spam that gets through, but we are a long way from succeeding, unfortunately.) In the same way that the US wasn’t about to start using thermonuclear weapons in Vietnam and Korea, and most likely won’t in Afghanistan either, we as a society aren’t going to start killing spammers at whatever rate would be necessary to act as a proper deterrent. Now I told you all of that so that I could get to the real meat of the matter. What is the proper proportionate response to computer crime that would act as a deterrent?
There was an interesting section of a book (the title is escaping me as I write this) that described things that were off limits in a pen test. Things like rubber hose cryptanalysis are apparently not allowed during a pen test (although if anyone wants me to beat them up to see if I can get their password out of them, just let me know - I’ll give you a discount too). It’s funny but it’s also true. In the real world that is an option, just not one that many people use.
So the things that are typically off the table, that we don’t even talk about as real options, are things like kidnapping loved ones, extortion, torture, and of course capital punishment. While these are all real options, we have tied our own hands and said we aren’t allowed to use them. We also take other options off the table, like hacking back into the people who hack into us, DoSing them and so on. We aren’t even allowed to fight back! So the real heart of the matter is: what is the right response to a packet bound for your network that intends to do you harm? Should we keep ignoring it, or should we instead track the originator to the ends of the planet and enact a gruesome deterrent for the greater good of all humanity?
No, put your gun down, I’m not saying we should go on a spammer killing spree, although I’d be plenty happy to use my rubber hose on them every once in a while. Perhaps instead of killing people we should make it a priority to actually pursue attackers instead of defending ourselves in a purely reactive manner. My friend Mike Rothman is fond of saying “REACT FASTER”, but maybe reacting isn’t enough. Maybe we as a society are missing the most important dimension of this whole thing by focusing on reacting instead of going on the offensive.
We actually pursue shoplifters and put them in handcuffs, even though the monetary loss from shoplifting can pale in comparison to what a computer criminal can cause. Shoplifting is a relatively petty crime too, yet the consequences are severe compared to the crime itself, and with the wide proliferation of modern loss prevention technology most people don’t shoplift. Maybe if more people all over the world were actually forced to face the consequences of their computer crimes, it would have the effect the laws were intended to have - which is to limit the breadth and scale of the crime itself.
Until something like that happens, I find it difficult to believe we will ever see a real decline in computer crime. I know one thing for certain - what we’re doing now isn’t working.