A new breed of corporate vigilantes is emerging in the war against hackers, according to a Special Report in this week's edition of Network World, the nation's leading newsweekly for enterprise network computing. These new vigilantes are not simply protecting their corporate networks from hackers; they are striking back with methods ranging from sending nasty E-mail messages warning of prosecution to physical violence with baseball bats.
Vigilantism is growing because of increasing frustration with law enforcement officials viewed as simply not up to snuff, said Winn Schwartau, a popular author, security expert and author of the Network World report. Schwartau also recently released a survey on corporate vigilantism (http://www.infowar.com/NEW_IWC/breaking/vigsurvey/break_011299a_j.shtml).
"A surprising number of executives are saying that they may be left no choice but to take the law into their own hands," said Schwartau, chief operating officer of The Security Experts, a global security consulting firm, and president of Infowar.com. "The question really is: when law enforcement isn't up to the task; when cops refuse to cooperate or assist victims of computer crime; when the technical skills of the attacker and the victim are superior to the police: what is a company supposed to do? Can they, or should they, take the law into their own hands to protect themselves?" Some clearly are.
A senior security manager at one of the nation's largest financial institutions, Lou Cipher (a pseudonym), told Network World that law enforcement can't be trusted to thwart hacker attacks, so he and his colleagues are on their own and will protect themselves.
Cipher told Network World that his group has management approval to do "whatever it takes" to protect his firm's corporate network. "We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?'" Cipher said in the article. On one occasion, he continued, "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone. We have the right to self-help - and yes, it's vigilantism. We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves."
Schwartau interviewed dozens of companies for the Network World report, and although many said they are seriously considering implementing "strike-back" capabilities, most would not confirm that the measures are already in place.
[Yet Schwartau is willing to report that they are in place, when the companies would not confirm it.]
"I'm sure most companies would rather be sticking to their knitting and taking care of business rather than becoming vigilantes in the fight against hackers," said Paul Desmond, features editor at Network World. "So to me this story illustrates that law enforcement needs to dedicate far more resources to fighting cybercrime, in keeping with the growth of technology in the economy overall. For user organizations, it's a Catch-22: do you risk the business or risk getting caught trying to protect the business?"
Companies are using many tactics to fight hackers, ranging from legally collecting data to identify hackers and then writing nasty E-mail messages warning of prosecution, to illegally sending hostile Java applets and using tools to crash the offending hackers' browsers. Network World found two cases of even more aggressive vigilantism, where physical violence was used.
[Of course, Network World will not back this claim, only publishing what "Lou Cipher" told them without evidence.]
"Offensive information warfare is not a good thing ... period," Joseph Broghamer, information assurance lead for the U.S. Navy's Office of the Chief Information Officer, told Network World. "You want to block, not punish. There is no technical reason to react offensively to a hacker attack." And law enforcement officials - at least publicly, anyway - go further: "If companies take any of these proactive defensive steps, they are taking a big chance, subject to criminal prosecution," Lt. Chris Malinowski of the New York Police Department told Network World. When not speaking for attribution, however, law enforcement officials say they can't handle the problem of hackers, according to Schwartau.
"Vigilantism really all comes down to a lack of national policy to recognize the threat," said Schwartau. "We've been telling Congress and lawmakers since 1990, and most of them still don't get it. Law enforcement is so far behind the curve, I wonder if they will ever catch up. Good luck to us all."