IDG's Network World Special Report: Counterattack - Vigilante Companies
Strike Back at Hackers
(Business Wire; 01/12/99)
FRAMINGHAM, MASS. (Jan. 12) BUSINESS WIRE -Jan. 12, 1999--

A new breed of corporate vigilantes is emerging in the war to fight hackers,
according to a Special Report in this week's edition of Network World, the
nation's leading newsweekly for enterprise network computing. These new
vigilantes are not simply protecting their corporate networks from hackers; they
are striking back with methods ranging from sending nasty E-mail messages
warning of prosecution to physical violence with baseball bats. 

Vigilantism is growing because of increasing frustration with law enforcement
officials viewed as simply not up to snuff, said Winn Schwartau, a popular
author, security expert and author of the Network World report.  Schwartau also
recently released a survey on corporate vigilantism

"A surprising number of executives are saying that they may be left no choice
but to take the law into their own hands," said Schwartau, chief operating
officer of The Security Experts, a global security consulting firm, and
president of "The question really is: when law enforcement isn't up
to the task; when cops refuse to cooperate or assist victims of computer crime;
when the technical skills of the attacker and the victim are superior to the
police: what is a company supposed to do? Can they, or should they, take the law
into their own hands to protect themselves?"  Some clearly are. 

A senior security manager at one of the nation's largest financial institutions,
Lou Cipher (a pseudonym), told Network World that law enforcement can't be
trusted to thwart hacker attacks, so he and his colleagues are on their own and
will protect themselves. 

Cipher told Network World that his group has management approval to do "whatever
it takes" to protect his firm's corporate network. "We have actually gotten on a
plane and visited the physical location where the attacks began.  We've broken
in, stolen the computers and left a note: `See how it feels?'"  Cipher said in
the article. On one occasion, he continued, "We had to resort to baseball bats.
That's what these punks will understand. Then word gets around, and we're left
alone. That's all we want, to be left alone. We have the right to self-help -
and yes, it's vigilantism. We are drawing a line in the sand, and if any of
these dweebs cross it, we are going to protect ourselves." 

Schwartau interviewed dozens of companies for the Network World report, and
although many said they are seriously considering implementing "strike-back" 
capabilities, most would not confirm that the measures are already in place. 

[Yet he is willing to report that they ARE in place, when the
companies would not confirm it..]

"I'm sure most companies would rather be sticking to their knitting and taking
care of business rather than becoming vigilantes in the fight against hackers,"
said Paul Desmond, features editor at Network World. "So to me this story
illustrates that law enforcement needs to dedicate far more resources to
fighting cybercrime, in keeping with the growth of technology in the economy
overall. For user organizations, it's a Catch-22: do you risk the business or
risk getting caught trying to protect the business?" 

Companies are using many tactics to fight hackers, ranging from legally
collecting data to identify hackers and then writing nasty E-mail messages
warning of prosecution, to illegally sending hostile Java applets and using
tools to crash the offending hackers' browsers. Network World found two cases of
even more aggressive vigilantism, where physical violence was used. 

[Of course they will not back this claim...]

"Offensive information warfare is not a good thing ... period," Joseph Broghamer,
information assurance lead for the U.S. Navy's Office of the Chief Information
Officer, told Network World. "You want to block, not punish. There is no
technical reason to react offensively to a hacker attack." And law enforcement
officials - at least publicly, anyway - go further: "If companies take any of
these proactive defensive steps, they are taking a big chance, subject to
criminal prosecution," Lt. Chris Malinowski of the New York Police Department
told Network World. When not speaking for attribution, however, law enforcement
officials say they can't handle the problem of hackers, according to Schwartau. 

"Vigilantism really all comes down to a lack of national policy to recognize the
threat," said Schwartau. "We've been telling Congress and lawmakers since 1990,
and most of them still don't get it. Law enforcement is so far behind the curve,
I wonder if they will ever catch up. Good luck to us all."