Citizens should not be surprised about the government’s approach
on this. As stated in the article, the government does not want you to
defend yourself, either with firearms or even in the cyberworld. Please
read this interesting take on defending your own businesses and networks.
Original Posting from Volokh.com
Computer Security: When Seconds Count, the FBI is Years Behind
Ellen Nakashima of the Washington Post has
another ground-breaking article on novel approaches to network defense. I’ve
blogged before about honey tokens, deceptive files that leave hackers with false data while flagging the
intrusion to defenders. Nakashima’s article suggests that their
use is growing, as other defensive techniques prove ineffective:
Brown Printing Co.,…began planting fake data in Web servers to lure
hackers into “rabbit holes” in the hopes of frustrating them
into giving up. The bait was varied — including bogus user log-ins
and passwords and phony system configuration files. Anyone who took it
was being watched by Brown, their computer locations tagged and their
“We’re taking the hackers’ strengths and we’re
making it their weaknesses,” said Nathan Hosper, a senior information
technology officer at Brown. “They get caught up in this cycle of
So far, so good. What’s sad is the FBI’s reaction, which will
be familiar to those who know how big city police departments view homeowners
who use guns to defend themselves:
U.S. officials and many security experts caution companies against taking
certain steps, such as reaching into a person’s computer to delete
stolen data or shutting down third-party servers.
Those actions probably would violate federal law, FBI officials said. The
bureau also warns that the use of deceptive tactics could backfire —
hackers who identify data as bogus may be all the more determined to target
the company trying to con them.
Actually, I’m being too kind to the FBI. If you call 911 to report
a home invasion, at least the police will send someone to your house who
is armed and ready to take on the intruder. (Whether they’ll arrive
in time is a different question, leading to the familiar saying, “When
seconds count, the police are just minutes away.”)
If you call the FBI to report a network intrusion, though, you’ll
get a stifled yawn and a request to meet with your CEO for relationship-building
purposes. Given the government’s feeble capabilities against
cyberespionage, discouraging corporate self-help is particularly irresponsible.
Not everything the bureau said was wrong. Shutting down third-party servers
probably is illegal under the Computer Fraud and Abuse Act. In contrast,
I doubt that companies are acting unlawfully when they delete
their own files from a hacker’s computer,
though I recognize that Orin Kerr has a different view, and the Justice Department may be closer to Orin than to me on this.
But I don’t know anyone who thinks that it violates federal law to
deploy honeytokens on your own network. So when FBI officials caution
that using deceptive files that way could make you more of a target, they
aren’t giving legal advice. They’re giving “leave it
to the FBI” advice, in a field where leaving it to the FBI is a
recipe for failure.
Also, I suspect they’re talking through their, uh, hats. In what
way will deploying fake files “backfire”? OK, fake files may
not work forever; the hackers may come back and look harder for the real
stuff, but is that really a reason not to deploy them?
Let’s perform a thought experiment: In option A, you don’t
use fake files, so bad guys who break into your network steal your data.
In option B, you do deploy fake files, so the bad guys steal bad data,
and you find out that you’re a target whose current security isn’t
sufficient. After that, either the bad guys are fooled by the bad data
and they waste time and money acting on it, or they figure out that it’s
bad data and they have to go back and find the real data on a system that
you’ve had time to harden. And the FBI thinks that option B is the
one that might “backfire”?
(I recognize that it’s also possible that the hackers will get mad
about being fooled and will destroy files or take other retaliatory actions
that they wouldn’t take if they got the good stuff right away. But
I’m skeptical. First, that’s a big escalation in tactics that
we haven’t seen yet from cyberspies, probably for good reason. Second,
that would be astonishing advice from a law enforcement agency, the equivalent
of: “Better let these criminals steal you blind; otherwise they
might burn down the store” or “Cooperate with hijackers so
they don’t have to kill any hostages” or “Resisting
a rapist will only get you beaten, stabbed or shot.” If that’s
the FBI’s official position on cybercrime, it means they’ve
officially given up.)