The suggestion that the UK should take a much more active approach to cyber security – essentially meaning we should strike first at potential cyber criminals – is a complex issue but one that should be taken seriously, according to security firm Sophos.
Earlier this year a report by the Intelligence and Security Committee said that current measures in place are at an "early stage" and give the UK’s enemies an advantage.
"Twenty months into the National Cyber Security Programme, there appears to have been some progress on developing cyber capabilities," the report, released in July 2012, said. "However, cyber security is a fast-paced field and delays in developing our capabilities give our enemies the advantage. We are therefore concerned that much of the work to protect UK interests in cyberspace is still at an early stage."
One of the suggestions was to strike first at potential cyber criminals, taking them out of action before they have a chance to launch a cyber attack against UK businesses or critical infrastructure.
While the idea was criticised at the time, James Lyne, Sophos director of technology strategy, has told CBR that it should not be ruled out.
"It’s a very complex issue," Lyne told CBR. "I definitely think we should evaluate and assess going down that line rather than being purely defensive, as the industry has been for a long time. We should think about it because threats we’re seeing at the moment are increasingly and at the moment the odds of getting caught as a cyber criminal are very low. It’s very much a case of crime does pay."
"Being offensive could enable us to get much closer to actually finding these people, stopping them and putting them in jail," Lyne added.
However, Lyne also issued a word of warning. "There are legal, ethical, moral and technical questions about how far you should go. I think we should go some of the way. I wouldn’t leave it alone altogether but I think we need to very cautiously draw those boundaries," he said.
For example, it would be possible to play the cyber criminals at their own game by using the same exploit kits to plant malware on their machines that could reveal details about them.
"It’s definitely not legal; there is potential for collateral damage and you are aiding and abetting the distribution of malware," Lyne said. "But you could potentially put your finger on a malware author responsible for significant sums of malicious code and a significant amount of damage."
"Maybe that’s a good thing. I don’t have the answer but I think we should investigate the issue. But we need specifics and very tight boundaries legally, ethically and morally," he concluded.
At the time of the Committee’s report, the security industry reacted rather negatively, with experts suggesting it could backfire on UK authorities.
According to Paul Davis, director of Europe at FireEye, pre-emptive action risks "an unnecessary cyber war from escalating as a result of knee-jerk actions against supposed hackers."
Ross Brewer, managing director and vice president, international markets, LogRhythm, agreed: "While it’s clear that cyber war seems likely, pushing for the active disruption of ‘enemy’ networks may be a step too far."
"Rather than engaging in such antagonistic pre-emptive cyber attacks – which would no doubt only incite more damaging and sophisticated attacks on the UK’s cyber infrastructure – the move to an ‘active defence’ system simply requires truly proactive protection of Britain’s own networks," he added at the time.