Online businesses need citizens' arrest powers: Alperovitch

Former McAfee Threat Research vice-president Dmitri Alperovitch has called for greater powers for private companies, saying that they should be allowed to make citizens' arrests and limited retaliatory action against hackers.

As a US commission debates whether companies should be allowed to retaliate against hackers , CrowdStrike co-founder and CTO Dmitri Alperovitch believes that more companies should be taking matters into their own hands with what they can already do.

Dmitri Alperovitch. Image: Michael Lee/ZDNet

Speaking at AusCERT 2013 at the Gold Coast, Queensland, the former McAfee Threat Research vice-president said that companies could use deception, misinformation, and malware to raise the bar against adversaries.

He said that when it comes to targeted attacks, adding layers of defence only delays the inevitable, since the return that hackers obtained — intellectual property that can sell for millions, if not billions — makes it worth taking the time and effort to defeat them. Worse still, Alperovitch said that defenders are losing the arms race against hackers, since defences tend to cost much more than attackers' offensive techniques and weapons.

To balance the engagement, Alperovitch said that there are a number of tools that businesses could use to throw off their attackers, even while remaining within the law. One such tool is the use of misinformation.

Alperovitch said that if, for example, Boeing were hacked, it could leave blueprints for its aircraft that would contain subtle flaws or inefficiencies that make building the aircraft a complete waste of time for the competition. Similarly, false information could be used to throw off foreign intelligence agencies that may have many more times the resources than a company, allowing them to balance the attack in their favour.

"There is nothing more impactful to an intelligence agency than not being able to trust your sources," he said.

Another tactic that companies could employ is the online equivalent of the dye pack used in banks to identify robbers. Businesses could bait attackers into infecting themselves with malware purposefully placed on their servers, disguised as company documents, he said. Such malware could then phone home or alert authorities.

"The goal of the dye pack blowing up is not to harm anyone. It is really to highlight that burglar with blue dye so they can be attributed; so that the police can catch them."

Alperovitch acknowledged that these methods could be considered to fall into a legal grey area, and called for companies to have greater powers, especially when they can see a crime occurring.

He highlighted that the online world has no equivalent concept of a citizen's arrest, where if law enforcement is not immediately available, good samaritans can detain alleged criminals with reasonable force.

"What do you want as the response from the good samaritans that are on that street [during a mugging]. That they would rush to the phone and call the police to tell them that someone just stole a wallet and stand by waiting for the police to arrive while the guy disappears?

"The concept of the private sector taking action makes total sense to us. We do this all the time."

To take this further and escape the legal grey area, Alperovitch said that legislation needs to catch up to enable the private sector to act.

"We need to have an open discussion with our policy makers about the authorities that need to be granted for the private sector — limited authorities with oversight and perhaps certifications and the rest."

On Wednesday, retired US Marine Corps Lieutenant Colonel Bill Hagestad warned that should retaliatory action be left to businesses, it could lead to the privatisation of war . He worried that providing greater powers to commercial enterprises could create "a dangerous game" that no one likes the outcome of.