Security product uses military doctrine to hurt hackers

Symbiot, a Texas-based security company, plans to release a corporate defence system that fights back against distributed denial-of-service and hacker attacks by launching counterstrikes.Security experts are expressing alarm at the company's plans for the product, set for release at month's end.

Symbiot, a Texas-based security company, plans to release a corporate defence system that fights back against distributed denial-of-service and hacker attacks by launching counterstrikes.

Security experts are expressing alarm at the company's plans for the product, set for release at month's end.

Mike Erwin, Symbiot's president, and Paco Nathan, its chief scientist, are preparing for the release by posting a set of "rules of engagement for information warfare" on the company's Web site. They say such rules should be part of corporate security policy to help companies determine their exact response to an incoming attack.

"Until today, security solutions have been totally passive in nature. Merely erecting defensive walls around the perimeter of an enterprise network is not an adequate deterrent," said Erwin, who asserts that offensive tactics must be part of a complete defense.

Symbiot, located in Austin, said it bases its theory on the military doctrine of "necessity and proportionality," which means that the response to an attack is proportionate to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" to launching a distributed denial-of-service (DDoS) "counterstrike."

Security experts, however, see problems in such a strategy.

Graham Titterington, principal analyst at Ovum, said "such a counterattack would not be regarded as self-defence and would therefore be an attack. It would be illegal in those jurisdictions where an antihacking law is in place."

He added that because many hacking and DDoS attacks are launched from hijacked computers, the system unlikely find its real target. "Attacks are often launched from a site that has been hijacked, making it an unwitting and innocent--although possibly slightly negligent---party," Titterington said.

Richard Starnes, director of incident response at Cable & Wireless, said he would not employ an "active defense technique," because there are legal and ethical issues involved. He also said he would not be happy about any product "specifically designed to launch attacks" being put into commercial production.

Starnes said it would be easy to hit the wrong target. And even if it were the right target, there could be collateral damage. "You may be taking out grandma's computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up," Starnes said. "The attack could also knock over a point of presence, so you are not only attacking the target but also the feeds before them--this means taking out (Internet service providers), businesses and home users."

Jay Heiser, chief analyst at information technology risk management company TruSecure, said he expects the product to have an "emotional appeal," which, he says, is "a very bad criterion for choosing risk-reduction measures."

"There is no evidence that this is the most effective way to deal with the problems, and there is quite a bit of historical precedence that indicates it is totally counterproductive," Heiser added.

Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on technology-related law. Joel Reidenberg, professor of law at New York-based Fordham University, said denial-of-service attacks and packet-blocking technology will likely be used by nation-states to enforce their laws. This could even include attacks on companies based in other countries, he said.