> telling businesses to 'hack back' is inviting them to raise private armies
> That sort of thing does, however, fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries and with tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC right now so you will bump into plenty of them walking around Moscone.
That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around. But when it's businesses defending against state-sponsored actors in the context of an actual shooting war, that's very different.
> That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around.
That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.
To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.
What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?
Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of success will be virtually zero, meaning the corps get a license to silence you with impunity.
Most APTs companies are already dealing with are either directly state-sponsored or state-permitted, as has been seen with the Cyrillic, Simplified Chinese, and Hebrew keyboard checks that have become fairly common in offensive payloads, so the division you are making has been nonexistent for decades.
This is just a tacit admission of a practice that has been occurring under the radar for years now.
Anyway, it's actually bad if there's been a problem for years, and the way it becomes widely known is by Authority(TM) legitimizing it instead of trying to stamp it out.
Russia, China, India, Singapore, Israel, South Korea, and Japan don't cooperate on stamping out these kinds of operations. Even EU states like Italy, Czechia, Poland, Hungary, and Greece have continued to allow these kinds of organizations to operate and proliferate capabilities, so much so that the European Parliament attempted an investigation that was promptly ignored by those states because "national security" falls under national sovereignty.
When it's morals versus national security, national security always wins, and no country will leave capabilities unused in the interest of maintaining a moral high-ground.
> the way it becomes widely known
It has been widely known in the security industry for years.