General James E. "Hoss" Cartwright
"Right now we have the worst of worlds," said Cartwright. "If you want to attack me you can do it all you want, because I can't do anything about it. It's risk free, and you're willing to take almost any risk to come after me."
The US, he said, "needs to say, 'if you come after me, I'm going to find you, I'm going to do something about it.' It will be proportional, but I'm going to do something ... and if you're hiding in a third country, I'm going to tell that country you're there, if they don't stop you from doing it, I'm going to come and get you."
General Cartwright's opinion that the best cyber defense is a good offense is a throwback to his honorable career as a Marine waging war on a physical battlefield. Unfortunately, that strategy doesn't work in cyberspace. It's ironic that Dell Secureworks has come out on Cartwright's side in this debate, since Dell is heavily invested in its operations in China. Secureworks' engineers would make better use of their time by creating a way to test Dell servers for backdoors than by trying to get legal permission to attack Chinese hacker crews that they suspect are behind espionage attacks against U.S. corporations.
Calls to action are good and appropriate for a problem as serious as IP theft has become, and the frustration at the lack of effectiveness of what we're currently doing is certainly understandable. The problem is that the outlet for that frustration is being directed in a harmful, not helpful, way. Giving the green light to U.S. industries to "go after" groups that they perceive as bad actors is akin to vigilantism and could easily trigger a war that spills over into actual bombs and bullets instead of bits and bytes. Further, any Information Security outfit that believes that the problem is solely China doesn't have a clue about the nature of the environment that they're supposed to be operating in. Besides Russia and North Korea, U.S. allies like France, Germany, and Israel are benefiting from acts of cyber espionage against the U.S. too, and if they're smart about it (and they are), they'll leave evidence which implicates China. General Cartwright's calls for offensive action simply play into the hands of those States' strategies of misdirection and obfuscation.
A smarter and more effective alternative is to switch from network-centric to data-centric protective mechanisms. If you want to keep your valuable data from being stolen, you first have to start monitoring it. Threatening China or any other country is just wasting valuable time and making the person doing the threatening look ineffective.
Attribution: Vital for Offense, Irrelevant for Defense