ENFORCEMENT: A RANT FROM MAD MAX
How does a CISO do his job without the ability to enforce retribution on The Bad Guys? No matter how diligent the Chief Information Security Officer, the myriad products foisted upon an organization make it impossible to plug all the holes. So why not plug the Bad Guys?
Current cybersecurity laws in the US make retribution impossible. Even paying an offshore entity to go after and punish the bad guys is problematic, as the money trail will eventually lead to the CISO's organization. Because the organization with whom the CISO contracts said retribution is in a position to blackmail its customer. Which it will eventually be forced to do as part of a plea bargain with international authorities.
My suggestion is that an "extra-legal" cyber insurance company (possibly based in a country without any formal extradition treaties) put together a…and I use this term on purpose…hit squad to wreak shit rain on cybercrooks. What kind of shit rain, you ask?
- Track down the culprits.
- Use non-lethal but remarkable physical measures, such as kneecapping in a public restaurant against the crook(s) with some signature move that can be attributed to the hit squad.
- Steal all the Bad Guy's assets as part of it's funding (possibly sharing with the country that hosts the hit team's organization.
- Destroy the homes of the criminal(s).
- Salt the earth.
- And then go after the families of the bottom dwellers in as public a fashion as possible.
Yep, this is my rant. No, it ain't ever going to happen. Alas, all I can truly do on this blog is to publicly shame companies and their vendors who make the CISO's job harder. And while I'm at it, I can shame the U.S. Congress for being dumber than a bag of hammers.