To fight cyber crime, we need swords, not just shields

For three decades after the Cold War ended, Americans lived with confidence that their lives and assets were protected by the unchallenged U.S. military and the deeply established rule of law. That era is over.

We’re now engaged in asymmetrical warfare, fighting super-empowered individuals and groups that are wreaking havoc on American society from abroad.

Relentless cyberattacks over the past year have exposed the confidential personal information of at least half of all Americans; undermined faith in fundamental pillars of our democracy; and penetrated the electronic fortresses protecting some of our most highly-classified secrets.

Just as the U.S. military has overhauled its defense strategy to boost cybersecurity’s role, we need a new strategy for protecting American individuals, businesses and other organizations from cyberthreats.

Our decades-old cybersecurity model, focused almost entirely on passively blocking malicious software and spam, is broken and beyond repair. It is time to embrace a new approach: turning the tables on the attackers and making them pay. It’s called active defense.

Cybercrime’s lure of huge potential profits and relatively little risk attracts people who would rob banks if they could do it without a gun and a getaway car. Cybercriminals are rarely apprehended and brought to justice. We must increase the cost and risk to criminals by empowering businesses and other civilian organizations to fight back.

The recent Senate confirmation of Kirstjen Nielsen as secretary of Homeland Security may put a sympathetic ear at the top of our nation’s security establishment. Ms. Nielsen was a senior fellow at the Center for Cyber and Homeland Security (CCHS), which last year published an extensive report detailing how federal agencies and Congress can open a space for active defense.

“The long-term strategic response must include a cyber deterrence strategy that actually denies benefits and imposes costs,” the CCHS report said. “Imposing real costs on these criminals is crucial to removing critical talent from cybercrime circles and to deterring individuals from engaging in such crime.”

It’s an area mired in controversy, but it needn’t be. We aren’t advocating vigilantism. We need to draw a distinction between cyber-offense (often called “hacking back”) and active defense. Here’s where to draw the line: Private actors shouldn’t be allowed to destroy or disrupt the external networks, equipment or data of people they believe to be criminals.