The NSA program dubbed MonsterMind is dangerous in that it would enable automated retaliation against machines that launch cyber attacks with no human intervention, meaning that such counterattacks could hit innocent parties.
MonsterMind came to light through a Wired magazine interview with former NSA sysadmin Edward Snowden, who stole and publicly released thousands of NSA documents.
The problem with any such retaliation, automated or otherwise, is the collateral damage it could cause by striking at the apparent source and instead hitting machines that had been compromised and used by the attackers, says security expert Bruce Schneier. He was speaking at the recent Black Hat 2014 conference, before the Wired story broke, but he addressed the same issue.
"It's too easy to get it wrong and to go after innocents," he says, especially since attackers commonly mask their location by working through unwitting proxies. And, he says, it's often difficult or impossible to determine conclusively whether the traceable source is the actual source.
Despite the risks involved, he says the practice is becoming more common, which he calls a dangerous trend, although he didn't cite specific cases of strike-back going awry.
A more measured approach, in which forensic investigation establishes with confidence where attacks originate before any action is taken, is the right way to go, he says. "Vigilante justice tends not to work well," he says.
More important for attacked organizations is responding quickly to minimize damage. Forget about keeping attackers off your networks; concentrate on what you're going to do about it once the networks are breached, Schneier says.
"In general the attacker with more resources [than the victim] is going to get in," he says. "It's a matter of containing some of the damage."
The trick is formulating a response quickly and executing effectively while automating as much as possible in order to reduce the risk of human error, he says.
More than with other security activities, incident response requires more human intervention, so it's important to develop effective incident response tools to help out. "People are our biggest security problem," he says, "but you can't fully automate response. You can't cut people from the loop."