How ethical are private investigation firms?

by CXOtoday News Desk    Nov 01, 2013


Mounting cases of cyber attacks are stirring up a debate about how best to combat cyber-offenders. One emerging school of thought maintains that companies ought to be allowed to guard themselves more forcefully by “hacking back” - to engage private investigation firms to track down and deal with intruders on the companies’ behalf.

However, there is a great possibility that encouraging digital vigilantes will only make the chaos worse. Letting companies employ hired guns to retaliate against cyber criminals is a sure-shot recipe for pandemonium. The role of private investigative firms, therefore, becomes critical.

On condition of anonymity, an online investigator conceded that companies have taken actions that violate laws in the country, such as hacking into the perceived assailant’s own systems to salvage data and leave Trojan horses of their own.

“The underlying idea is revenge, which arguably justifies these actions. This is a clear-cut case of security through absurdity, where two wrongs supposedly make a right. We are getting to a point where it is just back and forth retaliatory hacking of each other. The chances for escalation and collateral damage increase in this never-ending game,” the investigator said.

These investigative firms provide clients with a menu of active responses that, in most cases, border on the unethical. Is there any authorisation for proactive private-entity attacks? If so, what are the guidelines? And are the private investigative firms adhering to them?

One of the widely publicised investigative and management services based out of Mumbai is Chetan Dalal Investigation and Management Services (CDIMS), which openly highlights hacking and Trojan horses among its areas of service. Interestingly, one of its directors, K K Mookhey, is the founder of the Institute of Information Security that runs hacking courses. It is a thought-provoking combination, as providing investigative services with a rich background in the tools of hacking would be most convenient. Whether there is anything wrong in what the agency does is subject to research and investigation.

Not just CDIMS, but other agencies have also been known to employ contentious tools and techniques, such as ‘software for data extraction analysis’ and ‘audit investigation software’. The lack of a central monitoring system is one of the biggest loopholes that can easily be exploited for nefarious purposes.

Greater clarity is needed about exactly what digital tools can be used to combat hackers. The goal should be to make cyberspace more stable and secure. An industry expert said companies should focus a lot more on defense and actual cyber-security, and not just offense and attacks, which is what they are doing most of the time.

One of the primary roles of government is to protect people’s lives and property. If incidents of cyber crime are rampant, then the government has an obligation to stop them. It should not leave it up to private investigative agencies to do the job for the aggrieved parties. The majority of this ‘hacking’ is accessing inadequately secured infrastructure. Some believe it makes sense to pass a law requiring companies to implement decent security.