As is the case with most aspects of business these days, the first issue is cost. If a company doesn’t already have a lot of “black hatters” on staff, it’s either going to have to hire some or outsource the jobs. I intend no offense to people (like my brother) in the security-for-hire business, but I have my doubts about this kind of contracting. Machiavelli described consultants like this:
“Disunited, ambitious, without discipline, unfaithful; gallant among friends, vile among enemies; no fear of God, no faith with men; and one defers ruin insofar as one defers the attack; and in peace you are despoiled by them, in war by the enemy.”
He was referring specifically to mercenaries, but I think the rule holds true.
While contract law has come a long way since Niccolo’s day, such a scenario is akin to giving someone with a profit motive a “send me to jail free” card. Best case scenario there? A major expose by the press and a knock on the door by one or more law enforcement agencies.
And if a company had to do this work in house, would it really be prepared to build its own war machine?
“Designing, implementing and launching a successful cyberattack against a high value target (i.e. not Grandma’s home computer) is a non-trivial task, requiring months or years of effort by highly specialized talent,” according to Nate Kube, founder and CTO of Wurldtech Security Technologies.
If you believe offense is the best defense then these sort of attacks would be an ongoing expense.
Now let’s assume such an attack is successful. A company would have to be absolutely dead-certain it has the right source of the attack. (Or it would have to be run by sociopaths who really don’t care about anyone else.) Spoofing, masquerading and multi-national server hopping make it very easy for the innocent to appear guilty.
Even if a company could somehow get all that right (and it doesn’t turn out that it’s going up against the Russian or Chinese governments) it would have to be ready for an attack to boomerang.
“Containment of an attack is next to impossible,” says Kube. “More commonly either the attack gets into the wild accidentally and damages the originator too like Stuxnet did; or a target discovers the attack and repurposes it for its own use, as has happened with Flame.”
So the worst outcome may be if a counter-attack effort succeeds.
Finally and probably most importantly I don’t believe this happens a lot (if at all) because it’s impossible to see what the company gets out of it. Revenge is a powerful motive but good luck selling it to the CFO. War gets a lousy ROI. That’s why we leave it up to governments.