Debating the Active Response Continuum: Defining the Terms of the Debate

28 May 2013 David Dittrich active-defense active-response-continuum aggressive-network-defense hack-back

[This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.]

At the AusCERT 2013 conference, Dmitri Alperovitch called for debate about “the kinds of actions that infosec professionals are allowed to take against attackers.” I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005! (AusCERT invited me to speak on an emerging topic and I chose to speak for the first time publicly at AusCERT 2005 about the Active Response Continuum research I had been doing with funding from Cisco.) As one of the world’s foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. :)

No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)

10 Dec 2012 David Dittrich active-defense active-response-continuum counter-attack crowdstrike ethics hack-back

This is a response to a CSO Online blog post by Jeff Bardin (“Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk,” November 2012), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk”). Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than it is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined “new approach” of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate “rules of engagement,” principle-based ethical justifications of any type beyond basic “right of self-defense” arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin’s own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.