My take as an attacker: it goes directly against the security 101 of "defence in depth". Sure, we only have to win once for a specific step, but then there are more steps to complete for us to reach our goal. This is the same for most occupations that I can think of anyway, no one reaches their goal with one step.
I understand that this can be taken to mean there are multiple avenues to achieve a certain objective (e.g. I can find a password on disk multiple ways), but I still wouldn't agree. Develop a defence that makes sense (e.g. MFA is a good mitigation for password theft). Detect / alert on the usage rather than the endless list of methods to retrieve a password.
It's still a "loss" from the defenders perspective even if someone can't compromise other systems. The defenders still need to assess the damage, fix the vulnerability, and verify that nothing was compromised regardless of what protections are in place.
For example, maybe the attacker is after trade secrets but compromises the CMS (content management system) of your public website. It has no connection to your intranet, but they were able to change download links and inject scripts for visitors of your website. Still a "win" as they now have a place to pivot from or just use to their liking. It gives the attacker options while your system is left weakened with less options.
I wonder if this could change if our governments' policy was to hunt would-be hackers to the ends of the earth.
(Note: I genuinely have no idea if that would be done outside of an authoritarian / autocratic regime. So I'm not remotely advocating it at this point.)
Hackers are global, though, and no matter what country you’re in, almost certainly the vast majority of hackers attempting to attack you are doing so from outside your country. Enforcing laws on a global scale is extremely difficult and almost impossible to do effectively.
You both have a point, so I would word it in a different way: if we devoted enough resources to track hackers down no matter where, could we lessen their impact? It would take a crazy amount of resources, like sending in infiltration teams into hostile countries. It is technically possible, but where is the balancing point?
What will you do when you find them? if you find one in say France, the French will deal with it and attacks stop. However most attacks are tracedto North Korea or Russia where they don't care and so you can't do anything.
> I wonder if this could change if our governments' policy was to hunt would-be hackers to the ends of the earth.
"Security" has a cost. The only question is whether the cost of security exceeds the cost of lack of security. Currently, lack of security has very little cost.
It would be easier and more effective to start putting CEOs in jail for security breaches of personal information. Suddenly the executive suite would be very interested in security and would start spending an appropriate amount of money on it.
- some hackers are state actors, and pointing the finger to North Korea won't help much
- some live in precarious conditions from the start, in areas where gov is unreliable. Even if you catch a bunch of them, it might not disuade others to try their chance if there's no other obvious jackpot to them.
- When the risk increases the reward can also increase as the barrier to entry is that much higher. You get a hacker scene with more high profile, super professional actors that will get more organized. Think "war on drug" style of underground actors building cell networks to manage their operations.
They already do something like this, but only for pirates (the computer kind). That's because Hollywood makes a credible story that illegal copying of movies loses the USA billions of dollars. It also helps they pay millions to politicians. You don't pay millions to politicians to enhance the credibility of your story that personal data theft costs the USA billions.
