Would you ever be comfortable with the government taking a direct action to address vulnerabilities in your networks?

2k views8 Comments

Board Member, Advisor, Executive Coach in Software, Self-employed
Under certain circumstances taking some level of action seems appropriate, but blocking the entity from being on the Internet would be a more appropriate action than actively hacking the system, adding and removing code. Back in my Intel days, I got a call from somebody at the Pentagon. I didn't believe who it was so I called around until I could validate the caller. They said Intel systems were attacking them because we’d had a couple systems taken over by a bot that was part of something going against the Pentagon, so they needed me to act. We were able to deal with it, and I probably would have been irritated had they just shut me off.

Another scenario occurred that did take Intel offline, and it was done by a private company. Going into earnings release one quarter, we're offline to upload certain things to the NASDAQ system. NASDAQ had basically blacklisted the Intel domain it was coming from. They took action to prevent us from doing what we needed to do. Once we sorted it out I was pretty irritated with NASDAQ, but I understood their reasons because they’d received a trigger of potential maliciousness and needed to protect the NASDAQ system. In essence, they disabled my ability to execute a business process to protect Intel.
Managing Partner & CISO in Software, 11 - 50 employees
It changes the dynamics of cybersecurity to have someone say—under color of law—we're going to access your system without your approval, or even without your knowledge. If the FBI had just blocked the domains they targeted from connecting to the internet, it would have forced the system owners to take action. They’d be like, “Our system is down. We need to respond or fix this issue.” Domains have been seized by the FBI before, it happens to sites doing some form of human trafficking, or other illegal activity, like Silk Road. The government uses the established laws to take them down.

If my fridge at home is compromised through hacking, can the Feds walk in and take it from my house? They shouldn't be able to. That seems like it would be a violation regardless of some broad subpoena. I try to translate what this would look like physically and it doesn't make sense to me.
1 3 Replies
Board Member, Advisor, Executive Coach in Software, Self-employed

If you believe the context that they attempted some reach out, then there was some potential attempt at a lockdown. I think the question becomes if somebody responded, but didn't respond timely or said no thanks.

Member Board of Directors in Finance (non-banking), 201 - 500 employees

In the case of the colonial pipeline incident, I wouldn't mind the government taking action on the pipeline owner because of the tremendous impact on the broader population. When thinking about this FBI action, we can't use examples where the impact is benign. I think it's reasonable to expect the government to say, “We expect this level of security and investment. We're holding the board of this pipeline responsible.”

Managing Partner & CISO in Software, 11 - 50 employees

These are privatized services and companies. If this were a nationally-owned pipeline it would be dramatically different, but Colonial Pipeline isn’t even publicly traded. If the government doesn't want to be so dependent the option is to nationalize these things. And we don't want nationalized critical services.

CIO in Software, 5,001 - 10,000 employees
It becomes a question of my liberties as a person or as a company. To what extent can the government tell me what to do? And can they take that action on my behalf? What rights do I have? How far is their reach, and under what circumstances does it take effect? Am I able to opt out or opt in?
3 2 Replies
Managing Partner & CISO in Software, 11 - 50 employees

Being able to opt in would have been great, but companies didn't even have a way to opt out. If somebody finds malicious intellectual property, or some errant, illegal files on any of those servers then it's easy to say, "Well, I'm not the only one who had access to this." The government could have had access to it. I think it should have been an opt in because you can't even opt out.

Board Member, Advisor, Executive Coach in Software, Self-employed

If an opt-in is the right way to do it, does it make sense that if you are causing harm or have a high potential to cause harm for others, you either opt in to the government taking you offline, or you're liable for the harm that you might create? And if you do create harm you're billed for it. You could argue that there could be an opt-in to just be on the Internet.

Content you might like


Yes, but third & Nth parties are still a concern39%



Don't know1%



API security is our top priority8%

Very high48%




API security is not at all a priority for us1%



CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
47k views133 Upvotes324 Comments

Community User in Software, 11 - 50 employees

organized a virtual escape room via https://www.puzzlebreak.us/ - even though his team lost it was a fun subtitue for just a "virtual happy hour"
Read More Comments
13.5k views27 Upvotes67 Comments