Fighting back: Is the time for defensive IT security policy over?

Is it time to move away from defence-based protection of our data and IT systems and fight back against those who would use computers to  compromise power, water, communication and transportation infrastructure?

It is becoming increasingly clear that there are two distinct camps when it comes to how best address the growing cyber threats we face daily:  The defenders are committed to putting up strong barriers and frustrating the attackers’ attempts to gain entry.  This approach is recommended by the defenders regardless of the types of information or systems at risk. Even the banking industry subscribes to the strong defence approach. The defensive strategy has resulted in a significant business sector providing products and services of a defensive nature.  These same companies also remove those invasive attackers who ultimately make it through the perimeter defenses.

A new and growing camp is calling  for an attack strategy. Some recent stories give some insight into this movement: From this week’s Financial Times “ UK becomes first state to admit to cyber attack capability”;  From ZDNet “ Cyber defence to become cyber-attack as France gets ready to go on the offensive.”

In the United States, Congress is hearing presentations from senior security experts in support of attack and consequence.  The technology now exists to identify the source of attacks and destroy them. Even individuals can arm themselves with weaponry capable of bringing down someone trying to hack them.  Countries are developing cyber warriors within their armed forces.  It is only a matter of time before these units engage in a cyber-arena.

Cybercrime of all types, from Web site hacking to societal infrastructure intrusion, is on the rise. In a May 23, 2014 report on recent testimony before the House Counterterrorism and Intelligence Subcommittee, FBI assistant director Joseph Demarest is quoted in testimony stating that “the frequency and impact of cyber-attacks on our nation’s private sector and government networks have increased dramatically in the past decade and are expected to grow exponentially.”  In an Aug. 18 report, the Canadian Press states that up to 56 per cent of Canadian businesses are victims of cyber-crime.  And in an earlier 2012 story, U.S. News reported that American nuclear warhead facilities were dealing with up to 10 million attacks every day – that’s right million.

So who has it right?  Defensive proponents present their case based on past practice and the difficulty of identifying the actual origin of a cyber attack.  From an ethical perspective they express concern over the collateral damage that would occur to innocent computer owners whose machines have been compromised by cyber criminals.  They are also concerned about escalation resulting from an engagement model. Attack proponents link their argument to the approach currently taken against criminality in all other areas of society.  They also argue that the technology necessary to pinpoint the source of an attack is improving rapidly.  Furthermore they point to the move by major countries to develop cyber warfare units within their military.  They strongly argue that the current defensive approach is failing us and the risk is becoming greater as we consolidate huge amounts of data on computer systems and link them through big data initiatives.

There is growing concern over the security of our critical personal and government information.  We regularly hear of criminals in all areas other than cybercrime being caught and punished.  In the not too distant future I expect this will lead to a growth in frustration that will drive the attack agenda.  Whatever approach finally rules the day, you know that the debate will continue.

I invite you to scroll down to the comments section and share your thoughts and comments on defense vs offense as a security strategy.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Dave O'Leary
Dave O'Leary
Dave is a founding managing partner of REDDS Venture Investment Partners ( His career in post-secondary education included roles as CIO, Vice-President and acting President. Dave is a member of the Practitioner Board of the Association for Computing Machinery. He chairs the ACM Practitioner Board Marketing Committee and is also a second term member of the Board's Professional Development Committee. (ACM - Association for Computing Machinery--official IFIP international member representative, largest and most respected international computing science, research, education, innovation professional association well known for their AM Turing Award (Nobel of computing) with 1 million USD prize, 1.5 millions user digital library, 2 million reach, learning center, Applicative conference, Queue magazine, 200 conferences/events, 78 publications/news, 37 Special Interest Groups). He is a board director of the Global Industry Council and the immediate Past President of the Canadian Information Processing Society of British Columbia. Dave is co-founder and director of an ISV computer technology business and is currently leading and advising start ups in the USA, China, Europe, and Canada. He serves as a task force member of the Institute of Electrical and Electronics Engineers (IEEE) and is the past chair of the Canadian National Council of Deans of Information and Communications Technology. He served two terms as a director of the Canadian National Information and Communications Technology Sector Council advising on National technology and economic strategy. Dave has appeared as a panel member in a number of Microsoft webcasts and has presented globally on the business and technical impacts of technology in training. He is the recipient (2002) of the highest national award for leadership in post-secondary education.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight