Is it time to move away from defence-based protection of our data and IT systems and fight back against those who would use computers to compromise power, water, communication and transportation infrastructure?
It is becoming increasingly clear that there are two distinct camps when it comes to how best to address the growing cyber threats we face daily. The defenders are committed to putting up strong barriers and frustrating the attackers’ attempts to gain entry. This approach is recommended by the defenders regardless of the types of information or systems at risk. Even the banking industry subscribes to the strong defence approach. The defensive strategy has resulted in a significant business sector providing products and services of a defensive nature. These same companies also remove those invasive attackers who ultimately make it through the perimeter defenses.
A new and growing camp is calling for an attack strategy. Some recent stories give insight into this movement: from this week’s Financial Times, “UK becomes first state to admit to cyber attack capability”; from ZDNet, “Cyber defence to become cyber-attack as France gets ready to go on the offensive.”
In the United States, Congress is hearing presentations from senior security experts in support of attack and consequence. The technology now exists to identify the source of attacks and destroy them. Even individuals can arm themselves with weaponry capable of bringing down someone trying to hack them. Countries are developing cyber warriors within their armed forces. It is only a matter of time before these units engage in a cyber-arena.
Cybercrime of all types, from Web site hacking to societal infrastructure intrusion, is on the rise. In a May 23, 2014 report on recent testimony before the House Counterterrorism and Intelligence Subcommittee, FBI assistant director Joseph Demarest is quoted as stating that “the frequency and impact of cyber-attacks on our nation’s private sector and government networks have increased dramatically in the past decade and are expected to grow exponentially.” In an Aug. 18 report, the Canadian Press states that up to 56 per cent of Canadian businesses are victims of cybercrime. And in an earlier 2012 story, U.S. News reported that American nuclear warhead facilities were dealing with up to 10 million attacks every day – that’s right, million.
So who has it right? Defensive proponents present their case based on past practice and the difficulty of identifying the actual origin of a cyber attack. From an ethical perspective, they express concern over the collateral damage that would occur to innocent computer owners whose machines have been compromised by cyber criminals. They are also concerned about escalation resulting from an engagement model. Attack proponents link their argument to the approach currently taken against criminality in all other areas of society. They also argue that the technology necessary to pinpoint the source of an attack is improving rapidly. Furthermore, they point to the move by major countries to develop cyber warfare units within their military. They strongly argue that the current defensive approach is failing us and that the risk is becoming greater as we consolidate huge amounts of data on computer systems and link them through big data initiatives.
There is growing concern over the security of our critical personal and government information. We regularly hear of criminals in all areas other than cybercrime being caught and punished. In the not too distant future I expect this will lead to a growth in frustration that will drive the attack agenda. Whatever approach finally rules the day, you know that the debate will continue.
I invite you to scroll down to the comments section and share your thoughts and comments on defense vs offense as a security strategy.