
Playing cyber defense is not enough to win

Kacy Zurkus | Dec. 8, 2016
Sometimes offensive attacks are a necessary part of the game.

While the San Francisco 49ers are leading the NFL in defense, the New Orleans Saints currently hold the number one slot for total offense. In the overall league rankings, though, neither of those two teams ranks in the top 10.

What's the takeaway? Winning isn't strictly about strong offense or impenetrable defense. NFL league leaders advance to the top because they know how to balance the two; they know how to play the game.

To address the growing number of attacks on US government and private sector systems, President-elect Donald Trump's cybersecurity plan aims to "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately."

The proposition raises the question of whether the security industry needs to consider preemptive, offensive cyber attacks as the wave of the future.

Jeff Bardin, CIO of Treadstone 71, said that counterstriking is being done to some degree, though quietly. "In cybersecurity, if the team is only focused on defense, they will never be able to score. They can't win the game," said Bardin.

Those using offensive attacks do so quietly because, "The cyber laws are not clearly defined," Bardin said. "The government makes counterstrikes because they are defending the country under the laws of warfare, but they won't defend against civilian infrastructure."

Private citizens have the right to defend themselves and their homes against criminals, but "If a person tries to break into your 'cyber house', the law hasn't been clearly defined," said Bardin.

If, however, offensive attacks are viewed through a cyber/property perspective, rather than a legal perspective or even a capabilities perspective, it is reasonable to believe that offensive hacks fall within the confines of the wider idea of self defense.

In their 2011 research paper arguing for the use of active defense, "Mitigative Counterstriking: Self-defense and Deterrence in Cyberspace," Professor Jay P. Keban and Carol M. Hayes of the University of Illinois wrote, "Passive defense methods are not used consistently enough to have a perfect deterrent effect, and are all but useless against attacks utilizing zero-day exploits."

The problem with commercial offensive cyber attacks is that no private enterprise wants to talk about (or admit to using) the strategy for fear of legal liability issues. Keban and Hayes argued, "Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it."
