The hard truth is that perfect cyber security is a myth, and the current situation favors a more offensive approach than a defensive one. Increasingly, both the armed forces and businesses are practicing the concept of “active defense,” a military term that refers to efforts to thwart an attack by attacking the attackers. However popular it has become, active defense—divorced from a corresponding strategic understanding—is an alarming trend.
Three strategic elements are needed in order to succeed in the current cyber security reality. First, you have to build as preventive of a defense as possible, based on the security level needed for your activities. In many cases basic protections are enough. According to Verizon, more than 95 percent of intrusions succeed because the infiltrating defense is too weak and overly straightforward. Too many networks have poor cyber defense and some lack even the most basic protection. However, in more demanding security environments, e.g. critical infrastructure, a very high level of security level is needed, and there must be a sound understanding of the required defensive performance.
Second, despite your best defensive efforts, intrusions will occur in cyberspace, so you must have resilience. That is the ability to withstand attacks and failures, to mitigate potential damage, and to recover quickly. You have to be prepared for the “world of bytes” to not always work satisfactorily, and for both intentional and unintentional disruptions.
Third, you need offense. This means you must possess an offensive mindset in order to locate vulnerabilities in your defense, to train your personnel in the right way, and to improve your resilience. Passive “bunker mentality” defense is no longer a successful option in the dynamic cyberspace environment. In order to find vulnerabilities it can even be useful to hire outside help to try to hack your own systems.
Military officials now openly say they are developing offensive cyber capabilities. If a military organization wants to be a strong and credible player, it must possess offensive cyber capabilities and announce them publicly as an essential component of deterrence.
Additionally, there has been extensive discussion about the concept of active defense, which means not just defending your systems and information, but also striking back – sometimes even with a preemptive strike. However, this aggressive trend is worrisome. Nation states in particular are growing more aggressive in their actions and rapidly developing more and more sophisticated – and destructive – offensive cyber capabilities. The era of the Code War is upon us and the cyber arms race is on. “Cyber” has become the “fifth domain of warfare.” In the future, the world’s cyber forces will take even more aggressive stances.
But it is not only nation states that are using active defense. Preventing attacks against corporate networks is increasingly difficult, and attackers currently have a strategic and tactical advantage. This is causing companies to become more aggressive and fight back against cybercriminals and cyber espionage attempts. Companies are frustrated by their inability to stop sophisticated hacking attacks, so some companies have started to take retaliatory action.
Active defense is becoming a common course of action in cyber security beyond governments and the armed forces. An offensive mindset is needed in the corporate sphere in order to build a strong defense, but it is alarming when companies start to actively use strike-back technology. Some companies are already hiring outside contractors to hack back to assailants. One very controversial trend is the prevalence of firms that offer offensive cyber services and are contracted to retaliate against hackers.
One of the reasons why companies conduct active defense is to create a deterrent. Companies want to show attackers that they are both capable and willing to fight back if they are attacked. The attribution of cyber attacks is still a problem, thus companies are starting to use different tactics in order to reveal information about their intruders.
The offensive use of cyber security capabilities leads to many questions, such as where the dividing line is between defense and attack given the intrusive tracking and testing tools used by network forensic scientists. The moral and legal issues involved include whether it is right to launch a counterattack to identify an attacker, if not to stop an attack. Despite these still unanswered questions, existing laws lack the capability to regulate key aspects of active defense.
A more comprehensive question concerns our general mindset of how we should behave in cyberspace. It seems that, even though we are incredibly dependent on the digital world of bits and bytes, cyberspace is a kind of new “Wild West” where everyone is doing more or less what they want.
We cannot solely focus on increasing offensive activities in cyberspace. Fighting fire with fire will lead us to a dangerous future. As has been the case many times in the history of the physical world, offensive actions can quickly lead to greater problems. The danger of escalation is always present. In today’s digitally interconnected world there is also a huge potential for unpredictable side effects and collateral damage from aggressive actions.
Strategic cyber understanding is essential. Unfortunately, cyber security issues today are primarily thought of as technical questions and considered from a technology-first point of view. Only a strategic approach can enable societies and companies to gain the advantage over cyber attackers. At both the state level and in the boardroom we need to ask the crucial question: Why? Decision-makers need to understand why cyber security is needed, what characterizes the threat landscape, what the real risks from cyber attacks are, what offensive capabilities are appropriate, and what level of cyber security is required for a successful and resilient system. Only by thinking strategically can we make the right operational decisions and create the best technical solutions.
As the security industry continues to create technological solutions without clear strategic goals, we are wasting resources and failing our organizations and our people. Until decision-makers understand the strategic requirements for building resilient defense systems, we are likely to experience escalation, resulting in damage to livelihoods and lives, from the excesses of active defense.