Perfect cybersecurity is a myth. Defenders face an asymmetric strategic challenge. In the current environment, the concept of “active defense” has gained popularity among armed forces and some companies. Active defense is a military term that refers to efforts to thwart an attack by attacking the attackers.
Armed forces are currently openly saying that they are developing offensive cyber capabilities. The reality is that if a military organization wants to be a strong and credible player today, it must possess offensive cyber capabilities, and announce them publicly as an essential component of deterrence. There has also been extensive discussion about the concept of active defense, which means not just defending your systems and information, but also striking back—sometimes even with a preemptive strike.
The current aggressive trend in the world of cybersecurity is worrying. Nation states in particular are getting more aggressive in their actions and rapidly developing more sophisticated—and destructive—offensive cyber capabilities. The era of the Code War is upon us. The cyber arms race is on and nation states are employing the principle of active defense. In future, the world’s cyber forces will take a more aggressive stance than we have previously seen.
But not only nation states are using active defense. Preventing attacks against corporate networks is increasingly difficult and, at this time, the strategic and tactical advantage lies with the attackers. Companies are starting to be more aggressive, especially to fight back against cybercriminals and cyber espionage attempts. Companies are frustrated by their inability to stop sophisticated hacking attacks, and some companies have already started to take retaliatory action.
An offensive mindset is needed in the corporate sphere in order to build strong defense, but it is alarming when companies start to actively use strike-back technology. Some companies are already hiring outside contractors to hack back at assailants. One very controversial trend is the prevalence of firms that offer offensive cyber services, and are contracted to retaliate against hackers. Active defense is becoming a common course of action in cybersecurity beyond governments and the armed forces.
One of the reasons why companies conduct active defense is to create a deterrent. Companies want to show attackers that they are capable and willing to fight back. The attribution of cyber attacks is still a problem; thus companies are starting to use different tactics to reveal information about their intruders.
The offensive use of cybersecurity capabilities leads to many questions and consequences: Where is the dividing line between defense and attack with the intrusive tracking and testing tools used by network forensic scientists? Of course, there are also moral and legal issues involved. Is it right to launch a counterattack to identify an attacker? Existing laws lack the capability to regulate key aspects of active defense.
A more comprehensive question concerns our general mentality: How should we behave in cyberspace? At this moment it seems that even if we are incredibly dependent on the digital world of bits and bytes, cyberspace is a kind of new “Wild West” where everyone is doing more or less what they want.
We cannot solely focus on increasing offensive activities in cyberspace. Fighting fire with fire will lead us to a dangerous future. As has been the case on many occasions in the history of the physical world, offensive actions can easily lead to greater problems, and the danger of escalation is always present. In today’s digitally interconnected world there is also huge potential for unpredictable side effects and collateral damage from aggressive actions.
Strategic cyber understanding is essential. Unfortunately, today’s cybersecurity issues are primarily thought of as technical questions and considered from a technology-first point of view. Only a strategic approach can enable societies and companies to gain the advantage over cyberattackers. At state level and in the boardroom we need to ask: Why? Decision-makers need to understand why cybersecurity is needed, what characterizes the threat landscape, what the real risks are from cyberattacks, what offensive capabilities are appropriate, and what level of cybersecurity is required for a successful and resilient system. Only by thinking strategically can we make the right operational decisions and create the best technical solutions.
While the security industry and security decision makers continue to create technological solutions without clear strategic goals, we are wasting resources and failing our organizations and our people. Until decision makers have an understanding of the strategic requirements for building resilient defense systems, we are likely to experience escalation, and damage to livelihoods and lives, from the excesses of active defense.
The post Active Defense: Fighting Fire With Fire Leads to a Dangerous Future appeared first on McAfee.