February 18, 2013

Offense and Defense In Cybersecurity


In sports, often the best defense is a good offense. Any Colts fan during the Peyton era understands this all too well. In sports like football, basketball, and soccer, when you’re on offense, the other team is forced to play defense. Teams can score on offense, but as a general rule, they can’t on defense.1 The whole game is different when your team is playing defense rather than offense.

Computer security experts have traditionally been “on defense” in the sense that they have spent the vast majority of their resources on passive protection measures. However, that may change. Some security experts want to do more; they want to go on offense. NPR recently covered this movement in computer security. Their story was prompted by President Obama’s State of the Union speech, which mentioned his recent executive order on the topic.

Going on ‘offense’ may seem totally reasonable on the surface. It’s hard not to fight back when your organization is under attack. Besides, computer security is asymmetrical: it’s much, much easier to attack than to defend. An attacker only needs to find a single flaw in the defense that allows them access to what they need, whereas a defender has to patch every flaw and repel every attack. Who wouldn’t want to turn those tables?

Well, actually, I wouldn’t.

I’m not alone in that opinion. Gary McGraw points out that this is essentially vigilante justice. Consider this: often defenders simply cannot be sure who attacked them. An attacker could launch their attack from other compromised systems, which might mean that a well-planned counter-attack was directed at another victim. This is the nature of vigilante justice.

Endorsing this system creates perverse incentives in the market. Imagine your company just discovered a major security flaw in a widely used piece of software. If you’re suddenly in the business of ‘offense’ you may find it worthwhile to keep that little nugget to yourself, thereby weakening anyone who doesn’t know about the flaw. This is a bad place for us to be collectively. Responsible disclosure is hard enough without adding this complexity to the mix.

Computer security is a hard problem, but this ‘solution’ makes the problem worse.

  1. In football, the defense can score, but even bad offenses typically outscore the best defenses.