Summary: The US government appears to assume that — as with nuclear war — “the best defense is a strong offense.” Cybersecurity expert Emilio Iasiello asks if this makes sense with cybersecurity, given the difficulty of identifying the attacker (attribution) and striking back at them (often amorphous non-state actors).
By Emilio Iasiello
Posted at Dead Drop (of the LookingGlass Cyber Threat Intelligence Group)
2 December 2015. Posted with his gracious permission.
The volume of cyber incidents that have impacted the United States has caused more than just economic damage; it has become so mainstream that it is now a daily reality and an accepted course of action. A recent article posed the question of whether advanced persistent threat activity – a sloppy term that refers to suspected nation state or nation state-sponsored cyber operations – has become the new normal. The sheer volume and magnitude of cyber espionage activity attributed to these groups has escalated to such a degree that it is ceasing to instill the same concern as it did just a few years earlier.
The problem is that the frequency of these events, the escalating damages and data stolen, and the lack of any real consequences for the perpetrators are causing calls to improve cyber security procedures to fall on deaf ears.
Instead of focusing on actually improving security, which means having dedicated professionals engaged in daily activities of mitigating cyber threats, we seek to develop advanced cyber weaponry and build a cadre of “cyber warriors” to take care of the bad guys. There seems to be growing support for this hacking-back approach as part of a cyber war pre-emption plan to bolster our cyber defenses. The idea is that while it is generally believed that the United States has advanced cyber weapons, until they are actually deployed, their deterrence value won’t be realized. In other words, when a bully sees how hard we punch, he may move on to someone else.
However, such an approach, while aspirational, is actually limited. The diverse threat actor landscape consists of various levels and numbers of state and non-state actors. And while it may make sense on a political level to go after those individuals who conduct high-profile attacks that steal millions of dollars or put millions of personally identifiable data records at risk, improved cyber weaponry at the national level cannot be leveraged by most organizations and individuals.