Fighting fire with fire will lead us to a dangerous future

The hard truth is that perfect cyber security is a myth and the defender faces an asymmetric strategic challenge. In this reality the concept of “active defense” has become widely used in relation to armed forces and by companies. Active defense is a military term that refers to efforts to thwart an attack by attacking the attackers.

Armed forces are currently quite openly saying that they are developing offensive cyber capabilities. The reality is that, if a military organization wants to be a strong and credible player in today's military battlefield, it must possess offensive cyber capabilities, and announce them publicly as an essential component of deterrence. There has also been extensive discussion on the concept of active defense, which means not just defending your systems and information, but also striking back – sometimes even with a pre-emptive strike.

The current aggressive trend in the world of cyber security is worrying. Nation states in particular are getting more aggressive in their actions and rapidly developing more and more sophisticated – and destructive – offensive cyber capabilities. The era of the Code War is upon us. The cyber arms race is on and nation-states are employing the principle of active defense. In future, the world’s cyber forces will take a more aggressive stance than previously seen.

But it is not only nation-states that are using active defense. Preventing attacks against corporate networks is increasingly difficult and, at this time, the strategic and tactical advantage is with the attackers. So, companies are starting to be more aggressive, especially to fight back against cybercriminals and cyber espionage attempts. Companies are frustrated by their inability to stop sophisticated hacking attacks, and some companies have already started to take retaliatory action.

An offensive mindset is needed in the corporate sphere in order to build strong defense, but it is alarming when companies start to actively use strike-back technology. Some companies are already hiring outside contractors to hack back against assailants. One very controversial trend is the prevalence of firms that offer offensive cyber services, and are contracted to retaliate against hackers. Active defense is becoming a common course of action in cyber security beyond governments and the armed forces.

One of the reasons why companies conduct active defense is to create a deterrent. Companies want to show attackers that they are capable and willing to fight back – if they are being attacked. The attribution of cyber attacks is still a problem, thus companies are starting to use different tactics in order to reveal information about their intruders.

The offensive use of cyber security capabilities leads to many questions and consequences: “Where is the dividing line between defense and attack with the intrusive tracking and testing tools used by network forensic scientists?” Of course, there are also moral and legal issues involved. Is it right to launch a counter-attack to identify an attacker, if not to stop an attack? It is important to note that existing laws lack the capability to regulate key aspects of active defense.

A more comprehensive question concerns our general mentality: How should we behave in cyberspace? At this moment it seems that, even if we are incredibly dependent on the digital world of bits and bytes, cyberspace is a kind of “New Wild West” where everyone is doing more or less just what they want.

We cannot solely focus on increasing offensive activities in cyberspace. Fighting fire with fire will lead us to a dangerous future. As has been the case on many occasions in the history of the physical world, offensive actions can easily lead to great problems and the danger of escalation is always present. In today’s digitally interconnected world there is also huge potential for unpredictable side effects and collateral damage from aggressive actions.

Strategic cyber understanding is essential. Unfortunately, cyber security issues today are primarily thought of as technical questions and considered from a technology-first point of view. Only a strategic approach can enable societies and companies to gain the advantage over cyber attackers. At state level and in the boardroom we need to ask: Why? Decision-makers need to understand why cyber security is needed, what characterizes the threat landscape, what the real risks from cyber attacks are, what offensive capabilities are appropriate, and what level of cyber security is required for a successful and resilient system. Only by thinking strategically can we make the right operational decisions and create the best technical solutions.

While the security industry and security decision-makers continue to create technological solutions without clear strategic goals, we are wasting resources and failing our organizations and our people. Until decision-makers have an understanding of the strategic requirements for building resilient defense systems, we are likely to experience escalation, and damage to livelihoods and lives, from the excesses of active defense.
