Q: Is cybersecurity more like football, where offense and defense alternate, or like soccer or hockey, where pretty much both occur simultaneously?
A: Neither. Cybersecurity is like protecting your house from criminals or the weather – there is no offense.
This week, Sherry Ramsay, director of NSA’s Threat Operation Center, spoke at an AFCEA conference:
She related that while discussing cyber defense with her counterparts in New Zealand, she described the change in tactics as the difference between playing football and playing soccer. While the former involves offensive and defensive teams taking the field separately, the latter calls on offensive players to go on the defense as soon as possession of the ball changes sides. The New Zealanders agreed that a change has taken place but said that cyber defense today more resembles rugby.
There are two major problems with this analogy:
- For private industry, there is no cyber-offense. We are always goalies, never forwards or blindside winger scrummie flybacks, or whatever they are called in rugby. Only government agencies will ever be in the business of cyber offense.
- While knowledge of threats is definitely a key component to cybersecurity, those who are good at developing threats are invariably not the best at defining the best defense against threats.
Back in the Internet bubble years, the old version of this was “shouldn’t we hire hackers to be our CISOs, since they know the threats the best?” Um, no – that was a dumb idea then and it is a dumb idea now. I can break my PC very easily – but if you hire me to run your desktop operations to keep all your 5,000 PCs running you are an idiot. It would be like hiring a demolition derby driver to run an automotive repair shop.
At the government level, there is a bigger issue of mingling national intelligence and defense agencies (who have been doing cyber offense for years, but have not been doing a bang-up job in protecting their own unclassified networks) in domestic affairs. We saw the downside of doing this back in the Nixon days – which caused an overreaction to handcuff the intelligence agencies too much in the long run.
There is a reason why we don’t use the Department of Defense or NSA or the CIA to prevent crime. They aren’t good at it, and the long term consequences would be worse than the impact of the ongoing crime.
There is definitely a need for threat information flow from those who are creating them to those who are protecting against them – but mingling the two will lead to loss of capabilities in both areas.

John Pescatore
7 responses so far
1 Stiennon December 7, 2009 at 12:17 am
I remember visiting Entrust’s offices in Ottawa back when you worked there John. My guide walked me down a hallway. In a hushed voice he said: “Over here is our team of cryptographers. And on the other side our cryptanalysts.” Same thing. Defender versus attacker. Two different minds.
2 William Hugh Murray, CISSP December 7, 2009 at 11:18 am
I love it. Not only do I agree with the premise but I love the examples and analogies.
3 Free (Sort of) Intrusion Detection (Sort of) For the States! December 17, 2009 at 8:05 am
[...] cybersecurity offense and defense is always a bad idea. Repeating from an earlier post: … while CNCI has some good points (like reducing the number [...]
4 Larry Dietz December 22, 2009 at 1:26 pm
John – a well argued technology point – but let’s not forget about legal offense and defense. If the organization intends to pursue civil remedies against the perp that would be legal offense. Legal defense might include working with law enforcement to maximize organizational goals and optimize the amount of time and resources working with law enforcement.
5 John Pescatore December 22, 2009 at 2:09 pm
Oh, you lawyers!
I think what you describe is more incident response than offense. The real issue is those that are good at developing threats are generally not good at developing defenses against those threats *and* that enterprises will never need to develop threats.
I guess the analogy would be that criminals don’t make the best lawyers but I can see that opens up a wide range of lawyer jokes…
6 DHS Takes Steps In The Right Direction February 3, 2010 at 7:54 am
[...] idea. This is why trying to mix cyber-offense and cyber-defense on the government side is such a bad idea. Information ownership is power, especially when it comes to justifying next year’s budget [...]
7 Tony Smit June 19, 2010 at 7:13 pm
For cyberoffense to be effective, you have to know your target. The problem for most businesses and consumers is that the criminals keep moving around. And many operate behind a wall of botnets. So most cannot afford to go “on the offensive” anyway.
I think what others mean about cyber offense resembling:
- Football (American): how a cyber attack drops off after an initial rush, which gives the defender some time to analyze the attack and prepare blocking.
- Soccer: how a cyber attack penetrates a business’s computer and then the business rapidly attempts to penetrate the cyber attack to thwart it.
- Rugby: after a cyber attack the business attacks back attempting to disable parts of the botnet that originated the attack. If a computer has been compromised (unknowingly to the owner) by criminals, it can be compromised again (unknowingly to the owner) by the victims.
Since criminals often front their operations with legitimate businesses, like using laundromats to launder money, a legitimate business might also be the vector for cyber attacks (such as malware propagation or DDOS attacks) while appearing itself to be the victim of a criminal offense.
So if your computer ever starts running really slow, you might be in a war between criminal elements, botnet versus botnet, Spy vs Spy !
I just had to enter a comment after seeing the Captcha was
“daunted another”