ISC: Outshare or Die

Johannes Ullrich has a piece in the SANS Internet Storm Center Diary that I’m sure will provoke much discussion. In the piece, entitled “Out-Share or Die”, Ullrich posits that information security professionals must learn to collaborate and share information in order to protect their environments from attackers. The article has many parts, some I agree with and some I don’t. In this post I comment on a single sentence that sparked some thought.
Ullrich quotes Clausewitz, in his book “On War”, as saying “Defense is the stronger form of waging war”. Not having read Clausewitz, I have no idea if this is in context or not. But I can ask: is this truly analogous to information security? A war can be prevented by having a strong military and a demonstrated willingness to use it. How does that translate to information security? The Cold War was won with a peace-through-strength plan implemented by Ronald Reagan. The missile race initiated the concept of mutually assured destruction. How does that translate to information security? Intrusion Defense Systems, firewalls and anti-virus do not strike fear in the hearts of hackers the way the Strategic Defense Initiative struck fear in the hearts of America’s enemies.
Ignoring the thrill-seekers, today’s computer attackers are more like the Russian Mafia. (Wait, in many cases today’s attackers are the Russian Mafia.) They are like terrorists. They have the time and resources to keep prodding until they find an opening. They only have to win once; defense has to win every time. A strong defense deters rational people who are afraid of reprisal. In the world of computer attacks a strong defense is necessary, but bringing these people to justice will do more to deter them. This role belongs to law enforcement, and potentially to the military if it can be proved that a nation-state initiated a computer attack on our interests.

One Comment

  1. I believe both Clausewitz and Sun Tzu imagined large force on force actions.
    What we have today, in many cases, are very small, highly trained attackers going after very specific targets.
    If you were to imagine that a plane and a computer are the same thing, you can see that no amount of defense has accurately protected our aircraft from destruction. The attackers will find a way through, and you will not be able to provide sufficient defense.
    The attacks that were thwarted in the UK were not thwarted by defense, they were thwarted by offense. We were actively monitoring communication channels and links. We were infiltrating the enemy lines… We were on the offense.
    I believe strong security involves a combination of defense and offense.
    When your offense isn’t breaking into an attacker’s network, they should be breaking into your own, so they can tell you what the attacker knows.
    And then there’s misinformation (honeypots). That’s a whole other topic 🙂