NPR did a story about the idea of “Active Defense” which basically boils down to attacking the people who (may have) attacked you. (Key question: who is it that REALLY attacked you and how do you know that?) At Synopsys, we believe this is a recipe for disaster. The last thing we need in computer security is a bunch of vigilante yoo-hoos and lynch mobs. Rule of law anyone?
I talked all about this in my SearchSecurity column in November: Proactive defense prudent alternative to cyber warfare (November 1, 2012)
In fact, I have been a vocal opponent of the Cyber War drum beating that seems to pervade Washington. Here’s what I had to say to Threatpost about the issue (warning: poor sound quality): Gary McGraw on Cyber war and the Folly of Hoarding Cyber-Rocks
I have also been voicing these thoughts at think tanks like CNAS and in academic venues. Here are three pointers to recent talks:
For what it’s worth, I am going to be on a panel about this at a private event during RSA with the founders of CrowdStrike on the opposing side. Should be interesting. Given their dunderheaded philosophy, maybe I should bring a security detail along.
If you feel as strongly as we do about this issue, please send this to your representatives. They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New American Security (June 2011).