Software Integrity


‘Active defense’ is irresponsible

NPR did a story about the idea of “Active Defense”, which basically boils down to attacking the people who (may have) attacked you. (Key question: who is it that REALLY attacked you, and how do you know that?) At Synopsys, we believe this is a recipe for disaster. The last thing we need in computer security is a bunch of vigilante yoo-hoos and lynch mobs. Rule of law, anyone? I talked all about this in my SearchSecurity column in November: Proactive defense prudent alternative to cyber warfare (November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washington. Here’s what I had to say to Threatpost about the issue (warning: poor sound quality): Gary McGraw on Cyber war and the Folly of Hoarding Cyber-Rocks

I have also been voicing these thoughts at think tanks like CNAS and in academic venues. Here are three pointers to recent talks:

  1. Dartmouth: Cyber War, Cyber Peace, Stones, and Glass Houses
  2. King’s College London: Cyber War, Cyber Peace
  3. Univ. of Michigan: Cyber War, Cyber Peace, Stones, and Glass Houses

For what it’s worth, I am going to be on a panel about this at a private event during RSA with the founders of CrowdStrike on the opposing side. Should be interesting. Given their dunderheaded philosophy, maybe I should bring a security detail along.

If you feel as strongly as we do about this issue, please send this to your representatives. They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New American Security (June 2011).