Secure Coding mailing list archives

"Active Defense" is Irresponsible
From: Gary McGraw <gem () cigital com>
Date: Wed, 13 Feb 2013 14:27:39 -0500

hi sc-l,

This morning, NPR did a story 
<http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders> about the idea 
of "Active Defense" which basically boils down to attacking the people who (may have) attacked you.  (Key question: who 
is it that REALLY attacked you and how do you know that?)  At Cigital, we believe this is a recipe for disaster.  The 
last thing we need in computer security is a bunch of vigilante yoo-hoos and lynch mobs.  Rule of law anyone?

I talked all about this in my SearchSecurity column in November: Proactive defense prudent alternative to 
 (November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washington.  Here's what I 
had to say to Threatpost about the issue (warning: poor sound quality): 

I have also been voicing these thoughts at think tanks like CNAS and in academic venues.  Here are three pointers to 
recent talks: http://www.ists.dartmouth.edu/events/abstract-mcgraw.html

FWIW, I am going to be on a panel about this at a private event during RSA with the founders of CrowdStrike on the 
opposing side.  Should be interesting.  Given their dunderheaded philosophy, maybe I should bring a security detail.

If you feel as strongly as we do about this issue, please send this to your Representatives.  They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber 
Security <http://www.cigital.com/papers/download/mcgital.com/papers/download/mcgraw-fick-CNAS.pdf> in AMERICA'S CYBER FUTURE: SECURITY AND 
II <http://www.cnas.rsvp1.com/node/6405?mgh=http%3A%2F%2Fwww.cnas.org&mgf=1>, Center for a New American Security (June 

What's the alternative to throwing rocks?  Making sure our houses are not glass by building security in.


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
