How an Active Defense Is Better Than Going on Offense
The title of Nawaf Bitar’s speech at the RSA Conference today was certainly intended to capture attention: “How the Next War Will Be Fought in Silicon Valley.” I made a point of tracking him down to talk about it.
Bitar (pictured below) is a senior vice president and head of the security business unit at Juniper Networks. And it doesn’t take much time talking with him to realize that he’s someone who sees the potential for real danger in all the hacking that’s taking place in the world.
As we’ve gotten used to the frequent disclosures about the National Security Agency and other aspects of daily life where the privacy of our personal information comes to mean less and less each day, people often say they’re outraged. Rarely do they do anything about that outrage, he told me.
He believes you should be as protective of your information as you are of your family and your money. “Our information,” he said, “is something that is getting away from us. It’s extraordinarily important to protect it in the same way before it’s too late.”
He worries about unintended consequences. Cyber attacks are a lot more dangerous now than they used to be. What years ago caused annoyances can now cause actual damage. Case in point: Stuxnet, the Trojan that was used to attack the Iranian nuclear program. It caused several centrifuges to spin out of control and explode.
“We’re starting to head down a path where attacks actually pose the risk of a loss of life,” he said. “If an enemy shot down a passenger jet, we’d go to war. What if an enemy compromised the air traffic control system and caused two planes to collide? Would we go to war then?”
He suggests instead a new kind of “active defense,” one that makes it more difficult for attackers to get what they want.
For instance, in “intrusion deception,” a machine under attack acts as though it has been compromised, but hands the attacker fake files and information. A hacker might be tricked into thinking he has taken a file containing passwords, one that looks legitimate but is actually fake. “He might then spend eight hours trying to decrypt the passwords,” Bitar said. “That’s eight hours he’s not getting back, and it’s a way of starting to disrupt the economic model of hacking.” Several Juniper products use the technique, he said.
But there’s a fine line between an active defense and going on the offense, and that’s one that Bitar believes governments and corporations shouldn’t cross. There’s always an urge to “hack back,” he said, and it should be resisted.
“There’s the possibility for a lot of unintended consequences. People can be hurt,” he said. “There’s legal and ethical considerations. And you just never want to give up the moral high ground.”
Update: Here’s a video of Bitar’s speech at RSA. It’s about 20 minutes long.