“The defensive form in War is … a shield formed of blows delivered with skill.”
— Carl von Clausewitz, On War

“The best defence is a good offence.” The popular saying has been variously attributed to world champion boxer Jack Dempsey and legendary NFL coach Vince Lombardi, but it is equally applicable to cyber defence.

Normally, an effective defence is never passive. It not only blocks an attack, but also has the agility, power and wit to seize the initiative and defeat not only the attack, but the attacker.

Cyber defence as practised today tends to be passive. As a generalization, we build barriers around our networks, wait for the attack to come, and clean up afterwards. As Members of Parliament on the U.K. Intelligence and Security Committee argued in their recent annual report, defending against cyber attacks is not enough; “there are also opportunities for our intelligence and security agencies and military which should be exploited in the interests of UK national security,” including active defence, exploitation, disruption, information operations and military effects.

In keeping with Lombardi’s quote, we must do better, and without drawing a flag on the play.

The defensive model
A common security model used (with some variations) by a number of commercial, government and military organizations consists of four parts: Protect; Detect; React; and Restore. At the risk of oversimplifying, Protect means to build, fortify or reinforce something so it is resilient to attack. Detect means to discover an attack in sufficient time to be able to do something useful about it. React is the actual defensive battle: actions taken to defeat the attack. Restore involves repairing damage done during the attack.

In execution, these elements occur more or less sequentially. However, designing a successful defence requires a different approach. It must focus on React, and let requirements for Protect, Detect and Restore flow from the needs of a vision of the engagement to be fought. This vision must be based on an accurate estimate of the way the attack will unfold, based on predictive intelligence.

A defensive system, therefore, needs first to consider React and Detect. Protect provides the effects demanded by the design for battle, typically delaying or limiting attack options to those that fit the defensive scheme. Restore, finally, not only repairs but also provides feedback based on an analysis of the action to adjust the scheme for the next attack.

An intelligence capability
Detect has two roles. Strategically, it provides predictive intelligence on which the designer can base a defensive scheme. This requires a firm grasp of the opponent’s methods of operation and an ability to predict future methods out to a useful time horizon. Tactically, it triggers immediate actions in the design for battle that will allow the defender to be proactive enough to defeat the attack. Key to success here is being able to detect an attack in time to allow the React function to be successful.

Most cyber attacks are not detected until long after they have taken place. While the attacker’s exploitation can last a significant time, the battle was lost long ago – before it had a chance to take place. Our time-scales are very short – small fractions of a second. It is likely that we will need to place our sensors not only inside our system, but also well outside our perimeter to give us the reaction time we need to fight the battle: cooperation with others in the community will be critical. Otherwise, we end up skipping the React function altogether and going straight to Restore to try to clean up the mess.

Where the threats are constantly changing, a longer-term intelligence capability allows us to anticipate new attacks and evolve our defensive scheme to meet them. To be effective, getting this information into the hands of key defenders is essential; having it sit in the hands of the intelligence staff is not useful. Difficult or not, it is nonetheless necessary to develop this capability so we can avoid the historical problem of being well-prepared for the last war, but not for the one about to be imposed on us.

An operations capability
While all parts of the model are important, fighting and winning the battle is the core function. It is by no means certain that our cyber defenders have approached designing the defence with a clear vision of how this engagement will take place. We must create a design, incorporating the effects created by our obstacles and the warning allowed by advanced detection systems to allow the right actions to be taken – by humans or by computers – at the right time to avoid the attack or defeat it.

In general, our understanding of how to defend develops alongside our understanding of how to attack. Yet in Canada, we have no acknowledged offensive cyber capability outside a minimal penetration testing or “ethical hacking” presence. Most cyber defenders have no opportunity to participate in this activity, and so their understanding of the attacker’s options tends to be restricted by lack of experience and training.

This situation also leads to a passive mind-set, a recipe for failure in a defensive battle. Development of a true offensive cyber capability would allow our defenders to improve their skills and understanding of their craft, to the benefit of our cyber defences in general.

What are the issues?
Why are we not doing all of this now? First, accurate predictive intelligence is hard. There are too many potential adversaries with their own security measures and too little intelligence capability suited to this purpose. Second, there are huge policy issues with overt offensive action. Both legal and practical factors are a long way from being resolved. In the same vein, the scale of action and the authority of the actor need to be considered – we do not expect the average citizen to take up arms against a burglar, nor do the police normally arrive with guns blazing. Lastly, today we have barely enough institutional capacity to do the easy part – fortify our systems – and in no way enough to design and execute a more effective defence.

Conclusion
Cyber defence has for too long focused on deployment of obstacles that are certain, with time, to be breached by our attackers – at the expense of the ability to create a vision of the defensive battle and a design to conduct it successfully. We have maintained a passive psychology, reacting to old attack methods too late, and applying costly countermeasures that may or may not be useful against future attacks.

We need to focus on our operations and intelligence capabilities so we can design effective and proactive defences that have a better chance of success, and we need to imbue our defenders with the offensive spirit necessary to build a “shield of blows delivered with skill.”

Colonel (Ret’d) Bruce Jackson served in a number of positions dealing with information operations. He consults in the areas of strategic planning and IT security.