paint-brush
Cyber Warfare, Self-Defense and the Defender’s Dilemmaby@kwistech
821 reads
821 reads

Cyber Warfare, Self-Defense and the Defender’s Dilemma

by John KwissesDecember 1st, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

I do have to admit that I like the concept of cyber-self-defense, but in my opinion, it is just not feasible to do. There are just too few professionals, too many insecure devices, and too much at risk if individuals or companies started 'hacking back.' It is with this that the Defender's Dilemma will always exist: the attackers will always be one step ahead of the defenders.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Cyber Warfare, Self-Defense and the Defender’s Dilemma
John Kwisses HackerNoon profile picture


After pondering, researching, and a few glasses of wine, I've decided to do an analysis on cyber warfare…


As I currently live in Canada, I will be writing on this topic from a Canadian perspective. Like most things in Canada, we take our guidance from the United States, and our approach to cyber security is no different. The United States has numerous laws and regulations surrounding the lawful and unlawful use of computers throughout the country. I listed some of these in my last blog post titled The Age of Cyber Warfare, so I won't reiterate them here.


I do, however, want to reiterate that the misuse of systems can cause a fallout greater than one might imagine. When I first entered the cyber security field, I was tasked to help my team develop and implement a vulnerability management program. Like most things in information technology, one has to learn quickly and be comfortable with not knowing what your next task will be. In such situations, Google and Youtube become your best friends.


As I gathered all the necessary information to get started, it was only a matter of time before I was inundated with the various laws and regulations surrounding the program. For example, did you know that it's illegal to probe a system if you do not have permission from the system owner to do so?

A good friend of mine sent me his daughter's master's thesis as he read my last cyber warfare post. The thesis titled Canadian Hack-Back?: A Consideration of the Canadian Legal Framework for Private-Sector Active Cyber Defence, is a good read and one of the only academic papers I've come across on this subject. During her research, the author comes across the term Active Cyber Defence ("ACD") which seems to have as many definitions as one can come up with. However, she defines ACD as "any non-governmental response to cyber threats or intrusions using technical means, when that response has effects outside the defender's own network." With this definition, every action that a defender would take would be classified as ACD, including investigating an infiltrating system. Note that I bring her thesis into this post, not as a criticism or appraisal, but simply to highlight how complex this topic can get.

As I'm not a lawyer by any stretch of the imagination, I will leave the rest of the legal discussions to the professionals. However, as cyber security now touches every part of our lives, cyber security professionals now have to be trained to abide by all of these laws and in order to provide competent service to their clients. This gradually grows to become a vital flaw in the cybersecurity space: there is a lack of experienced, competent, and qualified cybersecurity professionals. Imagine having to secure anything and everything that has a chip, that is sensitive in nature, and involves people who are just as flawed as I am...


As any cyber security professional will know, cyber security falls roughly into 8 domains:

  1. Security and Risk Management

  2. Asset Security

  3. Security Architecture and Engineering

  4. Communications and Network Security

  5. Identity and Access Management

  6. Security Assessment and Testing

  7. Security Operations

  8. Software Development Security


Each domain contains subsections that cover the people, processes, and technology of an organization. Some of these sections contain areas that you may not think are associated with cyber. For example, did you know that fire suppression, floodplain mitigation, and outdoor lighting can be classified under cyber security? Neither did I, until I realized that a system can't be secured if it's on fire, waterlogged, or stolen under the cover of night. Suffice it to say that cyber security involves many areas each of which should be secured by an experienced professional.

Cyber Security Defense

As we start to grasp how broad cyber security really is, we can start to understand how important it is to avoid attacks on our systems in the first place. However, it seems we are facing an uphill battle and every step forward is met with resistance.


There are a few items that weaken our cyber security posture right out of the gate. For one, the new computer that you purchase from a reputable store is not as secure as you think. For example, have you ever noticed programs installed on your computer that you do not want like a trial version of an antivirus program or gaming suite? This is called bloatware and opens up your computer to attacks. What about the 'Location Services' and the AI Voice Assistant 'Cortana' on Windows? These services can expose your physical location as well as have Microsoft fingerprint your voice pattern. Disable these services to reduce your attack surface.


Another issue is that the majority of smart devices such as smartwatches and smart TVs are vulnerable to basic cyber attacks. These devices are typically not as secure as laptops or desktops as security is not the first consideration in the making of these devices. An extreme but good example of this is the cyber attack that occurred through a casino's fish tank sensor.


One more point to consider is that computer users are not typically cyber-aware. For example, did you know that you can experience thousands of cyber-attacks without even realizing it? This can be done through phishing emails, denial of service attacks, and data breaches (e.g., the Equifax data breach of 2017). Not to mention that most people reuse weak passwords for most of their accounts. You are guilty, and so was I a number of years ago. Please do me, and the rest of society, a favor and stop using '123456' as your one and only password.


I think it's safe to say that the odds are against us. However, there has been some progress toward a cyber-secure world in the past few years due to the increasing cost of cyber attacks. There is hope, but there's still a lot of work to do in this regard. So if you are interested in switching into the world of cyber security, now is a good time.

Cyber Security Offense

As we enter the topic of offensive tactics, it's important to note that any attack invites a response from the victim. A physical assault on someone invites retaliation in the form of self-defense which can range from a simple blow to a strike that can kill.


With this in mind, there are two questions I want to discuss:

  1. If a cyber-attack occurs on our systems, do we have the right to respond in self-defense?

  2. If we have the right to respond in self-defense, to what extent can we respond?


In the physical world, if we are provoked or harmed by another person, we as a society have decided on an acceptable response through self-defense. If a person attempts to hurt me, I have the right to defend myself. And even though I have the right to defend myself, it is up to me at that time to decide if I act on this right. As someone who is currently learning a martial art, all I have to say is I will respond to an attack in some capacity. You have been warned.


In the digital world, however, the issue of self-defense becomes very complex. For starters, you can never be 100% sure of who harmed you (or committed a cyber attack on your system). Most cyber-attacks take place from a compromised system of an innocent third party and not the actual attacker's machine. This is by design as it becomes hard if not impossible to figure out the who, what, when, where, why, and how of the attack. And so even if you had the capacity to launch a full-scale cyber-attack against the perpetrating system, you may be attacking an innocent bystander causing them to take action against your systems... a self-fulfilling prophecy.

Another issue is that a cyber attack can do significant damage to a system, causing unforeseen consequences as the attacked system may be connected to hundreds, if not, thousands of other systems, both in technology and in the geopolitical world. For example, if a cyber-attack was successful in shutting down an oil pipeline, a nation may be without oil until the affected systems can be safely turned back online. The Colonial Pipeline Ransomware Incident is an example of this as the Southeastern United States experienced an oil shortage due to the attack.


The third issue with retaliation is that of liability and the possibility of escalation. Who is liable for the damages caused by the retaliation? Even if the cyber-attack damaged the attacker's systems, who's to say that they will not respond in kind? If the retaliation is not done by a professional, then the possibility of an attacker finding out who you are and what systems to attack is almost guaranteed. Are you prepared to handle a full-scale cyber-attack on not only your systems but your identity, family, and friends? Who knows to what extent the attack will go to?


I think it's safe to say that most people are not prepared for this amount of fallout.


For argument’s sake, let's say the answer to our first question posed is yes. The next question is to what extent can we respond to a cyber attack? We can do the most basic response in the form of probing a system to see if it's on or off. We can also commit a full-scale denial of service, ransomware, or brute-force attack on the perpetrator's systems. Where do we draw the line? Or the better question is what is the appropriate response for each attack we experience?


If we detect an attacker scanning our systems for vulnerabilities, would it be appropriate to do the same? What about if an attacker sends a phishing email to our email addresses, can we then try to scam them in some way? Can we conduct a phishing attack if we are hit with a ransomware attack? I think you can see where I'm going with this, there is no good answer to this question. The truth is that we will never have all of the information necessary to 'safely' conduct a cyber-attack on a perpetrating system. The questions are endless and we haven't even talked about the morality and ethics of it all. I will leave that topic for another day.

Closing Thoughts

I do have to admit that I like the concept of cyber-self-defense, but in my opinion, it is just not feasible to do. There are just too few professionals, too many insecure devices, and too much at risk if individuals or companies started 'hacking back.' It is with this that the Defender's Dilemma will always exist: the attackers will always be one step ahead of the defenders. The only case that I could see 'hacking back' as an option is if the world's population was at risk through a World War-like event. In this case, normal life for everyone would be disrupted and it wouldn't really matter that cyber-attacks were occurring as there would be more pressing matters to attend to such as nuclear fallout, starvation, murder, and disease. Let's pray it does not come to that...


Anyways, I hope that this provides useful to those of you who read my blog. I always say that I didn't choose this career, it choose me. I will continue to write about the topics that matter to me and that I believe provides value to society.


As always, I'm available if you have any questions, comments, or concerns about what I write.


Peace, love, and all that happiness stuff!



Also published here.