Monday, June 13, 2005

Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net

Today is the one-year anniversary of my interview with NewScientist magazine on what, at the time, was the highly controversial subject of "countermeasures" technologies. The interview was one of many I did with Symbiot in response to the March 2004 release of the company's iSIMS (intelligent Security Infrastructure Management Software) technology.

I wanted to take a moment today to look back on the last year and review what has happened with the idea of "countermeasures" in general. In short, in the span of one year the world seems to have shifted from despising the concept to embracing it. Perhaps this is due in part to Symbiot's efforts with the OpenSIMS project to create an open source security infrastructure management system that serves as the framework for such technologies. By creating the project in the open source community with the Apache Software Foundation, perhaps some amount of credibility was given to the original concepts Symbiot created related to "countermeasures".

Want examples? Well, in the last year Lycos launched its now infamous "Make Love Not Spam" campaign, O'Reilly publishing started distributing the Syngress title "Aggressive Network Self-Defense", and Cisco started product placement of "Self Defending Networks" on Fox. However, a great deal of this started with a discussion of "Vigilantes on the net".

To really understand what has happened in the last year, we should look at the history of "striking back". Let's start with an understanding that the idea is not new. In December of 1999 Conxion, Inc. launched "counter strikes" against a denial of service attack on the World Trade Organization (WTO). This is probably the first documented incident of "counter measures" being used by a corporation in response to a network based attack. The event was the first in a "counter measures time-line" that shows the increasing interest, support, and controversy surrounding such technologies.

A glance at this timeline makes it clear that the idea of "striking back" has been around for some time. However, it is important to understand that I am not advocating striking back in all cases. I am a strong proponent of countermeasures being defined as a set of graduated responses that include (but are not limited to) "Strike Back" capabilities. This is evident in Symbiot's now famous (or infamous, depending on your point of view) white paper "On the Rules of Engagement for Information Warfare".

Personally, I would argue the concepts behind "countermeasures" started with the first attack on a network-based asset. It's also clear from the timeline that industry visionaries like Bruce Schneier (opposed to the idea) and Tim Mullen (a strong supporter) had given great thought to the idea of "striking back" long before Symbiot came along.

However, it can be argued that Symbiot brought this issue to the forefront and sustained visibility in the media long enough to help drive change in the industry and, more importantly, to get people to debate the subject. I see this as a result of our interviews, conferences, and white papers. Of course, it didn't hurt that so many are so polarized and passionate about the subject.

So one year to the day since my New Scientist interview explaining countermeasures, they have been publicly deployed by major corporations, shown helping counter terrorist attacks on our popular TV shows, become a popular topic in the technology press, and remain the subject of a heated (and healthy) debate. I like to think that Symbiot played a positive role in bringing this issue to the forefront and helping people understand what countermeasures really mean.

In my opinion, countermeasures aren't unjust or unfeasible; on the contrary, they're inevitable. However, to create effective countermeasures that everyone can agree to, a "Community Centric" approach to security has to exist. This means putting aside some of the differences that plague this debate and focusing on what is possible if people on both sides work together towards a common goal. I mean, hey, the hacking community does a far better job of collaboration than its counterparts in computer and network security. Until we work together, we're doomed to rebuild after each attack only to be attacked again and repeat the entire process over and over and over. Collaboration on the part of the world's security experts and authorities will put us on the right path to making the Internet a safer place for everyone.

Who knows—in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities, which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end, a more secure, reliable networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.