Thursday, April 05, 2007

In Cybersecurity, is a good offense the best approach?

General James Cartwright, commander of the Strategic Command (STRATCOM), thinks so. Last month he gave testimony to the House Armed Services Committee indicating that a "purely defensive posture poses significant risks" (link via a Wired article by Bruce Schneier). Cartwright is of the opinion that the U.S. needs to be able to fight its cyber adversaries "when necessary, to deter actions detrimental to our interests."

I have no problems with offensive strategies for computer systems defense under the right circumstances. However, when a military commander starts discussing offensive strategies, I get a little worried. STRATCOM is responsible for planning and directing cyber defense strategies for the Department of Defense. When STRATCOM's commander discusses offensive measures as a defense, you have to wonder how measured an offensive response would be.

The Department of Defense is a very large government entity comprising both the military (all branches) and several civilian agencies (or joint agencies, both civilian and military). DoD also has some of the most sensitive government information on its networks. The sensitivity of data as well as the nature of DoD make it a prime target for cyber attacks, but is unilateral offense a good strategy?

Due to the complexity of some sophisticated computer-based attacks, it is not always possible to know where an attack originates or the intent of the attack. If offensive tactics are to be taken in some events, what is to say that the processes and procedures for responding will be sufficient for every type of attack? When those processes and procedures are insufficient, who will make the decision to attack or not?

Particularly worrying to me is the prospect that a US citizen's computer will be attacked or that a country with which the US has a shaky relationship will be attacked. What happens if DoD is wrong? Diplomatic relations with an entire country could be compromised because DoD chose to launch an offense against an attacker or who they thought was the attacker. An attacked country could possibly view an offensive attack as an act of war.

While I agree that sometimes offensive strategies are necessary in computer defense, there are far too many gray areas for our government organizations to be making offensive moves. Fighting back is not the only answer to defense. The government is riddled with computer security problems, as evidenced by the FISMA report cards (DoD got a grade of D in 2003 and 2004). It would be prudent for DoD to fix its basic security issues before it goes on the offense.
