SINGAPORE--Developing cyberoffensive capabilities may be increasingly relevant for governments in order to deter attacks and protect their infrastructure.
This is especially critical in the face of a wave of "next generation" adversaries amid the rise of the Internet of Everything, said Anthony Bargar, former security advisor at the United States' Office of the Secretary of Defense. He was speaking at industry conference GovWare here on Wednesday.
Bargar noted that increasingly pervasive interconnectivity raised the risk of critical infrastructure being paralyzed by cyberattacks. For example, power grids would soon be connected to the Internet to form smartgrids, and everything, even toasters, would soon have IP addresses, he said.
"The industry isn't catching up fast enough to that level of security," said Bargar. He explained that priorities have always been usability versus cost, leaving security as an afterthought.
Offense is the best defense
"Cyberdeterrence is the new cold war reality," he noted, adding there will be increasingly more state-sponsored attacks, insider threats and attacks aiming for cyberdestruction.
Bargar's comments come just days after the United Kingdom emphasized the need for an offensive capability to deal with cyberthreats, adding cyberdeterrence to nuclear deterrence.
U.K. Defence Secretary Philip Hammond told the Mail: "You deter people by having an offensive capability. We will build in Britain a cyberstrike capability so we can strike back in cyber space against enemies who attack us."
Echoing those views, Tony Chew, director specialist advisor at the Monetary Authority of Singapore, said cyberattacks have become increasingly favored by adversaries as they were covert and minimized collateral damage. He pointed out there were even commercial firms, such as Vupen, now offering cyberoffense for hire.
"If you are going to fight you cannot just be defending, you must have capability of launching the first strike," said Chew, during a separate keynote at GovWare.
According to Bargar, it is not realistic to expect to be able to afford to defend everything, so it will be important to outline a list of critical assets to prioritize. He noted most business continuity plans were built around natural disasters, but it was necessary to start thinking in terms of cyber-resilience.
Cyber-resilience is being able to recover quickly through cyberconflict to a trusted environment, explained the former advisor to the Office of the Secretary of Defense. Ways to improve resiliency include mapping the network, the complex cascade effects and single points of vulnerability, he said. Staff should also conduct exercises together under serious IT degradation.