Talk:Proactive cyber defence

Computer Security: Computing High‑importance

This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles

High

This article has been rated as High-importance on the project's importance scale.

This article is supported by WikiProject Computing.

Things you can help WikiProject Computer Security with:

Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information...

Answer question about Same-origin_policy
Review importance and quality of existing articles
Identify categories related to Computer Security
Tag related articles
Identify articles for creation (see also: Article requests)
Identify articles for improvement
Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc.
Find editors who have shown interest in this subject and ask them to take a look here.

Military history: Technology

This article is within the scope of the Military history WikiProject. If you would like to participate, please visit the project page, where you can join the project and see a list of open tasks. To use this banner, please see the full instructions.Military historyWikipedia:WikiProject Military historyTemplate:WikiProject Military historymilitary history articles

This article has been checked against the following criteria for B-class status:
Referencing and citation: criterion not met Coverage and accuracy: criterion met Structure: criterion met Grammar and style: criterion met Supporting materials: criterion not met

Associated task forces:
/
	Military science, technology, and theory task force

Internet Low‑importance

	Internet portal This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles
Low	This article has been rated as Low-importance on the project's importance scale.

The content of this article has been derived in whole or part from David McMahon. Permission has been received from the copyright holder to release this material . Evidence of this has been confirmed and stored by VRT volunteers, under ticket number 2008070210016247.
This template is used by approved volunteers dealing with the Wikimedia volunteer response team system (VRTS) after receipt of a clear statement of permission at permissions-enwikimedia.org. Do not use this template to claim permission.

Wiki Education Foundation-supported course assignment[edit]

This article was the subject of a Wiki Education Foundation-supported course assignment, between 17 May 2021 and 31 July 2021. Further details are available on the course page. Student editor(s): Fsharbi. Peer reviewers: Jacovar, AbleArcher99.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 07:14, 17 January 2022 (UTC)[reply]

untitled[edit]

The composite definition to proactive cyber defence quote David McMahon's book of the same name with full copyright permission under GFDL. — Preceding unsigned comment added by Grammaton (talk • contribs) 15:59, 2 July 2008‎

Cleanup[edit]

What do we do with this page?

It has too many references which can't easily be checked as they're not linked to online versions
The term may not meet WP:GNG, although cyber defence itself (currently a redlink) probably does.
It was flagged as a potential copyvio, but has the OTRS confirmation above
It could be pared down and merged, but what if all those references support the topic? And what is a viable destination article?

Thanks. -- Trevj (talk) 13:55, 26 June 2012 (UTC)[reply]

@Trevj:, I went looking for a cyber defense article, and found this abomination instead. "Active cyber defense" is an Orwellian double-speak euphemism for cyber-offense, so exactly the opposite of cyber defense. This needs to be fixed. It think the first thing to do is to remove the redirect, which I'll do now, but then we should get an actual cyber defense article going. I'm up for doing some work on it. Bill Woodcock (talk) 09:55, 25 June 2021 (UTC)[reply]

Also, hello @Fsharbi: and welcome! You may want to take this as a starting point for your research if you're going to work on improving this article (which very much needs it!). I'm sure many of us would be happy to help you, or discuss changes you propose to make, here on the talk page. Good luck! Bill Woodcock (talk) 10:02, 27 June 2021 (UTC)[reply]

@Bwoodcock: The problem with trying to find a better name for this article is trying to work out what the scope is. "Proactive" might be a reaction to "reactive", but it's still superfluous redundant repetitive jargon, that seems to mean "actively active" - as opposed to "inactively active"? The article currently meanders among poorly defined terms and is hard for me to make sense of. My guess is that it does seem to refer to something like "cyber offence as a means of cyber defence". Boud (talk) 20:15, 24 January 2022 (UTC)[reply]

@Boud:, well, first of all, I'd advocate moving the article from "Proactive cyber defence" (redundant pro- prefix and British spelling, 13,000 hits on Google) to the more common "Active cyber defense" (33,000 hits on Google). In the British-versus-American thing I'd go with American because this idiocy is way more common among jingoistic American hawks than anywhere else. The phrase itself is a term-of-art, akin to "the best defense is a strong offense." Whether it's bullshit or not is orthogonal to whether it's a phrase that exists that should be defined. If we stick with this phrase as the title of the article, I think that defines the scope, regardless of what bloviation may currently populate the article. So, what do various folks think it means? Here, the US National Security Agency (notably responsible for offense, rather than defense or "security" per se) takes a very grown-up-pants conservative view:^[1]

"...synchronizing the real-time detection, analysis and mitigation of threats to critical networks and systems. While ACD is active within the networks it protects, it is not offensive and its capabilities affect only the networks where they have been installed by network operators and owners."

That definition flies in the face of common understanding by the people who most frequently wield the phrase, and they'd look at that and do the "wink, wink, nudge, nudge" thing. Here's DARPA's original description of the origination of the concept:^[2]

"DARPA’s Active Cyber Defense (ACD) program is designed to help reverse the existing imbalance by providing cyber defenders a 'home field' advantage: the ability to perform defensive operations that involve direct engagement with sophisticated adversaries in DoD-controlled cyberspace. Created in December 2012, the program seeks to develop a collection of synchronized, real-time capabilities to discover, define, analyze and mitigate cyber threats and vulnerabilities. These new proactive capabilities would enable cyber defenders to more readily disrupt and neutralize cyberattacks as they happen. These capabilities would be solely defensive in nature; the ACD program specifically excludes research into cyber offense capabilities."

This "but we're not talking about offense" is evident in many sources. For instance,^[3]

"Active Cyber Defense involves no intrusion into hostile or non-cooperating networks or systems, but focuses entirely on the defended networks, and is thus not to be confused with active defense."

I think that's a particularly weak distinction, if "active cyber defense" is supposed to mean defense, while "active defense" is supposed to mean offense.

If we look at how the term's private-sector exponents use it, we tend to find clearer definitions. This fairly comprehensive one from Fortinet^[4] begins:

"Active defense is the use of offensive tactics to outsmart or slow down a hacker and make cyberattacks more difficult to carry out."

Hmmm.

The more sources I read, the more nuanced my view of the matter is becoming. Perhaps the grownups communicate about this idea in writing, while the "contractors" communicate verbally and with the annoying "nudge, nudge, wink winks." It seems like there's plenty of material to support a definition something like "Active cyber defense is the use of automation in the real-time analysis of cyber-attacks and the application of such automation to a network's defensive posture." That would be starkly contrasted with "hackback" (we should perhaps reference this relevant article-section), which may need its own article, and with methods of cyber-deterrence, which do not meet this characterization of being automated, interactive, and real-time. Bill Woodcock (talk) 09:56, 25 January 2022 (UTC)[reply]

References

^ "Active Cyber Defense (ACD)". US National Security Agency.
^ "Active Cyber Defense (ACD)". US Defense Advanced Research Projects Agency.
^ "Glossary: Active Cyber Defense". The CyberWire.
^ "CyberGlossary: Active Defense". Fortinet.

Related terms[edit]

...which we should be cognizant of in approaching any cleanup of this, and related pages:

Hackback
Active Cyber Defense (or "Defence")
Proactive Cyber Defense (or "Defence")
Cyber Defense
Cyber Deterrence
Cyber Offense
Cyber Attack

I guess I would argue that "proactive" and "active" aren't worth distinguishing between. "Active" is clearly the more common of the two, and "proactive" doesn't seem to be clearly defined, but instead seems to be plagued with buzzwords. I would say that "active cyber defense" is a term-of-art which distinguishes the automated real-time subset of "cyber defense" and should probably be subsumed as a section within an article on the latter. I would draw a clear distinction with "cyber deterrence" which is the (truly proactive) prior deterrence of potential attacks, within the cyber realm. I would also draw a clear distinction with "hackback", or vigilanteism, which I would categorize as the subset of cyber attacks which are motivated by revenge. I would say that a "cyber attack" is an instance in which a cyber offensive capability is applied, while "cyber offense" is the capability to attack within the cyber domain.

My conclusion is that we need at least three articles here:

Cyber Defense (subsuming "active" and with a redirect from "proactive")
Cyber Deterrence (discussing things that are done to dissuade potential attackers prior to an attack)
Cyber Offense (subsuming "attack" and "hackback")

Does that make sense to folks? Bill Woodcock (talk) 10:22, 25 January 2022 (UTC)[reply]

Also, I checked and Fastily had created a Hackback draft which was subsequently deleted... I checked with the undeletion folks, and they said that it was an empty article, so not a useful starting point. Bill Woodcock (talk) 07:44, 28 January 2022 (UTC)[reply]

[1] "Active Cyber Defense (ACD)". US National Security Agency.

[2] "Active Cyber Defense (ACD)". US Defense Advanced Research Projects Agency.

[3] "Glossary: Active Cyber Defense". The CyberWire.

[4] "CyberGlossary: Active Defense". Fortinet.

[1]

[2]

[3]

[4]