Modern field guide to security and privacy

Opinion: Cybersecurity needs an offensive playbook

In order to beat malicious hackers, the cybersecurity community must develop innovative approaches for deploying – and automating – offensive strategies to find and fix software vulnerabilities.  

Photo by Ann Hermes/The Christian Science Monitor
The DARPA Cyber Grand Challenge at DEF CON 24 was the first all-machine hacking Capture The Flag tournament with automated systems.

What do recent political hacks, the massive cyberattacks that took down a wide swath of the internet, and digital assaults on a portion of the Ukrainian power grid have in common?

All of them reveal that attackers are far ahead of defenders when it comes to digital security. But with global investment in cybersecurity expected to top $1 trillion over the next five years, why are the government agencies and companies charged with defending public networks and corporate systems so far behind?

It's simple: Cybersecurity defenders aren't playing enough offense.

The traditional way of thinking about cybersecurity has been that you can only have a good digital defense if you "build secure from the ground up." But this approach assumes a perfect world where everyone constructs bulletproof computer programs. That's a fantasyland.

Instead, cybersecurity is more like sports. You have to excel at both offensive and defensive strategies to win.

This doesn't mean that information security firms and independent researchers should start launching attacks on adversaries. But the good guys need to be more aggressive about finding and fixing vulnerabilities in systems and networks before malicious hackers uncover and exploit them.

Think about it this way: Defensive teams in sports improve their skills by practicing against offensive teams, studying their plays, and understanding their approaches. We need this kind of tactic for improving cybersecurity across the board. 

In the digital security business, the skill sets of offensive and defensive groups are strikingly similar. Both sides want to discover flaws first. But to build more robust offensive teams – for seeking out vulnerabilities in government or business networks – and defensive ones – for building the barriers and fighting off the malicious hackers – we need to invest more heavily in automation.

We need automatic tools that play offense – tools that can check every program, system, and piece of critical infrastructure for flaws. These will become more essential as the number of hackable devices – cars, medical equipment, industrial machinery, and home electronics – explodes.

Many wireless routers, for instance, are laden with security bugs. There are hundreds of different routers, and examining each one for security flaws by hand is not possible. But we could program computers to hunt down those bugs.

Earlier this year, the cybersecurity community witnessed its equivalent of the moon landing: The Defense Advanced Research Projects Agency (DARPA) showed that computers are capable of autonomously deploying offense and defense in battles between supercomputers. The event, dubbed the "Cyber Grand Challenge," paved the way for a new era of machines defending against computer attacks.

During the challenge that took place over nearly 10 hours in a Las Vegas conference hall, seven competing computer systems autonomously detected, evaluated, and patched software vulnerabilities before other competing systems had a chance to exploit them in a classic cybersecurity exercise known as Capture the Flag. It was the first all-computer hacking contest, and its success illustrated the potential of automation in cybersecurity. 

Right now, most companies rely on a small number of security analysts to test their products, so countless vulnerabilities go unnoticed. The Cyber Grand Challenge showed that in the not-too-distant future, it will be possible for companies to use automated tools to find and fix software vulnerabilities much faster, and at scale.

Even though cybersecurity automation will eventually make everyone safer, we still need skilled engineers to build these kinds of systems. The computer security field is projected to grow 50 percent faster than computer science in general, and more than 200 percent faster than average jobs. And demand is quickly outpacing supply.

Burgeoning efforts within government, from foundations, and in the private sector to focus on innovation and training are helping. We need more smart people building automatic systems that can work harder and faster – on both defense and offense – than even the most skilled hackers.

David Brumley is the director of CyLab Security and Privacy Institute and the Bosch Distinguished Professor in Security and Privacy Technologies at Carnegie Mellon University. He's also chief executive officer of ForAllSecure. Follow him on Twitter @thedavidbrumley.
