Is cyber-offense the answer?

Private-sector companies spend billions of dollars each year on cybersecurity to keep the bad guys out of their systems, but their efforts are often exercises in futility as the tools and capabilities of cyber threats continue to increase.

Verizon's 2013 Data Breach Investigations Report (DBIR) puts the increased threat in perspective, containing data on 47,000 cyber-security incidents and 621 confirmed data breaches reported by 19 worldwide partners, including the U.S. Secret Service. Twenty percent of reported private-sector breaches – 70 percent of breaches are discovered by third parties, by the way – were perpetrated by state-affiliated actors such as China, according to DBIR, and most often driven by financial motives.

And as Steven Chabinsky, senior vice president of legal affairs and chief risk officer of Crowdstrike told an audience at an FCW cybersecurity briefing Sept. 12 in Washington, D.C., the bigger that companies and federal agencies build their walls, the taller ladders these adversaries come up with to scale them.

"The bad guys don't give up," said Chabinsky, specifying that attacks are often perpetuated by the same parties. Yet strong defenses and big data analytics for situational awareness do little to curb outside threats or reduce or eliminate future threats.

Chabinsky recommended a different course of action, calling for the government to go on the offensive with diplomatic, informational, military, economic and law enforcement threat-deterrence options, in addition to private sector civil remedies.

"The government had better get a handle on threat deterrence. The private sector has had enough," Chabinsky said. "We need to shift to threat deterrence." 

Chabinsky's comments differed from those expressed at the same briefing by Thomas Rid, author of "Cyber War Will Not Take Place." Chabinsky argued that, without more credible U.S. deterrence, cyber-attacks and their consequences could indeed rise to a level of cyber-war.  

Rid, citing the "black budget" leaked by former National Security Agency contractor Edward Snowden, said the U.S. government already spends too much money on offensive cybersecurity tactics. More money, he said, should go toward defending existing networks.

Note: This story was updated on Sept. 17 to clarify Chabinsky's emphasis on threat deterrence.