Talk:Proactive cyber defence

Wiki Education Foundation-supported course assignment
This article was the subject of a Wiki Education Foundation-supported course assignment, between 17 May 2021 and 31 July 2021. Further details are available on the course page. Student editor(s): Fsharbi. Peer reviewers: Jacovar, AbleArcher99.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 07:14, 17 January 2022 (UTC)

untitled
The composite definition of proactive cyber defence quotes David McMahon's book of the same name, with full copyright permission under GFDL. — Preceding unsigned comment added by Grammaton (talk • contribs) 15:59, 2 July 2008

Cleanup
What do we do with this page? Thanks. -- Trevj (talk) 13:55, 26 June 2012 (UTC)
 * 1) It has too many references which can't easily be checked as they're not linked to online versions
 * 2) The term may not meet WP:GNG, although cyber defence itself (currently a redlink) probably does.
 * 3) It was flagged as a potential copyvio, but has the OTRS confirmation above
 * 4) It could be pared down and merged, but what if all those references support the topic? And what is a viable destination article?
 * I went looking for a cyber defense article, and found this abomination instead. "Active cyber defense" is an Orwellian double-speak euphemism for cyber-offense, so exactly the opposite of cyber defense. This needs to be fixed. I think the first thing to do is to remove the redirect, which I'll do now, but then we should get an actual cyber defense article going. I'm up for doing some work on it. Bill Woodcock (talk) 09:55, 25 June 2021 (UTC)
 * Also, hello and welcome! You may want to take this as a starting point for your research if you're going to work on improving this article (which very much needs it!). I'm sure many of us would be happy to help you, or discuss changes you propose to make, here on the talk page. Good luck! Bill Woodcock (talk) 10:02, 27 June 2021 (UTC)
 * The problem with trying to find a better name for this article is trying to work out what the scope is. "Proactive" might be a reaction to "reactive", but it's still superfluous redundant repetitive jargon, that seems to mean "actively active" - as opposed to "inactively active"? The article currently meanders among poorly defined terms and is hard for me to make sense of. My guess is that it does seem to refer to something like "cyber offence as a means of cyber defence". Boud (talk) 20:15, 24 January 2022 (UTC)
 * Well, first of all, I'd advocate moving the article from "Proactive cyber defence" (redundant pro- prefix and British spelling, 13,000 hits on Google) to the more common "Active cyber defense" (33,000 hits on Google). In the British-versus-American thing I'd go with American because this idiocy is way more common among jingoistic American hawks than anywhere else. The phrase itself is a term-of-art, akin to "the best defense is a strong offense." Whether it's bullshit or not is orthogonal to whether it's a phrase that exists that should be defined. If we stick with this phrase as the title of the article, I think that defines the scope, regardless of what bloviation may currently populate the article. So, what do various folks think it means? Here, the US National Security Agency (notably responsible for offense, rather than defense or "security" per se) takes a very grown-up-pants conservative view:
 * "...synchronizing the real-time detection, analysis and mitigation of threats to critical networks and systems. While ACD is active within the networks it protects, it is not offensive and its capabilities affect only the networks where they have been installed by network operators and owners."
 * That definition flies in the face of common understanding by the people who most frequently wield the phrase, and they'd look at that and do the "wink, wink, nudge, nudge" thing. Here's DARPA's original description of the origination of the concept:
 * "DARPA's Active Cyber Defense (ACD) program is designed to help reverse the existing imbalance by providing cyber defenders a 'home field' advantage: the ability to perform defensive operations that involve direct engagement with sophisticated adversaries in DoD-controlled cyberspace. Created in December 2012, the program seeks to develop a collection of synchronized, real-time capabilities to discover, define, analyze and mitigate cyber threats and vulnerabilities. These new proactive capabilities would enable cyber defenders to more readily disrupt and neutralize cyberattacks as they happen. These capabilities would be solely defensive in nature; the ACD program specifically excludes research into cyber offense capabilities."
 * This "but we're not talking about offense" is evident in many sources. For instance,
 * "Active Cyber Defense involves no intrusion into hostile or non-cooperating networks or systems, but focuses entirely on the defended networks, and is thus not to be confused with active defense."
 * I think that's a particularly weak distinction, if "active cyber defense" is supposed to mean defense, while "active defense" is supposed to mean offense.
 * If we look at how the term's private-sector exponents use it, we tend to find clearer definitions. This fairly comprehensive one from Fortinet begins:
 * "Active defense is the use of offensive tactics to outsmart or slow down a hacker and make cyberattacks more difficult to carry out."
 * Hmmm.
 * The more sources I read, the more nuanced my view of the matter is becoming. Perhaps the grownups communicate about this idea in writing, while the "contractors" communicate verbally and with the annoying "nudge, nudge, wink winks." It seems like there's plenty of material to support a definition something like "Active cyber defense is the use of automation in the real-time analysis of cyber-attacks and the application of such automation to a network's defensive posture." That would be starkly contrasted with "hackback" (we should perhaps reference this relevant article-section), which may need its own article, and with methods of cyber-deterrence, which do not meet this characterization of being automated, interactive, and real-time. Bill Woodcock (talk) 09:56, 25 January 2022 (UTC)

Related terms
...which we should be cognizant of in approaching any cleanup of this, and related pages: I guess I would argue that "proactive" and "active" aren't worth distinguishing between. "Active" is clearly the more common of the two, and "proactive" doesn't seem to be clearly defined, but instead seems to be plagued with buzzwords. I would say that "active cyber defense" is a term-of-art which distinguishes the automated real-time subset of "cyber defense" and should probably be subsumed as a section within an article on the latter. I would draw a clear distinction with "cyber deterrence" which is the (truly proactive) prior deterrence of potential attacks, within the cyber realm. I would also draw a clear distinction with "hackback", or vigilantism, which I would categorize as the subset of cyber attacks which are motivated by revenge. I would say that a "cyber attack" is an instance in which a cyber offensive capability is applied, while "cyber offense" is the capability to attack within the cyber domain.
 * Hackback
 * Active Cyber Defense (or "Defence")
 * Proactive Cyber Defense (or "Defence")
 * Cyber Defense
 * Cyber Deterrence
 * Cyber Offense
 * Cyber Attack

My conclusion is that we need at least three articles here:
 * Cyber Defense (subsuming "active" and with a redirect from "proactive")
 * Cyber Deterrence (discussing things that are done to dissuade potential attackers prior to an attack)
 * Cyber Offense (subsuming "attack" and "hackback")

Does that make sense to folks? Bill Woodcock (talk) 10:22, 25 January 2022 (UTC)

Also, I checked and Fastily had created a Hackback draft which was subsequently deleted... I checked with the undeletion folks, and they said that it was an empty article, so not a useful starting point. Bill Woodcock (talk) 07:44, 28 January 2022 (UTC)