From Colin Clark, Breaking Defense:  The private sector — and the government — must “exhaust” the use of traditional responses such as public shaming, criminal charges, diplomatic demarches, and sanctions “before we contemplate the dangerous possibility we might encourage vigilantism ,” the powerful deputy director of the National Security Agency says.

Chris Inglis offered an audience of several hundred gathered for the rare chance to hear a senior NSA official speak in public a carefully balanced view of how the US should manage its responses to cyber theft and espionage.

“At the end of the day, we need to do more than take the slings and arrows that come our way, going into a fetal crouch,” he said yesterday morning. “At the same time, we don’t want to encourage vigilantism. . . ."

“It’s almost impossible to achieve a static advantage in cyberspace – whether that’s a competitive advantage or a security advantage – when things change every minute of every hour of every day. And it’s not just the technology that changes; it’s the employment of that technology; the operations and practices,” Inglis said.

Current security practices at most companies and for most individuals rely on lists of malware and viruses. If a bad bit of code is spotted, then the attack is blocked. But that isn’t enough because attackers are launching attacks in depth, with attacks sometimes spread out across several years, originating from different servers and using different attack vectors. “If your security depends upon a static advantage and the static nature of compliance-based standards, your heart’s going to be broken on a fairly regular basis,” Inglis told the CSIS audience.  (photo: Herman Farrer/INSA)  (via Barry Pavel)

Image: insa%205%2022%2013%20-chris-inglis-insa-herman-farrer.jpg