On Monday, September 18th, 2011, security luminaries Winn Schwartau, Brandon Dunlap and J.J. Thompson began a conversation, that despite including me, began to generate interest throughout the combined ASIS 2011 and (ISC)2 World Congress events in Orlando. The initial question seems simple enough: In the real world if someone breaks into my house, I can defend myself. I can assault the person, or even shoot them if necessary should the threat be dire enough. Can the same principle be applied in cyber space? The answer as we discussed with each other over the next few days is harder to pin down, and opens an entire spectrum of possible responses and real world analogues.
The what-ifs led to questions about acts of war, the right to bear arms, and regional and philosophical differences in the tolerance of aggressive self-defense. Questions arose about the implications of anti-hacking laws, such as the Computer Fraud and Abuse Act. We discussed the obvious torch bearers of the establishment, famous and infamous security experts, not-for-profit training and certification organizations, DARPA and self-healing networks, and of course how to fund an endeavour designed to talk and think about this issue.
Regardless of funding, a few of us decided that it is important to continue to ask this question. We as a body of professionals in the fields of information and computer security have a responsibility to develop the arguments, and help to inform the public debate. It is up to us as a profession to champion all sides of the argument, until well established positions and defensible, legal methods can be established.
We discussed the need to create a forum to discuss the ethics of the red response to a blue challenge. A place to creatively debate the relative merits of the hack-back, or the attack response. The word think-tank may apply, this may be a public forum of dissenting opinion on the subject of cyber self-defense, or cloud threat response, or it may just be what Brandon called it as J. J. Thompson and I sat with him musing after a particularly lively debate with Anupam Rawla and Tom Haney, it may be the beginnings of a doctrine.
It is with great pleasure that I introduce to you the Orlando Doctrine. We look forward to reading, and responding to your arguments for or against cyber self-defense. Some of the greatest minds in the profession are represented here, so bring your best arguments, and be prepared to defend yourself.
Spencer Wilcox, CISSP, CPP