Many years ago, when Distributed Denial of Service (DDoS) attacks were becoming a more common problem, I had a meeting with a government agency (not to be named here). The discussion was broad in terms of the challenges they faced around cyber security, but it was their response on how they handled DDoS attacks that stuck out more than any other part of the meeting. “Oh, we just shut down the servers that are being attacked until the attack subsides,” was their input on DDoS defense strategy. Now, to be fair, this was in the early days of advanced thinking on DDoS defense, and also in the context of a broader climate where the view was that if there’s a DDoS attack going on, it might signal an attempt to breach data from the server, so it was better to lose availability than to lose data confidentiality.
Times have changed since then, and almost any government agency now has to balance availability threats more evenly against those targeting data confidentiality or integrity. Indeed, a few recent situations have highlighted the impacts of a loss of availability and the constituent reaction to security strategies that don’t effectively balance staying connected with staying secure.