The Offense-Defense Balance of Cyber

Cyber has typically been seen to have a very lop-sided offense-defense balance—with offense coming out on top. This is partly because of a function of the probability; defense must account for all possible avenues of attack but offense has to find that one single route to vulnerability. Rebecca Slayton addresses the issue of offense-defense balance in cyber by conceptualizing the issue in terms of utility—a shared feature of different modes of offense-defense balancing.

Several key insights drive her analysis. The cost of cyber operations depends not on the features of the technology alone, but also on the skills and competence of the actors and organizations that create/use/modify information technology. For example, ‘ease of use’ or ‘versatility’ of information technology seems to favor offense, but that property arises form interactions between technology and skilled actors. The operation might be quick but the construction and deployment of cyber weapons is a slow, laborious process.

Overall this implies that the utility of cyber operations differs in some serious ways. For example, a tight coupling of individual skills and information technology makes the economics of producing cyberweapons different than conventional physical weapons. The skills of the programmer have a huge effect on the efficacy and construction of the weapon. Software is continuously modified. And code takes the shape of a ‘use and lose’ weapon — once identified, it becomes obsolete. Thus, you need continued investment and skill to develop the weapons. The cost of the programmer is not accounted for in offense-defense balance analysis. The competency of managers is also important—defense failures often must do with personnel failures or out of date software. The success of offense is due to poorly managed defense. Attacks also need expensive infrastructure to be put into place—the actual attack itself might be cheap but the research and implementation of infrastructure is not. The complexity of the defense target–which increases defense costs–also increases offense costs to understand the complex system. Accessing physical effects through cyber is hard to accomplish as well. Attacking industrial control systems at a strategic point in time requires persistent communication–something hard to accomplish in such a system when deploying the cyber weapon.

A look at Stuxnet shows the high cost value of attacking–much more so than the actual defense, however the goal was considered significant enough not to quibble over the cost. The actual effect was negligible—delaying the Iran nuclear program by 3 months rather than years, whereas the cost to the US was relatively high.

I think this article raises some very interesting points about the perceived cost of offense. Often we conceive of cyber as being ‘cheap’ warfare because of the ease with which code is copied – but the constant updating and the initial conceiving of it has huge talent costs. I wouldn’t discount the high offense value of cyber necessarily though. Consider the recent situation with cyberwarfare and the 2016 US election. There was an interesting strategy taken of not directly affecting physical domains (like ICS)—instead, the focus was more so on disinformation and social media. Slayton herself acknowledges that the value of a defense target is variable in relation to the social network it is embedded in—but I think even she would pause at how to calculate the cost when it is the social network itself that is the direct target. To be sure, the disinformation cost millions to implement. Yet, the defense cost is hard to ascertain and depending on your point of view it could range from astronomical to relatively benign.

I think this also raises some questions about what constitutes a cyber offense. I have been implicitly assuming that using information technology to disseminate false information counts as an attack. The article itself focused purely on software integrity, however. Do you think that constitutes a cyber attack? If so, what are other novel ways that cyber can impact society writ large—beyond the focus of disrupting software systems. — Kabbas

3 thoughts on “The Offense-Defense Balance of Cyber

  1. It is indeed true that the cost of offensive cyber operations is often higher than perceived. However, they are by no means prohibitively expensive, and in most cases can be carried out at a price less than the expected value of the results of the operation. The advantage, in terms of both cost-efficiency and ease of use, still lies with the offensive side.

    Part of the reason for this is that the targets of modern cyber operations have shifted from the computer systems themselves to the people operating them. What would be considered a ‘high value target’ in the online world, such as a company that stores a large amount of personal information, is likely to be well guarded against classic network-based intrusions since current defensive best practices have nearly two decades’ worth of experience fending off intruders to draw on. However, most organisations gloss over educating their employees on internet security, which is the reason why most large data breaches today are the result of phishing attacks that target the people with access to secure systems instead. It takes minimal effort to draft a phishing email, and even less to send it to a large number of potential victims. Such techniques are widely employed today by both unaffiliated and state-sponsored groups, an example being the attack on Sony Pictures by North Korea.

    Adding to the problem is the fact that computer code is almost never a “use-and-lose” weapon. While it is true that software companies release fixes for vulnerabilities very rapidly after one is discovered, its adoption by consumers takes far longer. For example, take the fact that until 2016, the UK’s 4 nuclear submarines ran on Windows XP, which, incidentally, stopped receiving software updates from Microsoft in 2014. Updating a personal computer may seem like a simple click-and-forget operation, but when it comes to large-scale computer systems in which a few seconds of downtime could be devastating, the adoption of new security patches is often delayed, leaving attackers a larger time window in which to compromise a system.

    Even in cases where network-based offensive tools are developed at great cost, the value of the results could far outweigh the price. In 2017, a group called the “Shadow Brokers” released a suite of offensive tools developed by the NSA for exploiting vulnerabilities in Windows systems. Some of the tools had been developed as far back as 2008, and had not yet been discovered by the vendors of the software. Thus, for an undoubtedly large financial investment, the NSA gained unfettered, undetected access to any system running Windows Server 2008 for almost a decade, which would almost certainly have been worth the cost.

    The current state of the offence-defence balance has not been lost on major companies. Living up to the saying “the best defence is a strong offence” in a roundabout way, almost all major organisations employ “penetration testers”, whose job is to attack the company’s own network to discover flaws that an otherwise hostile entity may exploit. Software vendors also offer “bug bounties”, which involve providing monetary incentives and recognition for unearthing flaws in their products. Despite the absence of an impenetrable defence, the advantage held by the offensive side is somewhat mitigated by these efforts to bring potential attackers into the fold.

  2. The problem that resonated with me was the problem of defining an attack, or more generally, offensive actions in cyberspace. What makes a cyber action offensive or defensive? The article does a great job of taking about states and larger more orchestrated actions but I would like to ask a couple questions about if that holds up for all cases.

    There is one story ( of a security expert who unilaterally found a vulnerability in in-flight entertainment systems and was able to gain control of a plane momentarily from his seat. This was done in the name of exposing a critical flaw in connecting inflight entertainment and the flight control systems (like really who made this?) and thus I would argue a defensive action through unilateral offensive experimentation. A warrant was issued as this is unsolicited testing of their system. Does this seem like the right policy even if the researcher had good intentions? what policy should there be for companies that actively neglect to make their systems secure?

    How can we assist policy that allows honey-potting or the widely-accepted practice of designing a hardened system made to look vulnerable in order to observe attackers and attacker behavior? This is an offensive technique as it usually begins with sending out “feelers” or messages on forums for vulnerable websites (thus legally an invitation?) to draw attention to the honey pot. This quasi-invitation under false pretenses is legally ambiguous but widely practiced and critical to counter-research and reverse engineering of exploits. What truly characterizes an offensive action in cybersecurity or defensive action? How can we use these definitions (or exceptions) to aid policy?

  3. Kabbas, I enjoyed reading your blog post. Some aspect that I found interesting about what might constitute a cyberattack is the assumption that a cyberattack cannot be totally destructive or apocalyptical. In this course, we have discussed things like nuclear weapons and biological weapons as having possible apocalyptic effects where if one attack were so devastating, it would cripple the enemy to the point of no response. My question now becomes when we are analyzing the offense defense balance as we have in Slayton’s piece, are we making the false assumption that a total cyberattack could not completely destroy one side? As the DeNardis reading states, ‘An attack on the Internet is no longer merely about disrupting communication systems connecting people, but about disrupting real world, material infrastructure necessary for basic societal functioning.” I do not know much about cyber attacks but is there a possibility of a virus destroying our cyber infrastructure? Perhaps if we analyzed this threat with the belief that the stakes are higher, we might change our strategies going forward in the field of cyberwarfare.

    Slayton argues that the switch “from defensive to offensive operations, however, should reduce the need to focus on offensive operations and create a space for investing in defense.” In cyberwarfare, can having a good offense be a good defense itself? I look forward to continuing this discussion in precept. –Paul

Leave a Reply