The Offense-Defense Balance of Cyber

Cyber has typically been seen as having a very lopsided offense-defense balance, with offense coming out on top. This is partly a function of probability: defense must account for all possible avenues of attack, but offense has to find only a single route to a vulnerability. Rebecca Slayton addresses the offense-defense balance in cyber by conceptualizing it in terms of utility, a shared feature of different modes of offense-defense balancing.

Several key insights drive her analysis. The cost of cyber operations depends not on the features of the technology alone, but also on the skills and competence of the actors and organizations that create, use, and modify information technology. For example, the ‘ease of use’ or ‘versatility’ of information technology seems to favor offense, but that property arises from interactions between technology and skilled actors. The operation itself might be quick, but the construction and deployment of cyber weapons is a slow, laborious process.

Overall this implies that the utility of cyber operations differs in some serious ways. For example, a tight coupling of individual skills and information technology makes the economics of producing cyberweapons different than those of conventional physical weapons. The skills of the programmer have a huge effect on the efficacy and construction of the weapon. Software is continuously modified, and code takes the shape of a ‘use and lose’ weapon: once identified, it becomes obsolete. Thus, continued investment and skill are needed to develop the weapons. The cost of the programmer is not accounted for in offense-defense balance analysis. The competency of managers is also important; defense failures often have to do with personnel failures or out-of-date software. The success of offense is due to poorly managed defense. Attacks also need expensive infrastructure to be put into place. The actual attack itself might be cheap, but the research and implementation of infrastructure is not. The complexity of the defense target, which increases defense costs, also increases the cost to the offense of understanding the complex system. Achieving physical effects through cyber is hard to accomplish as well. Attacking industrial control systems at a strategic point in time requires persistent communication, something hard to accomplish in such a system when deploying the cyber weapon.

A look at Stuxnet shows the high cost of attacking, much more so than that of the actual defense; however, the goal was considered significant enough not to quibble over the cost. The actual effect was negligible, delaying the Iran nuclear program by 3 months rather than years, whereas the cost to the US was relatively high.

I think this article raises some very interesting points about the perceived cost of offense. Often we conceive of cyber as being ‘cheap’ warfare because of the ease with which code is copied – but the constant updating and the initial conceiving of it have huge talent costs. I wouldn’t discount the high offense value of cyber necessarily though. Consider the recent situation with cyberwarfare and the 2016 US election. There was an interesting strategy taken of not directly affecting physical domains (like ICS)—instead, the focus was more so on disinformation and social media. Slayton herself acknowledges that the value of a defense target is variable in relation to the social network it is embedded in—but I think even she would pause at how to calculate the cost when it is the social network itself that is the direct target. To be sure, the disinformation cost millions to implement. Yet, the defense cost is hard to ascertain, and depending on your point of view, it could range from astronomical to relatively benign.

I think this also raises some questions about what constitutes a cyber offense. I have been implicitly assuming that using information technology to disseminate false information counts as an attack. The article itself focused purely on software integrity, however. Do you think that constitutes a cyber attack? If so, what are other novel ways that cyber can impact society writ large—beyond the focus of disrupting software systems? — Kabbas