In cybersecurity, the difference between offense and defense is at once extremely straightforward and incredibly difficult to pin down. It is straightforward because defending your own networks and data and attacking someone else’s look completely different: the former involves implementing security controls and detection systems within the confines of your own computer systems, while the latter involves exploiting vulnerabilities in someone else’s systems. So it really should not be difficult to designate any particular activity in cyberspace by an individual country as offense or defense—except that, increasingly, countries seem to view the best cyber defense as, well, offense.
In 2018, the United States Cyber Command announced a new cyberspace strategy grounded in the ideas of persistent engagement with adversaries and defending forward so that defensive interventions occurred “as close as possible to the origin of adversary activity.” The crux of the strategy was essentially to broaden the boundaries of defense so that it would include cyber activities that occurred outside the borders of the networks being defended to encompass activities targeting adversary networks. In other words, offensive cyber activity was rebranded as “forward defense.”
I wrote at the time about my skepticism around relying on offensive cyber capabilities as a defensive strategy, but there were certainly points to recommend this strategy, especially the sense that a defensive strategy focused on hardening networks and computer systems against attacks simply was not working very well. Three years later, though, it is a little hard to tell whether ramping up offensive cyber activity has contributed to a stronger cybersecurity posture for the United States—or, indeed, even how much that offensive cyber activity has been ramped up under the new strategy.
Part of what makes it difficult to assess the effectiveness of offensive cyber activity as a means of defense is that many of these offensive operations may be carried out in secret. So in addition to a few specific operations reported in the media—including a 2019 attack on the Russian Internet Research Agency and two other attacks, also in 2019, directed at Iran—it is possible that there are many examples of persistent engagement in cyberspace that the public simply isn’t privy to. For example, when the Russian REvil ransomware gang went offline earlier this year, following several high-profile ransomware attacks on U.S. targets including Colonial Pipeline and JBS, it was very unclear whether that was the work of the United States government or not.
I don’t think that taking the servers used to perpetrate ransomware attacks offline is necessarily a bad idea. If that is what happened in this case (and again, no one seems to be sure), it does seem like there would be a benefit to making clear that is why the servers went down in order to send a clear signal to other cybercriminals. But just because it may be warranted and useful, it does not mean that this type of offensive cyber activity is defense, in the sense that it makes computer systems any safer. Taking out the computer that has attacked you is not defense its retribution, and that’s an important distinction to keep clear if only because it highlights the need to do a very different kind of work to actually defend infrastructure from ransomware.
More generally, I am wary of blurring the lines between offense and defense—and particularly the language we use to describe each. That’s partly because I think there are significant differences between interfering with your own networks and messing around in someone else’s, but mainly because I worry that relying on offense as a country’s main source of defense can lead to countries neglecting the less exciting but equally (if not more) important work of trying to build out more secure infrastructure and computer networks.
It is possible to point to a series of severe cyberattacks in the United States over the course of the past few years (SolarWinds, Colonial Pipeline, JBS, to name just a few) and argue that their severity suggests persistent engagement has not worked and offensive cyber activity is not an effective defensive strategy in cyberspace. It is equally possible to invoke the relative security of the 2020 election and other unknown, secret offensive cyber operations as evidence that this strategy has been a great success for the United States. Given how little is known publicly about the extent of these operations and how little it is possible to know about what the landscape of threats and cyberattacks would have looked like under a different strategy, I’m not convinced it is possible to draw any very strong conclusions one way or the other.
What does seem clear from the past few years is that offensive cyber activities do not—and will not—suffice to defend computer networks absent the more traditional, inner-looking work of defense. There may well be value in both offensive and defensive cybersecurity efforts, but there is also value in keeping them distinct in order to clarify that the rules, standards, and norms for each are quite different and, most importantly, that offense cannot and should not be viewed as a substitute for a strong defense.
Josephine Wolff is an Associate Professor of Cybersecurity Policy, The Fletcher School at Tufts University.