There is a simple conjecture that is quite common in all aspects of society: “the best defense is a good offense.” Because of its simplicity and the general failure to evaluate claims with evidence, this idea persists and leads to the belief that action can trump protection in cyber security. The complexity of computers can give the impression that little is known about their functions, leading to the formation of an idea that became conventional wisdom: attack first, sort out the details later.
Yet, there is no evidence that the offense is the best course of action in cyber security. The concept of the offense/defense balance (hereafter O/D balance) has long been studied in International Relations. The basic premise is that “when defense has the advantage over offense major war can be avoided.” This simple conjecture has created a field of research that seeks to unlock the mysteries behind war and peace by focusing on the nature of operations and attack profiles.
Seemingly unknown to most cyber security scholars, the literature became confused over how to measure the balance between the offense and defense and even over its central variables. The recent passing of Robert Jervis highlights the power and breadth of his work. While Jervis’ work kicked off the modern era of research of the O/D balance, he also highlighted the need for a distinction between offensive and defensive operations.
Moreover, even if we accepted the doubtful claim of an offensive advantage as empirically accurate and measurable, this idea nonetheless fails to clearly motivate action. States assuming an offensive advantage might be deluded in their perspective, as happened during World War I. Alternatively, a state might go on the offense anyway, due to the drive of other motivating reasons, such as the importance of a territorial claim or the need to signal discontent.
Challenging the idea of an Offense/Defensive Balance in Cyberspace
There are three core problems with the O/D balance: the indistinguishable nature of the variables; the failure to examine how perceptions impact a sense of balance; and the difficulty of measurement.
The key challenge for discussions of the offense or defense in cyberspace is that it is near impossible to distinguish between the two frames. The fluidness of the concept of offense or defense makes the terms virtually useless for research. Moves that are said to be defensive involve forward maneuvers that can seem offensive in nature, a common confusion with the U.S. strategy of “defend forward.” While cyber mission forces can go on the attack, they also can be posted as defensive operators seeking to stop attacks before they happen. The active and adaptive nature of modern technology makes the distinction between offense and defense entirely empty.
A key foundation of the O/D balance is the idea that each side will correctly perceive either the offense or defense as having the advantage, determining the probability for war. Yet, as critics have pointed out, “it is inherently difficult to assess the impact of weapons technologies, particularly when they have not been employed in war.” Perceptions of cyber power and an emphasis on offensive dominance are in the eye of the beholder, with many doubting the offensive power of the United States or the defensive capability of the North Koreans in an isolated network. In a domain that operates mostly without empirical evidence, anyone can perceive whatever they choose, often based on fictions.
It is impossible to measure the success or failure of the theory of O/D balance in cyberspace given the conditions laid out by the proponents of the theory. Absent measurement, scholars and policymakers are making predictions that can never be falsified. In short, we can never know if one is wrong or right. Glaser and Kaufmann counter the idea that the theory cannot be measured “as simply incorrect.” They offer a reformation of O/D balance as the ratio of costs for the attacker versus the costs to defend territory. This premise is inoperable in cyber security for the simple reason that there is no territory to take.
The challenge of distinction then returns: how would one measure the costs to defend versus the costs to attack? While it might be simple in the abstract, would one classify US Cyber Command (USCYBERCOM) as offensive and the Department of Homeland Security (DHS) as defensive? Such simple distinctions betray the fluidity of computer network operations and the pace at which bureaucratic organizations operate and share talent. Glaser and Kaufmann dismiss these challenges, suggesting that “ballpark estimates of the balance may be sufficient.” Yet, “ballpark” estimates encourage the classification of success and dismissal of failure absent more precise metrics.
Ending Dangerous Conjectures
The failure of the O/D balance literature is critical because a misguided focus on the balance between offensive and defensive operations clouds understandings of cyber strategy. It also forces practitioners towards leveraging language that does not describe the nature of cyber operations. It is near impossible to distinguish cyber actions between offense and defense and even more difficult to measure the effectiveness of said actions. The mental gymnastics required to argue that leaders can accurately measure the O/D balance in cyberspace rapidly become impractical.
The belief in the utility of aggression is dangerous and likely a reaction to the threat inflation pervasive in the discourse. The pathology of offensive advantage and of defenders under siege is reinforced by the discourse in the media and social media about a constant barrage of cyber-attacks. This pathology will lead to strategic malaise and constant attacks, as defenders fail to shore up vulnerabilities.
Conflict is a continuum. As states build towards conflict, little actions taken can add up and interact with big factors such as territoriality to produce warfare. From this perspective, the distinction between “offensive” and “defensive” actions has little value.
The premise of O/D balance theory provides poor policy advice, sometimes leading policymakers to propose offensive operations when these operations might be unsuited for the domain, or worse, ineffective. The focus on this theory is troubling because it minimizes the defense due to the fear of the ‘magic’ of emergent technology. Some might argue that we have failed in the defense for cyber operations, with the SolarWinds operation being a classic example. However, the reality is that states have rarely tried to do defense correctly due to bureaucratic issues, money, lack of knowledge, or because of the pull of the offense.
The misapplied and dangerous conjecture that the best defense is a good offense must end. The best defense is a real defense. Measuring success or failure in the domain is a critical task to avoid the sorts of “ballpark” empirical estimates that dominate the field. Trying to sort out just what is offensive and what is defensive distracts the policymaker and the strategic planner from developing options to protect the national security of the state and ward off the most common abuses in cyberspace.
Brandon Valeriano is a Senior Fellow at the Cato Institute.