PerspectiveWhy Cyber Operations Do Not Always Favor the Offense
Among policymakers and analysts, the assumption that cyberspace favors the offense is widespread. Those who share this assumption have been urging the U.S. government to prioritize offensive cyber operations. Rebecca Slayton writes that the belief in offense dominance is understandable – but mistaken: A focus on offense “increases international tensions and states’ readiness to launch a counter-offensive after a cyberattack, and it often heightens cyber vulnerabilities,” she writes.
Among policymakers and analysts, the assumption that cyberspace favors the offense is widespread. Those who share this assumption have been urging the U.S. government to prioritize offensive cyber operations. In a policy brief for Harvard University’s Belfer Center – a brief based on her International Security article — Rebecca Slayton writes that the belief in offense dominance is understandable: breaches of information systems are common, ranging from everyday identity theft to well-publicized hacks on the Democratic National Committee.
“A focus on offense, however, increases international tensions and states’ readiness to launch a counter-offensive after a cyberattack, and it often heightens cyber vulnerabilities,” she writes. “Meanwhile, belief in cyber offense dominance is not based on a clear conception or empirical measurement of the offense-defense balance.”
Her main arguments in questioning the advisability of adopting offensive cyber operations:
· Creating unnecessary vulnerabilities. Making offensive cyber operations a national priority can increase instabilities in international relations and worsen national vulnerabilities to attack. But because the skills needed for offense and defense are similar, military offensive readiness can be maintained by focusing on defensive operations that make the world safer, rather than on offensive operations.
· Managing complexity. The ease of both offense and defense increases as organizational skills and capability in managing complex technology improve; it declines as the complexity of cyber operations rises. What appears to be offensive advantage is primarily a result of the offense’s relatively simple goals and the defense’s poor management.
· Assessing kinetic effects. It is often more expensive for the offense to achieve kinetic effects—for instance, sabotaging machinery—than for the defense to prevent them. An empirical analysis of the Stuxnet cyberattacks on Iran’s nuclear enrichment facilities shows that Stuxnet likely cost the offense more than the defense and was relatively ineffective.
