Today’s prevailing wisdom, both inside and outside the Department of Defense, is that offense dominates in the cyber domain.1 Determining the balance between offense and defense arises with the emergence of every new military technology. Driving the current belief in cyber’s offensive dominance is the idea that digital weapons—which rely primarily on manpower—are cheap to create, while society’s overall dependence on the Internet creates a plethora of vulnerabilities for intrusion, exploitation, and attack.2 The primary benefit to the offense in the cyber domain is the lack of physicality. Cyber, unlike the other domains, is a hybrid of the logical and the physical, which means that intrusions, attacks, and defense occur at the “speed of light.”3 Yet cyber’s greatest offensive advantage is the same factor that limits its overall effectiveness as a weapon, namely, the logical-physical divide. Bridging this steep divide is required if digital operations are to significantly impact the physical world.
When compared to traditional arms manufacturing, the creation of most cyber weapons is not only cheap, but also easy to hide. Computers, Internet access, and manpower with the right education and skills are all one needs to begin hacking computers. This is likely the reason why even Kim Jong-Un, the leader of reclusive North Korea, calls cyber warfare a “magic weapon.”4 Cyber attacks will only increase as more computers connect to the Internet and more people gain the skills to hack them.
Misperceptions about cyber warfare are fueled by a cognitive bias with regard to cyber intrusions and attacks. On any given day there are millions of attempted malicious operations within the cyber domain; any approximation for all attacks will likely be underestimated, considering the billions of people connected to the Internet and the automated way the simplest of malware searches for and attacks targets. Many of these attempts are blocked before they even can gain access to a system. Even if on a percentage basis the number of effective attacks is small, news reports of these attacks garner media attention, increasing the perception that successful cyber attacks are easy.
Cyber attacks are hard for the same reason any attack is difficult—there are many steps involved in skirting the defenses of the adversary. For military operations in urban terrain, the Marine Corps uses a template for successful attacks: reconnoiter the objective, isolate the objective, gain a foothold, and secure the objective.5 Successful cyber attacks require the same process. Hackers must first conduct reconnaissance on a target, isolate that target from potential cyber defensive support, gain the foothold in the system, and finally exploit that foothold to obtain the objective. Smart defenders can, and often do, spoil attacks on networks by interrupting this process at any of the four steps.6 This process will become even more difficult as cyber defenses are strengthened. Material losses from hacks have brought visibility from top-level corporate executives, prompting cyber defenders to strengthen their shielding structures even more and build network architectures with redundancy in mind—a principle every good communications officer in the military has implemented for years.
Offensive cyber weapons also face the dual problems of “perishability” and obsolescence. Perishability is when a cyber weapon is no longer effective after it has been used. Obsolescence refers to a cyber weapon becoming ineffective because of time. The vulnerability in a system that is exploited when an attacker uses a cyber weapon immediately becomes well known to system administrators and those who developed the original code. Patches are written and, when installed, close the gap that the attack originally used. A cyber weapon is perishable because it is impossible to reuse as long as the system is updated.
Obsolescence occurs by the same process except that the vulnerability is discovered and fixed before an attacker uses the cyber weapon. Unlike weaponry in the physical world, the development of cyber weapons and countermeasures happens at an incredibly rapid pace, meaning that attackers in cyberspace must constantly update their arsenals to have any hope of conducting a successful attack. Since it is difficult for an attacker to know if a developed weapon has become obsolete, it is extraordinarily difficult to plan a truly effective cyber attack. Though these same factors affect the defender, who must constantly update systems and fix gaps in the defense, the burden of action rests on the shoulders of attackers.
Minimal vulnerability also makes cyber weapons more defensive in nature. Missiles in hardened silos and ships in harbors are relatively well defended, reducing the incentive to strike first because each side can reasonably expect to use its weapons and defend itself successfully. Cyber criminals and nation-states can effectively hide and protect their cyber arsenals from other actors because of the complex nature of cyber geography and good encryption. With cyber weapons moored safely in their cyber harbors, nation-states have little advantage in striking first against an opponent.7 At first glance, the effects of obsolescence would seem to undermine this stability in the cyber world because a weapon has a “use it or lose it” advantage. Not all cyber weapons, however, are created equal. The logical-physical divide between the cyber domain and all the other domains separates low-level from high-level cyber weapons. Only complex, higher-order cyber weaponry can meaningfully bridge this divide, making it less susceptible than low-level weapons to obsolescence.
Bridging the Cyber Divide
Design, planning, and implementation of effective cyber attacks must take into account the three basic elements of cyber security: confidentiality, integrity, and availability.8 Confidentiality assures that only the appropriate owner can operate the system and that messages sent to and from that system can only be read by the intended recipient. Integrity refers to the completeness and accuracy of the data the system uses for its various functions. Availability means an authorized user can use a system as anticipated. A cyber attack is an action that compromises any of these three legs of the security triad. Only attacks on the integrity of systems, however, are capable of bridging the logical-physical divide in any meaningful way.
Attacks on confidentiality, commonly referred to as computer network exploitation (CNE) in the Department of Defense, are effectively a form of espionage. Breaches of confidentiality are actually intrusions rather than attacks, because they do not cause any damage per se. CNE is typically used to gather intelligence on computer systems, as well as for any of the myriad other purposes for which criminals and nation-states want information. Intrusions into a system can serve a dual purpose: they not only enable information extraction, but they can also provide a way to plant malicious code within a system or corrupt its data without the owner knowing. According to some cyber experts, this highlights the offensive nature of all malicious cyber actions.9 Just because intrusions are necessary to further attack computer systems, however, does not mean that CNE tips the offensive-defensive balance in favor of the offense.
Espionage networks historically have had the same dual capability: gathering intelligence and providing a network for potential covert, malicious action. Espionage networks in themselves, however, do not change the offensive-defensive balance because, outside of the intelligence gathered, it would be difficult to obtain a strategic advantage large enough to prompt a nation to strike first and initiate a war. Intelligence gathering may even promote stability between nations by reducing the amount of private information held by each side, creating a defensively favored relationship.10
Another option for a cyber attacker is to deny authorized users the availability of their systems. The most common technique is the distributed denial-of-service (DDoS) attack, in which hackers shut down computers or websites by overloading a system’s capacity with digital traffic. Availability attacks are commonly used by non-state actors but are also used by nation-states, such as when the “Guardians of Peace,” later unveiled as North Korea, took down the website of Sony Pictures Entertainment in December 2014.11 These attacks garner a lot of attention but ultimately amount to nothing more than a cyber prank. Losses did occur, and effort was expended to correct the problem. From a strategic perspective, however, these attacks hardly affect the offensive-defensive balance. As network architects design systems with inherent resiliency, the actual usefulness of such cyber pranks will diminish. Only with a massive, concerted effort to simultaneously bring down multiple systems could an availability attack have significant impact.
Attacks against the integrity of computer systems aimed at translating digital information into real-world effects hold the greatest promise for cyber attackers. To date, the most effective known cyber attacks were the ones against Iran’s nuclear program using the malicious computer worm Stuxnet. Stuxnet offers an excellent example of an integrity attack, where the software of the programmable-logic controllers was altered to change the rate of spin in centrifuges used to enrich uranium.12 The Stuxnet attack was effective because it focused on the interface between the logical and the physical—by corrupting the data that directly controlled how fast the centrifuges spun, the attack destroyed the equipment necessary to produce weapons-grade uranium.13 Another example is the now-famous Aurora exercise, where the Department of Homeland Security destroyed an electric generator by inputting data that closed a breaker with the grid out of phase, thereby placing a catastrophic amount of torque on the generator.14
Cyber attacks targeting the integrity of systems are the most potent, but they are also the most difficult to execute successfully. An effective attack requires not only unauthorized entrance into the system, but also purpose-built malware that merges detailed knowledge of the target with excellent programming designed to exploit flaws in physical systems. The significant increase in expert manpower and time needed to create these weapons, as well as the increased security needed to prevent their disclosure, significantly increases their cost. Even if an adversary overcomes these difficulties to develop a potentially effective weapon, execution of the plan must be flawless. The increased intricacy makes the overall attack more fragile: even the slightest hint that something is awry could derail the whole operation. Proponents of offensive dominance in the realm of cyber argue that offensive weaponry is far cheaper than defensive measures. The truth is that meaningful offensive weapons incur high costs, while the defender can easily and cost-effectively protect through good information practices, design, and the safeguarding of the critical logical-physical interface.
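The following is an added example, not code from the article or from any system it describes, of what “safeguarding the logical-physical interface” can look like in practice. It models a small gate that sits between a planning host and a hypothetical rotor controller and refuses setpoint commands that fail an integrity check (an HMAC over the command), a replay check (a monotonically increasing sequence number), or a physical plausibility check (safe range and maximum step per command). The shared key, the RPM limits, and the sample commands are all constructed for the illustration; the names `SetpointGate`, `sign_command`, and `run_demo` are assumptions, not part of the article.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only (not from the article).
GATE_KEY = b"example-shared-key-not-for-production"

# Constructed physical limits for a hypothetical rotor; real values come
# from the equipment's engineering envelope, not from this example.
SAFE_MIN_RPM = 0
SAFE_MAX_RPM = 1000
MAX_STEP_RPM = 50  # largest change any single command may request


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(payload: dict, key: bytes = GATE_KEY) -> dict:
    """Planning-side helper: attach an HMAC-SHA256 tag to a setpoint command."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class SetpointGate:
    """Gate placed as close to the actuator as possible.

    Order of checks: integrity, replay, then physical plausibility. State
    (current RPM, last sequence number) advances only for accepted commands.
    """

    def __init__(self, current_rpm: float, key: bytes = GATE_KEY):
        self.current_rpm = current_rpm
        self.key = key
        self.last_seq = 0

    def check(self, message: dict) -> tuple:
        payload = message.get("payload")
        tag = message.get("tag", "")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return (False, "malformed")

        # Integrity: a payload altered after signing no longer matches its tag.
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return (False, "integrity: bad tag")

        # Replay: an old but genuinely signed command must not be accepted twice.
        seq = payload.get("seq")
        if not isinstance(seq, int) or isinstance(seq, bool) or seq <= self.last_seq:
            return (False, "replay: stale sequence")

        # Plausibility: even an authentic command must stay inside the
        # physical envelope and change the setpoint gradually.
        rpm = payload.get("rpm")
        if not isinstance(rpm, (int, float)) or isinstance(rpm, bool):
            return (False, "malformed")
        if not SAFE_MIN_RPM <= rpm <= SAFE_MAX_RPM:
            return (False, "plausibility: out of range")
        if abs(rpm - self.current_rpm) > MAX_STEP_RPM:
            return (False, "plausibility: step too large")

        self.last_seq = seq
        self.current_rpm = rpm
        return (True, "accepted")


def run_demo() -> list:
    """Feed constructed commands through the gate and return the verdicts."""
    gate = SetpointGate(current_rpm=500)

    good = sign_command({"seq": 1, "rpm": 540})            # small, signed step
    tampered = sign_command({"seq": 2, "rpm": 540})
    tampered["payload"]["rpm"] = 1400                       # altered after signing
    signed_out_of_range = sign_command({"seq": 3, "rpm": 1400})
    signed_big_step = sign_command({"seq": 4, "rpm": 900})  # authentic, but 360 RPM jump
    replayed = good                                         # seq 1 presented again

    return [gate.check(m)[1] for m in
            (good, tampered, signed_out_of_range, signed_big_step, replayed)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The design point is that the three checks catch different failures: the tag catches data corrupted in transit, the sequence number catches a captured-and-resent command, and the plausibility limits bound what even a correctly signed command from a compromised planning host can do. A gate on the command path does not by itself protect controller logic that has been rewritten on the device, so the plausibility limits belong as close to the physical equipment as the architecture allows.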
Only the most sophisticated cyber attacks—requiring significant investments of manpower, expertise, time, money, and coordination—can bridge the logical-physical divide between the cyber domain and other domains to create strategic, real-world effects. Even simple cyber attacks must incorporate multiple stages allowing the defender opportunities to break the offensive momentum. This is not to say that low-level attacks cannot have impacts—they can, and do, inflict damage and cost on the victim—but those impacts do not cross the threshold required to tip the balance in favor of the offense. Understanding that the challenge of defending against high-level attacks pales in comparison to the difficulty of conducting them establishes that cyber is actually defensively oriented.
Cyber presents a whole new arena for interactions between nation-states. Current U.S. policy purposely has avoided opening the Pandora’s Box of escalation and retaliation in the cyber domain, despite calls by some to “come back at them.”15 To take full advantage of our nation’s substantial defensive and offensive cyber capabilities, planners must account for the proper strategic balance between the two. Abandoning the “cult of the offensive” in cyber is the first step toward achieving effective cyber operations, prudent policy, and real security.
1. Henry Farrell, “The Difference Between Offense and Defense in Cybersecurity,” Washington Monthly, 5 July 2013, www.washingtonmonthly.com/ten-miles-square/2013/07/the_difference_between_offense045666.php. Jan Van Tol, Mark Gunzinger, Andrew Krepinevich, and Jim Thomas, “Air Sea Battle: A Point of Departure Operational Concept,” Center for Strategic and Budgetary Assessments, 18 March 2010, http://csbaonline.org/publications/2010/05/airsea-battle-concept. William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” 28 March 2016, http://archive.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx.
2. Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs: Offense, Defense and Deception in Cyberspace,” Security Studies, vol. 24, no. 2 (June 2015), 316–17.
3. Gregory Rattray and Jason Healey, “Categorizing and Understanding Offensive Capabilities and Their Use,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (Washington DC: National Academies Press, 2010), 78–79, www.nap.edu/read/12997/chapter/8#79.
4. Flora Drury, “North Korea’s ‘Ruthless Magic Weapon’: The Cyber Warrior Factory ‘Behind Sony Attack,’ Which Handpicks Genius Children to Target Enemies of Kim Jong-Un,” The Daily Mail, 18 December 2014, www.dailymail.co.uk/news/article-2877589/North-Korea-s-Bureau-21-cyber-warriors-trained-secretive-hacking-unit.html.
5. Marine Corps Reference Publication 3-11.1A, Commander’s Tactical Handbook (Quantico, VA: Marine Corps Combat Development Command, 1998), 33.
6. P. W. Singer and Allan Friedman, “Cult of the Cyber Offensive,” Foreign Policy, 15 January 2014, http://foreignpolicy.com/2014/01/15/cult-of-the-cyber-offensive.
7. Andy Beckett, “The Dark Side of the Internet,” The Guardian, 25 November 2009, www.theguardian.com/technology/2009/nov/26/dark-side-internet-freenet.
8. P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: Oxford University Press, 2014), 35–36.
9. Bruce Schneier, “There’s No Real Difference Between Online Espionage and Online Attack,” The Atlantic, 6 March 2014, www.theatlantic.com/technology/archive/2014/03/theres-no-real-difference-between-online-espionage-and-online-attack/284233.
10. Michael Kapp, “Spying for Peace: Explaining the Absence of Formal Regulation of Peacetime Espionage,” master’s thesis, University of Chicago, June 2007, 10–13, 17. Russell Buchan, “Cyber Espionage and International Law,” in Research Handbook on International Law and Cyberspace, ed. Nicholas Tsagourias and Russell Buchan (Northampton, MA: Edward Elgar Publishing, 2015), 174–75.
11. Andrea Peterson, “The Sony Pictures Hack, Explained,” The Washington Post, 18 December 2014. “Update on Sony Investigation,” Federal Bureau of Investigation press release, 19 December 2014, www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
12. William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, 15 January 2011.
13. David E. Sanger, “Obama Order Sped up Wave of Cyberattacks Against Iran,” The New York Times, 1 June 2012.
14. Jeanne Meserve, “Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid,” CNN, 26 September 2007, www.cnn.com/2007/US/09/26/power.at.risk/index.html?iref=tonews. Joe Weiss, “Misconceptions About Aurora: Why Isn’t More Being Done,” Infosec Island, 13 April 2012, www.infosecisland.com/blogview/20925-Misconceptions-about-Aurora-Why-Isnt-More-Being-Done.html.
15. William Petroski, “Kasich Talks Tough on Cybersecurity at Iowa Forum,” The Des Moines Register, 26 September 2015.