Thoughts on Cult of the Cyber Offensive

Cult of the Cyber Offensive: Misperceptions of the Cyber Offense/Defense Balance by Charles Smythe

See pdf above for the article. My notes are the comments on the pdf. Below I will pull out sections and put my notes so they have context.

A growing consensus among U.S. military leadership and policy makers is that offensive strategies have an advantage over defensive strategies in cyberspace. However, this consensus is based on a series of misperceptions. The first misperception is the inflation of cyber threats. The second is the misperception that both disruption and espionage strategies are the same as degradation strategies (deterioration in the operability of information systems). These misperceptions confuse the reality that the cost/benefit calculation of skills and expertise required in degradation operations favors the defense, not the offense.

Having just started reading, I would initially agree. The offense has the benefit of variety, rapidity, harmony (hopefully) and initiative while the defense has been reactive and of the defend everywhere/everything mentality that other domains realize is flawed.

In 2012, Defense Secretary Leon Panetta warned that the United States faced the threat of suffering a “cyber-Pearl Harbor,” the effects of which could range from train derailments to power grids being shut down.[5] While Panetta is correct in acknowledging vulnerabilities within infrastructure information systems that could be exploited, his comments echo a growing trend of inflating cyber threats beyond necessity and are problematic in several ways. First, the effects of degradation operations seek to mimic those of real-world effects. For example, a degradation operation targeting the U.S. electrical grid would produce similar effects to that of the 2003 blackout, which impacted a great portion of the northeastern U.S. and Canada. Despite nearly 50 million Americans being affected, power was restored within two days and no outage-related deaths occurred during this period.[6] Additionally, although power was out, satellite imagery of the affected area shows that most affected areas—primarily large population centers—retained power via backup generators, therefore mitigating the impacts of the loss of power [See Figure 1]. Had this scenario been the result of a degradation operation, it fails to paint the catastrophic picture that Panetta’s Pearl Harbor comparison evokes.

This is assuming the operation would be isolated and not in conjunction with other kinetic or non-kinetic operations. It also assumes the actor would be a capable nation-state or a party that didn’t identify themselves. Imagine the political weight if a terrorist or activist group were to claim responsibility and then claim the ability to repeat the operation.

As a result, the second problem is that Panetta’s warnings present a fallacy in establishing causal links between opportunity and outcome. In arguing that the existence of certain vulnerabilities could lead to a Pearl Harbor-like catastrophe, he is exaggerating the effects of degradation operations and blurring the lines between what is possible versus what is actually feasible.[8] Lastly, overstating cyber threats to this degree contributes to threat inflation. Exaggerating the effectiveness or severity of cyberattacks, even to increase awareness of vulnerabilities, distorts both the threat and the needed response.

I would say this doesn’t mean we shouldn’t stop thinking about it and planning for it. Otherwise we leave ourselves open to a failure of imagination. We didn’t think it was feasible for Japan to sail across the ocean and strike Pearl Harbor with torpedo planes. We also didn’t think it was feasible for a group of terrorists to take down the twin towers using commercial aircraft.
I agree there has to be motive and capability but I caution against disregarding it as it opens ourselves up to surprise and failure of imagination.
There is a point to be made that overstating these threats benefits the enemy and may play into their strategy.

In the case of Panetta’s Pearl Harbor scenario, his exaggeration of the threat and the United States’ vulnerabilities obscures the reality that the only actors with sufficient resources to even possibly shutdown significant portions of the U.S. electrical grid are Russia or China and even then, neither possess the capabilities required to cause the level of physical destruction Panetta fears through cyber means alone.

Is it though? I’m not sure I believe that ONLY Russia and China are capable of causing a blackout on an electrical grid.
Just last month one person was able to connect to a Florida water plant with the same permissions as technicians and support personnel. They only got caught because they did it during business hours and someone noticed the mouse moving on its own. (A rookie mistake)

To understand the real danger of cyber threats, it is necessary to begin with understanding what constitutes an act of force in cyberspace. When assessing what constitutes advantages for the offense in terrestrial warfare, Robert Jervis, the Adlai E. Stevenson Professor of International Politics at Columbia University, states that offensive advantage is determined when it is easier to destroy the enemy and occupy their territory than it is to defend against attack.[10] The inverse is also true when determining defensive advantages. Although the objectives differ between the type of warfare Jervis refers to and warfare in cyberspace, the notion of force underpins offensive strategies.

This seems easy to understand from an attrition warfare point of view but how does maneuver warfare fit into this? Does it fall under offensive advantage because it is based on high tempo and flexible operations to outmaneuver your enemy and cause paralysis in their decision making ability?
Maybe this lends itself to another discussion of “Is the defense inherently reactive in nature?”
Also, Boyd would have a fit that they think the options are either destroy enemy and occupy territory or defend against attack. Very old school, attrition warfare way of looking at it. Physical only, no moral or mental.

Determining an advantage between the offense and defense is measured by the relative ease with which force either destroys or can be defended against.

Again, see above. This is WW1 era strategic thinking.

Thomas Rid, Professor of Strategic Studies at Johns Hopkins University’s School of Advanced International Studies, lists three criteria[12] which he asserts constitute the essence of warfare and claims that no existing offensive cyber capability meets all three criteria.

I wish they would have listed the criteria in the article. They are listed at the bottom in the citations. Action must be violent, instrumental, and political. Why does action need to be violent to be considered warfare? How do they define violent? Does threat of violence count? One bullet? One casualty? What does instrumental mean? If an action achieves its political objective is it not also instrumental? If an action fails to achieve its objectives wouldn’t that make it not instrumental and therefore not warfare?

Going further, Rid states that, to date, only a small number of cyberattacks even meet one of the criteria. The question then is, if offensive strategies and capabilities in cyberspace are incapable of exerting force and do not meet the criteria for warfare in the cyber domain, then how are offensive actions and strategies in cyberspace classified? The answer is complicated.

Wait, since when are they incapable of exerting force? Stuxnet didn’t exert force on Iran? Influence campaigns didn’t exert force on the 2016 election? Russia didn’t exert force on Estonia or Ukraine? North Korea didn’t exert force on Sony and the movie theaters? The US didn’t exert force on those trying to influence the 2018 and 2020 election? (and does that count as offense, defense, or an offensive-defense?)

It is well-documented that most actions and strategies in cyberspace are incapable of generating any type of physical force by which adversaries can be compelled.

Don’t know if I agree with that. I’ll have to go read [14] (“The Myth of Cyberwar”). Do they address the Sony hack and The Interview being prevented from being shown in US theaters or Milosevic?
If they mean actually “physical force” then what about Stuxnet delaying Iran’s nuclear capability?

Nearly all recorded instances of degradation have had correlating espionage activities associated with them.[15] Espionage is required to infiltrate a network to degrade it by exploiting key vulnerabilities within the system. The reason these strategies are often conflated is because the general assumption, as Panetta demonstrates, is that the objectives of all cyber strategies are to degrade.

Is that what Panetta is demonstrating or was he saying it is a possibility? I don’t think he meant that ALL cyber strategies are to cause kinetic effects like that. I absolutely don’t think the objective of all cyber strategies should be to degrade.

The danger in conflating espionage and disruption with degradation is that the conflation generates fear and misperceptions which can result in overreactions and aggression.

This is probably a really good point. It can shape cyber policy and may cause escalation when unwarranted. I.e. US/Russia saying they can/will respond to cyber attacks as kinetic and are open to responding with nuclear weapons. Do we respond to all cyber action with nuclear weapons? No. So where do we draw the line? How do we prove who did it?
Also, is this not useful for warfare when turned on the enemy? This is the moral and mental areas of conflict. Can we cause fear and misperceptions in the enemy resulting in overreactions, mistakes, or paralysis.

The primary objectives of espionage strategies are to infiltrate a network in order to monitor activity and steal or manipulate information.

Does manipulating information not fall under degradation? If the enemy knows you are manipulating information but doesn’t know what or where then they now will distrust their systems and info and that can lead to disruption in their operations and responses.

They are relatively easy as there are countless ways to covertly gain access to a network and steal information with little monetary expense.

There are countless ways to do this but only China and Russia can get into a power grid and cyber is incapable of exerting force? What is the distinction between gaining access to steal information and causing disruption or destruction? (Next lines say disruption is also easy)

Degrading a network is very costly in terms of time, money, and skills and expertise, explaining their infrequent use. Furthermore, degradation operations, contrary to what many believe, rarely result in either short- or long-term effects equal to the costs necessary to carry out an operation of this type.

How is degrading more costly? Degradation was “damaging enemies networks, operations, or physical information systems”. How is that harder than espionage or disruption? I would almost say it is easier than espionage because once you get it you just have to destroy instead of hiding and collecting intel undetected for long periods of time.

For example, Stuxnet, one of the most well-known degradation attacks in recent time, cost the United States an estimated $300 million dollars over a six-year period of research, development, and implementation.[17] Despite becoming the foremost example of a degradation operation’s destructive potential, its success has been largely exaggerated. The Stuxnet virus only succeeded in shutting down 984 Iranian centrifuges, a mere 30% of Iran’s total production capacity, and only setback Iran’s enrichment timetable by one to two years.

How much did WannaCry cost? How much damage did it cause to hospital infrastructure?
Stuxnet was expensive because it was a highly specialized and defended target with large political implications if they were caught so they spent the money to get it right. The cost goes down the more general you get and the less you care about the risk of getting caught.
Also, how much does a missile cost? How much does it cost to train the pilot, certify them, operate the jet, maintain the jet.
We spend tons of money on munitions to blow up tents in the desert.

In addition, the International Atomic Energy Agency believes that Iran was able to supplement the loss of production by overworking its remaining centrifuges, resulting in overall positive enrichment production estimates.

This is an interesting point though. You may be able to relate it to failed bombing campaigns that only ended up strengthening the resolve of the people and cause increased production output.

As this example demonstrates, despite degradation operations being the only type of cyber operation capable of manifesting physical effects, its destructive potential is often overstated.

Again I disagree. Disruption could cause a physical effect, if you get the enemy to act upon false info that could cause an effect, if you get them to distrust their info that could cause them to hesitate at critical moments or slow their tempo which causes physical effects. Even espionage could cause physical effects. What if you sow discord among the ranks and create mistrust. Mistrust brings down organizations. You could paint one of their own as a double agent and cause them to be executed. Is that not physical?
Also, why are they only focusing on physical? There is also the moral and mental aspects of warfare. Did we lose the physical war in Vietnam? We won every physical battle right? We lost the moral/mental war. We lost the battle of the homefront. Could cyber play a role in that in future wars?

The danger in placing espionage and disruption in the same category as degradation is that it generates the perception that conducting operations in cyberspace that have the potential destructive capability of degradation are cheap, easy, and that nearly anyone can do it.

This goes back to them assuming degradation is way more costly (and effective or valuable) than espionage and disruption which they said was easy and cheap and anyone could do it.

Of the 272 recorded cyber operations between opposing states from 2000 to 2016, only 40 (~14%) degraded or sabotaged networks or systems in any significant manner. Each of these 272 operations, were likely to have thousands, if not millions, of individual activities, none of which resulted in a single casualty.

This number is probably affected by how highly (or overly) classified cyber is in relation to other operations.
What do they mean by significant?
Is the aim of war or a country’s policies to cause casualties?

In contrast to the reality of these numbers, seventy percent of Americans fear that the United States will suffer a devastating cyberattack that cripples critical infrastructure or destabilizes financial institutions.[20] The side-by-side comparison of these figures highlights how conflation of strategies has generated a disproportionate amount of fear around the possibility of danger, which in reality is unlikely.

You could say the same thing about terrorism, yet here we are.

While geography has value throughout all the levels of war, Jervis summarizes that anything which serves to increase the distance which an attacker must traverse, or makes the attacker vulnerable while traversing, subsequently increases the advantage for the defense. [22] Increasing time and distance is easily done by developing firewalls, encrypting data, utilizing air-gap networks, etc. However, these are passive defensive measures which usually only serve to delay a persistent attacker.

The attacker is traveling at the speed of light.
You are assuming your defenses will work or that they will notify a person who is paying attention or looking for it and will then take (and is authorized to take) the proper action on it.

The benefit of geography within cyberspace is that it is synthetic. The defender is able to create the “ground” they fight on and can continually shape the “terrain” to their advantage. In the event of an attack, should a part of a network be infiltrated, the affected portion of the network could be contained, even disconnected, all while maintaining the integrity of the data and the network’s function, given proper coordination and planning.[23] The malleable geography of networks and information systems creates an inherent defensive advantage.

This is a really cool idea!
The defender could continuously shape the “ground” they operate on thus preventing the attacker from orienting and adapting to the change then attacking before the ground is changed again.
What if we build networks where IPs and connections constantly change, where we spin up networks on demand and compile and execute code or even operating systems at the time we need them for missions.
This puts variety and rapidity while maintaining harmony and initiative into the hands of the defender!

Adopting an active and integrated defense within cyberspace, where networks and network components can continually be reconfigured and redesigned, significantly increases the cost of resources and time attackers would have to dedicate to find and exploit a breach.

Again, great idea but we have to actually do it. Until then the offensive still has the advantage, no?

The matter of technology is another mechanism that Jervis applies to determine an advantage between the offense and defense.

They are talking about terrain and technology and it reminds me of a Boyd quote:
“Terrain doesn’t fight wars, machines don’t fight wars, people do and they use their minds!”
Does the advantage go to whoever better trains and educates their people?

The development and production of conventional weapons require a distinctive set of skills and expertise than those necessary to deploy them within a battlespace. Conversely, the skills and expertise required for developing and producing cyberweapons are the same used to employ them.

Are they? Are our capability developers qualified to do ops? Are our operators qualified and able to be capability developers?

Paller is correct in noting that skills, more than the capabilities themselves, are what matter when discussing cyberweapons.

I would agree, although Boyd makes the argument that this applies to all domains, not just cyber (as he made his point back in the 80s)

Absent from skills, cyberweapons suffer from impermanence. In other words, most cyberweapons only work once.

How does this mean they only work once?
Also, since when? They work until the vulnerabilities are patched or access is lost. Bombs only work once but you can use the same design over and over. Cyber weapons work until they are discovered AND the vulns patched, then you have to design a new “weapon”. They could even be based on the same type of model (vuln) though.

It is widely accepted that espionage and disruption strategies often employ cheaply conducted operations and as a result the balance of costs favors the offense. However, the effects that these operations produce, both in means of coercive force and more physical force, are severely limited, arguably negating their advantage to the offense. The strategy which does apply in accurately measuring the offense-defense balance is degradation.

All this is still going on the assumption that I disagreed with earlier.

The consensus is that the offense is heavily favored regarding degradation operations. This view stems from the perception that in order to be successful, the defense must counter all attacks, whereas the attacker merely needs to find a single entry point to exploit in order to be successful.

This may be getting at a great point.
“Defend everywhere and everywhere you are weak”
Do we really need to defend everything or do we need to assure our mission? Defend our centers of gravity.

Espionage and disruption strategies dominate the offensive advantage perspective, creating pessimism surrounding the effectiveness of the defense. However, it must be reiterated that these strategies and operations are actually less impactful to the offense/defense balance debate due to their low-cost, low-payoff dividends.

Someone should tell the NSA that espionage is low-payoff.

Simply put, degradation strategies and operations require the same, if not more, skills, expertise, and money than it does to defend against them.

So our enemies are spending more on offense than we are on defense? Tough to say for sure, I’m sure they aren’t publicizing it.
You also probably need to take into account the attack surface for each side and their dependence on that infrastructure.

Robert Jervis observes that if the costs of the offense and defense are comparative then arms races are less likely to occur, making it possible for states to provide for their own security without overtly threatening the security of other actors, lessening the severity of the security dilemma.

Does this get muddied when cyber is so classified?
(Dr Strangelove quote? “The whole point of the doomsday machine…is lost if you keep it a secret!”)

Prior to World War I, defensive strategies and operations were heavily favored, and yet war still occurred in 1914.

I wouldn’t say heavily favoring defensive strategies would prevent war. There were a lot of causes of WW1.
Also does Blitzkrieg fall under a “cult of the offensive”?

USCYBERCOM’s vision for the United States’ cyber posture is troubling due to its seemingly blasé inference of preemptive action.

As opposed to reactive?

In addition, USCYBERCOM’s vision reflects some of the beliefs[37] about the course of a war where the offense is dominant or perceived as dominant.

This is probably a good point. We don’t want to limit ourselves or have a failure of imagination in the defensive capabilities realm. It is good to look at it from a different (or defensive) perspective.

If these misperceptions are allowed to persist in influencing policy, it increases the risk of moving warfare out of the cyber domain and into the physical world. Sometimes the best defense is simply a good defense.

It’s probably true that offensive cyber isn’t all it’s hyped up to be but it seems like they are taking the ideal version of defense vs the real or even toned down version of offense.
I don’t think our defense is there yet. We aren’t manipulating and maneuvering on the cyber “terrain”. We are still defending everywhere and looking for technology to solve our problems.
We suffer from Hume’s induction problem and assume we can defend from future events by looking at the past.
You can’t dismiss the possibility of future events because they haven’t happened yet.

By Fitz

