Why belief in first-strike advantage is as misguided today as it was in 1914.
By Allan Friedman, P.W. Singer
P.W. Singer is director of the Center for 21st Century Security and Intelligence at Brookings. Allan Friedman is a visiting scholar at the Cyber Security Policy Research Institute at George Washington University. They are the co-authors of Cybersecurity and Cyberwar: What Everyone Needs to Know, from which this essay is adapted.
In military circles 100 years ago, whatever the question was, attack was always the answer.
Attaque à outrance, or "Attack to excess," was a concept that took hold in European military circles at the turn of the 20th century. The idea was that new technologies like the railroad and telegraph gave an advantage at the strategic level to whichever nation could mobilize first and go on the offensive, while new technologies like the fast-firing cannon, machine guns, and rifles meant at the tactical level that the troops who showed the greatest offensive élan (a concept that combined both willpower and dash) would always carry the day on the battlefield. The philosophy gained huge popularity. In Germany, it drove the adoption of the Schlieffen Plan (which envisioned a rapid mobilization of the army to first knock out France to its west with a lightning offensive and then swing back to face Russia to the east), while in France it was actually written into military law in 1913 that the French army "henceforth admits no law but the offensive."
There were only two problems with Attaque à outrance, an idea that historians now call the "cult of the offensive." The first was that it drove the European powers into greater and greater competition and ultimately war. When crisis loomed after the assassination of Archduke Franz Ferdinand in 1914, few thought it worth going to war. But soon the sides feared that they were losing a tight window of opportunity during which to mobilize to their advantage, or even worse, that they would be caught helpless. Fear of being on the defensive prompted the powers to move to the offensive, launching their long-planned attacks as part of a war most didn’t want. The second problem was even worse. These new technologies didn’t actually give the offense the advantage. Once the war started, it became clear that "attacking to excess" against fast-firing artillery, rifles, and machine guns was not the way to quick victory, but rather to a quick death. A bloody stalemate of trench warfare instead resulted.
Today, this question of whether new technology favors offense or defense is a critical one for cybersecurity and cyberwar, and it shapes everything from the likelihood of war to how governments and even businesses should organize themselves. And just as prior to the outbreak of World War I, there is a widespread assumption that cyberattack has the inherent advantage over cyberdefense. As one Pentagon-funded report concluded in 2010, "The cyber competition will be offense-dominant for the foreseeable future." This kind of thinking is why Congress repeatedly in 2013 pressed the U.S. military about its cyberoffense capabilities, to make sure we are ahead, with military leaders like Gen. Keith Alexander, the simultaneous head of the NSA and Cyber Command, assuring them that, "Our offense is the best in the world."
This belief in the inherent superiority of cyberoffense has helped drive increased spending on offensive capabilities by militaries around the world, with the U.S. military spending, depending on the measure, 2.5 to 4 times as much on cyberoffense research and development as cyberdefense research. An accompanying industry has also arisen: markets for so-called zero days — coding flaws that can be exploited by hackers — and now even "hackback" firms that will take the offensive for hire.
The conventional wisdom about offensive advantage has become so entrenched that some argue that the real problem is not that the offense has an advantage, but that it isn’t talked about enough, meaning that few have been warned about the risks of actually using such weapons. "We’ve got to step up the game; we’ve got to talk about our offensive capabilities and train to them; to make them credible so that people know there’s a penalty to this," said James Cartwright, the four-star Marine Corps general who led much of the initial U.S. strategy in cyber issues until his retirement in 2011. "You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you." (Two years later, this quote took on far greater resonance, when Cartwright was reported to have been the alleged source of leaks to the media that revealed the U.S. role in building Stuxnet, the first true use of a cyberweapon.)
The basic thinking behind assumed offensive dominance is, as one Center for Strategic and Budgetary Assessments (CSBA) report explained, "It will be cheaper and easier to attack information systems than it will be to detect and defend against attacks." Indeed, as a former senior Pentagon official explained, "A few teenaged hackers sipping Red Bull in their parent’s basement can have a WMD-style impact."
More importantly, the attackers have the advantage of being able to choose the time and place of their attack, whereas the defender has to be everywhere. This is true with any weapon, but in cyberspace it is even more pronounced. While in the physical world territory is relatively fixed, the amount of "ground" that the defender has to protect is almost always growing in the cyberworld — and growing exponentially. The number of users on computer networks over time is an almost constant upward curve, while the number of lines of code in security software, measured in the thousands two decades ago, is now well over 10 million. By comparison, malware has stayed relatively short and simple (some is as succinct as just 125 lines of code), and the attacker only has to get in through one node just one time to potentially compromise all the defensive efforts. As the director of the Defense Advanced Research Projects Agency (DARPA) put it, "Cyber defenses have grown exponentially in effort and complexity, but they continue to be defeated by offenses that require far less investment by the attacker."
Just as before World War I, however, the story of offense’s inherent advantage is actually not so simple. The cyberattacks that are truly dangerous require a great deal of expertise to put together. And while they might play out in terms of microseconds, they often take long periods of planning and intelligence gathering to lay the groundwork. Neither Rome nor Stuxnet was built in a day. This means that crippling attacks out of the blue are not as easy to pull off in the cyber world as is too often depicted by both policymakers and Hollywood.
Another challenge for offensive actors is that the outcome of a cyberattack can be highly uncertain. You may be able to get inside a system or even shut it down, but that is only part of the story of what makes a good offense. The actual effect on your target is hard to predict, and damage assessment is difficult to carry out, meaning that it’s tough to know if the attack worked or what to do next.
Nowhere was this more evident than in the United States’ covert cyber campaign against Iranian nuclear facilities. Stuxnet was not something your run-of-the-mill terror group could have pulled off. It involved a Manhattan-project style of organization and expertise. The people involved ranged from intelligence agents and analysts — who teased together the exact location, make, and model of the targets in Iran — to some of the top cyber weapons designer talent in the world to engineering and nuclear physics experts, who helped the group understand the target and how best to compromise the research. The result was a weapon of sophistication and nuance not seen before that could be deployed without the initial knowledge of the Iranians.
Despite this amazing level of effort and expertise, Stuxnet ended up not just in the Iranian targets, but in thousands of computers around the world, from India to Eastern Europe. It was that unexpected result that led IT researchers to first begin to explore it and ultimately piece together what Stuxnet actually was, compromising the operation.
But it’s not just that cyberoffense can be unpredictable and even counterproductive — cyberdefense is not as helpless as is often portrayed. The attackers may have the luxury of choosing the time and place of their attack, but they have to make their way through a "cyber kill chain" of multiple steps if they actually want to achieve their objectives. According to Charles Croom, a retired U.S. Air Force lieutenant general who once led the Defense Information Systems Agency, "The attacker has to take a number of steps: reconnaissance, build a weapon, deliver that weapon, pull information out of the network. Each step creates a vulnerability, and all have to be completed. But a defender can stop the attack at any step."
Moreover, defenders who are losing in the cyber realm don’t have to restrict the game to just that domain or one iteration. They can try to impose other costs on the attacker, whether they be economic or diplomatic costs, traditional military action, or a cyber counterattack. Rather than just sitting there defenseless, they can take action either to deter the attack or reduce the benefits from it.
The most important lesson researchers have learned in traditional offense-defense balances — and now in cybersecurity — is that the best defense actually is a good defense. Regardless of which side has the advantage, any steps that raise the capabilities of the defense make life harder on the offense and limit the incentives for attacks in the first place. In cybersecurity, these include any and all measures that tighten network security and aid in forensics to track back attackers.
The Internet evolves and so do doctrines. The smart players in the field are moving from a traditional framework of defense to an approach of resilience. Instead of building walls, they are focusing on how systems recover rapidly, or, even better, keep on functioning even after they have been compromised. The idea is to build systems where the parallel for offense and defense isn’t from warfare, but biology. When it comes to bacteria and viruses in our bodies, human cells are actually outnumbered by as much as 10 to 1. But the body has built up an amazing capacity of both resistance and resilience, fighting off what is most dangerous and, as Vint Cerf, the computer scientist who is literally one of the "fathers of the Internet," puts it, figuring out how to "fight through the intrusion."
No computer network will mimic the human body perfectly, but DARPA and other groups are working on "intelligent" computer security networks that learn and adapt to resist cyberattacks. In the future, it’s not difficult to imagine that cyberdefense will sometimes be able to outsmart an adversary and turn the tables on them. Other efforts aim at misdirecting attacks down false alleys of faked information or sending them into so-called honeypots to ensnare and study them. Just the mere existence of such systems, moreover, would sow doubt among adversaries that an attack is going to work.
In the end, the focus on offense and defense obscures a crucial reality of modern-day cybersecurity that distinguishes it from World War I, or, even worse, the poorly thought-out Cold War parallels that too many leaders and commentators make.
In 1914 and again in 1945, the powers of the day ended up split into two alliances, worried that one or the other side would seize the offensive advantage. But much like the users of the broader Internet itself, cyberattackers and defenders today range from the more than 100 militaries that have built some kind of cybermilitary unit to large and small technology firms to collectives that join Anonymous netizens interested in everything from Internet Freedom to cute cat videos. The online world is hardly bipolar, and nor should our thinking on it be.
So when the question is how to protect your online glass house, buying a stone sharpening kit is certainly not the only answer.