The Unsettled Question of Offense vs Defense in Cyberwarfare
Some of the most famous military advancements, such as trenches and machine guns, have favored defensive operations, but in the minds of both the public and many policymakers, there is the belief that cyber weapons are different in that they favor the offense. Cited for advancing this argument are the plethora of computer vulnerabilities, the low financial cost of hacking, and the lack of penalties for discovered attacks. While we have a few examples of genuine cyber warfare working effectively, most of our knowledge comes instead from using cyber tools for disruption, espionage and information warfare rather than the use of genuine cyber weapons, that is, cyber tools designed to create physical damage in support of military objectives. Presently, we are unable to say that cyber weapons have an inherent offense-defense balance because they are complex, skill dependent, and we are not sure how effective they will be in conjunction with military actions.
Much of this problem is related to the definition: the term cyberwar is frequently used with little thought applied to what it means. As a result, the use of cyber tools for espionage, propaganda, theft, and disruption are often erroneously labeled acts of cyberwar. Cyberwar, like its regular counterpart, requires material damage such as destroying assets, disabling weapons that rely on digital components, and disabling the critical infrastructures that power the machinery of war. It is these physical effects, and how they complement military actions, which determine whether a weapon is defensive or offensive in nature.
However, in the case of cyber weapons, producing these physical effects can prove difficult due to how digital and analog systems interact. Even if a hacker can gain access to a computer system, they may be unable to produce their desired effect. For example, the effect may be partially controlled by a mechanical process entirely separate from computers, multiple digital systems may interact in ways unforeseen to attackers, or an intruder may not have enough knowledge of the analog system to produce the desired effect. Unlike intruders, defenders tend to know their systems better, and can more effectively use the interplay between digital and analog systems to prevent or repair damage and minimize the tactical effects of intrusions. If the offense has the advantage in penetrating systems, the defense has an offsetting advantage in understanding their own complex systems.
Furthermore, cyber weapons are difficult to use, requiring specialized skills to design and manage, and they are not uniform. cyber weapons are tailored to the system they seek to exploit, often taking advantage of specific, possibly unique vulnerabilities to achieve the desired outcome. Additionally, in order for these weapons to produce the effects ordered by military commanders, they must be surreptitiously implanted throughout the target system prior to activation to create an attack infrastructure in waiting. These complex infrastructures will have to be constantly updated as defenders identify vulnerabilities, apply patches, and add or remove components to the system. Because these may vary so widely, making a blanket assessment of the entire panoply of cyber weapons is nearly impossible.
Not only do cyber weapons require specialized skills to deploy, but the operator must also understand the targeted analog system to achieve their desired effect. This deep knowledge, such as how the individual components of a missile work together to produce flight, targeting, and detonation, is extremely rare among the hacking community. Building upon that, the maintenance of these large infrastructures requires teams of dedicated, skilled operators working together to produce something too complex and sprawling to be managed by a lone wolf, as acts of data theft or wanton intrusion often are. Not only will militaries require almost uniquely skilled individuals for offensive operations, but they will also require large bodies of them working in concert. The intense focus on specific skill sets makes it problematic to simply classify cyber weapons as offensive or defensive on the whole. Often, the most skilled team will have the advantage.
Altogether, this suggests that the debate around the offense-defense balance of cyber weapons should not be considered as settled as some believe. This discussion has significant implications not only for the planning of cyber operations on the battlefield but also for which capabilities are funded. Furthermore, it also affects the way that we defend our systems when we recognize that the threats of war are distinct from those of crime and espionage in cyberspace, as they are in other things. Currently, we do not know what effect cyber weapons will have on mechanical military systems, their tactical or strategic value in war, or how lasting those effects will be. With these unknowns and without enough concrete examples to guide us, we can't answer this question, even if our fear of the offense makes it seem more powerful.
Michael Depp is program coordinator with the EastWest Institute, which creates constructive dialogues aiming at preventing conflicts. The views expressed here are solely those of the author and do not necessarily reflect the views of the EastWest Institute.