The Difference Between Offense and Defense in Cybersecurity

This New York Times article about Edward Snowden implicitly highlights the perceived dilemmas of US cybersecurity policy.

In 2010, while working for a National Security Agency contractor, Edward J. Snowden learned to be a hacker. He took a course that trains security professionals to think like hackers and understand their techniques, all with the intent of turning out “certified ethical hackers” who can better defend their employers’ networks. But the certification, listed on a résumé that Mr. Snowden later prepared, would also have given him some of the skills he needed to rummage undetected through N.S.A. computer systems and gather the highly classified surveillance documents that he leaked last month, security experts say.

Some intelligence experts say that the types of files he improperly downloaded at Booz Allen suggest that he had shifted to the offensive side of electronic spying or cyberwarfare, in which the N.S.A. examines other nations’ computer systems to steal information or to prepare attacks. The N.S.A.’s director, Gen. Keith B. Alexander, has encouraged workers to try their skills both defensively and offensively, and moving to offense from defense is a common career pattern, officials say.

In other words, there is little practical difference between the skill sets of offensive and defensive hackers. The knowledge developed in the one can be transferred to the other (and arguably improved if one switches back and forth between them, so that one grasps the logic of both defending and attacking).

This has implications for the US understanding of the fundamental dilemmas of cybersecurity. US thinking about cybersecurity is pretty directly descended from the strategic concepts of the Cold War. Robert Jervis’s article on the offense defense balance has been especially influential. Summarizing and simplifying, Jervis argues that periods of history where offense has the advantage over defense – that is where it is easier to attack than defend – will have a higher risk of conflict than moments of history where defense has the advantage. Periods where (a) offense has the advantage, and (b) it is difficult to distinguish between offensive and defensive weapons, are particularly dangerous. Even when a state builds up its military capacities purely in order to defend itself, its neighbors may worry that it secretly plans to attack them, and decide to build up their own defenses. This may in turn lead the original state to worry, and so on, creating a spiral of increasing military spending and instability.

As scholars including the Monkey Cage’s Jim Fearon have argued, there isn’t as much empirical support for this argument as you might expect, given its plausibility. Even so, it profoundly influences US cyber security policy. This Foreign Affairs article (gated) by Deputy Undersecretary for Defense William Lynn draws heavily on the idea that offense has the advantage over defense in cyber security.

Jervis’ framework also helps explain why US officials say very little about the US offensive capacity. The US does not want to give any more excuse to other states to build up their own offensive cybersecurity capabilities than it absolutely has to. Nor do officials like Lynn talk about offense-defense distinguishability, for obvious reasons.

Not only does the US have an independent cyberoffensive capacity, but much of its defensive capacity could easily be turned towards offensive purposes. Specifically, the bits of cyber defense that rely on trained specialists like Snowden, rather than e.g. bureaucratic standards for network defense etc, very obviously have offensive uses. As the NYT article suggests, white hat hackers can become black hat hackers at … the drop of a hat.

US policy makers believe that cybersecurity is a highly insecure world, in which offense prevails over defense, but in which it is often impossible to distinguish offensive from defensive capabilities. They themselves seem to blend the offensive and defensive together in their own military practices. There are also other problems, to do with the difficulty of attributing cyber-attacks with certainty, which make it hard to apply the Cold War approach of reducing the risk of war through mutual deterrence. All this adds up to a picture of a volatile and uncertain world, in which insecurity is likely to be rife, and enforceable agreements nearly impossible. Understanding this goes a long way towards helping you understand the foundations of US cybersecurity policy.

[Cross-posted at The Monkey Cage]

Support Nonprofit Journalism

If you enjoyed this article, consider making a donation to help us produce more like it. The Washington Monthly was founded in 1969 to tell the stories of how government really works—and how to make it work better. Fifty years later, the need for incisive analysis and new, progressive policy ideas is clearer than ever. As a nonprofit, we rely on support from readers like you.

Yes, I’ll make a donation

Henry Farrell

Henry Farrell is an associate professor of political science and international affairs at George Washington University.