Questioning the Offense-Defense Balance in Cyberspace
Analysts, policymakers, and defenders often paint a bleak picture of the cybersecurity landscape. The Internet was built for resiliency, convenience, and openness, not security, and barriers to entry are low, meaning that criminals, foreign intelligence, activists, and states have many opportunities to launch countless attacks, especially if they are automated. The technology is constantly changing with new vulnerabilities discovered every day. Add to that the much discussed and debated “advanced persistent threat,” the genius hacker or state-sponsored organization with better expertise and funding than your IT department. The APT will not stop until your network is breached. As a result, cyberspace has been characterized as offense-dominated and network defense as a Sisyphean task.
This cyber defeatism, however, is misleading. While pundits tend to focus on the difficulties faced by defenders, attackers also face a considerable challenge. Lockheed Martin characterized all the steps in an advanced attack as links in the “cyber kill chain,” all of which have to go right for an attack to succeed. The first step is reconnaissance, gathering information such as relevant email addresses or, for spear phishing, deeper intelligence on the structure and function of the target organization. Next is weaponization, combining an exploit with a malware payload. Then there is delivery via web, email, USB, or some other method. The vulnerability next needs to be exploited to execute code on the victim system. Following successful exploitation, the malware must install on the system. Next is command and control to manipulate the victim, and finally, “Actions on Objective” where the attackers use that control to achieve their original aim. If any of these steps fail, so will the attack. While some of these elements can be trivial, simply having a vulnerability on a network does not mean that an attack will be successful.
Stopping an advanced attack, therefore, does not take an impenetrable network, but simply breaking the chain at a crucial point. Furthermore, according to Microsoft’s Trustworthy Computing Group, less than 1% of exploits use zero day vulnerabilities, security gaps that have not yet been publicly acknowledged. This means that 99% of attacks can be prevented through proper patching. While some patches are not available, most major software providers are diligent about fixing vulnerabilities in their code as fast as possible. More often, inattentive administration and lack of compliance causes lapses in updating and patching software.
Another much cited hindrance to cyber defenders is the difficulty of attribution, as a hacker half the world away can attack a target anonymously through a series of proxies. Yet the growing consensus in the cybersecurity community is that, for practical purposes, much of the attribution problem has been solved. While some call cyberspace a global commons, the servers, nodes, wires, and networks all have physical locations and owners. And attribution for cyber attacks does not necessarily have to be electronic. For crime, solving many cases had more to do with tried and true investigative techniques such as cultivating informants than digital forensics, and for information warfare the state with the motive and capability will be the prime suspect if it has not already taken credit and massed troops at the border. Lastly, perfect attribution may not be required for defense. It is not necessary to know who is attacking you to block the attack, and only that an actor is malicious to disable him.
Further, even if we accept that cyber weapons have an advantage over defenses, that still does not lead to the conclusion that defense is hopeless, merely that there needs to be a shift in defensive paradigm. As General Alexander of Cyber Command and the NSA often notes, part of the problem is a passive approach to defense. In most conflict, the distinction between offense and defense is fairly arbitrary as strategic defense often includes tactical offense such as covering fire. The “cyber domain” is offensive dominant when we rely exclusively on firewalls, antiviruses, and mitigation, just as air would be offensive dominant if, rather than shooting down bombers, we defended against air raids with only bunkers.
This point is not lost on network defenders as interest in offensive capabilities is increasing. There is a growing consensus in government by leaders such as General Alexander and the Defense Advanced Research Projects Agency has been exploring tactical offensive capabilities in programs like Plan X. There has also been a recent increase in “active defense” or “strike-back” technology among corporations.
Without question, network defenders face a daunting task, but it is far from hopeless. Attackers will continue to breach private and government networks, just as burglars will continue to break into houses and spies will continue to steal secrets. For these reasons, presumption of breach and risk management remain important strategies. Yet just as with physical theft and espionage, we cannot throw up our hands and assume the battle is lost. To the extent that offense and defense can even be distinguished in cyberspace, their balance is not permanently skewed, and remains to be firmly set.