On March 8 I attended an event for OU’s annual IAS Symposium. This year’s topic was global cyber trends and I went to a lecture entitled “What is the Cyber Offense-Defense Balance?” that was given by Rebecca Slayton, a professor at Cornell.
I don’t know very much about global cyber trends and had no idea what the cyber offense-defense balance even was when I sat down for the lecture, so I learned a lot in the hour and fifteen minutes I was there. Dr. Slayton began by outlining the conventional wisdom, which is that offense has the upper hand in cyberspace. Basically, first-mover advantages and the cost of attacking vs. defending favors the offensive in cyber operations. She then addressed the minority view, the cyber defense advantage, and proceeded to assert that in reality neither of these are true but that we are simply asking the wrong question. What we should be asking is “under what circumstances do cyber operations favor offense rather than defense?” The cyber offense-defense balance, according to Slayton, is shaped not only by technology but also by the complexity of adversaries’ goals relative to their skills and organizational capacity. In other words, a potential offensive advantage must be defined in relation to specific adversaries with specific goals, in conjunction with skills and organizational context.
In cyber operations, both the offense and the defense want to maximize payoff versus cost. This payoff is shaped by the goals of each adversary and subjective value of their operation. For example, cyber offense is valuable for countries or actors who value covert operations or action at a distance, who don’t have other means of attack, and who have adversaries who rely heavily on cyberspace. Cyber defense is valuable for actors who depend on cyberspace. The cost of cyber operations is more difficult to measure because cyber weapons have very different costs than physical ones. Each code design can only be reused until it is discovered, and costs are dominated by research, development, and testing rather than materials and production as physical weapons are. Maintenance costs are also huge in the software lifecycle.
The lecture also covered the consequences of cyber operations. The example that Dr. Slayton used was Stuxnet, a US-Israeli attack on an Iranian uranium enrichment facility. Over the at least 4 year development period ending with discovery in 2010, hackers took control of the facility’s computers and periodically sped up the centrifuges to damaging speeds without the scientists’ awareness. The costs due to loss of production and centrifuges was estimated to be near 7 million, and the non-monetary payoffs for the offense came in the form of damaged morale, excessive security, and resulting organizational inefficiencies. The perceived value of Stuxnet appears to be 2 orders of magnitude greater than its costs for the US and Israel. Although this may be true, the cost of offense exceeded that of defense and the blowback was that it strengthened the resolve of Iran nuclear power and that Iran was able to use the attack to learn about cyber weapons. Slayton’s final takeaway was that there is no offense-defense balance because cyberspace is not uniform (kind of a cop-out given the title of her lecture, I know).
Overall I thought the lecture was very interesting. As the importance of technology worldwide continues to increase, there are many adaptations we need to make and precautions we need to take, and as the definition of war changes with new developments it is likely that this topic will only become more prevalent in our society.