Cult of the Cyber Offensive

Why belief in first-strike advantage is as misguided today as it was in 1914.

In military circles 100 years ago, whatever the question was, attack was always the answer.

Attaque à outrance, or "Attack to excess," was a concept that took hold in European military circles at the turn of the 20th century. The idea was that new technologies like the railroad and telegraph gave an advantage at the strategic level to whichever nation could mobilize first and go on the offensive, while new technologies like the fast-firing cannon, machine guns, and rifles meant at the tactical level that the troops who showed the greatest offensive élan (a concept that combined both willpower and dash) would always carry the day on the battlefield. The philosophy gained huge popularity. In Germany, it drove the adoption of the Schlieffen Plan (which envisioned a rapid mobilization of the army to first knock out France to its west with a lightning offensive and then swing back to face Russia to the east), while in France it was actually written into military law in 1913 that the French army "henceforth admits no law but the offensive."

There were only two problems with Attaque à outrance, an idea that historians now call the "cult of the offensive." The first was that it drove the European powers into greater and greater competition and ultimately war. When crisis loomed after the assassination of Archduke Franz Ferdinand in 1914, few thought it worth going to war. But soon the sides feared that they were losing a tight window of opportunity during which to mobilize to their advantage, or even worse, that they would be caught helpless. Fear of being on the defensive prompted the powers to move to the offensive, launching their long-planned attacks as part of a war most didn't want. The second problem was even worse. These new technologies didn't actually give the offense the advantage. Once the war started, it became clear that "attacking to excess" against fast-firing artillery, rifles, and machine guns was not the way to quick victory, but rather to a quick death. A bloody stalemate of trench warfare instead resulted.

Today, this question of whether new technology favors offense or defense is a critical one for cybersecurity and cyberwar, and it shapes everything from the likelihood of war to how governments and even businesses should organize themselves. And just as prior to the outbreak of World War I, there is a widespread assumption that cyberattack has the inherent advantage over cyberdefense. As one Pentagon-funded report concluded in 2010, "The cyber competition will be offense-dominant for the foreseeable future." This kind of thinking is why Congress repeatedly in 2013 pressed the U.S. military about its cyberoffense capabilities, to make sure we are ahead, with military leaders like Gen. Keith Alexander, the simultaneous head of the NSA and Cyber Command, assuring them that, "Our offense is the best in the world."

This belief in the inherent superiority of cyberoffense has helped drive increased spending on offensive capabilities by militaries around the world, with the U.S. military spending, depending on the measure, 2.5 to 4 times as much on cyberoffense research and development as cyberdefense research. An accompanying industry has also arisen: markets for so-called zero days -- coding flaws that can be exploited by hackers -- and now even "hackback" firms that will take the offensive for hire.

The conventional wisdom about offensive advantage has become so entrenched that some argue that the real problem is not that the offense has an advantage, but that it isn't talked about enough, meaning that few have been warned about the risks of actually using such weapons. "We've got to step up the game; we've got to talk about our offensive capabilities and train to them; to make them credible so that people know there's a penalty to this," said James Cartwright, the four-star Marine Corps general who led much of the initial U.S. strategy in cyber issues until his retirement in 2011. "You can't have something that's a secret be a deterrent. Because if you don't know it's there, it doesn't scare you." (Two years later, this quote took on far greater resonance, when Cartwright was reported to have been the alleged source of leaks to the media that revealed the U.S. role in building Stuxnet, the first true use of a cyberweapon.)

The basic thinking behind assumed offensive dominance is, as one Center for Strategic and Budgetary Assessments (CSBA) report explained, "It will be cheaper and easier to attack information systems than it will be to detect and defend against attacks." Indeed, as a former senior Pentagon official explained, "A few teenaged hackers sipping Red Bull in their parent's basement can have a WMD-style impact."

More importantly, the attackers have the advantage of being able to choose the time and place of their attack, whereas the defender has to be everywhere. This is true with any weapon, but in cyberspace it is even more pronounced. While in the physical world territory is relatively fixed, the amount of "ground" that the defender has to protect is almost always growing in the cyberworld -- and growing exponentially. The number of users on computer networks over time is an almost constant upward curve, while the number of lines of code in security software, measured in the thousands two decades ago, is now well over 10 million. By comparison, malware has stayed relatively short and simple (some is as succinct as just 125 lines of code), and the attacker only has to get in through one node just one time to potentially compromise all the defensive efforts. As the director of the Defense Advanced Research Projects Agency (DARPA) put it, "Cyber defenses have grown exponentially in effort and complexity, but they continue to be defeated by offenses that require far less investment by the attacker."

Just as before World War I, however, the story of offense's inherent advantage is actually not so simple. The cyberattacks that are truly dangerous require a great deal of expertise to put together. And while they might play out in terms of microseconds, they often take long periods of planning and intelligence gathering to lay the groundwork. Neither Rome nor Stuxnet was built in a day. This means that crippling attacks out of the blue are not as easy to pull off in the cyber world as is too often depicted by both policymakers and Hollywood.

Another challenge for offensive actors is that the outcome of a cyberattack can be highly uncertain. You may be able to get inside a system or even shut it down, but that is only part of the story of what makes a good offense. The actual effect on your target is hard to predict, and damage assessment is difficult to carry out, meaning that it's tough to know if the attack worked or what to do next.

Nowhere was this more evident than in the United States' covert cyber campaign against Iranian nuclear facilities. Stuxnet was not something your run-of-the-mill terror group could have pulled off. It involved a Manhattan-project style of organization and expertise. The people involved ranged from intelligence agents and analysts -- who teased together the exact location, make, and model of the targets in Iran -- to some of the top cyber weapons designer talent in the world to engineering and nuclear physics experts, who helped the group understand the target and how best to compromise the research. The result was a weapon of sophistication and nuance not seen before that could be deployed without the initial knowledge of the Iranians.

Despite this amazing level of effort and expertise, Stuxnet ended up not just in the Iranian targets, but in thousands of computers around the world, from India to Eastern Europe. It was that unexpected result that led IT researchers to first begin to explore it and ultimately piece together what Stuxnet actually was, compromising the operation.

But it's not just that cyberoffense can be unpredictable and even counterproductive -- cyberdefense is not as helpless as is often portrayed. The attackers may have the luxury of choosing the time and place of their attack, but they have to make their way through a "cyber kill chain" of multiple steps if they actually want to achieve their objectives. According to Charles Croom, a retired U.S. Air Force lieutenant general who once led the Defense Information Systems Agency, "The attacker has to take a number of steps: reconnaissance, build a weapon, deliver that weapon, pull information out of the network. Each step creates a vulnerability, and all have to be completed. But a defender can stop the attack at any step."

Moreover, defenders who are losing in the cyber realm don't have to restrict the game to just that domain or one iteration. They can try to impose other costs on the attacker, whether they be economic or diplomatic costs, traditional military action, or a cyber counterattack. Rather than just sitting there defenseless, they can take action either to deter the attack or reduce the benefits from it.

The most important lesson researchers have learned in traditional offense-defense balances -- and now in cybersecurity -- is that the best defense actually is a good defense. Regardless of which side has the advantage, any steps that raise the capabilities of the defense make life harder on the offense and limit the incentives for attacks in the first place. In cybersecurity, these include any and all measures that tighten network security and aid in forensics to track back attackers.

The Internet evolves and so do doctrines. The smart players in the field are moving from a traditional framework of defense to an approach of resilience. Instead of building walls, they are focusing on how systems recover rapidly, or, even better, keep on functioning even after they have been compromised. The idea is to build systems where the parallel for offense and defense isn't from warfare, but biology. When it comes to bacteria and viruses in our bodies, human cells are actually outnumbered by as much as 10 to 1. But the body has built up an amazing capacity of both resistance and resilience, fighting off what is most dangerous and, as Vint Cerf, the computer scientist who is literally one of the "fathers of the Internet," puts it, figuring out how to "fight through the intrusion."

No computer network will mimic the human body perfectly, but DARPA and other groups are working on "intelligent" computer security networks that learn and adapt to resist cyberattacks. In the future, it's not difficult to imagine that cyberdefense will sometimes be able to outsmart an adversary and turn the tables on them. Other efforts aim at misdirecting attacks down false alleys of faked information or sending them into so-called honeypots to ensnare and study them. Just the mere existence of such systems, moreover, would sow doubt among adversaries that an attack is going to work.

In the end, the focus on offense and defense obscures a crucial reality of modern-day cybersecurity that distinguishes it from World War I, or, even worse, the poorly thought-out Cold War parallels that too many leaders and commentators make.

In 1914 and again in 1945, the powers of the day ended up split into two alliances, worried that one or the other side would seize the offensive advantage. But much like the users of the broader Internet itself, cyberattackers and defenders today range from the more than 100 militaries that have built some kind of cybermilitary unit to large and small technology firms to collectives that join Anonymous netizens interested in everything from Internet Freedom to cute cat videos. The online world is hardly bipolar, and nor should our thinking on it be.

So when the question is how to protect your online glass house, buying a stone sharpening kit is certainly not the only answer.



Call Off the Sainthood of Ariel Sharon

Why Israel's late leader was a war criminal not a peacemaker.

During Israel's 1982 invasion of Lebanon, all of us living in besieged West Beirut were aware that the Israeli military was seeking to eliminate the leadership of the Palestine Liberation Organization (PLO), and had no qualms about killing large numbers of civilians in the process. We knew this from the aerial bombardment of the area around Beirut's Arab University, where the PLO had many of its offices. Dozens of apartment buildings there had been reduced to rubble.

Toward the end of Israel's ten-week bombardment and siege of Beirut, a building that housed refugees located several blocks from my home in the Sanayeh neighborhood was entirely destroyed from the air, killing dozens. Immediately after the attack, I surveyed the carnage with a friend. After leaving him to return home, I heard another huge explosion -- it was a car bomb, presumably set off close to the destroyed building in order to kill those trying to rescue survivors. My friend barely escaped with his life.

This and other examples of the handiwork of the architects of the Israeli invasion of Lebanon, preeminent among whom was Ariel Sharon, failed to make it into most of the hagiographic coverage of the man's passing in the American and Israeli media. We were instead told that Sharon was "controversial," and that Palestinians had criticisms of him, but that he was a "hero," a "staunch defender of Israel's security," and most grotesquely, "a peacemaker."

In September 2012, the New York Times published an op-ed on the 30th anniversary of the Sabra and Shatila massacres, during which the Israeli military stood by while their right-wing Lebanese allies murdered nearly 1,400 defenseless Palestinian and Lebanese civilians in a Beirut refugee camp. The article, which was based on newly uncovered documents in the Israel State Archives, revealed new details on Sharon's role in, and indirect American diplomatic responsibility for, these atrocities. The New York Times did not, however, feature this account in its coverage of Sharon's death. Instead, it re-ran online a 1983 apologia by Sharon for his invasion of Lebanon, during which there were nearly 50,000 casualties, most of them civilians.

The Lebanon war that Sharon, then the defense minister, did more than anyone else to launch was an unmitigated catastrophe for the Palestinians, the Lebanese, and in the view of most Israelis at the time, Israel itself. Israel's subsequent occupation of South Lebanon until 2000, the consequent intensification of the Lebanese civil war, the slaughter of untold numbers of innocents, and the deaths of hundreds of Israeli soldiers and thousands of other combatants should all be laid in large part at Sharon's feet.

Sharon's profound impact on the Middle East stretched far beyond Lebanon. If the creation of a truly sovereign, independent, contiguous, and viable Palestinian state is not possible today -- as most sober observers believe -- this is largely his achievement. From his appointment as agriculture minister in 1977 until his passing from the Israeli political scene after his stroke in 2006, he probably did more than any other Israeli leader to make Israel's colonization of the occupied West Bank and Arab East Jerusalem an astonishing success.

Sharon flew over the region in a helicopter to select sites for new colonies, all the while pioneering novel means of stealing land from its Palestinian owners. As prime minister, he continued this expansion process, which has turned the occupied West Bank into a Swiss cheese patchwork thoroughly dominated by lush Israeli settlements on what seems to be every hilltop. Simultaneously, he engineered a unilateral withdrawal from the Gaza Strip, while retaining draconian control over it from without, thereby turning it into the world's largest open-air prison.

Vice President Joe Biden eulogized Sharon today as a "historic leader" who was dedicated to the pursuit of peace. The very idea is ludicrous. Sharon began his career as a military commander renowned for ruthless assaults on innocent civilians -- like the slaughter in the West Bank village of Qibya in 1953, when commandos of his Unit 101 blew up homes over the heads of their residents, killing 69 people.

The attack led to the first ever U.N. Security Council condemnation of Israel. It was not an isolated incident: Indeed, it established a pattern of dozens of "eyes for an eye," and of the Israeli leadership's systematic deception about what was actually happening on the ground. This approach has characterized Israel's response to any resistance to its expansion since the foundation of the state.

Sharon was emblematic of the Israeli refusal to accept that Palestinian resistance was an inevitable response to the forcible establishment of a Jewish state and the concomitant expulsion of hundreds of thousands of Palestinians. In later years, he became one of the most sophisticated employers of the trope of "terrorism" to demean this resistance.

The characterization not only of those who took up arms against Israel, but of all Palestinians, as "terrorists" can be seen in the transcript of a meeting between Sharon, other Israeli ministers, and U.S. envoy Morris Draper on Sept. 17, 1982, in the midst of the Sabra and Shatila massacres.

Morris Draper: The hostile people will say, sure the IDF [Israel Defense Forces] is going to stay in West Beirut and they will let the Lebanese go and kill the Palestinians in the camps.

Ariel Sharon: So we'll kill them. They will not be left there. You are not going to save them. You are not going to save these groups of the international terrorism [sic].

MD: We are not interested in saving any of these people.

AS: If you don't want the Lebanese to kill them, we will kill them.

Everyone present at this meeting, American and Israelis, knew that there were no PLO fighters in the camps. More than 15,000 PLO personnel had been evacuated from Beirut weeks earlier in a deal brokered by the United States. Had any number of these hardened combatants -- who had resisted the Israeli siege of Beirut for nearly two months -- been present, the perpetrators of these massacres would not have been able to operate with total impunity.

Nonetheless, during this 90-minute meeting with Draper, Sharon repeated the canard that thousands of "terrorists" had remained behind after the PLO evacuation. He used the term "terrorist" 39 times, as part of a ceaseless browbeating of Draper, who had been told to demand that the Israelis immediately withdraw their forces from West Beirut. Instead of complying with Draper's request, Sharon stonewalled, giving the butchers inside the camps many more hours to complete their gruesome work under the glow of star shells fired by Israeli troops to illuminate the killing ground.

Today, the American and Israeli media are celebrating this very same man. It is hard to imagine this kind of kid-glove treatment of anyone else with such a list of atrocities to his name. But apparently, such inconvenient facts are not welcome. In a more just world, he would have ended up facing the International Criminal Court in The Hague.
