Offensive and Defensive Use of Cyberspace

INTRODUCTION The cyberspace is a relatively recent addition to the strategic sphere, let alone the world in general. For centuries, the battlefield had two dimensions: land and sea. Just over a century ago, a third dimension – the air – was added. This allowed us to project force across previously unimagined distances. Before the end […]

INTRODUCTION

The cyberspace is a relatively recent addition to the strategic sphere, let alone the world in general. For centuries, the battlefield had two dimensions: land and sea. Just over a century ago, a third dimension – the air – was added. This allowed us to project force across previously unimagined distances. Before the end of the century, a new paradigm was established, with the emergence of a fourth dimension: the cyberspace.

Where air power enabled force projection across borders at much greater distances, cyber warfare has transcended the physical altogether, enabling users to attack anything anywhere, from anywhere, in real time. Further, its implications are far wider than any other means of warfare. It can attack something as simple as communications, or something as advanced and intricate as economic ties.

This gives cyber warfare an unparalleled edge in conflict as well as society: nothing, apart from a book and mail by courier, can be safe from it. Given the volatile and ubiquitous nature of cyberspace, this paper will argue that cyber warfare favors the offense over defense.

THE ROLE OF CYBER WARFARE

The literature on the nature and merits of cyber warfare is somewhat limited, as the concept entered the strategic canon only recently. However, it has quickly risen to prominence and pushed the boundaries of the conventional battlefield. Using the term warfare immediately conjures images of armed conflict, but the cyberspace has obscured these archaic definitions. The cyberspace expands conflict into the civilian sphere like no other combat revolution ever has.

To answer the research question, this paper will first devote a subsection to important definitions pertaining to the issue at hand. It will consider two important terms: cyberspace and cyber warfare.

DEFINITIONS

Cyberspace. In essence, the term refers to the ‘world’ created by the connections in our ever-growing web of devices – computers, phones, servers, and hard-drives, to mention some. This world is dominated by the transfer of data, pertaining to anything known to man. [1] Kuehl (2009) concurs: it is an information environment framed by the use of independent and inter-connected electronic devices. [2]

Cyber Warfare. Taddeo (2012) defines it as warfare using Information and Communication Technology (ICTs), waged in the information domain, against both the physical and the abstract. [3] Carr (2012) offers a much more concise approach: “Cyber warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.” [4] We can divide Cyber Warfare into three main components: mechanical attacks, electromagnetic attacks, and digital attacks. [5] This highlights the versatility of Cyber Warfare, which is important: it can physically debilitate enemy systems,  deprive them of the electricity required to operate them or send signals, as well as directly intervene in the digital process of the systems.

Discussing motivations is also an important aspect of determining whether offense or defense is favored, for one or the other is usually the intention of the attack. This paper will argue that these motivations will play the most important role in determining the attack, no matter what the results are, as motivations will determine the nature of the attack. The offense is intended to attack and debilitate an adversary’s assets, whereas defense is intended to protect your own. [6]

OFFENSIVE CYBERWEAPONS

Liles et al. (2012) divide cyber attacks into three categories – mechanical, electromagnetic, and digital – that can all be for offensive purposes. There is a clear conceptual argument that favors the offense, especially using the above classifications: attack costs less than defense. It is easier to devise attacks on all three levels than it is to mount a defense against an unknown array of attack methods. [7] As such, there can be offensive favor in cyber warfare. [8]

A Weapon for the Weak. Lindsay (2013) argues that cyber warfare is inherently offensive in nature. According to him, cyber weapons are the weapons of the materially weak, and thus provides them an opportunity to strike at their adversaries with great force without facing them on a conventional battlefield. [9] As such, he argues it holds the same appeal as terrorist strategies: attack a more powerful target with an impact beyond simply the material. The cyberspace is ubiquitous, and thus readily available to a far larger extent than any traditional weapon. As such, it is a popular weapon among the materially weaker forces, be they states or other actors. This builds on Krepinevich’s argument; the number of actors that can use cyber weapons makes it even harder to defend oneself.

Liff (2012) gives two reasons why offense is favored: the cost is lower (Krepinevich 2012; Lindsay 2013), and time-frame. [10] Cyber attacks can circumvent the military altogether, and strike at civilian targets, while still inflicting significant damage that must be addressed. This is the equivalent of London having no air defenses during the Blitz – a civilian target, indeed, but the damage would have been near irreparable. Further, cyber attacks offer an element of surprise previously unheard of; we can now strike in mere seconds. [11] Despite defense systems relying on much of the same technology, anticipating and defending against such time-frames is a herculean task indeed.

DEFENSIVE CYBERWEAPONS

Where cyber attacks that do not necessarily debilitate enemy systems can serve offensive purposes, they can also serve defensive purposes. Krepinevich (2012) outlines three main weaknesses regarding cyber weapon defense: single-point-of-failure systems, ‘monoculture’, and global supply chains. [12] The former pertains to weak points in computer systems that risk impacting the entire system once compromised. [13] The ‘monoculture’ refers to, for instance, the prevalence of operating systems and software; when over 80% of the world relies on an OS or software, compromizing it becomes significantly easier. [14] Lastly, global supply chains pose a risk when individual countries, for instance, supply parts to most of the world. This gives them an opportunity to modify the product to build back-doors, argues Krepinevich. [15] This puts the defense at a disadvantage.

Canabarro and Borne (2013) disagree, attributing an advantage to defensive cyberweapons and warfare. They attribute this benefit to the vast array of different information systems that exist; it is difficult to devise uniform cyber attack methods that apply to all of these systems. [16] This contradicts arguments made by writers such as Krepinevich (2012), who asserts that it is the other way around: there are vast arrays of attacks and uniformity in design. Canabarro and Borne, however, make an important point in that not only do many different systems indeed exist, but they also learn: once an attack has happened, its repeatability is largely eliminated. [17] This suddenly shifts costs onto the offensive actors, that must continuously develop new forms of cyber weapons and attacks.

Cyberspace changes continuously, and this often mistakenly leads to an assumption that attackers gain the advantage of devising ever new methods of attack. This is true, but also for defense, that develops new methods of defending (Libicki 2014). He argues that offensive improvement is not a given when it is defensive systems that define what they can do. As such, defensive cyberwar acquires an advantage in determining the form of ‘battle’. [18]

DISCUSSION

Cyber warfare has become such a defining issue because it violates all strategic paradigms humanity has developed over its history. The cyberspace is an abstract space, and so ‘warfare’ in it is purely technical and, in large part, a theoretical matter. Our previous military strategies and the great minds that conceived them were formed over decades and centuries, as technology steadily progressed. In the case of cyber warfare, however, we have not had time to firmly establish a solid paradigm because as soon as one is formed, reality has changed.

Conventional warfare can be explained in rather simplistic terms: the superior side will win. ‘Superiority’ may entail many things, but it can be attained. When discussing the cyberspace, however, one must appreciate the fact that, whatever is done by any actor, there will always be someone at least equally proficient out there that can circumvent or bypass any implemented measure. Further, airpower began blurring the line between civilian and military targets. Cyberspace, however, eliminates the difference entirely – while the military and civilian worlds use it differently, there is only one cyberspace, and attacking it will likely have far-spread consequences.

Liles et al. (2012) argue that the offensive-defensive line is so blurred in the case of cyber warfare, that it is a useless concept to apply to the topic. [19] In line with Robinson et al. (2015), I beg to differ. There are clear examples of defensive cyber-units running exercises with a clear us-vs-them composition. [20] Broadly speaking, I agree with this because there is a clear conceptual difference between launching a cyber attack against enemy assets, and implementing protective measures for your own. As such, one can claim it potentially favors one strategy over another.

The above does, however, touch upon what I believe is part of Liles et al’s. (2012) argument: the reasons for offensive and defensive action can be blurred. In 1967, Israel launched preemptive airstrikes against Egypt, the reason being self-defense in the face of a coming attack. Is this offensive or defensive action? It can likewise be difficult to distinguish in cyber warfare. Intelligence operations are a previously mentioned example of offensive cyber warfare. These invasive operations are, outside of wartime, used to collect information to gain a better image of the world. This motivation is certainly not offensive, yet the action is.  

Liff (2012) argues that they can quickly become marginal. Cyber warfare will only truly favor the offense in a coercive diplomatic situation wherein there is an approximately equal balance of power. [21] A negligible power that threatens a superpower with cyber attacks will achieve little, as there is little conventional force behind them. While vulnerabilities certainly exist, they are often quickly identified and rectified. [22] As such, a cyber attack is the first strike, and if it is followed by nothing, then much of its advantage disappears. This does not necessarily favor the defense, but it lessens the advantage of offensive cyber weapons.

Cavelty (2014) also argues for both offensive and defensive merits of cyber warfare, as states are quite simply investing more and more in it. [23] This can give an edge to whoever invests more resources, though can also lead to the argument of this paper: it favors no one. These investments are in both offensive and defensive capabilities, as one cannot develop striking capabilities without also developing a defense against the strikes of others. The state-level world has been hijacked by a virtual arms race that does not give a clear edge to any actor, nor any particular capability.

One could also argue that cyber warfare favors no one, due to its ubiquitous and volatile nature. Today we rely on electronics for almost everything: generating information, storing information, transferring information, treating information, and analyzing information. This means that we need to defend this system (the cyberspace) just like one would physically guard material goods (ledgers, money, other valuables). This means that both sides have developed offensive and defensive methods from the beginning, which does not really give either one any particular advantage over the other.

CONCLUSIONS

The cyberspace is owned by no one, but it can be manipulated by those with enough technical clout. This can be exploited to mount a vast array of attacks against any target, anywhere, within seconds of launch. The only physical attack that could replicate the surprise effect of such cyber attacks is a punch, which, in the grand scheme, would be of negligible significance.

This gives cyber offenses the first-strike advantage that defensive systems struggle to keep up with. While intrusions can be dealt with rapidly, it is much more difficult to altogether prevent them. As such, while it may not be as immense as many would argue, there remains a clear advantage for the offensive side when it comes to cyber weapons.

The mobility of offensive cyberwar is often overstated, however (Libicki 2014). As such, it should be tempered with a bit of caution: both sides rely on the same cyberspace that remains incredibly volatile. While offensive methods gain an advantage in unpredictability, the defense remains an also moving target, decreasing the seemingly immense offensive advantage.

 

REFERENCES

[1] Lance Strate, “The varieties of cyberspace: Problems in definition and delimitation,” Western Journal of Communication 63, no. 3 (1999): 382 – 383.

[2] Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” in Cyberpower and Cybersecurity, ed. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz (Lincoln: University of Nebraska Press, 2009): 24 – 28.

[3] Mariarosaria Taddeo, “Information Warfare: A Philosophical Perspective,” Philosophy & Technology 25, no. 1 (2012): 105 – 107.

[4] Jeffrey Carr, Inside Cyber Warfare: Mapping the Cyber Underworld, 2nd ed. (Sebastopol: O’Reilly Media, Inc., 2012). 2.

[5] Samuel Liles, J. Eric Dietz, Marcus Rogers, and Dean Larson, “Applying Traditional Military Principles to Cyber Warfare,” NATO 4th International Conference on Cyber Conflict, 2012, available at: https://ieeexplore.ieee.org/document/6243973 (Accessed December 1, 2018).

[6] Diego R. Canabarro and Thiego Borne, “Reflections of the Fog of (Cyber)War,” National Center for Digital Government, 2013, https://www.umass.edu/digitalcenter/sites/default/files/FogofCyberWar.pdf (Accessed December 3, 2018). 9.

[7] Andrew F. Krepinevich, “Cyber Warfare: A “Nuclear Option”?” Center for Strategic and Budgetary Assessment, 2012, https://csbaonline.org/research/publications/cyber-warfare-a-nuclear-option (Accessed November 30, 2018). 16.

[8] Jack Goldsmith, “The New Vulnerability,” The New Republic, June 7, 2010, https://newrepublic.com/article/75262/the-new-vulnerability (Accessed December 2, 2018).

[9] John R. Lindsay, “Stuxnet and the Limits of Cyber Warfare.” Security Studies 22, no. 3 (2013): 375 – 377.

[10] Adam P. Liff, “Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War,” Journal of Strategic Studies 35, no. 3 (2012): 415.   

[11] Ibid. 415 – 416.

[12] Krepinevich, “Cyber Warfare: A “Nuclear Option”?” 39 – 42.

[13] Ibid. 39 – 40.

[14] Ibid. 40 – 41.

[15] Ibid. 41 – 42.

[16] Diego R. Canabarro and Thiago Borne, “Reflections on the Fog of (Cyber)War,” National Center for Digital Government, 2013, https://www.umass.edu/digitalcenter/sites/default/files/FogofCyberWar.pdf (Accessed December 3, 2018). 9.

[17] Ibid. 9.

[18] Martin C. Libicki, “Why Cyber War Will Not and Should Not Have Its Grand Strategist,” Strategic Studies Quarterly 8, no. 1 (2014): 32 – 33.

[19] Samuel Liles, J. Eric Dietz, Marcus Rogers, and Dean Larson, “Applying traditional military principles to cyber warfare,” 4th International Conference on Cyber Conflict, 2012, https://ieeexplore.ieee.org/abstract/document/6243973 (Accessed November 30, 2018). 176.

[20] Michael Robinson, Kevin Jones, and Helge Janicke, “Cyber warfare: Issue and challenges,” Computers & Security 49 (2015): 82 – 84.

[21] Adam P. Liff, “Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War,” Journal of Strategic Studies 35, no. 3 (2012): 417.

[22] Ibid. 415 – 416.

[23] Myriam D. Cavelty, “Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities,” Science and Engineering Ethics 20, no. 3 (2014): 701 – 715.

Image Credit: McCabe, Karen. “Global, Open Standards for Cyber Security.” November 6, 2014. https://beyondstandards.ieee.org/cybersecurity/global-open-standards-for-cyber-security/.

You may also like