 |
Center for Nonlinear Studies |
Both popular and scholarly discourse about cyber-conflict reflect the prevailing view that cyberspace favors the offense. While a few scholars have challenged this conventional wisdom, the debate remains muddy because the offense-defense balance of cyber-operations is rarely defined, let alone empirically assessed. This paper clarifies the debate in three ways. First, it analyzes how international relations scholars, military officials, and private sector computer security experts implicitly define offense-dominance in cyberspace, showing that these groups maintain divergent conceptions. Second, it proposes to define the offense-defense balance of cyber-operations in terms of the relative utility of offense and defense, i.e. the benefits of offense less the costs of offense, relative to the benefits of defense less the cost of defense. It theorizes the factors that contribute to increased benefits or costs; a key innovation here is that the costs of cyber-operations are determined not by technology, but by the organizational processes that govern the interactions between skilled workers and technology. Third, it provides an empirical cost-benefit analysis of the Stuxnet cyberattacks by Israel and the U.S. on Iran. While this analysis has many uncertainties, it appears likely that the costs of offense exceeded the costs of defense, and that the perceived benefits of both offense and defense were roughly two orders of magnitude larger than costs, making the costs irrelevant.
Host: Benjamin Sims, 505-667-5508 bsims@lanl.gov