The Trouble with Offensive Cybersecurity

An offensive cybersecurity strategy is déjà vu in the worst way.

Words: Zoë Brammer
Pictures: Meritt Thomas

In a job interview last week, I was asked why I thought the future of cybersecurity should be defensive rather than offensive in nature. Having published an academic paper on the subject, I launched into my spiel on the attribution problem and the event-specific and inefficient nature of offensive cybersecurity. But as I walked home after the interview, I realized I should have quoted Einstein instead and said simply, “The definition of insanity is doing the same thing over and over again but expecting different results.”

I was born in 1998 and have been alive for a host of US foreign policy blunders. In the last year or so, the US has seriously fumbled the ball in several key moments, including the COVID-19 response, the SolarWinds attack, and the recent US withdrawal from Afghanistan. I realized that all of these instances and countless others before them can be traced back to the same theme: hubris. There seems to be a pervasive belief that “we,” the good ole’ U S of A, are never wrong, that we know best, and that what is “best” is often the most aggressive, least communicative option on the table.

When COVID-19 began to spread, President Trump was too busy tooting the “China is evil” horn to get a grip on the pandemic at home. When we invaded Afghanistan in 2001, it was not enough for us to rid the country of the Taliban. We felt the need to engage in nation building and tried to re-organize an entire culture and system of governance. And last year, while the US was busy building a space force and gloating about technological advancements, the Russians hacked multiple government agencies and remained undetected for over nine months. In essence, the United States is doing the same thing over and over—thinking we know best, thinking only of ourselves, and acting aggressively and without listening—and expecting different results.

It should come as no surprise, then, that cyberspace has come into play as the next “domain” to conquer after the “traditional” four—land, sea, air, and space. The idea of establishing “cyber dominance” involves achieving and maintaining strategic and tactical dominance in critical elements of cyberspace and has been pursued across the world through the establishment of military strategies aimed directly at information flows. This prevailing “new frontier” attitude forms the basis of America’s cyber strategy, and it is setting us up for failure.

Cyberspace is not a traditional military domain. It came to exist when computers across the world became connected through the Internet, and it describes the vast network of hardware, software, computer users, and network connections, and the ways they interact. While states can own some computers and software in the cyber domain, much of US critical infrastructure is owned by the private sector, and cyberspace itself is a non-physical entity that cannot be “dominated” by anyone. Offensive cybersecurity is appealing because it may require less cooperation between the public and private sectors, and because it can give an illusion of control. But there are also major drawbacks to an offensive approach. It is nearly impossible to identify actors in cyberspace, for example, especially in the wake of a cyber-attack. In addition, the legal framework surrounding cyber warfare remains unclear, making an offensive and retaliatory cybersecurity approach less than ideal.

The good news is there’s another option. It’s a bit less glamorous than designing bugs to infiltrate adversaries’ systems to steal information, but it is much more important for the long-term health of cybersecurity. The primary objective of the early Internet was to create an open system where researchers could share ideas by bypassing the constraints of time and distance, and as a result, security was not a primary consideration in cyberspace development. As cyberspace has evolved and expanded, so too has its lack of security: existing security is stretched thin where it exists, and holes remain where it does not. The result is that current cybersecurity is both inefficient and ineffective.

A pivot towards defense is the logical alternative, and could begin with two steps. First, a standardization in the field. There exists a pressing need for a common communication medium, standard interface tool, and standard message set. A lack of standardization across a single network can cause inefficiency and miscommunication. The cyber-realm is constantly shifting, but standardization is at the core of the work that needs to be done by individual states to better their cyber defense. Second, the international community would benefit from a collective cybersecurity community in which data and best practices are shared. This community would provide an opportunity to address the most basic problems of cybersecurity, such as the creation of clear and cohesive cyber-relevant definitions, a system of laws surrounding cyber warfare, and the ability to tackle the attribution problem.

This shift is not just a tactical or strategic opportunity. With the US withdrawal from Afghanistan still fresh in our memories, and the twentieth anniversary of the September 11 attacks looming ahead, the US is overdue for some self-reflection. The cyber domain offers us incredible opportunities for collaboration, community, and security, but also houses some of the most dangerous transnational threats. We have an opportunity to pivot away from insanity and towards innovation—to acknowledge our history and learn from it, instead of treating cyberspace like a new frontier.

Zoë Brammer graduated summa cum laude from Clark University with degrees in International Relations and Economics. Her primary area of interest is security studies, with a special focus in cybersecurity and its international implications. She was previously published in “Security and Society in the Information Age”, an academic journal, for her work on defensive cybersecurity. 
