Myth #12: The best cyber defense is a good cyber offense.
Myth: The offensive use of cyber capabilities as a response to cyber attacks carried out by an adversary (sometimes referred to as “hackbacks”) deters criminals and state(-backed) actors and therefore increases security for your government, businesses, critical infrastructures and citizens (“deterrence-by-punishment”).
Busted: The United States is among the leading countries when it comes to conducting offensive cyber operations with the ultimate goal to deter adversaries. Offensive use of cyber capabilities is one of many options when deciding how to respond to cyber operations. There are also political sanctions, economic sanctions, clandestine operations, military operations, criminal indictments and targeted financial sanctions against individuals.
If deterrence-by-punishment worked, there should be a significant drop in cyber operations against the United States. However, so far, large-scale data breaches and other cyber operations (DNC, F-35 stealth fighter blueprints, OPM, Equifax) continue to plague the United States. Because this strategy does not seem to work, the US government has shifted its approach from trying to deter an adversary through cyber means to conducting cyber operations to preempt adversarial cyber operations before they even happen under the new strategic doctrines of “defending forward” and “persistent engagement”.
In addition to the apparent failure of deterrence-by-punishment, immediate offensive countermeasures to disrupt ongoing attacks or retrieve “stolen” data, so-called “hackbacks”, face tremendous challenges. Attributing an attack and responding in time without any prior preparations (e.g. carefully scanning for/compromising vulnerable systems) is nearly impossible. Such a strategy would therefore rather lead to more IT insecurities as it requires the responsible agencies to stockpile vulnerabilities and hack tools without a decent chance of successfully using them.
With few exceptions, such as the allegedly US-Israel cyber campaign against nuclear enrichment facilities in Iran (Stuxnet), cyber operations have not yet exceeded a certain threshold and might therefore currently be at the lower end of an escalation cycle. Other responses, such as sanctions and indictments, might be more proportionate and effective and therefore will yield better results in fighting the adversary off. There is however no solid data substantiating that any of those response strategies achieves any lasting (deterring) effect.
There is simply no proof that offensive cyber defense works. The United States as the key actor has shifted its strategy from deterring to preempting cyber operations. Attribution of cyber operations continues to be a major challenge. Forensic analysis of attacks takes time and attributions and actors increasingly use malicious software stitched together from the code of other threat actors (Vault7) to conduct false-flag operations. If attribution continues to be a major challenge, attackers will be unlikely to be deterred because they can be confident that they will remain anonymous.
Truth: The use or threat of preemptive offensive cyber capabilities does not deter adversaries from attacking you. The use of better IT security and resilience mechanisms might also not deter them (“deterrence-by-denial”), but will decrease the likelihood that they succeed and therefore increase security for your government, businesses, critical infrastructures and citizens.
Source: Sven Herpig, Anti-War and the Cyber Triangle: Strategic Implications of Cyber Operations and Cyber Security for the State, PhD thesis, University of Hull (2015); Sven Herpig and Thomas Reinhold, Spotting the bear: credible attribution and Russian operations in cyberspace, Chaillot Paper 148 (2018), 33-42