Analysis

No. 203, October 2013

THE OFFENSE/DEFENSE BALANCE

IN CYBERSPACE

Andrea Locatelli

As governments become increasingly involved in cyberspace for military purposes, they tend to
consider the cyber domain as critical part of their security strategies. This growing reliance on cyber
assets calls for deeper investigation on the features of cyberspace as well as their impact on state
rivalry. The paper draws from the insights of Offence/Defense Balance (ODB) theory to discuss
whether competition in cyberspace may become an incentive to the use of force. In particular, ODB
theory postulates that whenever defense is (or is held to be) more expensive relative do offense,
states will have an incentive to act aggressively. Unfortunately, three features of cyberspace give
offense an advantage over defense: the central place of vulnerabilities, the different pace of
improvements for defense and offense technologies, the difficulty in attribution. The main conclusion
of this argument is that the cyberattacks in the future are likely to become more and more common.


Andrea Locatelli, Catholic University Milan








ISPI2013

1
The opinions expressed herein are strictly personal and do not necessarily reflect the position of ISPI.
The ISPI online papers are also published with the support of Cariplo



The way wars are fought has changed dramatically in the past
decades. While the tip of the iceberg rests on fancy devices like
drones or the so-called smart bombs a deeper and even more
radical process is going on. As new technologies and military
doctrines are continuously developed and revised war becomes an
increasingly complex activity. This is hardly new, as witnessed by What is remarkable in our
the nationwide efforts required by total wars like World Wars I and day is the (almost)
II1. What is remarkable in our day is the (almost) unprecedented unprecedented pace of
pace of innovations in military technology. To put it bluntly, some innovations in military
of todays realities are yesterdays sci-fi conjectures (and by technology. To put it
yesterday we can consider a three-decade span of time). How all bluntly, some of todays
these changes are affecting war is still under debate and as realities are yesterdays
usually happens this question has polarized analysts in two scifi conjectures
opposing camps: Conservatives vs Revolutionaries2.
The rise of cyberspace as a domain of warfare is no exception. The
impact of the Internet on military operations has brought analysts
within both military circles and the academic community to discuss
whether a digital revolution is occurring or not. As recognized most
recently by Jon Lindsay3, the Conservatives/Revolutionaries divide
seems to follow the border between these communities: while most
scholarly literature tends to dismiss the novelty brought about by
the cyber-dimension4, analysts and practitioners within the armed
forces are more inclined to underscore its potential5. Both camps

1 On the growing complexity of war, see M. VAN CREVELD, Technology and War. From

2000 b.C. to the Present, New York, The Free Press, 1989, p. 153.
2 The literature on this topic has revolved since the early 1990s around the so-called

Revolution in Military Affairs (RMA) concept. I have provided a more detailed overview
in A. LOCATELLI, Tecnologia militare e guerra. Gli Stati Uniti dopo la Rivoluzione
negli Affari Militari, Milano, Vita e Pensiero, 2010, pp. 23-64.
3 J. LINDSAY, Stuxnet and the Limits of Cyber Warfare, Security Studies, Vol. 22, No.

3, 2013, pp. 367-368.

4 For a sample of the literature, see: T. RID, Cyber War Will Not Take Place, Journal of

Strategic Studies, Vol. 35, No. 1, February 2011, pp. 5-32; A. LIFF, Cyberwar: A New
Absolute Weapon? The Proliferation of Cyberwarfare Capabilities and Interstate War,
Journal of Strategic Studies, Vol. 35, No. 3, June 2012, pp. 401-428; M. LIBICKI,
Cyberspace Is Not a Warfighting Domain, I/S: A Journal of Law and Policy for the
Information Society, Vol. 8, No. 2, 2012, pp. 321-336. For a critical view, see T. JUNIO,
How Probable is Cyber War? Bringing IR Theory Back In to the Cyber Conflict Debate,
The Journal of Strategic Studies, Vol. 36, No. 1, February 2013, pp. 125-133.
5 For a landmark example, see former US Deputy Defense Secretary William J. Lynns

vision in W. LYNN, Defending a New Domain: The Pentagons Cyberstrategy, Foreign

Affairs, Vol. 89, No. 5, September/October 2010, pp. 97-108; in the same journal retired
ISPI2013

army general Wesley Clark with Peter Levin expressed similar concerns: W. CLARK, P.
LEVIN, Securing the Information Highway: How to Enhance the United States
Electronic Defenses, Foreign Affairs, Vol. 88, No. 6, November/December 2009, pp.
2-10.

have forceful arguments to support their thesis, but their main

weaknesses rest on the lack of evidence. Put it bluntly, whereas
cyber-threats, illicit activities in cyberspace, are everydays
business, none of them qualifies as a security threat, let alone an
act of war6. Nonetheless, as most militaries have come to depend on
Information and Communication Technologies (ICTs),
cyber-operations/commands have been developed and are now part
of most advanced states armed forces.
It is too early to assess whether these offices are doomed to become As governments become
the backbone of the fifth domain of war, or (like many other more conscious of their
experiments before7) they will live a short life. The point that needs capabilities (and
to be discussed here is that as governments become more conscious vulnerabilities) in
of their capabilities (and vulnerabilities) in cyberspace, they will cyberspace, they will likely
likely shape their own strategies accordingly. In other words, since shape their own strategies
strategy is the art of matching (political) ends and (military) accordingly. In other
means8, the features of cyberspace as a potential military asset words, since strategy is the
may have an impact on how states pursue their national security. art of matching (political)
In the following pages we will make some inference starting from ends and (military)
the Offense/Defense Balance (ODB) theory. In the next section we means , the features of
will discuss the main tenets of this argument. We will then come to cyberspace as a potential
assess how cyberspace affects the ODB. Finally, section 4 will military asset may have an
present the main conclusions. impact on how states
pursue their national
security
The Offense/Defense Balance Argument

6 The only exception is the STUXNET virus that attacked the Iranian centrifuges in

Natanz in 2009-2010.
7 See among others the ambitious Office of Force Transformation, established in
ISPI2013

October 2001 and closed just five years later.

8 C. GRAY, Modern Strategy, Oxford: Oxford University Press, 1999; E.

LUTTWAK, Strategy. The Logic of War and Peace, Cambridge, MA, Harvard
University Press, 1987.

Proponents and critics of the ODB hypothesis are mostly concerned When attack and conquest
with topical issues in international politics, such as the security are held to be easier than
dilemma9, war inception10, and escalation11. All these phenomena, protecting a given target
the argument goes, can lead to opposite outcomes depending on a (being it a swath of land, a
single variable: the (assumed) relative strength of offense over line of communication, or
defense, and vice versa. Simply put, when attack and conquest are a military facility), ODB
held to be easier than protecting a given target (being it a swath of theory predicts as likely
land, a line of communication, or a military facility), ODB theory systemic outcomes an
predicts as likely systemic outcomes an intense security dilemma, intense security dilemma,
the possibility of major wars and the tendency to increase war the possibility of major
aims. Even if the causal path can take many ways12, the logic of this wars and the tendency to
argument is quite straightforward. When policymakers and increase war aims
strategists are convinced that the offender has an advantage over
the defender, they will be tempted to perpetrate preemptive
attacks. They will also be skeptical of their counterparts
intentions, as well as willing to take more risks in war.
On the other hand, when defense is easier than offense, states have
more incentives to cooperate, embark on binding strategies and
even engage in disarmament policies. To illustrate this point, in a
seminal contribution Barry Posen argued that ethnic groups in
failed states are less susceptible to the vicious logic of the security
dilemma (thus preventing the outbreak of civil wars) if they can
credibly show that their military forces are for defense only13. Or,
more recently, Charles Glaser14 claimed that states seeking
security have better chances of increasing their status without
threatening other powers.
For heuristic purposes, the viability of this theory rests on the
ability to spell out the causes of this balance. In a nutshell: since
military power alone is too rough as a variable, what are the factors
that solve the equation? Since the issue at stake is military victory,
most authors turned to military technology as a catch-all

9 C. GLASER, The Security Dilemma Revisited, World Politics, Vol. 50, No.1, October

1997, pp. 171-201. C. GLASER, Rational Theory of International Politics: The Logic of
Competition and Cooperation, Princeton, NJ, Princeton University Press, 2010.
10 See, among others: S. VAN EVERA, Causes of War: Power and the Roots of Conflict,

Ithaca, NY: Cornell University Press, 1999; M. BROWN, O. COT, S. LYNN-JONES, S.

MILLER (eds.), Offense, Defense and War, Cambridge, MA, The MIT Press, 2004.
11 E. LABS, Beyond Victory: Offensive Realism and the Expansion of War, Security

Studies, Vol. 6, No. 4, Summer 1997, pp. 1-49.

ISPI2013

12 S. VAN EVERA, Causes of War, cit.

13 B. POSEN, The Security Dilemma and Ethnic Conflict, Survival, Vol. 35, Spring

1993, pp. 27-47.

14 C. GLASER, Rational Theory of International Politics cit.

explanation15. The main line of argument is that throughout

history technological developments favored either offense or
defense. For instance, at the end of the nineteenth century, due to
rapid advance in firepower (mostly in terms of range, speed and
precision), a widespread belief circulated in European military
circles that offense would be easy, and probably conducive to a swift
victory16. In more general terms, Karen Ruth Adams finds a
statistical correlation between what she calls offense dominant
eras and the frequency of wars17. In a word, the international
system is more prone to peace and stability when technology clearly
makes it possible to: 1) draw a distinction between offensive and
defensive weapons; 2) assess the relative superiority of offense over
defense.
For practical purposes, the major issue with ODB theory is how to
measure this balance. In the most concise statement, Charles
Glaser defines it as the ratio of the cost of the offensive forces the
attacker requires to take territory to the cost of forces the defender For our purposes, the main
has deployed18. The measurement issue is probably the most tenet of ODB theory is still
controversial element of the theory19, as a number of problems need worth investigation:
to be solved: how can we foresee the costs of both offense and whenever defense is (or is
defense before they actually take place? How can we do it, held to be) more expensive
considering that these costs vary according to the nature and relative to offense, states
dimension of the territory to conquer? Are the costs of conquest will have an incentive to
enough, or should we also include the costs of keeping control over use force. This argument,
the seized territory in the offense component? mutatis mutandis, can be
tested in the cyberdomain

15 This is true for both proponents and critics of this theory. See, among others, K.
LIEBER, Grasping the Technological Peace: The Offense-Defense Balance and
International Security, International Security, Vol. 25, No. 1, Summer 2000, pp.
71-104; J. SHIMSHONI, Technology, Military Advantage, and World War I. A Case for
Military Entrepreneurship, International Security, Vol. 15, No. 3, Winter 1990/91, pp.
187-215; K. ADAMS, Attack and Conquer? International Anarchy and the
Offense-Defense-Deterrence Balance, International Security, Vol. 28, No. 3, Winter
2003/2004, pp. 45-83; Y. GORTZAK, Y. HAFTEL, K. SWEENEY, Offense-Defense
Theory: An Empirical Assessment, Journal of Conflict Resolution, Vol. 49, No. 1,
February 2005, pp. 67-89.
16 A number of accounts are available in S. MILLER, S. LYNN-JONES, S. VAN EVERA

(eds.), Military Strategy and the Origins of the First World War, Princeton, NJ,
Princeton University Press, 1991. The main problem with this view was that it focused
just on the tactical dimension, thus failing to take into account the strategic advantage
of defense. A. LOCATELLI, Tecnologia militare e guerra, cit., pp. 70-74.
ISPI2013

17 K. ADAMS, Attack and Conquer?..., cit.

18 C. GLASER, Rational Theory of International Politics, cit., p. 43.

19 C. GLASER, C. KAUFMANN, What Is the Offense-Defense Balance and How Can

We Measure It?, International Security, Vol. 22, No. 4, Spring 1998, pp. 44-82.

These and other problems have generated a lengthy debate, which

is not possible to discuss here20. For our purposes, the main tenet of
ODB theory is still worth investigation: whenever defense is (or is
held to be) more expensive relative to offense, states will have an
incentive to use force. This argument, mutatis mutandis, can be
tested in the cyber-domain.

The Offense/Defense Balance in Cyberspace

The first problem when it comes to assessing the ODB in
cyberspace is to define the meaning of cyberspace and cyber-attack.
Given the complexity and pervasiveness of ICTs, it should surprise
no one that different authors came up with different visions. For
our purposes, suffice it to say that cyberspace includes both a
physical and a virtual dimension. According to Derek Reveron, for
example, like the physical environment, the cyber-environment is
all-encompassing. It includes physical hardware []; information
[]; the cognitive []; and the virtual. When aggregated, what we
think of as cyberspace serves as a fifth dimension where people can
exist through alternate persona on blogs, social networking sites
and virtual reality games21. In the same volume, Brandon The result is twofold: on
Valeriano and Ryan Maness write that cyberspace is physical; that the one hand,
is, it has defined boundaries of main-frames, wires, hard drives and cyberthreats can take the
networks, but, they also add: it is important to know that the form of either criminal
cyber world is restricted to the domains of human thought; finally, activities or acts of war
they conclude, perhaps the most important distinction of just depending on the
cyberspace is between the physical layer and the syntactic layer22. target of the attack. On the
The dual nature of cyberspace (hard and soft, or real and virtual) other hand, the sources of
makes of it a peculiar battleground, where actions can have these threats vary
different purposes, like destroying physical infrastructures conspicuously, ranging
(unlikely), or disrupting processes (quite likely). Secondly, and from hackers, to terrorists,
equally peculiar, is the centrality of Internet for both military and to intelligence services

20 For a summary, see: S. LYNN-JONES, Offense-Defense Theory and Its Critics,

Security Studies, Vol. 4, No. 4, Summer 1995, pp. 660-691. See also J. DAVIS, B.
FINEL, S. GODDARD, S. VAN EVERA, C. GLASER, C. KAUFMANN, Correspondence.
Taking Offense at Offense-Defense Theory, International Security, Vol. 23, No. 3,
Winter 1998/99, pp. 179-206. The latest contribution, as far as I know, is K. LIEBER,
Mission Impossible: Measuring the Offense-Defense Balance with Military Net
Assessment, Security Studies, Vol. 20, No. 3, pp. 451-459.
21 D. REVERON, An Introduction to National Security and Cyberspace, in D.

REVERON (ed.), Cyberspace and National Security, Washington DC, Gergetown

ISPI2013

University Press, 2012, p. 5.

22 B. VALERIANO, R. MANESS, Persistent Enemies and Cyberwar. Rivarly Relations

in an Age of Information Warfare, in D. REVERON (ed.), Cyberspace and National

Security, Washington DC, Gergetown University Press, 2012, pp. 140-141.

non-military actors. While differences exist between civilian and

military networks, they mostly use the same hardware and
software. The result is two-fold: on the one hand, cyber-threats can
take the form of either criminal activities or acts of war just
depending on the target of the attack23 (see Figure 1). On the other
hand, the sources of these threats vary conspicuously, ranging from
hackers, to terrorists, to intelligence services. Similarly to the
terrorist challenge, then, the definition of cyber-threats in terms of
war poses a significant problem24. Fortunately, a narrow definition
of cyber-attack serves our purpose nicely. Since our goal is to assess
the ODB in cyberspace, we just need to consider those actions
perpetrated by and aimed at state actors. We can then stick to
Hershs definition of cyber-war as the penetration of foreign
networks for the purpose of disrupting or dismantling other
networks, and making them inoperable 25.

Figure 1 - Top 5 Activities for Malware Destination by Industry

(virus rate per e-mail).
Source: Symantec Intelligence Report, August 2013, p. 25.

Borrowing the terms of ODB theory, then, drawing a distinction

between offense and defense becomes somewhat less complicated.
Equally important, it is easier to assess their relative costs, as the
main purpose of action is not to control a territory but to

23 A concise list of cyber threats includes viruses, logic bombs, Trojan horses, worms, etc.
Their consequences are hardly confined to the civilian or military domain only. Just as
an example, when a virus attacks a commercial website, it can slow down the Internet,
with consequences for both private actors and governments.
24 For a discussion of the legal implications, see C. DROEGE, Get Off My Cloud: Cyber
ISPI2013

Warfare, International Humanitarian Law, and the Protection of Civilians,

International Review of the Red Cross, Vol. 94, Issue 886, June 2012, pp. 533-578.
25 S. HERSH, The Online Threat: Should We Be Worried about Cyber War?, New

Yorker, November 2010.

compromise/ensure the effectiveness of a system or network. As for

the traditional domains of war, it is probably impossible to measure
the ODB as if it were an equation. Nonetheless, some features of
cyberspace suggest that offense has a comparative advantage over
defense. This largely depends on the following considerations:
1. Vulnerabilities are key. What makes cyber-attacks possible is
the existence of vulnerabilities in the targeted system. Put it
differently, viruses, worms, netbots and threats of this kind can
only take place if they have access to their target through a
network and, most importantly, if they can exploit flaws in the
software. But it is technically impossible to rule out flaws in
software designs (see figure 1) and practically unfeasible to
disconnect computers from the network.
The centrality of defense vulnerabilities, and the need to exploit
them fully to make the attack successful leads to an unpleasant
consequence: an incentive to preemptive attack. In the words of US
National War College professor Richard Andres, one of the most
noteworthy characteristics of cyber-defenses is that they change
rapidly. Practically speaking, the only way to maintain the ability
to penetrate an opponents cyber-defenses is to continually probe
and alter them [] however, these preemptive actions can have
unanticipated and sometimes catastrophic consequences26.

Figure 2 - Total Vulnerabilities Discovered by Month

Source: Symantec Intelligence Report, August 2013, p. 18.
ISPI2013

26 See, among others, R. ANDERS, The Emerging Structure of Strategic Cyber Offense,

Cyber Defense, and Cyber Deterrence, in D. REVERON (ed.), Cyberspace and National
Security, Washington DC, Georgetown University Press, 2012, pp. 94-95.

2. Progress in offense is faster than defense. Differently from the

other domains, cyberspace is not natural but is the result of
technological evolution. As such, its features (and the ODB) are Both defense and offense
constantly evolving. In this sense, both defense and offense develop develop and improve, as
and improve, as witnessed by the constant upgrading of hardware witnessed by the constant
and software (or, in a different perspective, by their rapid upgrading of hardware
obsolescence). So far, however, improvements in defense have been and software (or, in a
succeeding at a slower pace than progress in offense27. The end different perspective, by
result is aptly summarized by Martin Libicki: Offense-defense their rapid obsolescence)
curves at levels that characterize todays cyberspace favor the
offense. That is, another dollars worth of offense requires far more
than another dollars worth of defense to restore prior levels of
security28.
3. Attribution is difficult. As the source of the attack can be As the source of the attack
thousands of miles away, and the main vector for the attack rests can be thousands of miles
on a network, identifying who actually perpetrated the offence is away, and the main vector
usually a difficult task. Moreover, considering that it may take just for the attack rests on a
a handful of people to plan and execute the attack, it is quite easy network, identifying who
for governments to deny responsibility. An example can be found in actually perpetrated the
the 2007 attack on Estonian web sites: in this case, a botnet (i.e. a offence is usually a
network of hijacked computers) was used to flood the servers with difficult task
massive simultaneous requests, thereby producing a
denial-of-service attack. Since many of the requests were traced
back to Russia, Estonian authorities conjectured direct
involvement from the Kremlin. Although the argument is
plausible29, as of today there is no evidence of that.
The difficulty in attribution does not directly affect the ODB.
However, at least indirectly, it favors offense, since it nurtures the
illusion that the attack can go unpunished. This problem also
makes retaliation more difficult, since one of the main
requirements for retaliating an attack is to know who should be the
target of retaliation. The end result is that cyber-deterrence is more
difficult than nuclear or even conventional deterrence, which in
turn lowers the expected costs of the attack30.

27 K. LIEBERTHAL, P. SINGER, Cybersecurity and U.S.-China Relations, Brookings

Institution, February 2012, pp. 14-16.

ISPI2013

28 M. LIBICKI, Cyberdeterrence and Cyberwar, Santa Monica, CA, RAND, 2009, p. 32.

29 S. BLANK, Web War I: Is Europes First Information War a New Kind of War?,

Comparative Strategy, Vol. 27, No. 3, 2008, pp. 227-247.

30 M. LIBICKI, Cyberdeterrence and Cyberwar, cit.

Conclusions
Cyberspace, as shown by the origins of the Internet with the ARPA
project in the early 1960s, was originally created as a force
multiplier. The way it developed, as well as the growing
dependence of the armed forces on networks, gave rise to
widespread speculations on the possibility of future cyber-wars.
Such a scenario does not seem likely in the short term, but recent
episodes like operational attacks during the 2008 Russia-Georgia
war, or most evidently STUXNET against Iran lead to
investigating the growing importance of cyberspace for military
purposes.
In these pages we tried to borrow the main proposition from ODB
theory namely, that war is more likely when offense is less costly
than defense to discuss whether we can expect military
cyber-operations to be more frequent in the future. A cursory look
at the main features of cyberspace suggests that offense has an
advantage over defense. Or better, the prospect of the attacker
being successful against given targets is higher than the prospect of
the defender thwarting the aggression. Following this logic, then,
we should foresee a growing number of cyber-attacks, if not at the
strategic level, at least at the operational level31.
ISPI2013

31 These terms are borrowed from M. LIBICKI, Cyberdeterrence and Cyberwar, cit.,

chapter 6.

10