Monday, December 19, 2005

Defense Seldom Wins Wars

In preparation for my career as an Air Force intelligence officer, I studied history at the US Air Force Academy. Since then I have enjoyed lectures produced by The Teaching Company, like Famous Romans. One of the lessons I have taken from this course is that defense seldom (if ever) wins wars. I was reminded of this lesson when I read Tom Ptacek's post "The Only Defense Is A Good Defense."

Tom is replying to my post where I said the following:

"I also do not agree [with SANS.edu] that 'knowledge... is the only defense to the growing threat.' The best defense is a strong offense. That means hunting down and prosecuting threats. No amount of defense can sufficiently protect any moderately complex enterprise against determined intruders."

Tom disagrees and says that "Firewalls", "IT and Network Security teams", and "Vulnerability Research" have "done the most to improve security over the last 5 years." If we consider the risk equation to be something like "Risk = Threat X Vulnerability X Asset value", we must realize that Tom's points all address the vulnerability factor of the equation. Applying countermeasures only to the vulnerability factor leaves the threat factor untouched, and the product cannot be driven to zero while a determined threat remains.

When the attacker is allowed freedom of maneuver, the defender will lose. The side with the initiative has the superior position, unless the defenses are so insurmountable that attack is more costly than defense. Let's return to the Famous Romans lecture for a moment. Prior to the rule of the emperor Hadrian, the Roman Empire had pursued an expansionist foreign policy. Rome had lost many battles to its neighbors, but those neighbors essentially remained on the defensive. They feared Rome would invade, conquer, and (at worst) eliminate them.

When Hadrian became emperor in 117 AD, he changed Rome's foreign policy. He decided to consolidate the empire's borders. His most famous action was the building of Hadrian's Wall across northern Britain, separating the Roman province from the unconquered lands to the north. The wall was the ultimate statement of defense, as it sought to keep barbarians separated from Roman cities like London.

In some respects, this ultimate defensive maneuver was a success; London flourished. However, the building of the wall signalled weakness to Rome's enemies. Instead of seeing it as a statement of strength, the barbarians interpreted it as a sign that the Romans would not seek to conquer them. Rome looked weak, not strong. Within a century Rome would come under increasing barbarian attack, and the remaining shell of the western "empire" was formally overthrown in 476 AD.

Now, you might say that defense can prove superior to offense. You might cite the trench warfare that emerged in the late 19th and early 20th centuries, and the horror of World War I. In those cases, it is true that the weapons possessed by each side were so horribly destructive that attacks were fruitless and bloody endeavors. However, the arrival of the tank and of over a million US troops changed the equation. Offensive action eventually won WWI for the Allies.

A particularly clever historian might say the Cold War was won by defense. Some argue the US out-spent, or had the capability to out-spend, the Soviet Union. That is true. Another factor was President Reagan's plan to build the Strategic Defense Initiative (SDI, or "Star Wars"). SDI changed the security situation for the Soviets. The security paradigm of "mutually assured destruction" held that seeking to wipe out the enemy was a worthless action. Once the enemy detected missile launches, he could reply with his own volley. Each side's missiles would devastate the other, leaving neither with an advantage to leverage in a post-exchange world.

SDI altered this nuclear attack outcome. With SDI deployed, the US could potentially preserve some of its weapons for a second round of attacks. This second round would give the US superiority over its Soviet opponent. Suddenly a nuclear war became "winnable," as insane as that sounds. In this case, then, defense was important, but only to preserve the weapons of offense.

In the final analysis, what makes you feel safer -- a lack of criminals on your street, or iron bars on your windows?

12 comments:

Matt Richard said...

I tend to agree with the statement "When the attacker is allowed freedom of maneuver, the defender will lose." This is certainly true when the attacker is skilled and has an interest in a specific target or group of targets. I think this assertion is stronger as assumed value of threat increases.

I would however counter that a good defense can nearly eliminate risk in many situations by minimizing vulnerability. Except in cases where there is a very high threat (attacker skill level) or asset value, good defense usually wins. The downside to this way of thinking is that inevitably the threat will increase as the attackers learn new skills and proliferate more advanced attacks, thus minimizing the value of the old defenses.

As with terrorism, "The side with initiative has the superior position" holds true. A good defense that constantly evolves will do well against established attacks and potentially some new attacks. Unfortunately in the end the attacker only has to find one weakness while the defender must attempt to hide all weaknesses.

John Collins said...

Well I had something nice and in depth typed up and lost it all!

Oh well, I am curious about the type of offensive ops you are suggesting Richard. Obviously we can't attack the attackers because then we implicate ourselves. Once the trace of the attacker leads us outside the US, what then? China won't help, Russia is a mess, Brazil and Thailand have lax cyber crime laws.

I guess I'm uneducated about "legal" offensive ops in this arena. Or maybe I'm just not understanding what you are suggesting.

Richard Bejtlich said...

Hi John,

I am not necessarily implying anything as exotic as offensive IO. Improved cooperation with foreign law enforcement is one way to eliminate threats. In a case I worked, the Bureau sent an agent to Romania to assist their law enforcement agencies track a known threat.

Chris_B said...

The problem we have here is that the military analogy falls down flat. The attackers of our networks generally can not be subdued by military means. While various legal frameworks are improving, the fact is, there never can be a "one hacker one bullet" type response.

Richard Bejtlich said...

If you can't accept a military analogy, surely a police one will apply. Why do we have jails? Why not just beef up home, auto, personal, business, etc. countermeasures and let threats roam the streets?

Anonymous said...

Your point about offense is a good one, though your Cold War history is inaccurate. The Soviets didn't think Reagan could build an effective SDI and they were right about that. They also didn't bankrupt their economy by increasing their military spending to keep up with US military spending. However, Saudi Arabia did crush the Soviet Union's ability to obtain hard currency by lowering the price per barrel of oil to around the Soviet cost of extracting a barrel of oil.

Richard Bejtlich said...
This comment has been removed by a blog administrator.
Richard Bejtlich said...
This comment has been removed by a blog administrator.
Richard Bejtlich said...

Anonymous poster,

Cheaper Saudi oil played a role in the Soviet Union's collapse. However, as someone who was in the military studying to be an intelligence officer when the Soviet Union collapsed, I can tell you the Soviets weren't spending their money wisely. GlobalSecurity.org reports Soviet military expenditures at 15-17% of GNP in the late 1980s. They spend less than 2% now. The Soviets wouldn't have had such trouble with oil if they hadn't been trying to match US military capabilities.

Anonymous said...

It depends on whether you view the problem from the point of view of income or spending. You're correct that the Soviets spent too much on their military, but they were doing that before Reagan came into office and the reference you cite points out that the large increases in Soviet military spending stopped in the early 1980's. The reason that the late 1980's became an era of economic problems for the USSR wasn't that they recently increased their military spending significantly (they hadn't) but because their income from oil had suddenly decreased.

I also have to disagree with your analysis of Hadrian. The Empire's policy of fixed borders dates to Augustus, the first emperor, and the last permanent province had been added in the reign of Claudius a couple of decades after that. Hadrian's predecessor, Trajan, made a few temporary conquests, but Hadrian's policy was one that had been in force for a century. While his 80-mile wall was impressive in the context of Britain, it didn't noticeably affect the perception of Rome's enemies on thousands of miles of borders in Europe, Asia, and Africa.

The fall of Roman Britain didn't result from the Romans going on the defensive, but from Rome removing the legions that manned the Wall. Constantine III withdrew the last Roman legion from Britain when he was acclaimed emperor in 407, as he needed legions to win the civil war that so frequently accompanied a new emperor after the Five Good Emperors. The main lessons from the fall of Hadrian's Wall are that executive support for security efforts is essential and that a (fire)wall by itself is nothing without men to detect and react to intrusions, which I think is one with which you'd agree.

Richard Bejtlich said...

Anonymous, we can debate this infinitely. Suffice it to say I am not inventing the views I express here.

Anonymous said...

I don't think any modern historian will advance a thesis as simple as the view above about the fall of Rome. Going on the defense was one of a couple dozen major causes of the fall of Rome, along with disease, religious conflict, and all the problems inherent to expanding a city state government to govern a huge empire, but the reasons why going on the defense was a problem were more complex than you've illustrated.

The largest problem with defense was that Rome had funded the building of its empire on conquest, but when that stopped, the money to fund the state, the army, and to inspire Romans to join the legions was gone. However, Rome had little choice in the matter. There wasn't enough gold to be gained in conquering the Picts and Germanic tribes on their European borders to fund that conquest and only Rome's African border was the Sahara desert. Only to the East was there gold to be had, but conquering the mighty Parthian Empire was beyond Rome's logistical capabilities