This dynamic is an example of the “security dilemma”: When a state takes defensive measures, other states can perceive such behavior as threatening, and respond accordingly. Underlying this dilemma is the difficulty of distinguishing “offensive” from “defensive” moves when trying to evaluate another state’s intentions. Ben Buchanan, a postdoctoral fellow at the Cyber Security Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, argues in his recent book, The Cybersecurity Dilemma, that the line between offense and defense is even blurrier in cyberspace. “To assure their own cybersecurity, states will sometimes intrude into the strategically important networks of other states and will threaten—often unintentionally—the security of those other states, risking escalation and undermining stability,” Buchanan writes. Meanwhile, a ransomware attack believed to be using stolen NSA tools spread across the globe on Tuesday for the second time in as many months, showing another way cyber tools can undermine stability: The technologies states develop to protect themselves can be stolen by criminal hackers and turned against their inventors.
I recently caught up with Buchanan at the Belfer Center's Cyber Security Project, which supports my research as well, to better understand the cybersecurity dilemma and its risks. Our conversation, condensed and edited for clarity, follows.
Alyza Sebenius: Why is the line between offensive and defensive action blurry in cyber?
Ben Buchanan: One of the striking things is that network intrusions—which is to say, hacking—are really useful for defense as well as for offense. One of the stories I relate at some length is how the United States, in order to improve its cyber defenses against Chinese hacking, hacked Chinese hackers themselves—to understand who they were and how they operated—and used this information to guide its own defenses [in the 2000s].
This, of course, was great from an American perspective. But if the Chinese uncovered this intrusion, one wonders what they would think about it. Would they know that it was done genuinely with defensive intent? Or would they fear it was something more offensive?
Another of the big issues here is that the mechanics of doing offense and defense in cyber are different from conventional or nuclear. So, for example, if you're doing offense in cyber operations, it requires a lot more prep work—reconnaissance and so forth in the adversary’s systems, [and] actually getting your malicious code into their networks—than in a Cold War context, where you would launch a missile but do a lot of prep work in your own territory before launching that missile.
For example, if you look at the Stuxnet operation [which consisted of cyberattacks reportedly by the U.S. and Israel on Iranian nuclear facilities], it was preceded by months if not years of reconnaissance, getting information on how the Iranian facilities worked and ultimately how they could be attacked. And that kind of reconnaissance took place in Iranian networks. One of the things that worries me is that if a nation uncovers this kind of reconnaissance under way, they have a very hard time interpreting it and knowing if it’s for offense or for deterrence or something else.