The idea of offensive advantage dominates the cyber security field, a framework originating from research on the offense/defense balance in conventional warfare. The basic theory is that the balance of offensive and defensive forces determines what kind of strategy will be most effective. The field of cyber security consistently tries to build on offense/defense balance frameworks with little awareness of the inherent problems of the theory. If the offense is dominant, then the defense would supposedly never win against an aggressive adversary due to the compounding nature of failure. The only solution would be going on the offensive in return. This article identifies three core problems with applying the offensive/defensive balance to cyberspace: (1) the inability to distinguish between the two frames, (2) the failure to understand the impact of perceptions, and (3) the inaccuracy of measurement. The pathology of offensive advantage and being under siege as a defender can only continue to lead to strategic malaise and constant attacks as the defender fails to shore up vulnerabilities due to the mistaken belief in the ascendancy of the offense.
READ THE FULL ARTICLE HERE