The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.

Summary: Why defense experts obsess about the relative advantages of different military hardware (e.g., the A-10 vs the F-35), the US has unleashed the tools of cyberwar on Iran. We can expect more in the future, begun by friends and foes. So let’s learn the rules. Today Marcus Ranum explains the nature of attack and defense in cyberwar, and the advantages of each.  {@nd of 2 posts today.}

Cyber Warriors


My 2014 presentation “Never Fight a Land War in Cyberspace” compared key elements of warfare in the real world with warfare in cyberspace, exploring the interchangeability of tactics and strategy in those domains. I expected that “cyberwar” would have similar underlying principles as regular war, but found that “cyberwar” bears no resemblance to warfare at all — tactically or strategically. Of course it fits in the overall grand strategy of conflct and power, but our tendency to reason by analogy breaks down quickly here.

In this series I will lift some of the main themes from that presentation and give them the more detailed explanation they deserve.

I will use two terms as shorthand.

Cyberwar“, which I do not think is a real thing, as shorthand for “conflict in cyberspace” — which I consider real. This series continues my attempt to explain why “cyberwar” is not a useful concept; unfortunately, the term has taken on a life of its own. Caveat Emptor.

Topological warfare” as shorthand for the idea of warfare that is bound to a real-world existence. The real-world-ness of topological warfare is the basis for what we know as military strategy and tactics; it’s an environment in which armies have to eat and cannot move at light speed, etc. The topological nature of warfare deeply penetrates virtually all of our thinking about strategy and tactics.

“The Best Defense is a Strong Offense”


"Napoleon Crossing the Alps" by Jacques-Louis David (1800)

This military maxim is one of the first things commanders learn, It’s a good rule for topological warfare and has been through the ages. Why is it a good rule? Here we’ll explore why it’s a good rule in topological warfare using two forms of war: generalized modern warfare, and kendo, the Japanese art of fencing. By exploring these two different aspects of topological warfare we can better understand why the best defense can often be a strong offense. Then we will explore whether those properties apply to cyberwar and, by extension, whether the maxim holds true in that domain.

“The transition from defensive to the offensive is one of the most difficult operations in war.”
— Napoleon Bonaparte, XIX of his Military Maxims.

Bonaparte was referring to one of the most crucial problems in topological warfare: the intersection of command and logistics. Offense is not simply a problem of deciding your target and moving your forces towards it — unless you want to lose. As he demonstrated at Austerlitz, if your opponent can be caught flat-footed in the middle of re-reploying or maneuvering in the wrong direction, they are a better target. Their command and control system is already stressed from the effort of getting them moving, and there will be an inevitable lag-time to exploit while they re-orient on the new threat. By aggressively maneuvering on your enemy (strong offense) you force them to react to you, which means that you’ve eaten up some of their capacity immediately by stressing their command and control — as well as their troops tactical ability to maneuver.

"Battle of Austerlitz" by François Gérard (1810)
“Battle of Austerlitz” by François Gérard (1810)

At Austerlitz, this worked perfectly because the Russian army’s tactical responsiveness was already outclassed by the French, and the Russian command and control capability simply wasn’t as good, either. When presented with a French army bearing down on them from an unexpected direction, in the middle of a grand maneuver, the Russian command structure was not competent to respond fast enough, and the troops weren’t either – the end was a foregone conclusion.

The late master strategist John Boyd  (Colonel, USAF) established his own language for talking about this interaction with his famous observation-orientation-decision-action (OODA) loops. If you can think faster on your feet than your enemy, you can have your enemy always responding to you and have tremendous controlling influence on their actions. In Boyd’s world the best defense is a strong offense because, even if you’re not as good a pilot as Boyd, you can force him to respond to your first moves, at least, which gives you a chance. If you’re up against John Boyd, you hope for a sucker-punch and, if you get one, you’ve done better than most.

The quintessential example of this is the spoiling attack or sucker punch. If you face numerically superior forces, you launch an attack against their assembly areas and attempt to disrupt their tactical maneuvering and (hopefully) their command authority will make a mistake or their command and control might break down, giving you an opportunity to defeat the attack in detail. The Israeli opening of The Six-Day war is a great example of a successful spoiling attack.

Sun Tzu

Launching a spoiling attack immediately forces the target to respond locally or risk defeat in detail, which gives the attacker the most wonderful military advantage of all: having chosen the time, place, and composition of the battle.

Disorder is born from order; cowardice from courage; weakness from strength. The line between disorder and order lies in logistics; between cowardice and courage in strategic advantage; and between weakness and strength in strategic positioning. Thus the expert at getting the enemy to make his move shows himself and the enemy is sure to follow.
— Sun Tzu’s “The Art Of War

In Kendo, when you are a beginner, they teach you to throw simple attacks at your opponent before he does, because — if you can keep up a good flow of attacks — your opponent will have to parry them. If your strikes are properly launched, the position of your sword as it sweeps up and down will protect your head against your opponent’s being able to hit you and your opponent only has the alternative of blocking, or attempting the much more difficult cut at your wrist or torso.

Miyamoto Musashi by Utagawa Kuniyoshi (1797-1861)
Miyamoto Musashi by Utagawa Kuniyoshi (1797-1861)

Besides, my sensei explained to me, “even the best sometimes make a mistake.” If you can launch a flurry of attacks you are controlling the rhythm of the engagement, are keeping your opponent too busy to plan their own attack, and you may get lucky. Of course an opponent of superior skill will expect this, and have prepared a counter-attack with the idea of drawing your sword out of line so that they can predict where it will be and attack around it.

When you decide to attack, keep calm and dash in quickly, forestalling the enemy.
— Miyamoto Musashi’s The Book of Five Rings (~1645).

The best defense is also a strong offense when using a drawing attack. An expert might attack the opponent’s wrist having learned that their usual response to that attack is to step back and raise their sword; now they control the opponent’s movement and distance and can set them up for a successful attack at the torso.

To summarize: the best defense is a strong offense because it forces the enemy to respond, giving the attacker better control over the timing, nature, and terrain of the engagement. Whether it’s the heights at Austerlitz or the opponent’s wrist you are maneuvering on, a strong offense allows you to take the initiative.

Meanwhile, in Cyberspace

Offense in cyberwar immediately begs the question: “Who?” The first thing we need to think about is who to attack, where, and how. But immediately we have a problem: in cyberspace your enemy doesn’t exactly have a logistics train; there are no assembly points ripe for a spoiling attack.

Unlike topological warfare, we can’t see where they are maneuvering, so we can’t even reliably tell when we are about to come under attack. During The Six Day War, Israel had a plausible basis to say their spoiling attack was justified because there were masses of troops and tanks forming up outside their borders – how do we get that level of certainty or targeting in cyberspace?

If one country is preparing a cyberwar attack against another, it’s not as if they will begin massing their routers on the border. In fact the network, one-one-thousandth of a second before the attack will look exactly like it did a week before; In a kendo match, you can see your opponent’s sword and react to their body’s movements but in cyberwar your opponent has an invisible sword. Actually, your opponent is more or less completely invisible.

This leads me to offer my first military maxim of conflict in cyberspace:

Cyber fighters

Maxim #1: In Cyberspace, every attack is always a surprise attack.

Napoleon Bonaparte would throw up his hands in disgust! Mushashi would hang up his sword in despair! How can you launch a spoiling attack against an opponent that does not even appear on the battlefield until their attack is launched? There is no opportunity to strike first, let alone parry, such an attack. You simply have to withstand it. And withstanding it is easy: you can choose to simply vanish from the battle-space for the time being by powering off parts of your infrastructure.

Being able to withstand attacks is crucial, and it completely inverts the cost/benefit analysis between offense and defense that got us to where we are in topological warfare. In topological warfare, a less skilled combatant can easily attack and hope for a sucker punch, but in cyberspace it is easier for a less skilled combatant to defend; they just unplug their network.

Some of you are thinking “unplugging a network isn’t possible anymore!”. That’s not the case. Translate “unplug” to “build a resilient network with a recoverable infrastructure that can survive multiple points of failure” and you’re on the right track. To stick with the kendo-based analysis, in cyberspace you can be like The Black Knight in Monty Python, “’tis but a scratch!”

In fact, if you are competent at building systems and networks, you are probably already building in a fair degree of resilience and recovery capability. This is, however, a weakness in most organizations’ cyberspace defenses: the systems are oriented toward resisting and recovering from single-point failures, because that’s how computer hardware tends to break. Attacks in cyberspace cause multiple-point failures. If your survival strategy is single-point safe, it’s time to re-think.

We can see the beginning of an inversion in the cost/benefit analysis of attacking versus defending in cyberspace. It gets worse when we consider the problem of attribution. If we’re going to launch a successful spoiling attack, we have to know whose operation we’re going to spoil. Indeed, that opens up a huge strategic can of worms that I have been hiding under the table through this entire discussion: multiple opponents.

Multiple Opponents

Our strategic models for topological warfare are more deeply rooted in logistical reality than we generally recognize. In topological warfare, we think of our opponent as an individual mass: Germany in WWII or a cluster of allied powers “The Axis”  All of our strategic techniques and tactical doctrines are oriented toward this model. Incidentally, that’s one reason why 4GW and terrorism are a huge problem for states to deal with: they lack a convenient and comprehensible model of “Us” versus “Them” where “Them” is not a neatly classifiable group. In a sense “The War On Terror” is an attempt to lump all violent political dissent into a single entity that can be strategized against as a whole and defeated in detail. It’s childish reasoning and it ought to be obvious why it won’t work – the enemy is not employing a single strategy that can be defeated using some all-or-nothing method.

The really bad news is:  cyberspace is worse.

The logistical reality of topological warfare is that there are only so many boots you can put on the ground, and you have to move them around somehow. That doesn’t apply in cyberspace; it’s fluid.

In topological space you can look at another nation and have your intelligence forces determine that they are building up ships and planes and preparing for an attack. In a sword-fight you can see how many opponents have drawn their swords. In cyberspace you get none of that; you could be up against one, or a thousand enemies. Or none at all.

Our strategic model in topological warfare is to orient ourselves toward the enemy that is most likely to present a threat, then engage them with our best combination of offenses and defenses.. In grand strategy terms, that amounts to attempting to defeat the entire universe in detail. “Come at me, bro!” one at a time. At the level of nation-states or individual swordsmen that works. In 4GW, terrorism, and especially cyberspace, enemies are created and appear and disappear constantly. There is nothing to orient against, no attacker to prepare for. Every enemy, like every attack, can be a complete surprise.

Strategy as chess

Utterly Stupid Strategy

Even if “the best defense is a strong offense” were true in cyberspace, what are you going to do, attack everyone? For budgetary reasons, this appears to be the response from Versailles On The Potomac, but the prevailing philosophy of strategy would say that if the US continues to prepare to attack everyone, it is inviting preemptive attack from everyone.

To say that Washington does not understand 4GW or cyberwar is an understatement. You can see this inconsistency manifest in how the US Government complains about “Chinese cyberspies” while simultaneously the NSA attempts to infiltrate every significant network on earth. The only path to victory in the current scenario is complete global dominance. That’s not a strategy, it is what Sun Tzu called “the noise before defeat.”

Deterrence is another element in the current strategic debacle. Obviously, Germany asking the US NSA to stop monitoring their cell phones hasn’t worked very well. Obviously the US’ asking China to stop hacking American systems hasn’t worked very well. Obviously, the idea that it’s possible to threaten or bluster someone into stopping cyberspace attacks hasn’t worked very well.

In topological warfare the usual strategic solution for that challenge is to pick someone manageable and make an example out of them. That simply cannot possibly work in cyberspace because of the problem of attribution and the potential for its manipulation. Attribution remains hard and, short of full dominance of cyberspace, is probably impossibly expensive and unreliable. I worry about this, however, because a misplaced attribution could still be sufficient to get people killed; that’s how unwise political leaders tend to be. People talk about “cyber Pearl Harbor” but we should be much more worried about “Cyber Gulf of Tonkin.”

The Best Defense

What are we to do in an environment where the received wisdom strategies are  doomed to failure? We need to keep doing what most of us have been doing: perfecting our defenses. Because the single enemy model simply fails, If your defenses are really, really good, you don’t have to worry about deterring attack, or disrupting an attacker’s operations: you can just grin and bear it. Perhaps you might even gain some satisfaction imagining the expense and frustration the enemy is inflicting on themself. Since there are infinite enemies, some of which are unknown, a good defense can cost those enemies an infinite amount of frustration and expense.

CSIA-: CyberDefender

Maxim #2: In Cyberspace, the best defense is a strong defense.

I have some experience with this, and it’s sobering. I once spent a half hour, sword in hand, attempting to hit a 2nd degree black belt in kendo. I nearly ruptured my heart with fatigue and frustration and I don’t think he even broke a sweat.

To look at this from a strategic perspective I would point out that, by perfecting his defense so well, my opponent had a good chance of withstanding many, many, many attackers (though not all at once). It was expensive in terms of effort and resources to achieve such a level of defense but it more or less solved his problem of being attacked with a sword. If you extend that idea out, and realize that the cyberspace equivalent would be to be able to deflect an infinite number of attackers, equally effectively, simultaneously and long-term. A great defense is the gift that keeps on giving.

In cyberspace, the effective lifetime of a new exploit or attack is fairly short, while the effective lifetime of a good defense is much much longer. Since the invention of computer networking the idea of segmented networks with traffic controlling devices (nowadays we call them “firewalls”) has persisted and evolved because it simply works. When new offensive techniques are developed, defensive systems have to react to defeat them, but once they are defeated, they are defeated for everybody, which means that the logistical nightmare belongs to the attacker.

A carefully researched “day zero” exploit is valueless within a few days of the computer security world’s learning about it, and the attacker must develop a new one if they want to continue their offensive. The financial logistics of such a situation could only appeal to Pentagon contractors; the advantage rests with the defense.

Marcus Ranum

About the author

See Marcus Ranum’s impressive profile on the page About the Authors of the Fabius Maximus website.

For More Information

See all posts about cyber-war, cyber-espionage, and cyber-crime., including those about the Sony hack plus series by Edwin Covert and Marcus Ranum.


10 thoughts on “The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.

  • Does anyone even have solid evidence about who hacked Sony? AFAICT, no one is even sure who the perpetrators were, long after the fact. That’s nothing like conventional warfare or even 4GW.

    The NSA’s ongoing efforts to subvert the internet are now leading to discussion by other nations (and many individuals inside America) about creating an alternative internet, or internets, without the vulnerabilities engineered into the current infrastructure by our surveillance-mad government. If fundamental encryption algorithms like the elliptic functions used in the deliberately flawed NIST cryptography functions are being weakened on the sly by NSA subversion of the U.S. National Institute of Standards, the main result here is not going to be the U.S. “winning” a so-called “cyberwar” against other countries.

    Instead, the main result will most likely be a wholesale loss of faith by other countries in institutions like the NIS and standards like NIST encryption. This suggests that we’re likely to see a Balkanization of global digital communications protocols and encryption standards. At worst, this might lead to a situation where, if you want to view internet content in (say) Europe, you need a different browser running on different hardware using different encryption protocols than Google Chrome running on an Intel or AMD CPU with NIST-certified encryption. The implications for global economic and scienitifc activity seem dire.

    I’m not quite on board with the conspiracy theorists who claim that Google is a fun graphical front-end for CIA-designed digital panopticon surveillance systems — but the way things are going, I’ll get there eventually.


    • Thomas,

      “Does anyone even have solid evidence about who hacked Sony?”

      Here’s a detailed analysis of what (little) we know about the Sony hack. As several posts on the FM website have explained, determining attribution in cyberattacks is difficult at best.

      “the main result will most likely be a wholesale loss of faith by other countries in institutions like the NIS and standards like NIST encryption.”
      Perhaps so. But it’s not evident yet. Much like the expected outrage and protest by Americans at the news about NSA surveilance, the reaction so far has been quite muted. Time will tell.


    • There are a lot of things about the Sony attack that are very interesting, but I don’t think that any of us know enough to offer anything more than abstract analysis — facts are short, and if you’re trying to attribute an attack, it takes facts.

      It appears that the US Government was premature in pointing the finger at North Korea, but then leaked information that indicates that the NSA (presumably) has deeply penetrated North Korea’s networks, and – presumably, nudge nudge wink wink, that intelligence would provide convincing attribution but “we can’t show you or we’d have to kill you.” That is actually a fairly plausible argument; it is not at all unlikely that the NSA has penetrated North Korea and more likely the networks that the North Koreans use to jump into the internet. That would be an intelligence problem to talk about since it would probably mean disclosing that South Korean, Japanese, or other pac rim networks are also deeply compromised. So, when I say the US Government was “premature” in pointing the finger at North Korea, I mean that they miscalculated the public and experts’ willingness to believe the story without any supporting evidence. There is still no supporting evidence.

      The lack of evidence, coming from the FBI, deeply disappoints me. The FBI is a branch of the Department Of Justice, and is supposed to deal in evidence and know how to present a case in court. The FBI should not rely on hearsay, finger-pointing, or leaks. They should have let the accusations come from The Pentagon, or The White House, or some other branch of the government, rather than sacrificing their credibility to protect the NSA’s secrets. The US Government has a serious credibility problem when it comes to making accusations regarding, well, practically anything, given that both The Vietnam War and The Iraq War were begun under false pretenses; the US has literally killed millions based on false accusations – North Korea was wise to take the US’ accusations seriously whether they were simply bluster or not, for the same reason that I’d take it very seriously if Mike Tyson accused me of stealing his wallet even if I was nowhere in the vicinity. Violent thugs accusations get special attention.

      But, back to Sony: there is a crucial piece of the whole story that the media (which was largely playing out the story distributed by the US Government’s PR arms) ignored. And it’s a piece of the story that is utterly bizzare to omit. Namely, that Sony has been being hacked by varieties of hacker crews on and off for years.

      Remember 2 years ago when Playstation Network was offline because of hackers? Or last year when hackers were (apparently) inside Sony? So this is a company that is repeatedly, nay, constantly targeted by various hackers, and suddenly it’s North Korea?

      I know a bit about the techniques used in the most recent round of attacks, and something about what happened at Sony, and it sounds to me like bog-standard hacking. Most interestingly, to me, it was bog-standard hacking for almost a week before the whole stupid movie angle got grafted onto the story and the hackers (who presumably read google news like the rest of us) began playing along with it. I imagine that somewhere there were a bunch of non-North Koreans laughing their asses off over the way that red herring was swallowed: hook, line, and sinker.

      Another part of the story that got grafted on after the North Korea angle was promoted was the “malware is like that used by North Korea” (Pity the poor North Koreans who can’t afford the really good stuff like the NSA has been infecting the whole planet with!) well, the methods used were bog-standard hacking techniques and so was the malware. And now suddenly the North Korea angle is gone and now it’s the Lizard Squad. What if it was the Lizard Squad all along? The methods the hackers used initially, and the way the documents were posted to pastebin, as well as the media manipulation, were more in line with what you’d expect from “Anonymous” than North Korea.

      Lastly, the US Government, via the NSA, Belgacom, Stuxnet, and the FBI’s using the AntiSec hacker crew to attack Brazilian government agencies and businesses, have established that this kind of behavior is apparently acceptable for governments to do. The North Korean government would have been quite justified in shrugging and saying, “so what?” Except I don’t think they likely had anything to do with it.

      In closing, let me reiterate my opening: this is all speculation. It is my opinions and does not reflect the views of my employer, or anyone else. Unfortunately, the people who know aren’t talking and the people who are talking mostly don’t know what they are talking about.


  • Great article. Very interesting thoughts! I think that the author is correct to identify that the offense is the resource intensive strategy in cyberspace. That is highly relevant and worthwhile to consider in any sort of conflict involving cyberspace.


  • I would love to hear your view on the fact that the biggest ‘Hack’ and the biggest danger (in my opinion) comes not from an outside source but from a pissed off employee. Edward Snowden at the NSA and the 42 in Israel.
    If the object is to attack a state I would get a spy into Norton or similar antivirus companies. I would do a first strike by getting top workers into legitimate work in the banks, electricity companies and let them sleep till the time came for a first strike.
    I think a combination of cyber warfare and plain vandalism (A bottle of lighter fuel and a match) in a computer block would achieve a lot more than a team of hackers sitting in a building in North Korea.


    • I would rate insiders as consistently more of a threat than outsiders, because they can learn the “land”scape and are able to target their attacks more precisely. Also, many organizations have trust models that are flat-out bad; consider how The US Department of State apparently felt that “anyone with a clearance” could get at huge amounts of its data – including PFC Manning. In all networks that were designed around a perimeter security model, you’ll find that insiders are a disaster waiting to happen because usually there’s an “inside” and an “outside” and the trust model is 100% trust for insiders. Snowden’s actions indicate that, at least to a degree, the vaunted NSA’s networks may also be fairly lame in terms of their design. When you look at the damage that Aldrich Ames did, and how, it indicates that the CIA may have some of the same problems. At the rate at which governments learn about computer security, I wouldn’t expect any of those lessons to sink in for another couple decades, at the earliest.

      You are correct that plain old vandalism (or covert operations) would be vastly easier and damaging; that’s one of the reasons I have historically been fairly dismissive over the whole “cyberwar” kerfuffle: I see computer security as more of a strategic intelligence collection issue than a tactical one. As I’ve pointed out in other articles, actually damaging a target’s command/control networks damages one’s ability to learn from them.

      A peripheral point in all of this is the notion of guerilla warfare, which is another of the “never fight a land war in cyberspace” issues I want to touch upon later in the series. If you go far enough up the spectrum toward irregular warfare you wind up at something that looks a lot like hacking: a sort of combined intelligence gathering and interdiction/harassment process. There may be a place for that. “Embedding” would be a potentially damaging strategic interdiction process: imagine if a nation state did want to be prepared for a full-on “cyberwar” with the US – the single most damaging thing they could do would be to embed agents at telcos, government contractors, and cloud services. On iDay, those agents would collapse the network and software infrastructure from the inside. We should find it telling that the NSA (per Snowden) targets system administrators; they have probably figured this out. But they’ve only been smart enough to figure out how to use it offensively, not defensively. This is, indeed, asymmetrical warfare. In the same sense that throwing stones when you live in a glass house is asymmetrical.

      Liked by 1 person

    • An interesting discussion. I am reminded of the times when war consisted of overtaking fortified cities, harbors, passes, etc. There are numerous historical accounts of retrenched defenders successfully repulsing sustained assaults by forces at least an order of magnitude more numerous and powerful; well-designed strongholds manned by small vigilant troops could work really well.

      Of course, there are quite many accounts as well of supposedly impregnable fortified places being quickly taken once a traitor or a negligent insider left that kerkoporta open…


  • Many thanks to Marcus Ranum and FM for an extremely detailed an informative discussion! I wish we saw this kind of thoughtful analysis in the mainstream news, but, alas, we simply don’t.


Leave a comment & share your thoughts...

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s