"What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment", by Rebecca Slayton, International Security, Winter 2016/17, Vol. 41, No. 3, pp. 72-109.
Abstract: Most scholars and policymakers claim that
cyberspace favors the offense; a minority of scholars disagree. Sweeping claims
about the offense-defense balance in cyberspace are misguided because the
balance can be assessed only with respect to specific organizational skills and
technologies. The balance is defined in dyadic terms, that is, the value less
the costs of offensive operations and the value less the costs of defensive
operations. The costs of cyber operations are shaped primarily by the
organizational skills needed to create and manage complex information
technology efficiently. The current success of offense results primarily from
poor defensive management and the relatively simpler goals of offense; it can
be very costly to exert precise physical effects using cyberweapons. An
empirical analysis shows that the Stuxnet cyberattacks on Iran's nuclear
facilities very likely cost the offense much more than the defense. The
perceived benefits of both the Stuxnet offense and defense, moreover, were likely
two orders of magnitude greater than the perceived costs, making it unlikely
that decisionmakers focused on costs.