Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem

News category: IT Security News
Source: taosecurity.blogspot.com




Proposition

Digital offense capabilities are currently net negative for the security ecosystem.[0]

The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (#securityonepercent), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.

The Reason

Limitations of scaling are the reason why digital offense capabilities are currently net negative.

Consider the case of an actor developing a digital offense capability, and publishing it to the general public.

From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.

The situation is much different from the offense perspective.

Any actor may leverage the offense capability against any Internet-connected target on the planet.

The actor can scale that capability across the entire range of vulnerable or exposed targets.

The Three

Only three sets of actors can possibly leverage an offense capability for defensive purposes.

First, the organization responsible for developing and maintaining the vulnerable or exposed asset can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.

Second, major consumers of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.

Third, the security one percent can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.

The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.

The Insight

From the intruder side, little to no limitations on scaling mean the intruder can leverage the digital offense capability against all vulnerable targets.

This is the key insight that produces digital offense capabilities as net negative for the entire security ecosystem:

Offensive scale is superior to defensive scale.

Stated differently:

An intruder actor can leverage an offense capability against any vulnerable target.

Few (if any) defenders can leverage a derived defense capability against all vulnerable targets.

Those who object to this argument likely belong to one of the three sets of actors.

Objections: Vendors


Vendors may have the strongest case for being able to scale defense, depending on the nature of the vendor's offering.

Vendors who provide software or other capabilities that require customer action for updates are in the weakest position. If customers do not update, they remain vulnerable.

Vendors who mandate automatic updating are in a stronger position. Customers receive the update, with the effectiveness of the update mechanism being the major limitation.

Vendors who operate "as a service" offerings, such as the major cloud and email providers, are in the strongest position. They can silently improve their offering without user involvement. They can scale defense across their service as they more or less completely control it.

Objections: Major Consumers


Major consumers may operate with or without the involvement or action of vendors. When the major consumer is operating an on-premise instance, for example, they can be in a position to implement a mitigation or remediation. Such major consumers have teams that qualify them as being in the security one percent, so in some ways this double-counts the defensive benefit.

Some major consumers may remain vulnerable, however, regardless of their relative size or nature. The SolarWinds case has shown that organizations with multi-billion-dollar information technology budgets can be as helpless as those outside the security one percent.

Objections: The Security One Percent

The security one percent is likely to voice the loudest objections. The security one percent are individuals working in entities with the budget to fund a blue (defense) team, and probably a red (offense) team.

As mentioned in a previous blog post, the security one percent can use offensive tools to equip their red or penetration testing teams. Those teams, nonexistent outside the security one percent, can work with or against blue teams to determine if countermeasures are effective.

The security one percent is generally oblivious to their privilege. I was personally not aware of this mindset until the rise of ransomware in 2018-2020.

The exceptions are two-fold. One group who is aware of their privilege comes from "the other side of the tracks." They worked for an entity without a security team, perhaps in a non-IT role, or a non-security role. Another exception involves people who volunteer or consult with entities outside the security one percent. They see the gap between their own capabilities and those they are trying to help.

One portion of the security one percent is particularly critical: those who rely upon offense for their income, or enjoy it as a hobby. They reject any sentiment or policy prescription that threatens their livelihood or enjoyment, regardless of the larger societal cost. Addressing the concerns of this group requires a separate blog post.

Summary

The difference in the capabilities of the vendor/major consumer/security one percent triad and the rest of the security ecosystem is the result of defense failing to scale as effectively as offense.

When an actor publicly releases a digital offensive capability, especially in the form of working code, generally any threat actor can leverage that capability against any vulnerable target.

The inverse is not true. Any defensive capability, derived from the offensive capability, can generally not be leveraged to protect any vulnerable target.

Free or open source tools, training, or knowledge are helpful, but they require deployment, tuning, comprehension, commitment, and a host of other capabilities that do not scale as effectively as offensive code. While using offensive code has a learning and operational curve, it is nowhere near as steep as the one facing defenders.

The strongest and most helpful exception is found in vendors who offer "as a service" capabilities. They can independently and comprehensively improve their security posture with little to no involvement from the vulnerable population. (An exception, for example, is offering, but not mandating, multi-factor authentication. Only by adopting MFA does the population improve its security.)

Conclusion

The summary yields three conclusions:

1. Limiting the availability of digital offense capabilities, such that they are not public and within the reach of any threat actor, will likely limit offensive options for intruders, thereby increasing their operational costs to research, develop, deploy, and maintain offensive tools.

2. Increasing the use and reliance upon "as a service" offerings will likely improve the security of the ecosystem, as defensive measures can be scaled across the entire vulnerable population.

3. The rise of "as a service" offerings will likely drive intruders to target those offerings directly, rather than the independent assets distributed across the ecosystem.

There are no "solutions" in digital security -- only trade-offs.[1]

I am cautiously optimistic that some combination of the first two conclusions would offset the rise of the third conclusion, generating a net positive improvement in digital security.

Too many in the digital world have treated security as a technical problem with technical solutions. While technical matters play a role, the centrality of the digital ecosystem means that it should be treated as a public policy concern. That strategy is at least two decades overdue.

Please direct comments on this post to Twitter.

Endnotes

[0] I'm very confident this argument holds for public digital offense capabilities. After publishing this post I realized I assumed this perspective but did not make it explicit. Hence, this note.

[1] I derive this phrase from one of my public policy professors, Philip D. Zelikow, who noted that there are no solutions in public policy -- only trade-offs.
...
