The Cybersecurity Dilemma: The Prevalence and Dangers of Defensive Hacking
Image: Fort George G. Meade Public Affairs Office


How offense can be the best defense in cyberspace.
February 20, 2017, 12:00pm

The Greek historian Thucydides warned of the dangers of conflict caused by misperception. As one nation defends itself, even if it harbors no ill will towards others, it sometimes appears to be a threat. Other nations perceive this threat and take steps to respond, which leads to an escalatory and dangerous cycle. Thucydides wrote that "it was the rise of Athens, and the fear that this inspired in Sparta, that caused war to be inevitable." 


This problem has come to be known as the security dilemma. A great deal of modern foreign policy involves navigating its challenges—finding ways to secure nations while signaling to other nations that they need not fear attack. But cybersecurity poses a new challenge, one that is often at the heart of relationships between the strongest nations.

In this exclusive excerpt from The Cybersecurity Dilemma, Ben Buchanan shows how one of the most common assumptions about nations' hacking operations is wrong: they are not always offensive in nature. Instead, beset by network breaches they find hard to stop, governments carry out their own intrusions to try to get ahead of the problem. Nations launch these intrusions with genuinely defensive intent, but they're unlikely to be perceived that way when discovered. The risk is a cybersecurity dilemma—that which is meant to quell conflict and tension instead becomes a threat to international peace. 

At some point in the mid-2000s, the NSA came up with a new code-name that evoked, intentionally or not, both an empire and a dark message: BYZANTINE HADES. The code-name was a replacement of sorts for a previous one, TITAN RAIN, that had made its way into media reports, including a big story in Time magazine. The two code-names described one of the biggest threats facing American computer networks: Chinese intrusions. Behind both names were cases of stolen secrets, the exfiltration of classified information, and an eventual threat to American capabilities and competitiveness. The subject matter was vast. But naming was the easy part. The real challenge lay in pushing back and defending the many American computer networks of interest against the Chinese intrusions.

No single account will do justice to what surely was and is a massive and largely secret effort to secure American networks. But one often-overlooked document leaked by Edward Snowden makes a revealing subplot public. In response to intrusions launched by a sub-group the NSA code-named BYZANTINE CANDOR, the defenders at NSA's Threat Operations Center sought more information. They asked the network intruders in the agency's Tailored Access Operations unit, which carries out intrusions, for assistance in gathering "actionable intelligence" on the Chinese hackers. The American intruders went to work, gaining access to infrastructure used by the foreign operators. Once they gained this access, they were able to observe the adversary in action from these midpoints. But the NSA unit went deeper still. They were able to penetrate five computers from which the Chinese launched their operations. In effect, they had hacked the hackers, following the Chinese operators back to their virtual base and gaining "excellent sources of data" on a wide range of the adversary's activities.


The data the NSA collected by penetrating BYZANTINE CANDOR's networks had concrete forward-looking defensive value. It included information on the adversary's "future targets," including "bios of senior White House officials, [cleared defense contractor] employees, [United States government] employees" and more. It also included access to the "source code and [the] new tools" the Chinese used to conduct operations. The computers penetrated by the NSA also revealed information about the exploits in use. In effect, the intelligence gained from the operation, once given to network defenders and fed into automated systems, was enough to guide and enhance the United States' defensive efforts.

This case alludes to important themes in network defense. It shows the persistence of talented adversaries, the creativity of clever defenders, the challenge of getting actionable intelligence on the threat, and the need for network architecture and defenders capable of acting on that information. But it also highlights an important point that is too often overlooked: not every intrusion is in service of offensive aims. There are genuinely defensive reasons for a nation to launch intrusions against another nation's networks.


This defensive enhancement can take many forms. Intruding into another nation to learn the location of its command and control infrastructure for cyber operations enables traffic to and from that infrastructure to be more easily blocked. Gathering information on the type of malicious code developed by an adversary enables defenders to develop tailored indicators of compromise. Determining the adversary's likely method of entry and potential targets permits a nation to pre-position defenses and minimize the risk. Finding a zero day vulnerability that an adversary will soon employ can give the defenders time to alert the vendor or otherwise protect its own systems. President Obama spoke broadly about these kinds of efforts, saying, "We cannot prevent […] cyber threats without some capability to penetrate digital communications, whether it's to […] intercept malware that targets a stock exchange, to make sure air traffic control systems are not compromised or to ensure that hackers do not empty your bank accounts." A former member of the NSA's Office of General Counsel was more specific, writing that signals intelligence efforts can "gain information of critical importance to the defensive mission—say by intercepting the plans of a malicious actor against U.S. networks in advance."

Defenders can also use information gained from these intrusions to better look within their own systems to see if the intruders have already made entry. The cybersecurity coordinator at the United States National Security Council, Michael Daniel, implicitly acknowledged the intruders' need for secrecy, and the defenders' incentive to counteract it. He said, "If you know much about it, [cyber is] very easy to defend against….[T]hat's why we keep a lot of those capabilities very closely guarded."

An aerial view of the NSA headquarters in Fort Meade, Maryland. Photo: Trevor Paglen

Other Snowden files show what the NSA can do when it gathers this data, describing an interrelated and complex set of United States programs to collect intelligence and use it to better protect its networks. The NSA's internal documents call this "foreign intelligence in support of dynamic defense." The gathered information can "tip" malicious code the NSA has placed on servers and computers around the world. Based on this tip, one of the NSA's nodes can act on the information, "inject[ing a] response onto the Internet towards [the] target." There are a variety of responses that the NSA can inject, including resetting connections, delivering malicious code, and redirecting internet traffic.

Similarly, if the NSA can learn about the adversary's "tools and tradecraft" early enough, it can develop and deploy "tailored countermeasures" to blunt the intended effect. The NSA can then try to discern the intent of the adversary and use its countermeasure to mitigate the attempted intrusion. The signals intelligence agency feeds information about the incoming threat to an automated system deployed on networks that the NSA protects. This system has a number of capabilities, including blocking the incoming traffic outright, sending unexpected responses back to the adversary, slowing the traffic down, and "permitting the activity to appear [to the adversary] to complete without disclosing that it did not reach [or] affect the intended target."


These defensive capabilities appear to be actively in use by the United States against a wide range of threats. NSA documents indicate that the agency uses the system to block twenty-eight major categories of threats as of 2011. This includes action against significant adversaries, such as China, as well as against non-state actors. Documents provide a number of success stories. These include the thwarting of a BYZANTINE HADES intrusion attempt that targeted four high-ranking American military leaders, including the Chief of Naval Operations and the Chairman of the Joint Chiefs of Staff; the NSA's network defenders saw the attempt coming and successfully prevented any negative effects. The files also include examples of successful defense against Anonymous and against several other code-named entities.


Some might object that this is an argument that proves too much, since only the most sophisticated nations could be capable of such activities. But it is also quite likely that the United States and its partners need to rely less on network penetrations to gain actionable defensive intelligence than other nations do. This is due to the United States' tremendous passive collection capability from the core routers and switches of the internet, a capability made possible by extensive partnerships with some of the world's most important telecommunications providers, and one that is out of many other countries' reach.

For example, Canada's signals intelligence agency has developed a system of more than "200 sensors deployed across the globe" that "scales to backbone internet speeds." Canadian spies use this system to "track known threats, discover unknown threats, [and provide] defence at the core of the internet." While this passive collection is supplemented with active and more focused collection inside the networks and infrastructure of other nations, it nonetheless enables by itself the acquisition of information useful for the defensive mission.

In one sense, the existence of defensive-minded intrusions in cyber operations is quite a departure from the traditional logic of international relations and the security dilemma. With conventional forces, it is probably true that nations could improve their defenses by stationing a military presence in the territory of a potential adversary. This military unit could see preparations for attack, ready its armaments, and thwart the invasion before it made any progress. But the unilateral stationing of troops in a foreign country is an invasion and a violation of sovereignty, even if the invading nation claims that the troops were there to carry out a defensive mission. Defensive invasions with conventional forces are still invasions, and carry with them the very strong likelihood of escalation and conflict.

Defensive-minded network intrusions, on the other hand, are not invasions, but intelligence efforts. Nations carrying out these sorts of intrusions are gathering information on other nations' capabilities and attempting to do so in a covert fashion. To some degree, intelligence collection is a long-accepted part of international politics. Simply put, all nations spy, and all nations know this. But cyber operations can quickly turn from espionage to something more damaging. In these circumstances, when intelligence collection is particularly threatening or can directly enable attack, defensive espionage can cause tension and conflict—even conflict no one wants.

Ben Buchanan is a postdoctoral fellow at Harvard University's Cybersecurity Project. His first book, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (Oxford University Press, $37.95), was published in 2017. You can follow him on Twitter: @BuchananBen.
