The Information Science Colloquium speaker for Wednesday, Nov. 8, 2017, will be Rebecca Slayton, Associate Professor in the Department of Science & Technology Studies at Cornell University. Slayton’s research and teaching examine the relationships between and among risk, governance, and expertise, with a focus on international security and cooperation since World War II. Her first book, Arguments that Count: Physics, Computing, and Missile Defense, 1949-2012 (MIT Press, 2013), shows how the rise of a new field of expertise in computing reshaped public policies and perceptions about the risks of missile defense in the United States. In 2015, Arguments that Count won the Computer History Museum Prize.

Slayton’s second book project, Shadowing Cybersecurity, examines the emergence of cybersecurity expertise through the interplay of innovation and repair. Slayton is also working on a third project which examines tensions intrinsic to the creation of a “smart” electrical power grid—i.e. a more sustainable, reliable, and secure grid. Both of these current projects are supported by a five-year National Science Foundation CAREER award, “Enacting Cybersecurity Expertise.” Slayton is also a project lead on research funded by a Department of Homeland Security Center of Excellence, the Critical Infrastructure Resilience Institute.

Talk: What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment

Abstract: Both popular and scholarly discourse about cyber-conflict reflect the prevailing view that cyberspace favors the offense. While a few scholars have challenged this conventional wisdom, the debate remains muddy because the offense-defense balance of cyber-operations is rarely defined, let alone empirically assessed. This talk clarifies the debate in three ways. First, it analyzes how international relations scholars, military officials, and private sector computer security experts implicitly define offense-dominance in cyberspace, showing that these groups maintain divergent conceptions. Second, it proposes to define the offense-defense balance of cyber-operations in terms of the relative utility of offense and defense, i.e. the benefits of offense less the costs of offense, relative to the benefits of defense less the cost of defense. It theorizes the factors that contribute to increased benefits or costs; a key innovation here is that the costs of cyber-operations are determined not by technology, but by the organizational processes that govern the interactions between skilled workers and technology. Third, it provides an empirical cost-benefit analysis of the Stuxnet cyberattacks by Israel and the U.S. on Iran. While this analysis has many uncertainties, it appears likely that the costs of offense exceeded the costs of defense, and that the perceived benefits of both offense and defense were roughly two orders of magnitude larger than costs, making the costs irrelevant.