Let's say we have fortifications. People are needed to man them. This is understood by everyone. Entry points are checked, etc.
Compare with 'cyber' systems. How many people are adding features, working on bugs and the like, versus how many are even looking into security vulnerabilities?
Translating to the physical domain, it would be as if we were building a fort, then moving almost everyone to build extensions or new forts, with a handful responsible for the security of all fortresses - and the paths in between them! In the dark.
The fact that most systems are not immediately "owned" speaks volumes on how difficult this is to accomplish. Barring zero days, the main way one gets compromised is by making mistakes (not patching, leaving systems unsecured, etc). That is, there's a door that's open and unguarded...
"Defense vs Offense" is underspecified for this disagreement. Considering "defense" as the developers writing an application, and "offense" as the reverse engineers attempting to exploit it, defense may still be cheaper in some scenarios.
If you consider "defense" as an organization attempting to provide a service securely, and "offense" as all the security threats they are exposed to, it seems hard to argue that the defensive side has any sort of advantage over all of the attackers.