Cost to attack versus cost to defend

A relatively inexpensive drone strike cut Saudi oil output by half. In the past, it would have cost a lot more to achieve the same results. As Benedict Evans said in his newsletter:

Once upon a time you'd have needed warplanes or even commandos to do this, and a lot of money and risk. Now the game has changed.

I think about this frequently. The means to attack tend to advance faster than the means to defend. And with technology providing more leverage, the cost to attack is coming down while the cost to defend stays flat.

Consider the following attacks:

  • Privacy: getting access to private information (e.g. Equifax)

  • Identity: getting access to sensitive accounts (e.g. SIM swapping)

  • Infrastructure: hacking a power grid or other infrastructure

  • Propaganda: spreading false information to influence a population

The systems under attack get increasingly complex, introducing more vulnerabilities. Meanwhile, the technologies to exploit those vulnerabilities are available to more people for less money.

One of the cool things about blockchains is the cost to attack can scale with the value of the network. So as more mining power gets committed to the Bitcoin network, it becomes more expensive for an attacker to commit fraudulent transactions. By designing defense into the system itself, you avoid the constant cat-and-mouse game we see in every other system.
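To put numbers on that scaling, here is an added example (not from the original post) that uses the attacker catch-up probability from section 11 of the Bitcoin whitepaper to show how honest hash rate changes the confirmation depth a recipient needs and the hash rate an attacker must bring. The hash-rate units, the 0.1% risk threshold and the function names are assumptions made for illustration.

```python
import math

def attacker_success(q, z):
    """Chance an attacker holding share q of total hash power ever overtakes
    the honest chain from z blocks behind (Bitcoin whitepaper, section 11)."""
    if q >= 0.5:
        return 1.0                      # a majority attacker always catches up
    p = 1.0 - q
    lam = z * q / p                     # expected attacker blocks while z honest ones are mined
    poisson = math.exp(-lam)            # Poisson probability for k = 0
    total = 1.0
    for k in range(z + 1):
        total -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)        # step to the Poisson probability for k + 1
    return total

def confirmations_needed(q, risk=0.001, limit=200):
    """Smallest depth z with attacker_success(q, z) < risk, or None within limit."""
    for z in range(limit + 1):
        if attacker_success(q, z) < risk:
            return z
    return None

def attacker_share(attacker_rate, honest_rate):
    """Attacker's fraction of the combined hash rate."""
    return attacker_rate / (attacker_rate + honest_rate)

def hashrate_to_reach(share, honest_rate):
    """Hash rate an attacker must bring to hold `share` of the total."""
    return share * honest_rate / (1.0 - share)

def defense_table(attacker_rate, honest_rates):
    """Rows of (honest rate, attacker share, confirmations for <0.1% risk,
    hash rate needed for a 30% share) as the honest network grows."""
    rows = []
    for honest in honest_rates:
        q = attacker_share(attacker_rate, honest)
        rows.append((honest, round(q, 3), confirmations_needed(q),
                     hashrate_to_reach(0.3, honest)))
    return rows

if __name__ == "__main__":
    # Constructed numbers: attacker fixed at 50 units, honest network growing.
    for row in defense_table(50, [117, 200, 450, 950]):
        print(row)
```

The last column grows linearly with honest hash rate, which is the "cost to attack scales with the network" property; hash rate is only a proxy for cost here, since hardware and energy prices are not modeled.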

Obviously blockchains do not solve the problem of “protecting my oil fields from drone strikes.” But it is interesting to think about where else we can design defense into the system itself. Privacy defaults are a good example of this. If nobody can see any individual person’s information, then attacks are not possible.