Forget Cyberwar: We Need Cybersecurity First

Russia’s invasion of Ukraine has shattered many illusions. One of them is the idea that skill in offensive cyber operations can ever be a substitute for reliable computer and information systems.

There are lessons for the United States. Cybersecurity is not about who can do the flashiest hacks but about how to keep our networks safe. This is difficult because it requires powerful interests in the government and the private sector to invest resources and make trade-offs they would rather not make. An offense-based strategy that appears “tough” hides these trade-offs while actually making U.S. cybersecurity worse.

Illusions of deterrence

Cyberwar strategists have described cyber conflict as a kind of asymmetric warfare that puts advanced societies at a strategic disadvantage. Offense is easy, while defense is hard. The United States is in a uniquely tough position. Multiple skilled adversaries—Russia, China, North Korea, Iran— are ready to attack the United States’ modern, internet-dependent society. Meanwhile, U.S. political and economic culture is hostile to the regulation and public spending that are needed to stop data breaches, protect online privacy, and make networks safe.

Enter the siren song of offensive cyber operations. If the United States can make its adversaries fear its cyber warriors, then it can take its time with upgrading government systems, protecting its critical infrastructure with voluntary frameworks instead of mandatory rules, and allowing Big Tech to continue to monetize Americans’ sensitive data. U.S. adversaries will be deterred by their fear of some massive response if they cross U.S. red lines. Defense, the story goes, is simply too hard— perhaps impossible—so why bother?

Offense has dominated the conversation for decades. President Barack Obama launched the Stuxnet attack on Iran and created United States Cyber Command. His plan for legislation to require greater protection for critical infrastructure was blocked by Congress under heavy industry pressure. President Donald Trump’s national cyber strategy sought to “preserve peace through strength” by maintaining “United States overmatch in and through cyberspace.”…