The Trump Administration’s National Cyber Strategy is imminent. While many of its anticipated themes have been woven through prior strategies spanning the previous five administrations, reports suggest a decidedly new shift that would prioritize cyber offense in order to shape adversary behavior and relegate cyber defense to the back burner. If implemented, this is a shift that threatens to compromise our national security.
The new strategy’s priorities have been signaled for months:
Shaping adversary behavior
Promoting common sense regulations
Modernizing federal networks
Securing critical infrastructure
Sustaining technology superiority
Growing the cyber talent pool
These priorities are not novel. However, the prioritization of offensive capabilities over reinforcing our defensive capabilities would be a new path.
To understand how abrupt this shift would be, consider the progression of cybersecurity strategies from the late 20th century to today. President Bill Clinton’s Critical Infrastructure Protection directive in 1998, referred to by many as the dawn of U.S. cybersecurity policy, focused on securing critical infrastructure in cooperation with close allies, international organizations, and multinational corporations. President George Bush’s 2008 Comprehensive National Cybersecurity Initiative focused on getting the federal government’s own house in order, including by reducing vulnerabilities, fusing the government’s own information, and growing the workforce through the National Initiative for Cybersecurity Education. The 2016 Obama-era Cybersecurity National Action Plan, meanwhile, focused first on raising nationwide cybersecurity resilience, and on deterring, discouraging, and disrupting malicious activity in cyberspace to step in when preventative measures were deemed insufficient. This included the establishment of United States Cyber Command, the development of an international cyber strategy, and the first indictments of known nation-state actors for computer intrusion and intellectual property theft. The first Trump Administration’s National Cyber Strategy similarly began with a focus on protection, with a complementary focus in its third pillar on efforts to preserve peace through strength, including imposing consequences and countering malign cyber influence and information operations. And most recently, the Biden Administration’s 2023 National Cybersecurity Strategy placed top priority on protection and defense of U.S. critical infrastructure, followed by a secondary focus on disruption of malign cyber operations.
The new strategy's focus on leading with offense to shape behavior will be a marked shift from all strategies of years past. But that will also depend in large part on what offense means, something that, to date, the Administration has characterized as a range of activities outside U.S. networks.
Admittedly, leveraging offensive activity supports well-intentioned objectives—primarily protecting U.S. intellectual property and critical infrastructure. However, if the theory really is to strike first, without an equal if not greater emphasis on scaling defense, the ends don’t justify the means.
First, the technical difficulty in actually leveraging offensive cyber activities to shape the behavior of the actors most known to target our intellectual property and critical infrastructure–Chinese state-sponsored actors–cannot be overstated. Likewise, using offensive capabilities to target other malicious actors, including from Russia, North Korea, and Iran, is not as straightforward as it might seem. Among other challenges, they operate from a range of dynamic infrastructure scattered across the globe, necessitating a holistic picture of their operations together with a well-orchestrated campaign to actually have long-term impact. Without better integration with industry, as noted below, it’s hard to see this approach achieving sustained success in shaping adversary behavior.
Next, rather than merely playing a game of whack-a-mole with the ransomware actors who frequently exploit known vulnerabilities to launch their campaigns, a defense-first oriented strategy could exert a longer-term impact than offense alone. Consider, for example, the value of a concerted, incentivized campaign to address known exploited vulnerabilities or selectively replace end-of-life equipment—take those exposures out of the hands of threat actors from the start.
Moreover, industry already has deep insight into threat actor activity–whether by tracking how criminal and nation-state actors misuse corporate intellectual property and assets (e.g., cloud and other services) or by tracing their financial gains on the blockchain. A defensive cyber strategy could continue to examine the barriers to fusing these insights and empower industry to take greater collective action against these actors, before pursuing offensive cyber actions that could ultimately put U.S. companies at greater risk. If this is the Administration’s actual intent, it would be a welcome shift. While joint sequenced operations, civil takedowns, and traditional defensive measures have had some impact, the Administration can and should do more by working with industry and international partners to articulate clear frameworks that shape adversary behavior, including through disruptive actions like active defense, and not “hack back.”
Finally, to truly change the behavior of our adversaries, we must first change our own. For too long, we have placed the burden of security squarely at the feet of the buyer, rather than the manufacturer who creates the software in the first place. Too many of the vulnerabilities that threat actors exploit exist precisely because of structural misalignments in the market that allow poor design practices to persist. Instead of throwing stones at others’ houses, the U.S. government should leverage its buying power to demand more from software manufacturers, and the market should hold industry accountable for certain flaws that could have been prevented through secure software development and lifecycle management practices.
Industry leaders have signaled their impatience with the current approach, which “often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses.” Yet early federal efforts to require secure by design practices in the U.S. government were recently dealt a blow when the Office of Management and Budget rescinded mandatory software attestations–shifting the burden back to industry and undercutting one of the U.S. government’s most powerful tools to protect our intellectual property and secure our critical infrastructure.
So, where would an offense-first approach leave us—especially U.S. industry? Potentially holding the bag. Offensive cyber capabilities can and should be part of the toolbox, but they cannot lead the charge without also scaling defense. The forthcoming National Cyber Strategy marks a pivotal moment for U.S. cybersecurity policy. A strategy that prioritizes shaping behavior through offensive operations over improving defense would risk exposing critical infrastructure, intellectual property, and U.S. companies to even greater harm. True national security comes not from striking first, but from leveraging innovation to significantly reduce the security gaps available to attackers, empowering industry to take lawful, coordinated actions, and realigning incentives in the marketplace to support secure software and hardware practices. Only then can we truly put America first.
Megan Stifel has worked at the intersection of national security, law, and technology for more than two decades. She is currently the Chief Strategy Officer at the Institute for Security and Technology, where she also serves as Executive Director of the Ransomware Task Force. Megan previously served as a Director for International Cyber Policy at the National Security Council and in the US Department of Justice as Director for Cyber Policy in the National Security Division, as well as in the Criminal Division’s Computer Crime and Intellectual Property Section. She also worked for the US House of Representatives Permanent Select Committee on Intelligence. Megan is a Member of the Aspen Global Leadership Network and a Fellow at the National Security Institute.