cybersecurity threats is available publicly. But all too many decision makers still focus on the short-term costs of improving their own organizational cybersecurity postures, and little has been done to harness market forces to address matters related to the cybersecurity posture of the nation as a whole. If the nation’s cybersecurity posture is to be improved to a level that is higher than the level to which today’s market will drive it, the market calculus that motivates organizations to pay attention to cybersecurity must be altered in some fashion.
Cybersecurity is important to the nation, but the United States has other interests as well, some of which conflict with the imperatives of cybersecurity. Tradeoffs are inevitable and will have to be accepted through the nation’s political and policy-making processes. Senior policy makers have many issues on their agenda, and they must set priorities for the issues that warrant their attention. In an environment of many competing priorities, reactive policy making is often the outcome. Support for efforts to prevent a disaster that has not yet occurred is typically less than support for efforts to respond to a disaster that has already occurred. In cybersecurity, this tendency is reflected in the notion that “no or few attempts have yet been made to compromise the cybersecurity of application X, and why would anyone want to do so anyway?,” thus justifying why immediate attention and action to improve the cybersecurity posture of application X can be deferred or studied further.
Progress in cybersecurity policy has also stalled at least in part because of conflicting equities. As a nation, we want better cybersecurity, yes, but we also want a private sector that innovates rapidly, and the convenience of not having to worry about cybersecurity, and the ability for applications to interoperate easily and quickly with one another, and the right to no diminution in our civil liberties, and so on. Although research and deeper thought may reveal that, in some cases, tradeoffs between security and these other equities are not as stark as they might appear at first glance, policy makers will have to confront rather than elide tensions when they are irreconcilable, and honest acknowledgment and discussion of the tradeoffs (e.g., a better cybersecurity posture may reduce the nation’s innovative capability, may increase the inconvenience of using information technology, may reduce the ability to collect intelligence) will go a long way toward building public support for a given policy position.
The use of offensive operations in cyberspace as an instrument to advance U.S. interests raises many important technical, legal, and policy questions that have yet to be aired publicly by the U.S. government. Some of these questions involve topics such as U.S. offensive capabilities in cyberspace, rules of engagement, doctrine for the use of offensive capabilities, organizational responsibilities within the Department of Defense and the intelligence community, and a host of other