Does the information domain inherently favor offense or defense? This is a complex question that integrates technology with economics, and even with grand strategy.

When the notion first emerged that cyberspace could constitute a military domain comparable to land, sea, air, and space, people had in mind armies of ‘cyborgs,’ or robots. Somewhat unlike the drones of today, they were envisioned to not only project force, but also presumably hold territory, and could thus be considered an offensive tool.

Later, we realized how fundamentally different bits are from atoms, and it became increasingly clear that everything is vulnerable. Around the time that bootlegged music started to proliferate on P2P platforms like Napster, cybersecurity became heavily associated with intellectual property.

Under that model, information is valuable due to its external association with some factor in the ‘real world.’ More recently, however, as the internet has been used to transmit not only data but value, it has become apparent that the intrinsic characteristics of information matter as much as its external associations. Copying code may be costless, but it is still dangerous to execute untrusted code without costly verification.

These eras of cybersecurity are reflected in the evolution of US cybersecurity strategies over time, although with significant delays as bureaucrats have caught up with technical thinking. The latest iteration is basically neutral between offense and defense. Most significantly, though, it reflects a vision of cybersecurity as a global effort to be coordinated between the US and its allies and partners.

Not your grandmother’s internet

These changes can be tracked through the changing use of the word “deterrence,” which first became a cybersecurity term of art in the 2018 US Cyber Strategy. “For a while, the United States seemed almost to hope that the mere example of its good-faith engagement with malicious cyber actors such as Russia and the PRC might be enough to persuade them to rein in their bad behavior,” said Assistant Secretary of State Christopher Ashley Ford in a 2020 speech.

“But we have learned the lessons of that history, and we have come more explicitly to incorporate elements of deterrence into cyberspace security diplomacy as well. The lessons of the last few years have made clear that having a framework of responsible state behavior is not enough in itself: there must also be consequences for the violation of such norms.”

That doctrine was updated this March in a long-awaited National Cybersecurity Strategy. This time, however, the word “deterrence” was once again nowhere to be found.

That reversal in direction reflects interrelated changes. The notion of absolute security for internet-connected assets has been abandoned in favor of defense in depth. At the same time, geopolitical changes over the past five years have undermined almost all types of non-technical deterrence, at least regarding Russia and China, which the newest Strategy names as two of the highest-priority malicious actors (along with North Korea and Iran).

Ransomware attacks have increased during that time, fueled by greater sophistication of hackers, as well as increased maturity of blockchain ecosystems. As such, the new Strategy puts increased emphasis on financial sector controls, including AML/CFT, and makes particular note of illicit cryptocurrency exchanges. Cybersecurity concerns underlie an apparent broader ongoing regulatory crackdown on digital assets.

One of the most interesting updates, meanwhile, involves the respective sections on diplomacy. The final pillar of the 2018 Strategy was to “Advance American Influence,” with plenty of mention of concepts like freedom, governance, and markets. The optimistic notion that the internet would inevitably promote openness, which formed a major part of the rationale that opening up to China would cause it to democratize, had still not been fully refuted by an internet of “walled gardens” (private ecosystems, mainly controlled by non-interoperable social media platforms).

Rather than American influence, however, the new Strategy puts much more emphasis on coalitions of allies and partners (the latter of which would include Taiwan). In part, this represents a partisan difference in views on American power, but it is also a highly practical way to counter threats of a global nature. It specifically notes assistance provided in response to attacks in Costa Rica, Albania, and Montenegro.

Cybersecurity is not elitist

The implications of this approach extend beyond just cybersecurity. The US urgently needs some sort of diplomatic ‘carrot’ towards middle powers as it increases its use of financial sanctions and semiconductor controls. Recent moves to ban TikTok reinforce the impression that American moves to counter Chinese influence are primarily punitive in nature.

Even the traditional tool of development financing at best only matches China’s Belt and Road. Warnings of “debt diplomacy” prompted a now-famous quip on Twitter, attributed to a Kenyan official: “Every time China visits we get a hospital, every time Britain visits we get a lecture.”

Far from being an elitist concern, if anything, cybersecurity is of greater interest to poorer countries, as long as they are developed enough to connect their financial systems to the internet. It is a topic of consistent interest among members of the Asian-Pacific Association of Banking Institutes (APABI), of which TABF serves as the secretariat.

Cybersecurity aid constitutes a rare avenue for the US to approach the information domain from a lawful and ethical, yet offensive posture. The US should, and probably will, increase its utilization over time. Due to human resource constraints, however, law enforcement is forced to aggressively triage threats. Director Christopher Wray of the FBI recently requested money to hire 192 new cyber staffers, claiming to Congress that the FBI was outnumbered 50 to 1 by Chinese hackers.

It is impossible for the government to compete with the private sector on pay, although the current tech sector layoffs offer a small window of opportunity. Moreover, an even bigger challenge is the gaping culture chasm between traditional and digital talent, even relative to the financial sector. The national security apparatus does not look highly upon the career flexibility which is valued in the tech sector.

Moreover, the security clearance process is notorious for weeding out free thinking and international ties, including even foreign country expertise. This will likely need to change in light of the recent leaks on Discord, a video game chat platform. Jack Teixeira, the 21-year-old who shared a wide range of sensitive documents with teenage admirers, managed to obtain his Top Secret clearance despite being denied a firearm license due to violent and racial threats, as well as comments about guns at school. The case demonstrates that mere conformity and traditional career paths were insufficient criteria to begin with.

Chatbots, not hackbots

An important question for the future will be whether large language models (LLMs) could alleviate any aspect of this bottleneck. Given how wrong previous prognostications have been about the future of information technology, some modesty is in order when extrapolating ahead, but some preliminary conclusions can still be drawn.

LLMs will not invent new types of attack. They are not creative in that sense, and other, more specialized types of algorithms are more suited to that task. Rather, they are economic engines which make certain, less sophisticated tasks orders of magnitude cheaper, such as social engineering.

The parameters of cybersecurity policy have changed even in the short time since the recent Strategy was released, but this update may not strongly affect the overall balance between defense and offense. It is already understood that maintenance of network operations must co-exist with governance over physical territory. The question now is how to scale the aspects of cybersecurity which truly require scarce world-class talent.