Major Cyber Attacks Not the 'New Normal'.

• Author: Lane, Gentry
• Position: Viewpoint

* Cyberspace is the only warfighting domain in which daily degradation of critical assets is tolerated. This tolerance is not born out of willful indifference, but out of willful engagement in a losing battle due to lack of strategic response.

The scale and scope of advanced persistent threat-perpetrated aggression is beyond existing surveillance and incident response capabilities of any one nation. Despite America's technical advantage and consequential fighting force, it is and will always be outnumbered in the cyber domain. However, "always outnumbered" is not necessarily a decisive disadvantage. Military history is replete with smaller forces overcoming larger ones to achieve mission success.

The imbalance of power should be the leading factor when evaluating engagement strategies, but this is not currently the case. Instead, priority is given to triaging obvious insufficiencies in lieu of developing a viable asymmetric battle strategy. This approach yields stopgap solutions, piecemeal strategy and continued unencumbered success for adversaries.

Despite doctrine issued from both the Defense Department and the White House, the United States does not have a cohesive, sustainable strategy to efficiently deter nation-state aggression nor to adequately defend critical assets.

"Persistent engagement" and "defend forward," the two pillars of the current cyber national security strategy, are lines of effort unviable as standalone strategies. While both gambits yield intermittent efficacy in shaping adversary behavior, there are limits to their effectiveness. Given the escalating sophistication and scale of malicious cyber actors, scaling these lines of effort in a sustainable way is not possible.

Unfortunately, effort and budget continue to be allocated to the low hanging fruit and triage initiatives: establishment of norms and redlines for adversaries who flout international humanitarian law; initiatives that only incrementally increase the cybersecurity workforce; innovation programs that yield few results; and vague vows to increase resiliency. These initiatives fall short of the kind of strategic thinking and cohesive, sustainable, strategy development that the current situation requires.

These efforts are misaligned because the objective is unclear. The desired end-state has yet to be defined in the context of comprehensive strategy.

Further confounding the disorganization is a lack of consensus on the current state of affairs. There is no doubt among adversaries that they are each engaged in...