Offense Won’t Cut it Alone

Imagine a future where every phishing attempt is thwarted before it reaches your inbox. Local police have cyber-forensics units on call 24/7, and nation-state intrusions trigger instant, coordinated responses that safeguard our economy, our power grid, and our trust in each other. That is the goal of an effective cybersecurity strategy: a cyberspace governed not by fear or threats, but by shared responsibility, layered defenses, and a relentless focus on resilience and recovery.

Getting there is possible, but in our renewed efforts to achieve these goals, it must be done carefully. As we increase our focus on offensive operations to address the most sophisticated nation-state actors, we must not take our eye off the cyber fundamentals needed to deter the criminal networks that target the general population for financial gain. 

These distinctions matter. By grouping all cyber threats under the same umbrella and relying on militarized metaphors, we’ve muddled our response and neglected the specific strengths of our civil institutions. All three pillars are critical for tackling the root causes of cyber harm:

• Ubiquitous Digital Crime needs local cops with keyboards.
• Organized Digital Extortion needs joint task forces, not solo private investigators.
• Nation-State Operations demand national coordination and defense-grade capabilities.

The bright side is that there are straightforward policies that policymakers can implement now to address these issues. Here’s what they need to do:

1. Ubiquitous Digital Crime: The New Petty Theft

From toll-tag scams and fake delivery texts to phishing and credential harvesting, cybercrime has become the digital equivalent of shoplifting—mass-market, low-sophistication, high-volume scams that erode public trust and impose a constant burden on individuals and businesses. The strategy for tackling these crimes should include:

Prevent

• Mandate stronger default authentication standards in consumer software.
• Fund public awareness campaigns on phishing and fraud.
• Leverage public-private information-sharing platforms to identify emerging scam trends and adapt defenses.

Respond

• Retool and retrain local law enforcement: each jurisdiction should have a dedicated or shared cybercrime response team equipped with the tools, personnel, and legal frameworks to investigate and prosecute digital scams.
• Build a “cyber” reporting infrastructure, integrated with real-time data feeds from financial institutions and telecom providers.

Recover

• Establish victim support services, modeled on fraud-victim hotlines, to help restore credentials and recover stolen funds.

2. Organized Digital Extortion: The Coupling of Cyber Crimes with Psychological Threats

The strategy here should include:

Prevent

• Require critical-service providers (hospitals, utilities, municipalities) to adopt the cyber fundamentals by meeting baseline cybersecurity standards and undergoing regular third-party audits.
• Enact liability reform to hold software developers accountable for incorporating security best practices.

Respond

• Elevate FBI, NSA, and CISA to lead incident response, not just advise on it.  
• Create joint rapid-deployment teams (akin to FEMA’s response to hurricanes) that can surge into major incidents.
• Strengthen legal frameworks to discourage ransom payments, while streamlining lawful access for investigations.

Recover

• Launch a public-sector “cyber disaster relief” fund to underwrite recovery costs for small jurisdictions and nonprofits.
• Mandate post-incident “after-action” reports, with lessons learned shared across sectors to prevent recurrence.

3. Nation-State Operations: The Realm of Advanced Persistent Threats (APTs)

When breaches are orchestrated by nation-states—through espionage, sabotage, or intellectual property theft—we’re in the domain of national security.

Prevent

• Expand threat-sharing partnerships between top government agencies and vetted private-sector security firms.
• Harden civilian critical infrastructure to defense-grade resiliency standards.

Respond

• Pre-position response capacity by establishing standing contracts with leading incident-response firms and law firms—locking in legal, logistical, and financial terms ahead of time—so surge teams can be deployed instantly when a multi-vector APT campaign hits.
• Leverage public attribution, targeted sanctions, and other visible deterrence to raise the cost of state-sponsored intrusions.
• Better integrate cyber defense into our national defense posture: fuse military, NSA, FBI, DHS, and diplomatic channels with private-sector allies for real-time intelligence exchange.

Recover

• Institute “cyber reconstruction” programs to restore services and infrastructure while codifying digital-domain law enforcement partnerships.
• Embed continuous red-teaming exercises to stress-test recovery plans and improve resilience. 

Rebuilding the Framework: Prioritizing the Cyber Fundamentals

To support this model, Congress must invest in modernizing local and federal law enforcement, updating cybercrime statutes, building public-private reporting pipelines, and clarifying the roles and responsibilities at every level of government. Our goal is not just to prevent breaches—but to establish rule of law in the digital domain.

The time has come to move beyond war metaphors and build a governance model rooted in the cyber fundamentals—one that addresses street-level scams, organized crime syndicates, and nation-state aggression with the right tools, the right people, and the right mission.