
U.S. Cyber Policy: Offense, Deterrence and Strategic Competition

Marines with Marine Corps Forces Cyberspace Command in the cyber operations center at Fort Meade, Md., on Feb. 5, 2020. (Photo by Staff Sgt. Jacob Osborne/U.S. Marine Corps Forces Cyberspace Command)

By MCCRARY INSTITUTE TASK FORCE ON NATIONAL SECURITY AND LAW ENFORCEMENT

Today, the United States faces a cyber threat landscape that is shifting faster than relevant policy frameworks intended to address it. The United States remains structurally and doctrinally misaligned for strategic competition in cyberspace, complicating pre-crisis decision-making and coordination across military, intelligence, and law enforcement authorities. Washington has struggled to define and implement a coherent approach to offensive cyber operations and cyber deterrence, particularly as adversaries expand their capabilities, embed disruptive access within critical infrastructure, and exploit legal inadequacies. Offensive cyber policy has evolved in a piecemeal fashion and would benefit from deliberate reform, particularly in the authorities and processes that govern pre-crisis operations. What began in the early 2000s as an intelligence-driven model centered on clandestine collection has evolved into a contested operational environment where cyber effects are now entwined with traditional military planning, strategic competition, and crisis signaling. The United States must now navigate this space using authorities that were not designed for the scale or tempo of today’s threats, while relying on an organizational structure that reflects institutional strength, as well as operational and policy challenges.

Over the last decade, adversaries such as Russia, China, Iran, and North Korea have steadily expanded the scope and ambition of their cyber operations. China has demonstrated the clearest long-term strategic intent. Its campaigns against U.S. critical infrastructure, government agencies, and private-sector networks underscore Beijing’s preference for persistent access that can be weaponized during a future geopolitical crisis. Russia has also used cyber operations to support military campaigns, most notably in Ukraine, where destructive malware and grid attacks accompanied conventional assaults. These developments indicate that adversaries increasingly treat cyberspace as a battlespace that is continuously in play, one where access, disruption, and coercion are cultivated in advance rather than activated only at the moment of conflict.

Against this backdrop, the United States has undergone a notable shift in cyber operational policy. For years, offensive cyber activity was tightly controlled, often requiring extensive interagency deliberation and White House approval. This changed with National Security Presidential Memorandum 13 (NSPM-13) in 2018, which allows the President to delegate greater operational decision-making to specific organizations, most notably U.S. Cyber Command, and with the concurrent codification in the National Defense Strategy of the concept of “defend forward”: the policy that the United States must seek to operate continuously in foreign networks to disrupt adversary campaigns before they reach U.S. targets. Although effective in some operational respects, NSPM-13 also reignited debates around oversight, intelligence equities, Title 10–Title 50 boundaries, and the strategic risks of persistent engagement.

Read more at MCCRARY INSTITUTE TASK FORCE ON NATIONAL SECURITY AND LAW ENFORCEMENT
