Former National Cyber Director Chris Inglis: Cyber defense needs consequences
WASHINGTON – Former National Cyber Director Chris Inglis argues the United States can’t build credible cyber resilience while treating offensive action as a separate lane. In his view, deterrence requires both the ability to withstand attacks and the ability to impose costs on adversaries who keep pushing.
“This really is kind of any hammer needs an anvil, and any anvil is useless without a hammer,” Inglis told Cyber Focus host Frank Cilluffo. “The discussion of whether it’s going to be a focus on defense kind of inherent resilience or a focus on imposing consequences is a false choice.”
The conversation arrives as Congress and the national security community debate what it means to strengthen America’s offensive cyber capabilities, and it tracks with themes raised in recent McCrary Institute work on the evolution of U.S. cyber policy and doctrine. But Inglis’ focus is less about labels than outcomes: whether the U.S. can convince rivals that coercion and disruption will fail, and that aggressive campaigns will carry real costs.
Inglis’ core point is practical: Hardening systems can deflect a large share of criminal and opportunistic threats, but it won’t dissuade determined state actors who assume they can break in anyway. “You need to have some remedies for those that say… ‘I’ve got the capacity and the willpower to actually kind of breach your inherent resilience, your defenses, because nothing can be made perfect,’” he said.
That logic also shapes how he revisits the early years of U.S. cyber doctrine. Inglis recalled a period when Washington emphasized restraint to avoid “militariz[ing] cyberspace or the Internet,” and argues the approach carried a strategic cost. “And so that was a lesson that perhaps our restraint was escalatory,” he said, describing 2017 as an inflection point – when attacks such as WannaCry and NotPetya demonstrated how quickly disruptive campaigns could spill across borders and critical systems.
From there, Inglis frames the shift toward a more active posture – captured in concepts such as “defend forward” and “persistent engagement” – as defense with initiative, not a search for escalation. “[With defend forward] we’re not going to wait onshore for [malicious cyber activity] to arrive and then kind of cede the initiative to adversaries,” he said. The aim, he explained, is to contest malicious activity earlier, closer to where threats are staged, and ideally alongside partners whose infrastructure is being abused.
Even with doctrine moving in that direction, Inglis spends time on the friction that still slows execution: authorities, accountability and coordination across missions that blend intelligence, military action and diplomacy. He describes cyber as a domain where longstanding legal lines can blur – especially when the technical steps required to gather intelligence and the steps required to create effects overlap for most of an operation.
Late in the episode, Inglis pointed to recent public discussion of cyber being used as one tool inside broader national security campaigns – an encouraging sign, he suggested, that cyber power is being integrated rather than treated as a boutique capability. But his closing warning is less about any single operation than about whether the United States can move fast enough to integrate cyber with other instruments of power.
“What keeps me awake at night? We don’t have time, right? We’re way behind the curve,” Inglis said.