It has become quite clear to many strategists that the classical concept of strategic deterrence has its limitations in cyberspace.

For the most part, however, the U.S. posture toward cyberspace was more defensive in nature and focused on strategic deterrence. The United States calculated that the perception of its retaliatory capabilities would make adversaries think twice before launching significant attacks targeting it. Leaks by National Security Agency contractor Edward Snowden detailing U.S. cyberactivity and the tools that the agency has at its disposal only reinforced the views of U.S. capabilities. In many ways, the split of U.S. Cyber Command away from Strategic Command, which oversees strategic deterrence, is emblematic of the shift in U.S. posture in cyberspace from defense toward what has been described as "persistent engagement."

In its 2018 Command Vision, the cyber command lays out its objective that the United States must "defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage." This belief was reinforced in the Trump White House's first full National Cyber Strategy released in September. If fully implemented, the strategy would entail frequent cyberactivity against aggressors in cyberspace — and in the case of the response after Iran's downing of the UAV, a willingness to retaliate for physical attacks through cyberwarfare.

A Change in Global Dynamics

While it may be easy to connect the more aggressive cybersecurity posture of the United States with Trump's America First strategy, multiple drivers have pushed the country in that direction.

It has become quite clear to many strategists that the classical concept of strategic deterrence has its limitations in cyberspace. While U.S. adversaries certainly calculate that a significant cyberattack against the United States could draw a U.S. response, they also know the difficulties of attributing those attacks to a specific state actor. That's why countries with such intent in cyberspace, including Russia, Iran and China, often employ nonstate actors to carry out offensives against the United States and its allies, giving them a higher degree of plausible deniability. This makes it difficult to rely on strategic deterrence, in which an adversary desiring to launch a cyberattack must first assess the probability of counterattack. This is why disruption, as opposed to deterrence, has become a more appealing option for U.S. strategists.

From an empirical perspective, the concept of deterrence hasn't held up in recent years, as the United States has faced dozens of state-backed cyberattacks from virtually every one of its adversaries. For Russia, online disinformation campaigns, of which its activities during the 2016 U.S. general elections are but one example, are extensions of its decades-old military strategy. But it does not limit its cyberspace activities to the shaping of perceptions. Its other cyberwar operations include a series of attacks testing the defenses surrounding critical U.S. infrastructure, including operations, still likely ongoing, targeting the U.S. electricity grid and its operators. While China has yet to carry out the same level of sophisticated disinformation campaigns as Russia, Chinese cyberattacks against U.S. infrastructure and network probes continue to be a key U.S. concern – although publicly released information detailing its activities is understandably rare. The simple fact is that, short of preventing a significant loss of life or economic activity, China's and Russia's actions show that the U.S. doctrine of deterrence has not held at the lower and middle levels. This same dynamic persists for North Korea and Iran – both of which have pursued actions targeting the United States in cyberspace despite the threat of retaliation. As the United States repositions its national strategy to focus more on the competition with other peer or near-peer powers like Russia and China, a shift in thinking on cyberspace has become almost a necessity. Both have shown a repeated willingness to take on the United States in cyberspace, making it necessary for the Pentagon to develop a holistic strategy to counter their actions. And in the event of a war, the United States will need to have offensive cybertools at its disposal. Malware, backdoors and other code needed to implement a cyberattack can't necessarily be developed and deployed on the fly. So if the United States wants to tap that option at a moment's notice, it will need to preemptively probe its adversaries' defenses and install the needed components before the outbreak of conflict.