McCrary Institute releases paper encouraging a thoughtful strategy for more offensive cyber
WASHINGTON – As Washington ramps up conversation on the need for more offensive cyber capabilities, the McCrary Institute for Cyber and Critical Infrastructure Security today released a paper laying out how we got where we are, what capabilities are used and what tensions exist in the current structure, and advocates for a thoughtful, forward-leaning cybersecurity strategy that more proactively defends the homeland and deters our adversaries.
You can find the full paper, U.S. Cyber Policy: Offense, Deterrence, and Strategic Competition, here.
This paper is the first in a series of products from the McCrary Institute’s Task Force on National Security and Law Enforcement, which brings together senior leaders from across the national security community and the private sector. Task Force members include former leaders from the defense, intelligence, homeland security, and law enforcement communities, industry, the White House, and Capitol Hill — individuals with direct experience operating within, overseeing, and shaping U.S. cyber authorities, institutions, and doctrine.
“As cyberspace has emerged as a central arena of strategic competition, U.S. cyber policy and structures have struggled to keep pace. Business as usual isn’t cutting it,” said Frank Cilluffo, Director of the McCrary Institute. “In a domain defined by persistent engagement and pre-positioned access, we cannot simply ‘firewall’ our way out of the problem. As the Administration weighs consequential decisions—from the future of the dual-hat relationship between NSA and Cyber Command to proposals for a dedicated Cyber Force—it is essential to ground those debates in a clear understanding of how we arrived here and where existing authorities, organizations, and doctrines fall short. This paper draws on the collective experience of our senior fellows to clarify the strategic tradeoffs ahead and establish a foundation for the policy discussions that must follow.”
The task force is co-chaired by Thomas P. Bossert, President and Co-Founder, Trinity Cyber, Former Assistant to the President for Homeland Security; Hon. Chris Inglis, Former National Cyber Director; Gen. Kenneth F. McKenzie, Jr, USMC, Ret., Executive Director, Global and National Security Institute, Executive Director, Florida Center for Cybersecurity; and Cilluffo.
“Read this report if you agree that the status quo in cybersecurity is not good enough,” said Tom Bossert.
“No domain of interest is as critical to the health, safety and vitality of our society as the digital infrastructure known as cyberspace. And no instrument of national power is as actively deployed as the body of tools, doctrine and skills collectively referred to as cyber operations,” said Chris Inglis. “This accessible and concise report is an essential foundation to understand our experience in reconciling our aspirations for cyber to the realities of cyber. It’s a must read for all those who intend to thrive and prosper in the 21st century.”
“This is an important study, and we hope it will prove useful as policymakers face some tough decisions in cyber,” added Gen. Kenneth F. McKenzie, Jr, USMC, Ret.
The McCrary Institute is a leader bringing forward the people and ideas shaping the digital world in national security and cybersecurity policy. You can find this paper along with insights from guests on the Cyber Focus podcast discussing issues in the paper alongside independent reporting on our news site Threat Beat. Visit www.ThreatBeat.com/OffensiveCyber.
Key Insights:
- Cyberspace is no longer peripheral to national security. It is a foundational domain of competition that will shape deterrence, crisis stability, and alliance credibility in the years ahead. The choices made now regarding authorities, organization, and doctrine will determine whether the United States can sustain strategic advantage in a domain defined by persistent campaigns and enduring competition.
- While the United States retains significant technical capabilities, it continues to operate within legal and organizational frameworks that were not fully designed for continuous engagement, pre-positioned access, or competition below the threshold of armed conflict. This gap increasingly constrains strategic coherence and timely decision-making.
- As the United States confronts an era where adversaries increasingly view cyberspace as an active battlespace rather than a passive espionage environment, it must develop a strategy that accounts for the complexity of modern digital conflict. This requires sustained policy modernization, legal reform, and organizational adaptation. It also demands a realistic understanding of how the United States lost its early cyber advantage and what it will take to rebuild strategic leverage in an environment where access is contested, deterrence is uncertain, and adversaries are no longer deterred by traditional concepts of signaling or punishment.
- The trajectory of U.S. cyber policy illustrates a national security enterprise still adapting to a domain that has matured faster than the institutions designed to govern it. What began three decades ago as a narrow concern about critical infrastructure protection and intelligence collection has evolved into a continuous, contested, and strategically significant arena of statecraft. Throughout this evolution, the United States has struggled to balance offense and defense, secrecy and transparency, and operational agility with the need for careful oversight.
- The future of U.S. cyber policy will hinge on decisions made in the coming years. Policymakers must modernize statutory authorities, strengthen oversight mechanisms, and build a more integrated interagency framework. They must also confront the reality that deterrence in cyberspace will not mirror Cold War models. Instead, it will require resilience at scale, agile operational capacity, and a doctrine capable of shaping adversary behavior while managing escalation risks. Above all, cyber policy must become more predictable, coherent, and strategically grounded.
- Cyberspace is now a foundational dimension of national power, military readiness, economic stability, and democratic resilience. Should the United States fail to adapt, adversaries will shape the rules and rhythms of this domain to their benefit. If it succeeds, Washington can ensure that cyberspace remains an arena where American innovation, capability, and strategic discipline provide a decisive advantage. However, if the United States does not resolve these structural questions in the medium-term, it is likely to retain tactical cyber superiority while continuing to lose strategic leverage, providing a tradeoff adversaries are increasingly prepared to exploit.
About the McCrary Institute at Auburn University
The McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University is dedicated to defending the systems that power our national and economic security, our communities and our way of life. Positioned at the intersection of policy, applied research and public-private partnerships, the Institute serves as a trusted convener of national leaders – shaping strategy, aligning priorities and driving real-world cybersecurity solutions to protect the nation’s critical infrastructure. Learn more at McCraryInstitute.com.