Cyber offence isn’t something that CISOs generally invest in. For nation-states it seems that defence is where the investment should be going also…:
[…] Cyber superpowers cannot easily or effectively showcase their cyber arsenal of zero-days or the cyber-physical attack points they have access to within an enemy’s critical infrastructure without significantly jeopardizing those same tools and access. In a cyber-driven conflict, the instant an actor shows their hand, revealing cyber tools or accesses, they are made moot – vulnerabilities are remediated, networks patched, and the strategic advantage effectively erased.
The key for both keeping and showcasing cyber superiority lies in defense. Nations can use key metrics around attack prevention and disruption, as well as advancements in key technologies, to project defensive prowess without giving up their strategic advantage, all while resourcing network and infrastructure resilience.
Unfortunately, as reflected in the recent Cyber Solarium Commission (CSC) report released this March, the United States and most other countries have continued to focus largely on cyber offense, without recognizing that the nature of cyber has changed the national security paradigm. And even when nations have focused on cyber defense, strategies and technologies are largely out of date considering the advances continually occurring in offense.