The Fifth Domain

Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
by Richard A. Clarke 2019 352 pages
4.02
809 ratings

Key Takeaways

1. The Shifting Balance: From Offensive Advantage to Defender's Resilience

Today, as for the last twenty-five years, the conventional wisdom in the fields of computer science, information technology, and networking is that there is an enormous offensive preference.

Offensive dominance challenged. For decades, the prevailing belief was that cyber attackers held an insurmountable advantage, making defense a losing battle. This "offensive preference" meant that it was cheaper and easier to attack than to defend, leading to widespread vulnerability across computer networks. However, this long-held assumption is increasingly being questioned by experts and real-world outcomes.

Kill Chain disruption. The "kill chain" model, developed by Lockheed Martin, revolutionized defensive thinking by breaking down an attack into distinct stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Defenders only need to disrupt one of these stages to thwart an attack, while attackers must successfully execute all of them. This framework empowers defenders by providing multiple points of intervention.
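The asymmetry described above can be put in numbers. This is an added example, not material from the book or the summary: the control names and stop rates are constructed, and the stages are assumed to be independent of one another.

```python
from dataclasses import dataclass
from math import prod

# Stage order exactly as listed in the summary above.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
)

@dataclass(frozen=True)
class Control:
    name: str         # hypothetical control name
    stage: str        # kill-chain stage the control acts on
    stop_rate: float  # assumed chance it stops one attempt at that stage

    def __post_init__(self):
        if self.stage not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain stage: {self.stage!r}")
        if not 0.0 <= self.stop_rate <= 1.0:
            raise ValueError(f"stop_rate out of range for {self.name!r}")

def stage_stop_rates(controls):
    """Per-stage chance of stopping an attempt; a stage misses only if all its controls miss."""
    rates = {}
    for stage in KILL_CHAIN:
        misses = [1.0 - c.stop_rate for c in controls if c.stage == stage]
        rates[stage] = 1.0 - prod(misses)  # no controls: prod([]) == 1, so rate is 0.0
    return rates

def attacker_success(controls):
    """Chance one attempt clears every stage (stages assumed independent)."""
    return prod(1.0 - r for r in stage_stop_rates(controls).values())

def uncovered_stages(controls):
    """Stages where the defender currently has no point of intervention."""
    covered = {c.stage for c in controls}
    return [s for s in KILL_CHAIN if s not in covered]

def broken_at(controls, fired):
    """Earliest stage at which a control named in `fired` acted, or None."""
    stages = {c.stage for c in controls if c.name in fired}
    return next((s for s in KILL_CHAIN if s in stages), None)

# Constructed control inventory; names and rates are illustrative, not measured.
CONTROLS = [
    Control("mail-filter", "delivery", 0.6),
    Control("attachment-sandbox", "delivery", 0.5),
    Control("endpoint-exploit-guard", "exploitation", 0.5),
    Control("endpoint-persistence-watch", "installation", 0.5),
    Control("egress-proxy", "command and control", 0.4),
]

if __name__ == "__main__":
    print(f"attacker clears all stages: {attacker_success(CONTROLS):.3f}")
    print("stages with no control:", uncovered_stages(CONTROLS))
    print("chain broken at:", broken_at(CONTROLS, {"egress-proxy"}))
```

No single control here stops more than 60% of attempts, yet the attacker clears all seven stages only about 3% of the time, and the uncovered stages show where an added control would create a new point of intervention.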

Eroding advantage. Advanced defensive technologies and strategies are making it harder for even sophisticated nation-state actors to operate undetected. Companies like CrowdStrike demonstrate that rapid detection and containment can stifle adversaries, preventing them from achieving their goals. The increasing cost and difficulty for attackers to find and exploit vulnerabilities, coupled with improved defensive tools, suggest that the offensive advantage is slowly but surely eroding.

2. Cybersecurity is a Shared Responsibility, Primarily Private

The fundamental responsibility for the protection of the nation’s networked systems falls on the private-sector owners and operators of those systems, with the government in a supporting role.

Private sector's onus. Unlike other national security domains where government takes primary responsibility, cybersecurity places the main burden on private companies. This is because most critical infrastructure and digital assets are privately owned and operated. CEOs often express incredulity, arguing they pay taxes for national defense, but the reality of cyberspace's structure dictates this division of labor.

Government's supporting role. The government's function is limited to actions only it can perform, such as:

  • Investigating crimes and prosecuting perpetrators.
  • Collecting intelligence and sharing threat information.
  • Using diplomatic tools and imposing sanctions.
  • In rare cases, employing military force.

This approach, often likened to "Home Depot: You can do it. We can help," avoids the pitfalls of government overreach that could stifle innovation or compromise privacy.

Avoiding overreach. Proposals for a "Great Firewall of the United States" or military control over private networks are deemed ineffective and dangerous. Such systems, while potentially offering some security, would incur massive societal disruption, enable censorship, and undermine privacy. The goal is to preserve the internet's value as a platform for efficiency and economic growth, not to destroy it in the name of security.

3. Building Resilience: Smart Tech, Cloud, and Identity

Resiliency isn’t about avoiding a breach, it’s about preventing bad outcomes.

Beyond prevention. Cybersecurity is not just about preventing breaches, but about building "cyber resilience"—the capacity to prepare for, recover from, and adapt and grow stronger after disruptions. This involves rapidly responding to incidents, returning to a good state, managing bad outcomes, and learning from every attack. Companies like Aetna, with hundreds of millions in security spending, exemplify this by deploying diverse controls and constantly changing their attack surface.

Leveraging the cloud. Cloud computing offers significant security advantages for most organizations, especially smaller ones. Cloud providers like Amazon, Google, and Microsoft invest billions in security, offering:

  • Automation: Secure configuration of devices.
  • Self-tailoring: Services that work together seamlessly.
  • Self-healing: Automatic failover to backup infrastructure.

While concerns about concentrated risk exist, for 99% of businesses, cloud security is superior to what they could achieve independently.

Identity as the new perimeter. Weak or stolen passwords remain the cause of over 80% of data breaches. Multifactor authentication (MFA) is a critical defense, but adoption is slow. Future solutions involve "passwordless" authentication and advanced analytics that use dozens of factors (location, device, typing speed) to continuously verify identity. The "ReallyU" proposal envisions a federated, opt-in system for online identity verification, leveraging government and private sector resources to combat identity theft and fraud.

4. Government's Imperative: Regulating for Resilience and Securing the Core

Smartly leveraging existing regulatory authorities in tailored ways is exactly what government should be doing.

Nudges and shoves. Voluntary frameworks like the NIST Cybersecurity Framework have encouraged some companies to improve security. However, for critical sectors and pervasive vulnerabilities, stronger "shoves" in the form of regulation are necessary. The historical opposition to federal cybersecurity regulation, often citing innovation stifling, is being challenged as losses mount and state-level regulations proliferate.

Outcome-based regulation. Effective regulation should be outcome-based, telling entities what to achieve, not how to do it. Examples include:

  • Design Basis Threat (DBT): Used in nuclear facilities, requiring defenses against a defined adversary.
  • Regulation E: Mandates banks reimburse consumers for fraud losses, incentivizing robust security.
  • Data Bonds: Requiring companies storing PII to purchase bonds covering the full societal cost of a breach, akin to oil tankers needing financial responsibility for spills.

This shifts the economic burden of poor security onto companies, aligning incentives for better protection.

Securing the internet's backbone. Beyond individual companies, the internet's core infrastructure—DNS, BGP, and 5G networks—remains vulnerable. China Telecom's manipulation of BGP routing, for instance, demonstrates how nation-states can redirect traffic. The FCC's reluctance to regulate these foundational systems leaves them exposed. Mandatory security requirements for this backbone are crucial to prevent widespread disruption and maintain national security.

5. The Workforce Crisis: Cultivating Cyber Talent

The military services were taking the easy way out by repurposing troops in similar areas rather than saying, what do I need to do this job, what are the attributes of the people who can do it, and what do I need to do to train them?

Hype vs. reality. The "cybersecurity workforce crisis" is often overhyped, with claims of millions of unfilled positions globally. Data from NIST's Cyberseek reveals that the real shortage is not at the entry level, but for experienced, mid-career professionals. Many entry-level certification holders struggle to find jobs, indicating a mismatch between training programs and market demand.

Experiential learning. Traditional classroom models are ineffective for developing cyber warriors. The U.S. military, through initiatives like the Cyber Operations Academy Course, is shifting to experiential, hands-on learning. This approach, often guided by ex-NSA experts, focuses on:

  • Self-taught aptitude: Identifying individuals with innate curiosity and tenacity.
  • Progressive challenges: Learning by doing, with mentors providing guidance.
  • Real-world problems: Applying skills to live scenarios.

This model, exemplified by companies like Point3 Security's Escalate platform, is more effective than rote memorization for developing practical skills.

Government as talent incubator. The federal government can play a crucial role in cultivating cyber talent. Programs like CyberCorps offer scholarships and guaranteed federal jobs, providing valuable experience. However, the rigid civil service system hinders retention. A proposed "CyberCorps" cadre within CISA would professionalize federal cybersecurity, offering specialized training, career progression, and competitive compensation, with the understanding that these trained professionals would eventually benefit the private sector.

6. Global Stability: Military Posture and Diplomatic Frameworks

Mishandled, cyber weapons could trigger a larger conflict of the kind we have successfully struggled to avoid.

Military's five missions. The U.S. military aims for "dominance" in cyberspace, encompassing five missions:

  • Defending its own networks.
  • Protecting the defense industrial base (DIB).
  • Ensuring weapons integrity.
  • Guarding critical civilian infrastructure for military support.
  • Conducting offensive cyber operations.

A hypothetical Iran-Israel conflict scenario reveals significant U.S. vulnerabilities across these missions, from compromised DLA systems to hacked weapons platforms and an inability to launch rapid offensive cyber responses.

"Defend forward" and legal shifts. Historically, legal and bureaucratic impediments limited U.S. military offensive cyber operations. However, the 2019 NDAA and NSPM 13 have granted Cyber Command authority to "defend forward"—identifying, penetrating, and disrupting adversary systems in peacetime. This aims to create "escalation dominance" by making enemies uncertain about their weapons' effectiveness and U.S. cyber defenses, thereby deterring conflict.

A Digital Schengen Accord. To achieve global cyber stability, a new diplomatic framework is needed. The "Schengen Accord for the Internet" proposes a bloc of like-minded nations that harmonize cybercrime laws, ensure free data flow, and cooperate on law enforcement and threat response. This would exclude nations that provide safe havens for cybercriminals or engage in disruptive activities, creating a powerful incentive for responsible behavior and a more secure, interoperable internet for its members.

7. Democracy's Shield: Protecting Elections from Hybrid War

Putin ordered an attack to undermine America by heightening its internal divisions and undermining its citizens’ confidence in their democracy.

Hybrid war's impact. Russia's 2016 election interference, orchestrated by entities like the Internet Research Agency, demonstrated a "hybrid war" strategy combining cyberattacks, disinformation (maskirovka), and social media manipulation. This multifaceted assault aimed to sow division and undermine confidence in democratic processes, a tactic extensively tested in Europe before being deployed against the U.S.

Vulnerable election ecosystem. The U.S. election system, with its decentralized nature across over 3,000 county governments, presents numerous vulnerabilities. These include:

  • Candidate/campaign hacks: Personal devices and campaign networks.
  • Voter registration database breaches: Altering or deleting voter records.
  • Insecure voting machines: Lack of paper trails and susceptibility to manipulation.
  • Social media manipulation: Bots and fake personas spreading disinformation.

The "security through diversity" argument is flawed, as it creates a tier of easily exploitable targets and allows attackers to focus on key swing districts.

Multi-pronged solutions. Defending democracy requires a comprehensive approach:

  • Mandatory security standards: Federal laws for voting machines (requiring paper audits, third-party certification) and voter databases.
  • Social media regulation: Requiring platforms to identify and remove bots/foreign entities, and mandating disclosure for political ads.
  • Real-time intelligence sharing: Government agencies must provide ongoing, unclassified reports to the public on foreign interference.
  • International cooperation: An alliance of democracies to share intelligence, best practices, and collectively sanction malicious actors.

These steps are crucial to counter the "cyber Pearl Harbor" that undermines trust in democratic institutions.

8. The Near Future: AI, Quantum, 5G, and IoT

Whoever becomes the leader [in AI] will become the ruler of the world.

AI's dual nature. Artificial Intelligence (AI) and Machine Learning (ML) are transforming cybersecurity. While AI-enabled defensive tools (endpoint protection, vulnerability managers, IAM/PAM) are improving detection and response, offensive AI is also rapidly developing. DARPA's "Grand Challenge" demonstrated AI's ability to autonomously hack networks, and tools like IBM's DeepLocker show how AI can create highly targeted, evasive malware.

Quantum's disruptive potential. Quantum computing, though still in its early stages, promises to revolutionize computing power. Qubits, leveraging superposition and entanglement, can process vastly more information simultaneously than classical bits. This could:

  • Break modern encryption: Quantum computers could crack current encryption algorithms in seconds, necessitating a shift to quantum-resistant cryptography (e.g., NIST's upcoming standard).
  • Enhance AI: Combining quantum computing with ML could create a "Network Master" AI capable of real-time, comprehensive network defense or devastating, optimized attacks.

The "quantum arms race" between nations like the U.S. and China is driven by this potential for both defensive and offensive breakthroughs.

5G and the insecure IoT. The rollout of 5G mobile technology, promising 10x faster speeds and supporting millions of devices per square kilometer, will supercharge the Internet of Things (IoT). However, this expansion comes with immense security risks:

  • Huawei controversy: Concerns about backdoors in 5G infrastructure from Chinese vendors.
  • Insecure IoT devices: Billions of "dumb" sensors (from pacemakers to tractors) are being connected without adequate security, creating vast new attack surfaces.
  • Botnet platforms: IoT devices are easily compromised and can be weaponized for large-scale DDoS attacks (e.g., Mirai botnet).

Without robust security regulations and industry standards, the proliferation of insecure IoT devices on 5G networks will dramatically increase the attack surface and the potential for catastrophic cyber incidents.

9. Personal Cybersecurity: Practical Steps for Self-Defense

Passwords are like underwear. Don’t let people see them, change them often, and don’t share them with anyone.

Prioritize what matters. While personally identifiable information (PII) is frequently compromised, its impact is often mitigated by credit freezes and bank protections. The real personal cybersecurity risks lie in vulnerable passwords and devices. It's crucial to understand what you value most online and protect it accordingly.

Password hygiene is paramount. The most common vulnerability is reusing weak passwords. To protect yourself:

  • Unique, complex passwords: Use different, long (10+ characters) passwords with mixed characters for every account.
  • Password managers: Utilize services like LastPass or Dashlane to generate and store complex passwords, requiring you to remember only one master password.
  • Two-factor authentication (2FA): Enable 2FA on all critical accounts (banks, email, social media) for an extra layer of security.
  • Deception: Use fictional answers for security questions to prevent identity theft.

Device and data protection. Your personal devices are prime targets. Simple steps can significantly enhance security:

  • Software updates: Enable automatic updates for your operating system (e.g., Windows 10, latest macOS) and web browser (Chrome is recommended).
  • Antivirus software: Install and keep updated (Sophos, McAfee, Symantec).
  • Email vigilance: Never click links or open attachments from unknown or suspicious emails without verifying the sender.
  • Camera/microphone control: Cover laptop cameras, disable app access to microphones unless necessary, and be mindful of smart home devices like Alexa.
  • Regular backups: Back up all critical data (emails, documents, photos) to an external, disconnected hard drive or a secure cloud service.

Review Summary

4.02 out of 5
Average of 809 ratings from Goodreads and Amazon.

The Fifth Domain receives mostly positive reviews for its comprehensive overview of cybersecurity challenges and potential solutions. Readers appreciate the authors' expertise, clear explanations, and policy recommendations. The book covers topics like resilience, government roles, and emerging technologies. Some criticize political biases and occasional technical inaccuracies. Many find it informative and eye-opening, though a few consider it alarmist. Overall, it's praised as a valuable resource for understanding current cybersecurity landscapes and future implications.

About the Author

Richard A. Clarke is a former U.S. government employee with extensive experience in national security and counter-terrorism. He served under four presidents, holding positions such as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism. Clarke gained public attention in 2004 for his criticism of the Bush Administration's approach to counter-terrorism before 9/11 and the decision to invade Iraq. His memoir, "Against All Enemies," sparked controversy and attempts to discredit him. Clarke's career spans three decades, during which he played crucial roles in shaping U.S. cybersecurity and counter-terrorism policies, making him a significant figure in these fields.
