The US doesn’t just need a cyber policy, it needs a cyber doctrine
Defining a cyber policy is necessary—we need to know who executes which action—but the lack of a strategic doctrine means we still won’t have principles that govern our priorities or our actions in cyberspace. Failing to have a governing cyber doctrine will leave the U.S. more vulnerable to future cyber threats.
A cyber policy unrooted from a cyber doctrine is unlikely to be smart policy. In general, administrations can only create smart policy when guided by a thorough understanding of the threat environment as well as the principles that govern which threats to address. This is especially true in the cyber environment, where a threat could be espionage, criminal, or destructive in nature, and the actors could range from states such as North Korea to terrorist groups, criminals, or hacktivists. These actors’ capabilities vary widely, as do the threats they pose; a comprehensive cyber doctrine would help experts decide how to think about each of these threats and respond in a manner that contributes to greater U.S. security objectives.
A governing cyber doctrine would also help experts decide where to put resources, both in terms of manpower and for the research and development of cyber capabilities. Few cyber experts expect a U.S. cyber doctrine to dictate that the U.S. stop every threat from every possible actor, from the Chinese down to a solitary hacker dedicated to cyber vandalism. However, a cyber doctrine would clarify expectations, both by helping government agencies figure out where to allocate resources in order to pursue American priorities, and by making clear to private corporations what protection and aid they should receive from the government in the face of varying cyber threats.
Finally, developing a cyber doctrine would make cyber deterrence significantly more feasible. Deterrence is based on underlying assumptions about who can be deterred and how. It incorporates psychology, expectations about how an adversary will respond to a threat, and calculations related to the harm a country is willing to incur. A cyber policy lacking a cyber doctrine will not capture all those assessments. Developing a doctrine that governs cyber policy, on the other hand, would enable the U.S. to develop a strategy, capabilities and a public posture towards cyber threats and to potentially deter those threats altogether.
The cyber field is incredibly complex—it encompasses a wide variety of threats and actors, and will force the U.S. to make difficult decisions regarding whom can be deterred and when, where to put resources, and when to deploy offensive weapons. All these calculations should be geared towards the primary goal of maintaining American security. The U.S. deserves more than policy—it deserves a doctrine.