Cyber warfare is a growing segment of operations globally. One that, unlike conventional warfare, our country is under-staffed and unprepared to engage with enemies in.

While our current deterrents to conventional and nuclear engagements may be effective (if potentially catastrophic) they are not nearly as effective in cyberspace, because digital attacks take time to trace and often cannot by traced with any reasonable degree of certainty. This raises the question of how we determine if an attack is state-directed or perpetrated by non-state actors and if such a person were to attack the U.S. how do we retaliate against them?

It’s also worth noting how dependent we, as a nation, are on flawed software and hardware. The vast majority of our economy, information and infrastructure are potential vectors that could be exploited by attackers. However, some of our most potent threats in cyberspace lack this dependence on digital controls for these important aspects of their well-being. We could threaten North Korea or Iran with retaliation if they perpetrated such an attack, but they have much less that’s at risk regardless of if we are successful in such a retaliatory attack.

One thing that our government has improved on lately is treating digital threats to Americans in the same way a physical attack on American infrastructure would be. The government has been reluctant to formally accuse states like Russia, Iran, China and North Korea in the not-so-distant past but seem more willing to, following the Russian hack of the Democratic National Committee and the Department of Homeland Security’s formal accusation. Another is updating systems, which is necessary for securing our digital infrastructure from attack. The U.S. Navy paying Microsoft nearly $10 million to continue supporting Windows XP, rather than designing and implementing an upgrade plan for their service’s infrastructure was a waste of money when the systems would inevitably require a real update solution. The cost associated with timely updates of hardware and software will seem negligible versus the cost of having our security systems compromised by foreign (state-backed or non-state) or domestic actors.