At the highest levels of national government, two of the most important decisions to get right are properly prioritizing among competing missions and balancing between short-term and long-term objectives. The most consequential and highest-risk threat is attack by one or more nation-states that are intent on projecting power and willing to damage or destroy critical information infrastructure by cyber means in order to achieve this objective. Threat actors falling into this category have the necessary time, resources, sophistication, and access to do so. This category certainly includes cyber warfare. Today, nation-states are beginning to understand in concrete terms the potential benefits and costs of cyber attacks used as a means of projecting national power. It may not take a great deal of a nation's cyber resources, planning time, or technical access to achieve limited national objectives.
In the U.S., cyber defense of critical infrastructures is largely a homeland security mission. It may be that defense always lags the most potent offense. But the goal is an effective defense, not a perfect one. To get ahead of the most serious national cybersecurity risks, including that of cyber warfare, a country's cybersecurity leadership must seek an appropriate balance of resources, energy, and focus between those threats that are most frequent and those that are most consequential. The historical bias in dealing with cyber risk has been to look at it through the lens of commerce, not national security – and to reinforce the emphasis on short-term thinking rather than long-term strategy. One way to overcome this bias is simply to emphasize efforts that mitigate the most consequential risks. A nation's cyber leadership could decide, for example, that it should apply significant early resources to mitigating the national security risk associated with defending critical infrastructure against nation-state threats.