Despite a decade of prolific writing, many questions about cyber power, cyber war, and cyber attack remain unresolved. In particular, national governments, including the U.S. Government, do not yet have wellformed cyber attack policies and strategies or the frameworks around which to build them. Furthermore, accelerating changes in power distribution, cyber technology, and other dynamics of the strategic environment exacerbate the dearth of open, distinct, and explicit cyber attack guidance. If such well-defined guidance did exist, what questions would one reasonably expect it to answer? On what intellectual foundation should a state build its cyber attack policy and strategy? If an outsider wanted to understand an actor’s strategic guidance, what clues would he look for?
Answers to these questions could—and this article argues should—reside in four foundational elements: contextual views, the cyber attack spectrum, balance of focus, and appropriate circumstances. How an actor approaches each of these elements fundamentally shapes the myriad details of subsequent policy and strategy. One could use a framework based on these elements as a model to think about and discuss cyber attack in a structured way, a basis for forming one’s own policy and strategy, or a tool for assessing and understanding the strategic guidance of another actor. This article first presents such a framework and then uses it to make recommendations for U.S. national guidance