Not sure why people vote you down for sharing your opinion. Having said that, your logic is fundamentally flawed. Governments have to either focus on attacking or defending. Focusing on attacking means keeping a lid on vulnerabilities, which weakens the security of citizens and corporations inside their own country. Focusing on defending means disclosing those vulnerabilities in order to protect everybody, which also means those vulnerabilities can't be used in attacks anymore. You can't really have both.
Not disclosing vulnerabilities is not a question of attacking or defending; it's just stupid to keep vulnerabilities open.
I also didn't propose to uncompromisingly favor attack capabilities. I still don't think effective cyber defense is possible on a national level without leading the edge on offensive abilities as well.
I really don't want to explain it a third time, so let me just ask you a question instead: How do you lead the edge on offensive abilities without keeping vulnerabilities/bugs secret? Let me rephrase that: How do you lead the edge on offensive abilities without weakening the security of the people who are paying your salary; the very same people you swore an oath to protect? Please explain to me how that is possible on a technical level. If you can't, or you still don't really understand what I'm talking about, that's fine. Just ask.
---
I'm gonna explain it a third time. (Looks like you don't want to talk to me.)
Having offensive abilities means having one or more remote exploits ready to use. Having remote exploits ready to use means sitting on undisclosed vulnerabilities. Sitting on undisclosed vulnerabilities means weakening the security of the people you're supposed to protect.
It's quite simple, really. You can't remotely attack a computer without remote exploits. I only count remote attacks as "cyber warfare".
Remote exploits work surprisingly well on unpatched systems, stupid users, misconfigured hardware/software, and if that doesn't work, maybe it's time for a bit of old-fashioned HUMINT.
I just explained to you why that's not true. Let me try again:
Attacking a computer means finding a bug and keeping it secret until you use it to attack said computer. Defending a computer means finding a bug and disclosing/fixing it so that nobody can use it to attack said computer. I hope it's obvious to you that these two ideas contradict each other.
Please let me know if you have questions. This is very important and not intuitive at all. I'd love to help you understand it better.
Attacking someone who is attacking you is also a form of defense. Please let Sun Tzu know if you have questions. This is very important and not intuitive at all, though I don't particularly care about helping you to understand it better since it's considered common knowledge in the modern era.
I can do this all day: In order to be able to attack somebody who's attacking you, you need exploits available to you. If you have exploits available to you, you're making yourself attackable. Do you really not see the problem here?