Editor’s note: This article is the seventh in an 11-part series examining how the United States should organize, lead, and integrate economic statecraft into strategy, defense practice, and the broader national security ecosystem. This special series is brought to you by the Potomac Institute for Policy Studies and War on the Rocks. Prior installments can be found at the War by Other Ledgers page.
Americans lost nearly $21 billion to cybercrime in 2025, a new record for cyber-enabled economic losses. Private sector losses to malicious cyber activity regularly exceed $200 billion in a given year. Alongside criminal groups, state-sponsored hackers are increasingly targeting America’s pocketbook. Neither the economic sphere nor cyberspace are classic terrestrial warfighting domains. Yet war is being actively waged through both realms and national cyber security is vital to the prosperity and protection of today’s hyperconnected economy.
China is both the greatest economic threat and the most active and persistent cyber threat to the United States. Both its economic and cyber statecraft campaigns reach deep into America’s government, private sector, and critical infrastructure. These two efforts overlap: Cyber espionage, digital theft, and supply chain compromises are key pillars of China’s strategy to undermine the U.S. economy. Addressing this challenge requires marshaling economic and cyber power into cohesive, coordinated campaigns.
Given the inseparable nature of modern economics and cyberspace, the future of American economic statecraft lies in lessons from the nation’s cyber past. America’s evolving approach to contemporary economic statecraft still suffers from strategic immaturity, information sharing barriers, and institutional fragmentation. U.S. cyber statecraft has grappled with identical issues for over a decade, moving from firewalled initiatives to more coherent national collaboration. Lessons from cyber statecraft show that U.S. economic statecraft should develop new strategic paradigms, recraft information sharing incentives, and centralize disparate bureaucratic efforts.
The Intersection of Economic and Cyber Statecraft
Economic statecraft focuses on deterring, compelling, or persuading through tools like sanctions, export controls, development aid, tariffs, and investments. Similarly, cyber statecraft seeks to achieve policy objectives by manipulating incentives and security around digital resources, infrastructures, and interactions. This can include conducting cyber operations — the use of computer code to defend, exploit, or attack computers, networks, and their information.
Both necessitate whole-of-government action and private sector coordination. Economic and cyber issues cut across bureaucracies, impacting both strategic goals and daily operations. Governments set policy, but the private sector is on the front lines carrying out day-to-day statecraft. The private sector dominates the U.S. economy: Federal spending and consumption only account for roughly 23 percent and 17 percent of the 2025 gross domestic product, respectively. Private spending also dwarfs government investment in cyber-related sectors like telecommunications and infrastructures like data centers. Furthermore, the private sector remains disproportionately targeted by malicious economic measures and cyberattacks.
The practice of economic statecraft and cyber statecraft has increasingly converged. Much of contemporary economic statecraft relies on and is executed through cyberspace.
Nowhere is the extensive overlap clearer — and failure more catastrophic — than in the financial sector. The U.S. equities market relies on digital systems to create over $1 trillion of activity per day. The New York Stock Exchange alone digitally processes over 1.2 trillion order messages daily. Within domestic banking, over 800,000 electronic wire transfers occur daily amounting to over $4.6 trillion. The Automated Clearing House Network, used for direct depositing paychecks, averages roughly 141 million transactions a day totaling $368 billion. International transactions rely on digital messaging through the Society for Worldwide Interbank Financial Telecommunication (better known as SWIFT) to communicate and validate payment transfer details. Economies collapse without the digital tools and public-private partnerships built through cyber statecraft.
The funds and sensitive data transferred across the financial sector are also prime targets for cyberattacks. The scope of compromise is massive. For example, data breaches of JPMorgan Chase in 2014, Equifax in 2017, and First American Financial Corp in 2019 cumulatively exposed over one billion customer records. By 2025, a single cyberattack cost financial institutions over $5.5 million on average.
Adversarial activities by states like North Korea encompass financially motivated cyberattacks for economic ends. Digital cryptocurrency theft has allowed the Kim Jong Un regime to sidestep international sanctions and fund its nuclear weapons program. For economic statecraft, cyberattacks are enablers for the theft of intellectual property, proprietary economic data, and corporate trade secrets, the damages of which have been previously highlighted in this series.
Simultaneously, economic statecraft tools underpin elements of cyber statecraft. The International Emergency Economic Powers Act of 1977 and the 2015 National Defense Authorization Act give the president authority to block financial transactions and seize property of foreign individuals engaging in malicious cyber activities. The US government has used this authority to punish Russian election interference, the SolarWinds hack, and adversarial involvement in internet infrastructure and telecommunications companies. Programs like the Department of the Treasury’s Office of Foreign Assets Control Cyber-Related Sanctions and rulings from the Department of Commerce have been key to implementing presidential decisions.
Economic and cyber statecraft touch on nearly every element of society, from protecting bank accounts to protecting government secrets. Due to the inextricable interdependencies between global digital markets and cyber security — and the necessity of private-public collaboration across both — the evolution of U.S. cyber statecraft holds valuable lessons for its refinement of economic statecraft.
Lesson 1: New Strategic Paradigms for More Effective Competition
Senior policymakers have yet to advance a strategic vision that clearly reimagines U.S. economic competition amidst contemporary geopolitics. Instead, various departments and committees have released strategies for addressing individual elements of economic statecraft without a unified approach. The result is a fragmented, short-term approach to economic security that lacks a comprehensive direction for longer-term competition.
Much like economic statecraft today, America’s early strategic approach to cyberspace lacked a unified vision for ongoing competition with adversaries.
Slow to recognize the risks of adversarial threats, early strategies cast cyberspace as a balance between the promises and vulnerabilities inherent in new information technologies. The first national cybersecurity strategy in 2003 and subsequent documents advanced this framing with little emphasis on adversaries. While the Department of Defense named cyberspace as a warfighting domain in 2011 and acknowledged the threat of external actors, it received no more attention than insider threats or supply chains.
Instead of defining clear tools, roles, and authorities for competition, cyber statecraft of the 2000s and early 2010s defaulted to self-restraint, nuclear-style deterrence logics, and the case-by-case response to cyber incidents. Direct confrontation and sustained competition with adversaries in and through cyberspace was the exception, not the norm.
As a result, U.S. cyber statecraft relied on individual departments and agencies to deploy respective economic, diplomatic, and legal means for addressing security concerns arising from adversaries. Deterrence thinking prevailed but was consistently undermined by threat actors. Deterrence hinges on reliably and systematically imposing costs on attackers or reducing or denying their potential gains. This is nearly impossible in cyberspace, where attackers face multiple avenues for compromise with few risks, particularly with lower-cost techniques like ransomware.
Today’s economic statecraft looks the same: A reactive, piecemeal approach of disparate and episodic experimentation with individual policy tools without a catalyzing vision.
For cyber statecraft, 2018 marked an important turning point. The Department of Defense and U.S. Cyber Command redefined the competitive landscape through two strategic concepts. In 2018, the Department of Defense introduced the “defend forward” concept, whereby the United States would “disrupt malicious cyber activity at its source.” Cyber Command’s framework of persistent engagement operationalized the concept, further shifting U.S. posture from crisis response to active campaigning through ongoing, preemptive cyber operations.
This pivot away from restraint and deterrence advanced a new strategic paradigm: Proactive cyber operations paired with private sector and allied engagement to deny, degrade, disrupt, or destroy adversarial cyber threats below the threshold of armed conflict. The national cyber strategies of 2023 and 2026, along with the Defense Department’s 2023 Cyber Strategy, reinforced the vision to leverage out-of-network operations for disrupting malicious actors.
Greater military and law enforcement initiative has become an increasingly important prong of cyber statecraft alongside more traditional defensive measures like the “Shields Up” and “Shields Ready” programs of the Cybersecurity and Infrastructure Security Agency. Economic statecraft today has no emphasis on active and sustained campaigning to gain and maintain strategic advantage.
American economic statecraft is at an inflection point where a paradigmatic shift in strategy could create a more comprehensive approach to maintaining competitive advantage. The United States should formulate a longer-term, objectives-based strategy underpinned by active and persistent economic campaigning against adversaries.
Lesson 2: Changing Incentive Structures for Information Sharing
Effective economic statecraft requires information sharing between government and the private sector. Each has important insights that contribute to a competitive economic edge. However, as Karyn Eliot and Jennifer Buss highlight, there are numerous barriers. National security intelligence and corporate America remain siloed: Existing incentives and practices have led to fragmented, transactional information sharing.
The same was true for cyber information sharing prior to 2015. Public-private information sharing at the time occurred through the Department of Homeland Security’s Office of Intelligence and Analysis and the National Protection and Programs Directorate (the predecessor to the Cybersecurity and Infrastructure Security Agency). Although not formalized until 2014, both possessed authorities for information and intelligence sharing between the government and private sector.
Yet, the private sector was highly averse to sharing threat information. Companies feared shared cyber intelligence might spur regulatory investigation or appear as evidence in regulatory action. They also feared that proprietary or embarrassing information included in intelligence might become public through Freedom of Information Act mechanisms. Companies further worried the federal government could waive intellectual property rights associated with shared intelligence concerning stolen proprietary data or trade secrets. Corporations expressed broader concerns that volunteering cyber information to the government might violate privacy laws and that commercial-to-commercial sharing might result in liability over negligence, violate fiduciary and privacy obligations, or appear as coordinated anti-competitive actions.
Information sharing for economic statecraft faces these same disincentives today. Legislation was key to remedying these barriers for cyber statecraft, but Congress has yet to craft a solution for economic statecraft.
The Cybersecurity Information Sharing Act of 2015 greatly reshaped these incentives. It advanced key definitions for 18 information sharing concepts. This common set of terms facilitated information sharing agreements and laid the groundwork for subsequent efforts to clarify incident reporting standards. The Department of Homeland Security became the official hub for public-private sharing and for distributing information to other departments coordinating sector-specific cybersecurity. The law also included provisions for Information Sharing and Analysis Organizations to facilitate cyber threat information sharing among voluntary members.
The law established the federal government’s “duty to share” with the private sector, creating a default posture of information flow instead of one concerned about intelligence gains or losses. It also limited federal uses of information for defending against cyber threats or in response to threats like terrorist attacks or serious economic damages.
For private companies, it implemented cyber intelligence sharing protections, including exemptions from regulatory and antitrust enforcement, limiting disclosures under the Freedom of Information Act, and the retention ownership over proprietary information.
Similar legal changes are necessary for economic statecraft efforts. Without changing incentive structures, the government and private sector face an uphill battle in sharing and acting on economic threat information.
Lesson 3: Bureaucratic Centralization Solves (Some) Problems
Economic statecraft responsibilities are spread across federal bureaucracy, making coordination an imperative. As William Norris lays out in his article in this series, more than 1,400 offices across 13 departments and 10 federal agencies have roles relevant to economic statecraft.
Likewise, cyber statecraft is dispersed across the federal government, with over 500 organizations in the Department of Defense alone responsible for elements of cyber operations. Agencies necessarily possess different responsibilities and interests for executing cyber statecraft, and conflicts continue to arise as they compete for resources and power within and across administrations.
Yet, in contrast to economic statecraft, America’s cyber statecraft has produced three examples of centralization that streamlined national efforts: The creation of the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command, and the National Cyber Director.
The establishment of the Cybersecurity and Infrastructure Security Agency in 2018 under the Department of Homeland Security was a watershed moment for civilian bureaucracy. After the globally devastating WannaCry and NotPetya ransomware attacks of 2017, officials moved to centralize and accelerate incident response and information sharing. The new agency to lead cybersecurity programs, operations, and polices and to coordinate security, resilience, and technical assistance efforts across federal and nonfederal entities.
Subsequent consolidation removed redundancy and facilitated more effective coordination. The agency combined stakeholder coordination arms into a single division and created a common communication hub for critical infrastructure partners. It also unified three different operations centers for information sharing and incident response to enhance awareness and threat monitoring. Despite its successes coordinating national cybersecurity, the agency faces a drastically reduced role under the current administration. The Trump administration has made extensive cuts to the agency’s election security, stakeholder engagement, and broader workforce with an eye towards dramatically reducing its budget.
The creation and elevation of U.S. Cyber Command streamlined the coordination and expansion of military cyber operations. Prior to 2010, those activities were relegated to different joint task forces housed at different times under various Department of Defense organizations. The 2008 Agent.BTZ compromise of the Defense Department’s secret computer network showed the need to centralize and coordinate military cyber resources.
U.S. Cyber Command has since provided a unity of command and mission clarity for protecting defense networks and executing cyber operations in service of policy goals. Additionally, because one individual leads both U.S. Cyber Command and the National Security Agency the Department of Defense can assess and mitigate the tradeoffs of disrupting or continuing intelligence collection on an adversary. The 2018 elevation of U.S. Cyber Command to a standalone combatant command served to attract greater resources and coalesce coordination to combat adversarial cyber threats.
Economic statecraft lacks similar bureaucratic and policy focal points for information flow and stakeholder coordination. Responsibilities remain primarily split among the Departments of Treasury, Commerce, State, and Defense, with no partner leading the dance. A new agency is not the only answer, but effectively coordinating economic statecraft mandates a more permanent solution than temporary, issue-driven interagency committees. The Office of Strategic Capital within the Department of Defense has helped to centralize and scale investments into critical technologies but it has limited coordination ability vis-à-vis other federal departments outside the Department of Defense.
At a higher executive level, Congress established the Office of the National Cyber Director and confirmed the first National Cyber Director in 2021 to better galvanize and coordinate cyber statecraft. Centralizing executive branch leadership was a necessary step to align interagency planning, resourcing, implementation of federal cyber policy and strategy. The Office has since played a central role in developing and implementing the 2023 and 2026 national cyber strategies and the first strategy for improving the national cyber workforce. More broadly, the Office has worked to strengthen interagency, public-private, and international coordination on key U.S. interests related to cyberspace.
A new strategic office or organization is also necessary to align, coordinate, or deconflict the diverse elements of economic statecraft. Any new bureaucracy should also be fit for purpose — reorganization for the sake of reorganization is unlikely to beget increased competitiveness vis-à-vis economic adversaries.
At the same time, the U.S. government should deal with the growing pains a new economic statecraft bureaucracy will inevitably face. For instance, in addition to political pressures, the Cybersecurity and Infrastructure Security Agency remains hamstrung amidst ongoing structural changes, slow response times, and inconsistent engagement practices. U.S. Cyber Command did not eliminate bureaucratic turf battles, and the command still struggles with fragmented command and control over its subcomponents. The Office of the National Cyber Director lacks performance measures and cost estimates for its strategic initiatives, struggles to determine and allocate resources, and has no true enforcement power.
Learning from Cyber: The Way Forward for Economic Statecraft
America’s evolving cyber statecraft, and its corresponding institutions and processes, provide a series of lessons upon which U.S. economic statecraft can build for future success. While challenges for cyber statecraft still remain, the increasing interdependence and overlap between economic statecraft and cyber statecraft necessitate learning from the recent past.
U.S. cyber statecraft has grappled with the same strategic, informational, and bureaucratic challenges facing economic statecraft today. Getting economic statecraft right also bolsters cyber statecraft. The two are interdependent and mutually reinforcing, and the global competitive environment requires leveraging economic and cyber efforts in tandem.
America has all the right tools for conducting effective economic statecraft, and now is the time to integrate them with novel strategy, new incentive structures, and more streamlined coordination.
Jason Blessing, Ph.D., is a research fellow at the Potomac Institute for Policy Studies. His research focuses on the intersection of cybersecurity, defense policy, and international relations. All views are his own and do not represent the views of the Institute. Follow him on LinkedIn and on X/Twitter @JasonABlessing.
**Please note, as a matter of house style, War on the Rocks will not use a different name for the U.S. Department of Defense until and unless the name is changed by statute by the U.S. Congress.
Image: CISA.gov via Flickr.
