I discuss here two illustrative cases of paradoxical puzzles in cybersecurity:

1) To reduce failures, aim at having some failures;

2) To get better international cybersecurity, have fewer rules and limit prosecutorial-type enforcement.

First, to reduce failures, don't aim at a state where there are no failures. More sophisticated approaches to cybersecurity embrace paradox (or, if you will, irony). One salient example is the concept of “zero trust,” where, in effect, cybersecurity never sleeps. Additionally, a state of perfect security would breed complacency. Preferable to have imperfect security, where skirmishes lead to vigilance, and modest occurrences of failure cultivate determination.

Second, while rules and enforcement are important parts of any cybersecurity program, in dealing with nation-state actors who may not be subject to U.S. domestic law enforcement (akin to dealing with quantum particles that do not observe Newtonian laws of physics), it's often preferable to aim at somewhat ambiguous principles which enjoy broad consensus than to aim at rules and enforcement. Read more about Tool Without A Handle: Cybersecurity Paradoxes