The big problem is that cyber warfare is totally different to normal warfare, in fact it’s so different that calling it warfare at all is meaningless. In regular warfare you can build up your own defences without improving your opponent’s defences, and you can develop new weapons that your opponents will not have. This basic asymmetry is key to the very concept of war: the side with the better weapons, defences and tactics should normally win.
But cyber warfare doesn’t work like that. Because everyone uses the same software infrastructure, and the “weapons” are nothing more than weaknesses in that global infrastructure, building up your own defences by fixing problems inherently builds up your opponents defences too. And developing new “weapons” is only possible if your opponents are able to develop the very same weapons for themselves, by exploiting the very same vulnerabilities in your country that you are exploiting in theirs.
Successful spying is invisible and undetected. The infiltration of critical national infrastructure by enemies of the state happens quietly and without anyone realising until it’s too late. A successful penetration of someone else’s infrastructure yields an unforgettable intelligence report that makes the government feel successful and in control. A successful penetration of your infrastructure yields nothing visible at all.