Defending Forward: The 2018 Cyber Strategy Is Here

Great-power strategic competition, defend forward, and prepare for war: These are the three central tenets of the newly released summary of the 2018 Department of Defense Cyber Strategy. The new strategy document is decidedly more focused, risk-acceptant, and active than its predecessor in 2015. It centers on China and Russia, arguing that the United States must actively counter these state actors with a strategy that seeks to preempt, counter, deter, and win. Although the strategy maintains the 2015 document’s dedication to a free and open internet, the new version contains a number of terms that deserve unpacking, among them “defending forward,” “persistence,” and “defense critical infrastructure.” Regardless of the new terminology, the upshot for strategic focus is clear: Deterrence is no longer the prominent pillar of U.S. cyber defense strategy and the United States has moved past preparations for defense and will now confront the adversary on its home turf.

A New Environment

The 2018 Cyber Strategy reflects the changes in the political, technical, and institutional environment over the last three years. In that time, the cyber threat has evolved significantly, including the Russian campaign against the U.S. election, the proliferation of ransomware attacks on critical infrastructure (such as WannaCry and Petya), and the mass exploitation of U.S. intellectual property by both state and nonstate actors. Meanwhile, the Defense Department has matured its cyber forces since 2015, with the elevation of Cyber Command to a unified command, the maturation of the 133 cyber national mission teams, and the initiation of the first public cyber campaign within a conventional conflict (Joint Task Force-Ares, the cyber operations against ISIL in Syria).

There have also been broader political changes. Under the Trump administration, the new National Defense Strategy and National Security Strategy have focused U.S. foreign policy on great-power competition and taken a generally more risk-tolerant view of the use of power. Perhaps most significantly for cyber space strategy, the Trump administration has rescinded the Obama-era presidential directive on response to cyber activities (PPD-20), which is now under revision. The original directive limited the role of the Defense Department to defending the nation, and designated other agencies, such as the Department of Homeland Security, as the lead for significant cyber attacks against America’s civilian infrastructure.

The New Strategy: What’s Changed and What’s the Same?

In the midst of all this change, a number of factors remain the same between the 2018 and 2015 Cyber Strategies. Most importantly, both treat the open, free, and reliable internet as a foundational objective for U.S. national security. Both strategies accept that this open internet may increase vulnerabilities, but also creates prosperity and national security advantages that make those vulnerabilities a worthwhile risk. This is a telling similarity between the two documents because it represents a continued belief that the current structure of the internet benefits the United States. This is remarkable coming from two administrations that hold divergent beliefs about America’s place within the international order.

Both strategies also emphasize the role of increased cyber defense and resilience in ensuring the U.S. military’s conventional warfighting superiority, though the 2018 strategy appears more realistic about the prioritization of defense and resiliency measures within the warfighting force. Additionally, both strategies highlight the importance of cultivating cyber talent and place significant focus on technological innovation (though the 2018 strategy offers more mature ideas about talent and tech, including the Cyber Excepted Service and the use of cloud computing and artificial intelligence). Finally, both strategies recognize the need for alliances and international engagement in order to achieve strategic objectives.

There are, however, significant differences between the two strategies that lead to very different cyber behaviors, capabilities, and responsibilities. Perhaps the most glaring is that the tone of the two documents is strikingly dissimilar. The 2015 strategy strove to “mitigate risk” and “control escalation.” In comparison, the 2018 strategy takes a much more active and risk-acceptant tone, pledging to “assertively defend our interests.” This is because the document views the main risk to U.S. objectives not as the use of cyber operations, but rather “inaction: [as] our values, economic competitiveness, and military edge are exposed to threats that grow more dangerous every day.” Further, the 2018 strategy exhorts the Defense Department to “win” and “preempt,” two words noticeably absent from the earlier strategy. The new document also articulates a change in the department’s cyber mission priorities. In 2015, these priorities included defending the .mil, preparing to defend the United States, and “if directed by the President” providing cyber capabilities to support military operations. In contrast, 2018 advocates more expansive and active missions to defend forward, compete daily, and prepare for war.

Defend Forward        

The introduction of a new mission to “defend forward” is perhaps the most significant difference between the two strategies. The term demonstrates not only the more active tone of the 2018 strategy, but also the urgency envisioned by the document. Whereas the 2015 strategy called on the Department of Defense to “be prepared to defend the U.S. homeland and U.S. vital interests,” the 2018 strategy drops “be prepared” and instead orders American forces to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This is interesting for several reasons. First, the strategy places defense outside the bounds of the .mil (the networks owned and operated by the U.S. military) and instead advocates defense of resources that enable military operations but may operate on the .com (private industry). The strategy also expands departmental efforts beyond U.S. geographic boundaries. By instructing forces to halt activity at its source, the strategy advocates operations that degrade adversary cyber activity before those actions reach U.S. networks or assets — think scouting teams or counterintelligence operations versus building or defending a wall around networks. Additionally, “defend forward” suggests a preemptive instead of a reactive response to cyber attacks. Reactive strategy might focus on hack-backs, while a preemptive strategy might focus on operations that prevent an adversary’s cyber unit from accessing the internet. Finally, the strategy asserts that the United States will be willing to take these actions before or absent armed conflict. This implies that the restraint seen under the Obama administration may no longer be the norm in Trump’s Department of Defense.

Defending forward also has significant implications for the Department of Defense’s role in defending critical infrastructure, or the sectors of an economy that are considered vital to a country’s economic prosperity or national security. Whereas the 2015 strategy focused on the .gov and delegated defense of critical infrastructure to other federal agencies, the 2018 strategy shows the department seeking a much more proactive role (notably, Homeland Security’s role was significantly diminished in the strategy). In particular, the strategy asserts that the Defense Department must be prepared to defend “defense critical infrastructure,” which it defines as “the composite of DoD and non-DoD assets essential to project, support, and sustain military forces and operations worldwide” as well as the defense industrial base. It will do this not by invoking defense support to civil authorities (a focus in the 2015 strategy), but instead by building “trusted relationships with private sector entities that are critical enablers of military operations and carry out deliberate planning and collaborative training that enables mutually supporting cyber activities.” (See, for example, Project Indigo). The private sector is, therefore, no longer last in the list of relationships that are pivotal to defense of the nation’s networks. It is also not an actor to be managed, but instead to be treated as an ally and a relationship that is mutually beneficial. This will allow the Department of Defense to lean on the high concentration of talent within the private sector as well as to attain more situational awareness about potential state cyber campaigns that target private sector assets.

Day-to-Day Competition

The language of competition in the 2018 Cyber Strategy aligns closely with that of the National Security Strategy and National Defense Strategy, as does its focus on China and Russia. The strategy highlights these two countries in the introduction as “states that can pose strategic threats to U.S. prosperity and security” and discusses the need to prioritize Defense Department cyber resources to “persistently contest malicious cyber activity in day-to-day competition.” This focus leads logically to a strategy of tailored deterrence against attacks by competitor states that might “constitute a use of force against the United States, our allies, or our partners.” That suggests deterrence is no longer focused on cyber exploitation (stealing data) nor on cyber attacks that solely create economic effects. Another major difference is that the 2018 strategy emphasizes the constant nature of the competition (the document uses the term “persistence” four times) and advocates a strategy not of one-off responses to events, but instead concerted ongoing efforts to win in cyber space.

In contrast, the 2015 strategy specifically avoided the word “competition.” In general, the tone of that document was about being prepared to react to any number of events from a wide array of actors. For example, the strategy included not only large states like China or Russia but also Iran, North Korea, ISIL, criminal actors, ideological groups, patriotic entities, and other nonstate actors. All of these nonstate actors are left out of the 2018 strategy and Iran and North Korea are not called out as peer competitors and top priorities. This focus on a wide array of actors and actions in the 2015 strategy led logically to a comprehensive deterrence strategy for a wide range of cyber activities. This comprehensive strategy did incorporate options for responding to future events, but in general viewed these confrontations as discrete incidents, not as a constant competition. The shift, therefore, is that the 2015 strategy sought to preserve the status quo, while the 2018 document assumes the status quo is already in jeopardy.

Prepare for War

Finally, the 2018 Cyber Strategy concludes with an admonition to the Pentagon’s cyber forces to prepare for war (yet another phrase not used in 2015). And while this statement may appear incendiary, it represents a larger Defense Department focus on readiness and lethality combined with the competition rhetoric of the National Security Strategy and National Defense Strategy. “Prepare for war” also could be a rhetorical device to elevate a sense of urgency regarding the integration of cyber operations within joint warfighting, as well as a reminder to conventional warfighters about the extraordinary vulnerabilities inherent in U.S. digitally enabled weapons and operations. It aligns closely with the tone of the 2018 U.S. Cyber Command Vision, which emphasizes the “at war” mentality of the joint cyber force.

Challenges and Moving Forward

The 2018 Department of Defense Cyber Strategy represents a thoughtful maturation of U.S. defense cyber strategy that aligns closely with administration priorities and reflects the realities of resource and talent constraints within the department. However, there are significant challenges to the implementation of the strategy and elements that require significant debate as they are pursued. An area that deserves more attention is the relationships that the Department of Defense should have with the vastly different sectors of critical infrastructure. For instance, federal elections — a new addition to the list of critical infrastructure — are managed at the state level. This begs a debate over how cyber defense is applied at the state and local level and the role the military should play in electoral processes. The department should also be aware that the private sector’s priorities may not always align with the government’s. The private sector, particularly firms that operate globally, have competing interests in maintaining their place in the market and may privilege their shareholders or employees over U.S. security priorities (see for example Google’s fraught relationship with both the U.S. Department of Defense and China). Also, as government services continue their transition to cloud-based storage and service run by the private sector — for example, with the Joint Enterprise Defense Infrastructure contract — the public-private geography of defense vulnerabilities may place companies like Amazon in a position to be “defended forward.” That could be a complicated relationship with unforeseen potential to escalate state competition to civilian infrastructure and the private sector.

Most importantly, there are both benefits and pitfalls to this much more forward-leaning and risk-acceptant cyber strategy. First, we want to be clear about how this strategy frames risk. The 2015 strategy spoke explicitly of the risk of using cyber operations and extensively about the risk of escalation from U.S. cyber operations. The implicit assumption was that the primary risk to U.S. security comes from America itself using cyber operations, not from adversary cyber operations. The 2018 strategy, while being more risk-acceptant about acting in cyber space, is much more risk-averse about America’s ability to continue absorbing the same rate of cyber attacks, especially from China and Russia. In that sense, the strategy makes a useful pivot toward framing risk in a way that aligns much more closely with how members of private industry view the cyber threat and the role of government. This will likely lead to better use of defense resources (for instance on offensive cyber teams instead of repairing damaged private networks after an attack), a more effective deterrence strategy, and options and authorities for slowing down the pace of cyber attacks against the United States (particularly its critical infrastructure). Further, the focus on degrading adversaries’ cyber capabilities instead of threatening attacks on adversary civilian infrastructure looks closer to counterintelligence operations than a strategic plan to cripple an opposing nation (which could be highly escalatory). Increasingly, scholarly analysis of cyber operations and crisis stability suggests that these kinds of cyber vs. cyber operations can occur below the threshold of conflict without escalating to conventional military uses of force.

Despite these strengths, the strategy, ironically, run the risk of the same sort of escalation the Obama administration sought to avoid by restraining its operations in cyber space. In particular, we can never be completely sure that more aggressive strategies in cyber space will not spill over to the conventional warfighting domains, both because of the uncertainty about the cascading effects of cyber attacks and about unknown adversary beliefs regarding those attacks. To mitigate some of that risk, Erica Borghard and Shawn Lonergan have recommended rules of engagement and cyber confidence-building measures (also advocated in the 2018 strategy) that encourage risk management internally and signal restraint externally. Finally, more work needs to be done to understand what types of targets or effects might inadvertently trip a country into escalation — something the Department of Defense should continue to explore even as it implements a more confrontational strategy.

Overall, there is much to be optimistic about in the 2018 Cyber Strategy. If only in words, it certainly moves the United States significantly closer to a mature, if aggressive, articulation of cyber defense for a nation (and not simply .gov and .mil assets) defending against, below, and above the level of armed conflict.

Nina Kollars is an associate professor within the Strategic and Operational Research Department at the Naval War College, a nonresident fellow of the Modern War Institute, and a core faculty member of the newly established Cyber and Innovation Policy Institute. Follow her @nianasavage on Twitter.

 Jacquelyn Schneider is an assistant professor within the Strategic and Operational Research Department at the Naval War College and a core faculty member of the newly established Cyber and Innovation Policy Institute. Follow her @JackieGSchneid on Twitter.

 The opinions expressed herein are our own and do not reflect the views of the Department of Defense, the Department of the Navy, or the Naval War College.

Image: Airman Magazine