Welcome to Cyber Realism: Parsing the 2023 Department of Defense Cyber Strategy
Released to the public on Sept. 12, the Department of Defense’s 2023 Cyber Strategy differs from its predecessors in its lack of bold new buzzwords. The 2015 strategy reimagined deterrence for the cyber domain, and the 2018 strategy articulated “defend forward” as a new foundational concept. But despite being informed by years of major cyber developments — the significant legal and policy changes that enabled U.S. Cyber Command to engage in more frequent offensive cyber operations, as well as the ongoing demonstration of military cyber capabilities in the Russo-Ukrainian War — the 2023 Cyber Strategy offers nothing as momentous.
Having both contributed to the drafting of the new strategy, we believe that this modesty is a good thing. Instead of minting new cyber bumper stickers, the strategy seeks to rationalize and contextualize concepts that already exist. While it may appear as though the strategy has something for everyone (as most strategies do), a closer examination reveals that cyber’s role is consistently limited, caveated, or subsumed by broader frameworks.
Three examples stand out. First is a move away from cyber for cyber’s sake and toward situating cyber effects as one important tool among many for U.S. policymakers — what the Pentagon now calls “integrated deterrence.” Second is a reaffirmation of concepts introduced in 2018 (defend forward and persistent engagement) and a vision for how U.S. Cyber Command might operate below the threshold of armed conflict — what the Pentagon now calls “campaigning.” Third is an attempt to right-size expectations about Department of Defense’s role in civilian cybersecurity.
In short, if the 2023 Cyber Strategy has a theme, it is one of cyber realism. By considering the comparative advantage of cyber capabilities and acknowledging the limits of cyber capacity, the United States is better prepared to direct finite cyber resources against multiplying threats.
Turning the Page on “Cyber Pearl Harbor”
This realism is overdue. For at least two decades, policy discourse around cyber threat, cyber risk, and cyberwar has come to resemble a slowly deflating balloon. Initially, practitioners and experts expressed fears of “cyber doom.” Cyberspace was portrayed as the new “Wild West,” defined by lawlessness and brimming with nefarious actors. Cyber threats were described in the same breath as nuclear armageddon until the two seemed almost to merge: “cybergeddon.” The prospect of a crippling surprise cyber attack against the United States — a “cyber Pearl Harbor” — gripped the imaginations of U.S. policymakers and the American public alike.
As the theoretical danger of cyber attacks became associated with that of nuclear weapons, cyber theorists understandably looked to Cold War–era ideas of nuclear deterrence and coercion to describe how to keep cyber capabilities in check. The result was cyber deterrence: visions of a complex dance of cleverly choreographed cyber attack and counterattack, playing out beyond sight and at the speed of light.
And yet the reality of cyber operations has never measured up to these dramatic expectations. Beyond a few “perfect storm” events like the 2010 Stuxnet cyber campaign, which disrupted Iran’s nuclear enrichment program (and which is very much the exception that proves the rule), the strategic impact of cyber operations appears quite modest. U.S. Cyber Command’s 2016 Operation Glowing Symphony certainly created friction for the Islamic State, but the bluster of dropping “cyber bombs” was largely overblown. Similarly, the U.S. military successfully disrupted the efforts of the Internet Research Agency, a Russian-linked troll farm, to sow disinformation during the 2018 midterm elections and conducted similar operations in both 2020 and 2022. But these were targeted and scoped campaigns with limited effects. Even in Russia’s ongoing war against Ukraine — the largest conventional war of the twenty-first century — the dreaded Russian cyber “shock and awe” has failed to achieve strategic effects.
But the cyber domain can hardly be ignored, either. The total number of publicly known cyber attacks recorded each year continues to rise precipitously. Hostile, state-aligned cyber activity has inflicted tremendous harm on the United States, whether China’s 2015 exfiltration of 22.1 million federal employee records from the U.S. Office of Personnel Management, Russia’s hack-and-leak operation targeting the 2016 presidential election, or emerging evidence of China’s mid-2021 compromise of Guam’s critical infrastructure via Volt Typhoon. Yet even in these most spectacular cases, such cyber activities have not led to escalation between rival states, much less escalation into armed conflict. Instead, the role of cyber operations during interstate competition looks more like a form of subversion, intelligence activity, or sub-crisis maneuvering.
As Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang recently declared, “There are no mushroom clouds in cyber war.” If the prospect of earth-shattering, strategic weapons and complex deterrence schemes does not capture the reality of military cyber, then U.S. cyber policy needs a better frame. The 2023 Cyber Strategy seeks to provide one.
No More “Cyber for Cyber’s Sake”
Traditional cyber deterrence has often looked to a reciprocal, within-domain model, drawing from Cold War–era nuclear deterrence theories. To prevent cyber attacks, so the argument went, the United States had to develop its own strategic cyber capabilities and credibly threaten to use them. This model has remained popular despite the ways in which the mechanics of cyber operations awkwardly diverge from those of traditional nuclear deterrence. These include the challenges of attribution, the ephemeral nature of cyber accesses and exploits, and the fact that demonstrating a cyber capability might enable a target to patch their systems and mitigate the threat. Despite this growing list of caveats, it has remained a common argument that the best way to counter cyber threats is with cyber effects.
The 2023 Cyber Strategy brings this debate back to earth. As the document states, “Cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own.” This is the first time that a high-level U.S. defense document has been so frank about the limits of cyber deterrence theory. Rather, the strategy continues, cyber capabilities are “most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts.” This is a clear articulation of integrated deterrence, the concept that grounds both the 2023 National Security Strategy and the 2023 National Defense Strategy.
Although integrated deterrence has come under a fair bit of criticism for its attempts to blend military and nonmilitary means in a more holistic (and less defense-centric) national security posture, it makes a great deal of sense in a cyber context. How often have cyber threats been extinguished with cyber capabilities alone? Conversely, how often has cyber intelligence helped guide other instruments of national power? Cyber effects might rarely be decisive on their own, but it would be hard to find a modern national security challenge that does not have a cyber dimension — and a potential role for the military’s cyber capabilities.
If the new strategy accomplishes just one thing, it might be this: freeing military cyber from its silo and defining it as a more useful, practical tool for senior leaders in the Pentagon and White House alike.
Cyber Operations Were Made for Campaigning
Despite early speculation that the Joseph Biden White House might significantly curtail the operational authorities delegated to U.S. Cyber Command during the Donald Trump administration, it appears that no such changes have been made. Instead, the 2023 Cyber Strategy reaffirms the concepts of defend forward and persistent engagement, first introduced in the 2018 strategy and U.S. Cyber Command’s 2018 Command Vision, respectively. Those documents cast cyber operations as a perpetual contest between the United States and its adversaries, premised on speed, adaptability, and offensive action. A continuation of defend forward and persistent engagement also suggests a continuation of the delegated authorities necessary to make them work.
The 2023 Cyber Strategy proceeds to fold defend forward and persistent engagement into the broader strategic construct of “campaigning.” Campaigning, which joins integrated deterrence as the second major conceptual foundation of the 2022 National Defense Strategy, entails the “conduct and sequencing of logically linked military activities to achieve strategy-aligned objectives over time.” Although the concept of military campaigns is nearly as old as that of militaries themselves, campaigning also encompasses noncombat activities such as training exercises or freedom of navigation operations that can be used to achieve discrete military or nonmilitary goals. In current Department of Defense strategy documents, campaigning is portrayed as the answer to adversaries’ gray zone activities, enabling the U.S. military to undertake its own operations below the threshold of armed conflict.
Campaigning is a concept uniquely well suited to cyberspace and the day-to-day reality of cyber operations. The 2023 Cyber Strategy outlines several such campaigning activities: generating insights about cyber threats; disrupting and degrading malicious cyber actors by defending forward; and advancing joint force objectives, specifically by making adversaries “doubt the efficacy of their military capabilities as well as the belief that they can conduct unattributed coercive actions against the United States.” Each of these activities requires a rapid and continuous operational tempo. Each falls somewhere short of an act of war. Incorporating defend forward and persistent engagement within the logic of campaigning reflects another form of cyber realism: rather than serving as standalone concepts, they have become part of the drumbeat of interstate competition.
A Leaner Cyber Mission
Just as the 2023 Cyber Strategy is deliberate in its discussion of the utility of cyber operations, it is also frank about the limits of these operations. Far from committing the Pentagon to new, open-ended cyber missions, the strategy more often scopes and refines those missions that already exist.
This shift is especially apparent in the strategy’s treatment of homeland defense. “We once aspired to defend every network,” explained Assistant Secretary of Defense for Space John Plumb in a recent speech on the strategy, “but that is impractical.” Part of the reason arises from legal and normative concerns. Beyond the department’s statutory role in ensuring the cyber security of the defense industrial base, there are few authorities under which military cyber forces may directly interface with domestic civilian networks. These authorities are limited for a reason: Americans have a long history of skepticism about the use of military capabilities on U.S. soil, physical or virtual.
There are also practical reasons for this change. For one, the military is not especially well suited to defending civilian networks. Beyond providing a reassuring presence, there is probably little that a cyber protection team or National Guard cyber unit can do in an emergency that could not be done by a private network administrator or third-party vendor already familiar with the affected enterprise network. Even as policymakers push for more and more cyber “surge capacity” between defense and private or federal civilian networks, it is difficult to find cases in which these authorities have been activated, much less meaningfully employed.
By contrast, the entire defend forward mission set — the act of finding and disrupting malicious cyber activity before it can strike the U.S. homeland — is something that can only be pursued by military cyber operators equipped with appropriate authorities and capabilities. The 2023 Cyber Strategy steers the limited capacity of military cyber toward tasks for which it is uniquely well suited. At the same time, it seeks to bolster that capacity with internally facing reforms to cyber recruiting and retention as well as closer cooperation and information sharing with U.S. private industry. In this way, the Pentagon appears to recognize that the growth of cyber threats is outstripping the growth of military capacity to counter these threats directly and, therefore, the need to prioritize the allocation of cyber resources.
Next Steps for Cyber Realism
Of course, the 2023 Department of Defense Cyber Strategy could say quite a bit more in some areas. The United States has consistently condemned Russian cyber attacks against civilian populations and publicly detailed the legal basis of U.S. cyber operations. But despite this, the strategy acknowledges only that the United States will “reinforce norms of responsible behavior in cyberspace” while leaving the norms themselves undefined. The strategy also states that the United States will build the cyber capacity and capability of allies and partners, but it says less about the utility of cyber cooperation and how it might intersect with U.S. diplomatic aims. Such questions will need to wait for the first U.S. International Cyber Strategy, to be released by the State Department later this year.
There are also important points that the strategy does not address at all. There is no discussion, for instance, about how the Pentagon delineates cyber and information effects, despite the creation of new doctrine and bureaucratic entities intended to address this very problem. Furthermore, while the strategy articulates various lines of effort, it does not explore how the military should prioritize the development and employment of cyber capabilities against various threats, along differing time horizons, and at different thresholds of severity. Developing a cyber capability to deter high-end military aggression, for instance, might look quite different from developing a capability to sustain low-level friction. With regard to such an important foundational question as “What is the best use of the U.S. military’s formidable cyber arsenal?” the strategy remains silent.
Overall, the 2023 Cyber Strategy’s pragmatic frame is apparent throughout the document. In its treatment of cyber operations as one tool among many, its focus on the utility of cyber below the threshold of armed conflict, and its deliberately narrow discussion of the role of the U.S. military in cyberspace, the strategy brings a dose of realism to a field that quite literally emerged out of science fiction. The Pentagon’s thinking about the cyber domain, once abstract and speculative, has become grounded in real-world lessons and examples. And the cyber enterprise itself, having won its seat at the table, must now consider how to use that seat most effectively.
Emerson T. Brooking is a resident senior fellow at the Digital Forensic Research Lab of the Atlantic Council. From August 2022 to August 2023, he was a cyber policy advisor in the Office of the Deputy Assistant Secretary of Defense for Cyber Policy and served on the writing team for the 2023 Department of Defense Cyber Strategy.
Erica D. Lonergan is an assistant professor in the School of International and Public Affairs at Columbia University. She previously served on the writing team for the 2023 Department of Defense Cyber Strategy and was a senior director on the Cyberspace Solarium Commission.
The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense.