By: Benjamin Carsman, Columnist
Photo Credit: DoD News
On September 18, the US Department of Defense released a ten-page unclassified summary of its 2018 Cyber Strategy.[i] While substantially different in many regards from the 2015 Cyber Strategy released by the Obama Administration,[ii] two aspects in particular merit attention. First, the strategy recognizes day-to-day competition in cyberspace with strategic rivals and adversaries as an unacceptable status quo, requiring a far more active defensive posture; and second, this posture will require DoD to take a more expansive role in defending non-DoD critical infrastructure and regulating Defense Industrial Base (DIB) networks and systems. When considered alongside the recent revisions to PPD-20,[iii] which allow greater freedom of action in responding to cyber attacks by eliminating the requirement that all offensive cyber operations receive presidential approval,[iv] these policy shifts clearly demonstrate that the Department of Defense will be taking a much more aggressive and expansive role in actively defending US interests and networks than before.
The foundation of this year’s strategy is its focus on strategic competition, specifically with Russia and China, and its effects in the cyber domain. According to the strategy, “Competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.”[v] Moreover, this situation has become untenable, and the United States “cannot afford inaction: our values, economic competitiveness, and military edge are exposed to threats that grow more dangerous every day.”[vi] The result of this analysis is a new defensive posture—“defending forward”—which is perhaps the most striking feature of the strategy.
The DoD will now “take action during day-to-day competition to preserve US military advantages and to defend US interests” and “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”[vii] When taking into account the aforementioned revisions to PPD-20, this would likely entail allowing DoD cyber operators increased leeway not only to routinely conduct ‘active defense’ (i.e., hacking back) during breaches, but also to penetrate adversaries’ networks beforehand in order to gather the intelligence necessary to thwart malicious activity early in their operational execution or preempt it altogether. Furthermore, “activity that falls below the level of armed conflict” likely refers to disruptive or destructive attacks on Information and Communications Technology (ICT) networks being leveraged by attackers, signaling an increase in aggressiveness and risk acceptance.
Another aspect of DoD’s cyber strategy that stands out is the apparent expansion of the Department’s role in defending critical infrastructure and regulating the Defense Industrial Base. Though more bureaucratic and less dramatic, this shift in posture is still highly consequential. According to the strategy, the Department must “be prepared to defend non-DoD-owned Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) networks and systems,”[viii] signaling a more hands-on approach for the Department in critical infrastructure protection outside of DoD networks. Additionally, while there were various references to coordinating with interagency partners, the Department of Homeland Security and FBI—currently two lead agencies in critical infrastructure protection and cyber defense investigations—were not explicitly named. When combined with the absence of defined agency roles in the National Cyber Strategy released this week,[ix] this appears to signal that an enhanced DoD role in supporting critical infrastructure protection writ large may be imminent.
On a related note, and of particular concern to Chief Information Security Officers at DIB contractors across the Beltway and beyond, the DoD strategy also calls for the Department to “set and enforce standards for cybersecurity, resilience, and reporting; and be prepared, when requested and authorized, to provide direct assistance, including on non-DoD networks, prior to, during, and after an incident.”[x] As such, DIB entities may see more robust regulation, accountability, and penalties for lax cyber security practices, to potentially include increased network monitoring and defense by DoD personnel. This is unsurprising given the strategy’s focus on addressing enduring strategic competition and the undermining of the United States’ military, economic, and technological advantages by rivals and adversaries. The shift in policy may also signal that DoD has run out of patience with DIB companies policing their own networks and is more willing to take direct action to prevent consequential breaches, like the Chinese hack of General Dynamics Electric Boat this June that resulted in the theft of an electronic warfare library, information about the Navy’s cryptographic systems, and highly sensitive US submarine technology.[xi]
Clearly, the 2018 Department of Defense Cyber Strategy represents a significant shift from our nation’s previous cyber security posture, provoked by a sober recognition that the current era of strategic competition is characterized by daily conflict in cyberspace, and that the U.S. must be more assertive in confronting these threats. While this may well increase the risk of escalation,[xii] the authors of this strategy would likely argue that the current status quo, characterized by penetrations of our critical infrastructure networks,[xiii] erosion of our military, economic, and technological advantages,[xiv] and the undermining of our democracy,[xv] is simply unsustainable. As such, a more aggressive cyber security strategy is a critical first step towards altering this status quo and defending US interests in cyberspace.
[i] United States, Department of Defense, Summary of the 2018 Department of Defense Cyber Strategy, September 18, 2018, accessed September 21, 2018, https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
[ii] United States, Department of Defense, The Department of Defense Cyber Strategy 2015, April 2015, accessed September 23, 2018, http://archive.defense.gov/home/features/2015/0415_cyber-strategy/final_2015_dod_cyber_strategy_for_web.pdf.
[iii] Presidential Policy Directive 20 is an Obama-era directive governing the interagency process for conducting cyber operations; “FACT SHEET: Presidential Policy Directive on United States Cyber Incident Coordination,” National Archives and Records Administration, accessed September 29, 2018, https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/fact-sheet-presidential-policy-directive-united-states-cyber-incident-1.
[iv] Erica D. Borghard and Shawn W. Lonergan, “What Do the Trump Administration’s Changes to PPD-20 Mean for U.S. Offensive Cyber Operations?” Council on Foreign Relations, September 10, 2018, accessed September 29, 2018, https://www.cfr.org/blog/what-do-trump-administrations-changes-ppd-20-mean-us-offensive-cyber-operations.
[v] United States, Department of Defense, Summary of the 2018 Department of Defense Cyber Strategy, 1.
[vi] Ibid., 2.
[vii] Ibid., 1.
[viii] Ibid., 3.
[ix] United States, Executive Office of the President, National Cyber Strategy of the United States of America, 8, September 20, 2018, accessed September 25, 2018, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
[x] United States, Department of Defense, Summary of the 2018 Department of Defense Cyber Strategy, 3.
[xi] Chris Bing, “Chinese Hackers Stole Sensitive U.S. Navy Submarine Plans From Contractor,” Cyberscoop, June 11, 2018, accessed September 29, 2018, https://www.cyberscoop.com/submarine-contractor-hacked-china-us-navy/.
[xii] Ben Buchanan, “The Implications of Defending Forward in the New Pentagon Cyber Strategy,” Council on Foreign Relations, September 25, 2018, accessed September 29, 2018, https://www.cfr.org/blog/implications-defending-forward-new-pentagon-cyber-strategy.
[xiii] United States, Department of Homeland Security, Computer Emergency Readiness Team, Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors, March 15, 2018, accessed September 25, 2018, https://www.us-cert.gov/ncas/alerts/TA18-074A.
[xiv] United States, Office of the Director of National Intelligence, National Counterintelligence and Security Center, Foreign Economic Espionage in Cyberspace, July 24, 2018, accessed September 25, 2018, https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf.
[xv] United States, Office of the Director of National Intelligence, Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections, January 6, 2017, accessed September 25, 2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf.