The Pentagon’s Cyber Strategy: What’s New and What it Means

By Kate Charlet

Kate Charlet is the program director for Technology and International Affairs at the Carnegie Endowment for International Peace. She works primarily on the security and international implications of evolving technologies, with a focus on cybersecurity and cyber conflict; biotechnology; and artificial intelligence. Charlet served in the Department of Defense for the last decade, most recently as the Deputy Assistant Secretary of Defense (acting) for Cyber Policy, where she led the development of DoD cyber policy and strategy, guidance on the development of cyber capabilities, and the expansion of international cyber relationships. Charlet is the recipient of the Secretary of Defense Meritorious Civilian Service Award and served in senior advisory roles on the Defense Science Board Task Forces on Cyber Deterrence, on Cyber as a Strategic Capability, and on the Presidential Commission on Enhancing Cybersecurity. Prior to working cyberspace issues, Charlet served as the director for strategic planning at the National Security Council, led teams at DoD working Afghanistan strategy and policy, and conducted research on issues at the nexus of science & security at the Center for Strategic and International Studies. Charlet holds degrees in Molecular Biology from Princeton University and International Relations / Strategic Studies from Johns Hopkins School of Advanced International Studies.

On Wednesday, the Department of Defense (DoD) quietly released an unclassified summary and fact sheet on its 2018 Cyber Strategy, which replaces the 2015 DoD Cyber Strategy. Here are ten things you need to know about the new strategy:

  1. The cyber strategy is deeply influenced by the National Defense Strategy, with a clear logic flow from Secretary James Mattis’ priorities on increasing the lethality of the Joint Force and strategic competition with China and Russia. I’m unconvinced of the centrality of the “lethality” concept for cyberspace, given that militaries use networks so heavily for defensive and logistical needs. But it is not easy to achieve a cyber strategy so genuinely nested in the broader strategic themes of the Department, and this deserves applause.
  2. A major shift is the explicit focus on China and Russia as the top strategic competitors. This is attributed to their roles, respectively, in eroding U.S. military and economic vitality and challenging our democratic processes. Never before has DoD set such unambiguous cyber priorities; U.S. leaders have typically discussed Russia, China, Iran, and North Korea as a group. (And in recent years, the campaign against ISIS became a major focus.) Strategic priorities always get strained by daily crises, so the new emphasis will increase stability and focus. The thing to watch is China’s reaction to being called out so specifically.
  3. A top objective of the strategy remains ensuring DoD can conduct its missions, even when under cyber attack. The importance of this goal cannot be under-stated: if DoD fails in this, then everything else it seeks to do in cyberspace is moot. But the document misses an opportunity to take the concept to the next level. It should have emphasized the need for bolder, well-resourced resilience initiatives such as those the Defense Science Board recommended in 2017.
  4. The concept of “defend forward” is already generating controversy – but it’s really an easier-to-understand evolution of the “defend the nation” concept from the 2015 strategy. Defending forward means that DoD’s cyber operators will operate outside of U.S. borders, seeking to disrupt malicious cyber activity closer to its source. Since DoD has, in all domains, operated outside of the nation’s borders, this should surprise nobody. The Department of Homeland Security (DHS) and Federal Bureau of Investigation have primary responsibility at home.
  5. Far more notable is that defending forward will happen in the context of day-to-day competition, rather than in crisis. DoD has long debated the relative emphasis on preparing cyber operations for contingencies only, versus doing more in the gray area between peace and armed conflict. The new approach derives from a growing consensus that lower-level malicious campaigns pose a major, cumulative risk and must be contested. This is right, but raises challenges. More frequent operations raise the potential for short-term mistakes or medium-term dynamics that increase instability in cyberspace. DoD must not find itself so focused on the day-to-day that it underprepares for major conflict. And above all, DoD needs to show that it can produce useful and calibrated capability, thoughtful proposals, and meaningful results.
  6. The strategy is more explicit on DoD’s role in defending critical infrastructure. The role itself is not new, but the direct, simple articulation of its responsibility is a step forward. DoD should not duplicate the efforts of domestic agencies or appear to exceed its statutory authorities inside U.S. borders. But the clear statement that DoD plays an important role in this area clears up some common misperceptions. (I particularly liked the emphasis that DoD can help provide warning of attacks, and see positive opportunities for public-private collaboration in that space.)
  7. The strategy is uninspired on international partnerships. It should have made a stronger, fuller case for working with allies and partners to demonstrate resolve, share information, and coordinate response actions. These partnerships, most obviously demonstrated in the coordinated attribution of the NotPetya attacks to Russia, are increasingly vital to set expectations of acceptable behavior in cyberspace and show common purpose when those expectations are exceeded.
  8. The discussion of cultivating talent and capability is as un-sexy as could be. But these topics are colossally important – they are the bread and butter of cyber capability. The emphasis on developing “cyber fluent” leaders and fostering agility identifies important gaps requiring attention.
  9. Only in the current environment would it be a pleasant surprise for DoD to highlight its role in reinforcing norms of responsible behavior in cyberspace. Since the UN GGE process flopped in 2016, the White House has talked more about “cost imposition” than about norms. So while the strategy’s support of “prohibitions against damaging civilian critical infrastructure during peacetime” is notable and reassuring, it is insufficient. DoD must cultivate a stronger mindset of using cyber power responsibly and contributing purposefully to a more stable environment in cyberspace. This is even more important in light of reports on newly delegated authorities and streamlined approval processes.
  10. The strategy makes little mention of new and future threats. What is the military’s role in cyberspace in combating information operations? What is the next evolution of Russia’s disinformation campaign? How will DoD deal with increasingly capable small actors who are less inhibited, less deterrable, and enabled by artificial-intelligence-driven hacking tools? We are left to hope that the classified materials ponder these important questions.

Kate Charlet, Fmr. Dep. Assistant Secretary of Defense for Cyber Policy

“The Cipher Brief has become the most popular outlet for former intelligence officers; no media outlet is even a close second to The Cipher Brief in terms of the number of articles published by formers.” —Sept. 2018, Studies in Intelligence, Vol. 62
