The Pentagon's Cyber Strategy: What's New and What it Means

On Wednesday, the Department of Defense (DoD) quietly released an unclassified summary and fact sheet on its 2018 Cyber Strategy, which replaces the 2015 DoD Cyber Strategy. Here are ten things you need to know about the new strategy:

1. The cyber strategy is deeply influenced by the National Defense Strategy, with a clear logic flow from Secretary James Mattis’ priorities on increasing the lethality of the Joint Force and strategic competition with China and Russia. I’m unconvinced of the centrality of the “lethality” concept for cyberspace, given that militaries use networks so heavily for defensive and logistical needs. But it is not easy to achieve a cyber strategy so genuinely nested in the broader strategic themes of the Department, and this deserves applause.
2. A major shift is the explicit focus on China and Russia as the top strategic competitors. This is attributed to their roles, respectively, in eroding U.S. military and economic vitality and challenging our democratic processes. Never before has DoD set such unambiguous cyber priorities; U.S. leaders have typically discussed Russia, China, Iran, and North Korea as a group. (And in recent years, the campaign against ISIS became a major focus.) Strategic priorities always get strained by daily crises, so the new emphasis will increase stability and focus. The thing to watch is China’s reaction to being called out so specifically.
3. A top objective of the strategy remains ensuring DoD can conduct its missions, even when under cyber attack. The importance of this goal cannot be under-stated: if DoD fails in this, then everything else it seeks to do in cyberspace is moot. But the document misses an opportunity to take the concept to the next level. It should have emphasized the need for bolder, well-resourced resilience initiatives such as those the Defense Science Board recommended in 2017.
4. The concept of “defend forward” is already generating controversy – but it’s really an easier-to-understand evolution of the “defend the nation” concept from the 2015 strategy. Defending forward means that DoD’s cyber operators will operate outside of U.S. borders, seeking to disrupt malicious cyber activity closer to its source. Since DoD has, in all domains, operated outside of the nation’s borders, this should surprise nobody. The Department of Homeland Security (DHS) and Federal Bureau of Investigation have primary responsibility at home.
5. Far more notable is that defending forward will happen in the context of day-to-day competition, rather than in crisis. DoD has long debated the relative emphasis on preparing cyber operations for contingencies only, versus doing more in the gray area between peace and armed conflict. The new approach derives from a growing consensus that lower-level malicious campaigns pose a major, cumulative risk and must be contested. This is right, but raises challenges. More frequent operations raise the potential for short-term mistakes or medium-term dynamics that increase instability in cyberspace. DoD must not find itself so focused on the day-to-day that it underprepares for major conflict. And above all, DoD needs to show that it can produce useful and calibrated capability, thoughtful proposals, and meaningful results.
6. The strategy is more explicit on DoD’s role in defending critical infrastructure. The role itself is not new, but the direct, simple articulation of its responsibility is a step forward. DoD should not duplicate the efforts of domestic agencies or appear to exceed its statutory authorities inside U.S. borders. But the clear statement that DoD plays an important role in this area clears up some common misperceptions. (I particularly liked the emphasis that DoD can help provide warning of attacks, and see positive opportunities for public-private collaboration in that space.)
7. The strategy is uninspired on international partnerships. It should have made a stronger, fuller case for working with allies and partners to demonstrate resolve, share information, and coordinate response actions. These partnerships, most obviously demonstrated in the coordinated attribution of the NotPetya attacks to Russia, are increasingly vital to set expectations of acceptable behavior in cyberspace and show common purpose when those expectations are exceeded.
8. The discussion of cultivating talent and capability is as un-sexy as could be. But these topics are colossally important – they are the bread and butter of cyber capability. The emphasis on developing “cyber fluent” leaders and fostering agility identify important gaps requiring attention.
9. Only in the current environment would it be a pleasant surprise for DoD to highlight its role in reinforcing norms of responsible behavior in cyberspace. Since the UN GGE process flopped in 2016, the White House has talked more about “cost imposition” than about norms. So while the strategy’s support of “prohibitions against damaging civilian critical infrastructure during peacetime” is notable and reassuring, it is insufficient. DoD must cultivate a stronger mindset of using cyber power responsibly and contributing purposefully to a more stable environment in cyberspace. This is even more important in light of reports on newly delegated authorities and streamlined approval processes.
10. The strategy makes little mention of new and future threats. What is the military’s role in cyberspace in combating information operations? What is the next evolution of Russia’s disinformation campaign? How will DoD deal with increasingly capable small actors who are less inhibited, less deterrable, and enabled by artificial-intelligence driven hacking tools? We are left to hope that the classified materials ponder these important questions.

This is the strategy of a Defense Department that feels itself with a stronger hand; one it must use wisely. The document is bold, even hawkish, which risks stirring the already-buzzing hornet’s nest of military competition in cyberspace. But as the Belfer Center’s Michael Sulmeyer is fond of saying, 'Other nations are escalating all on their own in ways that are not limited to responding to the U.S. military’s statements and actions.' So in the end, I can forgive the occasional chest-thumping in the strategy. It reflects a sentiment that the U.S. position in cyberspace is both unacceptable and untenable. And that’s something we should all feel profoundly.