BOTTOM LINE UP FRONT — The U.S. is facing an onslaught from adversaries in cyberspace, and while conversations about the response have focused on bolstering cybersecurity defenses, some have argued for an approach more geared to offense. That’s the view of many experts and of some officials in the new Trump administration, including National Security Advisor Mike Waltz, who has said the U.S. should “start going on offense and start imposing… higher costs and consequences” for cyberattacks directed at U.S. targets.
The U.S. has already taken retaliatory action against bad cyber actors; in one of his final acts as president, Joe Biden issued an executive order on cybersecurity that grants expanded authorities for sanctions against those who launch cyberattacks against U.S. critical infrastructure. Soon after, the Treasury Department sanctioned an alleged hacker and companies in China linked to the recent Salt Typhoon hack of U.S. telecommunications firms. Washington has imposed similar sanctions and financial restrictions on entities linked to other recent China-linked attacks, and the Department of Defense’s most recent Cyber Strategy instructed the department to prepare responses to “destructive cyber attacks.” But many experts believe the U.S. still lacks a clear offensive cyber strategy.
The Cipher Brief asked experts what such a strategy might look like. They offered a range of ideas – from offensive “playbooks” to cyber counterstrikes to an increased role for the private sector – all in the name, as one expert put it, of making “the leap from passivity to proactivity.”
THE CONTEXT
- Several high-profile cyberattacks have recently hit the U.S., including: the “Salt Typhoon” campaign which breached at least nine U.S. telecommunications firms to access the devices of top officials and agencies; an alleged attack by Chinese state-sponsored hackers that breached U.S. Treasury Department computers and accessed unclassified documents; and attacks by Iranian hackers against Western critical infrastructure organizations.
- In his final days in office, former President Joe Biden signed an executive order that expands federal authority to sanction ransomware groups who target U.S. critical infrastructure.
- The Department of Defense’s latest Cyber Strategy, published in September 2023, directs the DoD to “be prepared to defend the U.S…from disruptive or destructive cyber attacks,” and orders the department to “build and maintain viable cyber options and plan to use those options” to do so.
- President Donald Trump’s 2018 National Cyber Strategy gave greater authority to the Defense Department and other agencies to use offensive cyber operations to penetrate foreign networks to deter attacks on U.S. targets.
The Cipher Brief spoke with George Barnes, former NSA Deputy Director; Rear Admiral Mark Montgomery (Ret.), former Executive Director of the Cyberspace Solarium Commission; and Lieutenant General Charles L. Moore (Ret.), former Deputy Commander of U.S. Cyber Command, at the Cyber Initiatives Group Winter Summit, and received written comments from David Charney, a psychiatrist who worked as a consultant to the Central Intelligence Community, to understand the reasons, possibilities and hurdles for an offensive cyber strategy.
Their comments have been lightly edited for length, clarity and format.
THE EXPERTS
Barnes: I support an offensive strategy first and foremost in the government. Industry will always have a role to play, and it can increasingly help. Industry has an aperture. They understand what’s happening. Industry has software tools and capabilities distributed around the world, and they have credentialed access to those capabilities for providing updates. As we saw in Ukraine, industry ended up having a role in helping Ukraine defend itself against the Russians. There is definitely a role for industry.
One of the things we need to do is think ahead. Let’s develop playbooks. Let’s do exercises with industry and government ahead of time to say, Well, what if X happens? How will we react and respond? How can we proactively position ourselves so we know, for example, if one of our big U.S. companies has a big deployed infrastructure in that foreign area, what should they do? What’s the policy? What are the parameters? What are the accountabilities?
There’s a lot that we saw play out without those policies and strategies in Ukraine. Let’s learn from that and say, OK, if a Ukraine war was to happen again – in Taiwan or somewhere else – how could industry know what latitude it should take? Should it request latitude? There are all kinds of things that Microsoft and others did and can do. Let’s think about that. And that can be very effective, and it can be coordinated. That’s different from them getting into deny, disrupt, disable, or destroy. It can get into deny, but to disable or to destroy, it’s all a matter of which “D” you pick and where industry can more comfortably play.
Charney: Our current posture has limited us primarily to tactical defensive measures when we really want strategic results: decisively stopping damaging intrusions that—let’s be honest—are roughly equivalent to blatant kinetic attacks that threaten our very survival.
Our adversaries are happy with our self-imposed limitations. We predictably respond to cyberattacks almost entirely with defensive measures. They know we believe that if we can’t prove beyond a shadow of a doubt that a specific actor was the cyber intrusion perpetrator, we’ll complain, but reliably fall back on our usual policy of just sitting on our hands. This brings to mind the Cold War worry about our nation in danger of becoming “a pitiful, helpless giant.” That’s because in the cyber world our adversaries are playing by different rules. And they are winning. We are losing. Our passive policy means programmed failure.
Changing our current mindset is key. To improve cybersecurity, we must make the leap from passivity to proactivity, from a strategy that doesn’t work and never will, to a strategy that can and will work. From exclusive reliance on defensive measures, a fundamentally passive posture, to adding a proactive strategy that uses offensive measures too. Although adding offensive measures can get messy and has its own costs, carefully crafted offensive postures have been historically able to solve extremely difficult problem sets and bring about success.
Our message should be that crossing our red lines is unacceptable and we will push back. There will be repercussions. Better for our warnings to be publicized so that our actions possess moral clarity. Punishments will be directly tied to the crimes that triggered them. This will help make our warning messages clearer and more justifiable—we always attach our responses to the moral point we want to make.
If and when we do choose to initiate cyber counterstrikes, public diplomacy principles require that they must make sense to publics at large, both within our country and in the country that attacked us.
A revised proactive policy that adds offensive measures needs to become our new modus operandi, because our nation has become infamous for declaring red lines, but when they get crossed, we’re nowhere to be found. We must change our reputation for being weak at the moment of truth and hold accountable those who cross our red lines. If not, we become enablers of bad behavior that will worsen over time. Enabling bad behavior risks escalation to fully kinetic responses, because when things finally reach the point of being intolerable, nothing else will work.
RADM Montgomery (Ret.): I envision [U.S. Cyber Command] as being the offensive end of offense. They're about operational preparation of the battlefield. They're about executing a strike. One team that could be part of an offensive strategy to defend our networks is the National Guard. It can move between authorities. I'll add in there the governors’ authorities, which are different from the federal operating authorities – but they are not ready for prime time. If you look at different states, there are states you'll go to, and their number of cyber operators will be 600, 800. Then you can go to a couple of states where I'm asking, How many people are in your team? And I'm talking to three people on a Zoom. That’s it.
To me, a grand offensive strategy isn't just about cyber command or intelligence community downrange doing operational preparation in the battlefield, or actual disruption with the military forces or espionage or actual disruption with the intelligence community forces. That is something that I'm assuming is happening – I hope it’s happening properly.
Where we need the offensive strategy is in helping our private sector companies respond to damaging attacks. We've got to figure out a solution that uses tools that the military can help develop without pinning the bill on the military, and develops a capability capacity that the private sector becomes comfortable with, that they know and they can begin to use. Then you can actually start formulating your offensive strategy for how you use these forces to work together to defend your assets. I don't want the private sector coming up with a solution on their own. So in the absence of that, we have to do something.
Eventually we're going to be able to pass – at the speed of data – threat information, threat signals, warnings between ourselves inside government and then at an unclassified level or a very low, unclassified level out to industry, and then industry reporting back what they're seeing so that we can see the adversary's campaign against us. We have to have this improved data sharing, information sharing, threat sharing, and it's got to be at the speed of data.
That's where we're headed. That's a ways off, but that's where I want to end up. And there is a requirement for the private sector to not just be a victim but to be an aggressive participant.
Overall, we've got to understand what the authorities need to be, what the resources need to be, who's going to command and control these things, how it's going to work, because I think you have to explain all that before you take that first step onto the moving train. Because once you do it, DoD is really good at doing what they're told to do. And so you want to make sure that how we've organized this is right. The other federal agencies you will have to push, but DoD will move out once they get the order.
Lt. Gen. Moore: I view a grand strategy as this comprehensive long-term plan with very specific strategic objectives, using all the levers of national power to accomplish our goals and achieve national interest. I don't think it applies when you're talking about one domain, and one aspect – i.e., the offensive cyber of one domain. That said, because of the unique aspects of cyber, specifically due to digital convergence and the ubiquitous nature of this domain, it's beneficial if we talk about how we might have specific strategy and objectives for what we should be trying to accomplish as not just a whole-of-nation approach, but also with our friends and allies.
Much of the work that's going on is obviously done at a level that's not going to be obvious, or even something we can talk to the American people about. And it's not always great to just say, Hey, trust us, there's a lot of great work going on. I understand that frustration. But this is a nuanced discussion. And when you talk about being noisy and the benefits of that, I think you have to realize that you can't change an adversary's calculation unless they know you're there. But if they know you're there, they're going to take actions to stop what you're doing. And so there's a difference between making an adversary not want to conduct some type of an operation – i.e., change their calculation – and taking actions to prevent them from succeeding. And the latter is really where we have been focused. When you talk about defending forward and being persistently engaged, that's the focus that we've really been after.
We need a campaign that focuses on making sure the United States remains the dominant player in the development and the use of advanced tools like artificial intelligence and quantum. We need a campaign that goes after the big four, the Russia, the China, North Korea, and Iran of course – fully integrated with the other instruments inside the DoD's capabilities. We need a campaign to deal with espionage and IP theft. We need a campaign to protect our supply chains. We need a campaign to go after counter ransomware. These are not difficult things to do, but they require dedication and they require persistence and they do require a bit more resources. There are also campaigns that we need to run that are more administrative in nature – i.e., how we go about continuing to develop inside our society the workforce that we're going to need to deal with this environment. How do we go about advancing norms of behavior? And so all of these things brought together and executed persistently help us achieve what should be our national objectives.
We're really good in crisis. A crisis happens, and we tend to figure out how to deal with all the barriers that we're dealing with day to day. You can look at Ukraine and the support that we were providing Ukraine and how rapidly we started sharing information. It was unprecedented. With Volt Typhoon and Salt Typhoon, and the campaigns that they're running against us, we are being campaigned against. We have to start doing the same thing to our adversaries.