How the US DOD Cyber Strategy changes national cyber defense

A decade ago, then-Secretary of Defense Leon Panetta uttered a phrase that would go on to live in infamy: “cyber Pearl Harbor.” Panetta was using his platform as the country’s leading national security official to warn of dire future digital assaults on the United States. Energy infrastructure, transportation systems, financial platforms, and more were vulnerable to exploitation, he warned. The media, pundits, and politicians have used the phrase, along with the similarly evocative “cyber 9/11” and “cyber Katrina,” galvanize support for national efforts to address cybersecurity challenges.

The infamy of the “cyber Pearl Harbor” meme lies in its utter disloyalty to the realism of global cyber conflict. The idea of Western society collapsing around our shoulders due to digital disruption, the argument goes, ignores the fact that such disruption offers no strategic utility to those actors most capable of executing such an attack, beyond the context of a shooting war with a peer state competitor. Substantial disruptions, as seen in incidents like NotPetya, are inevitable, but they are unlikely to be common, endemic, or as cataclysmic as the “Pearl Harbor” mnemonic implies. Instead, cyber usage by belligerents in recent major conflicts in Ukraine and Israel – both limited and lacking a “cyber blitzkrieg,” often with a performative focus – feel much more exemplary of cyber conflicts to come.

2023 Cyber Strategy offers pragmatism

A major driver of the campaign against cyber doom nomenclature is the argument that such framing creates a disconnect between government concerns about national cyber defense and the realism of industry efforts to build a healthier cyber ecosystem. Given this, the recent publication of the Department of Defense’s 2023 Cyber Strategy should be seen as a welcome evolution of government perspective on the scope of defense and deterrence challenges in the cyber domain.

Unlike previous manifestations of the defense community’s strategic vision for operation in cyberspace, the 2023 document is extremely conservative. It forwards no major conceptual developments, no new branding for emergent ideas around digital operations, and no radical reactionary takes on the war in Ukraine. While cyber strategy “with the brakes on” might sound risky at first glance, this restraint in the face of recent changes that enable the activities of US Cyber Command introduces a measure of stability to national cybersecurity policymaking. More importantly, it offers breathing room within which civilian, industry, and government can find balance that has perennially been absent in public-private relations in this space.

Greater cross-sector consideration for national cyber defense

Prior to the release of the 2023 document, the 2022 National Defense Strategy outlined a new concept that will drive the vision, planning, and actions of the Pentagon called “campaigning.” The concept is not cyber-specific. Instead, it is a more holistic representation of the idea that national security and foreign policy objectives are invariably secured via sequential and cumulative activities planned across multiple domains of government and national capacity. That distinction between government and national capacities is noteworthy, as the campaign idea emphasizes that military activities must align with those that are strategically relevant. This includes non-military actors, their interests, their infrastructures, and their own capacities to impact international politics and commerce.

The point of the 2022 strategy, now brought forward in cyber-specific terms in the 2023 Cyber Strategy, is that the concepts of defending forward in a domain defined by persistent engagement with adversary forces demand delegation and co-reliance across public-private boundaries. The Pentagon recognizes, quite practically relative to years past, that most cybersecurity activities occur entirely beneath the threshold of armed conflict between countries.

One might have previously taken this admission to imply that the Pentagon is intent on persistent, rapid, and sustained military actions that only rarely scale to the level of major operations (e.g., the Olympic Games) and that most cyber isn’t about degrading adversaries’ real-world capabilities. The 2023 strategy now prioritizes activities focused on cumulative outcomes rather than persistent effects. It is not enough to simply engage consistently; tactical actions must be scalable to strategic gains.

This means the Department of Defense more clearly recognizes that America’s attack surface – i.e., its IP space, information environment, cyber-physical infrastructure and, yes, its people – is overwhelmingly private in nature. This obvious point has always been acknowledged colloquially, but it is now central to the campaigning concept. Operating to secure military objectives online by defending forward means collaboration beyond the scope of operational planning. It means extending educational activities to key stakeholders of national digital health — not just service providers, but social technology product vendors, diverse software developers, and more. It means post-operational follow-through and delegating responsibility for recovery and future preparedness to willing private partners, with federal support. It also means realistic expectations about what civilian society can contribute to the national cyber defense. All told, a promising development.

Less leadership, more integration mean better leadership

Another key element of the recognition that cyber affairs are never purely cyber is the admission that federal leadership on cybersecurity might be counterproductive. “Leading” on an issue that co-varies with other dimensions of statecraft and societal function often over-emphasizes the importance of that area.

This is the pathology of thought that has dominated American outlook on cybersecurity for more than three decades. Realization that cybersecurity was a substantial national challenge in the 1990s and early 2000s gave rise to the cyberspace domain concept as a center of gravity for government- and military-led conversations about digital issues. While that was mostly welcome, it also over-emphasized cyber for the sake of cyber and often overrode the reality that cyber operations are usually an adjunct or enabling set of activities tied to other political, economic, and security challenges.

The 2023 Cyber Strategy corrects this overstatement in the form of an admission. The document is candid about the constraints of operating in cyberspace to deter foreign adversaries from attacking American industry, society, government, and international partners. As so many advocates of Cold War nuclear-era deterrence thinking for cyberspace have been forced to concede recently, the logic of operation in the fifth domain makes signaling and demonstrating the kinds of capability necessary for true deterrence difficult.

Performative gestures via cyber operations are often counterproductive in that they let adversary defenders glimpse gaps in their defensive setup and deploy fixes. Attribution muddies the waters of directed coercion that typically requires reasonable specificity and communication of urgency to be effective. Opportunities to improve deterrence via counter-hacking are often stymied by delays in marrying exploits to talent, infrastructure, and political vision during nanosecond crisis developments.

Instead, the US government now suggests that it will lead less and in doing so, counterintuitively, lead better. This is the concept of integrated deterrence being brought to the fore of federal cybersecurity efforts. Deterrence cannot be achieved via cyber action alone, particularly not action primarily undertaken by US Cyber Command and its other federal co-belligerents. Instead, cyber capabilities must be made adjunct to “other instruments of national power” to create a “deterrent greater than the sum of its parts.”

This is intended to unleash US Cyber Command from traditional constraints on its capability to defend the digital health of America – not so much the inability to authorize its own operations, but rather the inability to let non-governmental partners and interests shape the federal cyber mission. Now there is a recognition that the best instruments for building a national cyber deterrent might not be a primarily defense-oriented posture. This position is intelligent and promising. It also suggests space within which shared public-private interests can flourish while avoiding traditional industry concerns about federal overstep (or oversight). 

Constructing defense institutions as more reliable cybersecurity partners

A final transition made apparent with the 2023 Cyber Strategy is the practical reeling in of the Pentagon’s cyber mission. Campaigning and the shift toward integrated deterrence does not imply open-ended missions and resources, just adding new ideas about public-private collaboration. Instead, they reflect a reality that cyber isn’t just an adjunct focus for national security practice but one where constant activity isn’t always welcome. Defending every piece of American IP space has never been possible for the Pentagon, legally or practically. Now, there is recognition that doing so is also not desirable from a deterrence perspective.

The 2023 Cyber Strategy perspective emerges from a humbling view of recent history in which an ecosystem of federally enabled helpers to surge to the rescue during crises has barely materialized and has rarely been called upon. The Pentagon just isn’t suited for this kind of support activity relative to the closer mission support roles that US Cyber Command is built around. Now, the Pentagon will support capacity-building, intelligence support, workforce expansion, and cyber-awareness initiatives without defining the scope of required interaction with the Department of Defense. In doing so, the DOD seeks to be a more reliable partner for industry, particularly elements of the Defense Industrial Base (DIB), absent the demands of a singular strategic or operational approach to national cyber defense.

Cyber safe harbor, not Pearl Harbor

That the Pentagon is nixing the specter of cyber Pearl Harbor as a conceptual vehicle for conversations about national cyber defense is a welcome development. Cyber threats are not the stuff of strategic calamity that punditry and Hollywood often like to convey. At the same time, the landscape of cyber threats continues to expand and diversify year-on-year. In this context, the Department of Defense just can’t cover the country with the cyber equivalent of a missile defense shield and so must adjust its posture to be as efficient as possible as it attempts to create meaningful deterrence.

There is always a honeymoon phase around new strategic documentation where government intention is tempered by the actions of officials, Congress, and existing partners. However, the 2023 Cyber Strategy should be embraced by industry as an opportunity to engage with the defense establishment without fear of co-option.

The document is practical in a way that has been missing in past iterations. The priorities laid out, despite being more about restraint than new activity, also stands to aid efforts to establish constraining norms around cyber threats. The realization of a lesser role for the Pentagon in underwriting national cyber response capabilities without direct mission control suggests singular value for companies that suspect themselves to be in the direct fire line of geostrategic competition, such as those invested in Ukraine’s reconstruction. What is otherwise a somewhat boring update to American cyber defense priorities is also perhaps the best federal promise of real assistance the private sector has ever seen.

Critical Infrastructure, Government

Go to Source