Over the last six months, the government has released a series of strategic documents and executive orders that have led some to conclude that the gloves are off when it comes to deploying offensive cyber capabilities.
The Department of Defense Cyber Strategy, released in an unclassified summary this week, reiterates the proactive use of offensive cyber capabilities. However, instead of viewing this as unfettered authorization to deploy these capabilities, it should be viewed as the emergence of a national security framework that acknowledges the realities of a dramatically shifting international system and technological change. Importantly, the strategy sends core signals to U.S. adversaries, allies, and the private sector.
For our adversaries, the policy homes in on defending forward, stating that cyber campaigns will be countered by “defending forward to intercept and halt cyber threats.” Instead of waiting for the attacks to happen in the homeland, offense will be used surgically to counter campaigns. This is a full-court press strategy that leverages offense to counter threats and underpins the notion of deterrence by denial. It does not imply unconstrained deployment of offensive capabilities, but rather an approach that is focused to stop a threat before it harms its target.
The strategy also alludes to countering adversarial, cyber-enabled information operations. Given the emphasis on China and Russia within the strategy, this again helps progress a more coherent approach to countering the full range of cyber-enabled interference operations instead of viewing computer compromises and disinformation within discrete stovepipes.
Finally, too often the cyber component is siloed as separate from other tools of national power. The Cyber Strategy specifies that all instruments of national power will be employed to deter malicious cyber activities. Again, this implies a more nuanced approach to countering the threat, as well as one that understands the risks of escalation.
For our allies, the strategy emphasizes the pursuit and defense of a free and open internet. This is perhaps the major continuation from the 2015 strategy, and signals to democratic allies that the U.S. remains steadfast in a commitment to preserving a foundational component of democracy. If there is any doubt, the very first sentence notes, “American prosperity, liberty, and security depend upon open and reliable access to information.” At a time when cyber-enabled activities are exasperating fissures in democratic institutions across the globe, the strategy attempts to renew U.S. commitment to preserving a free and open internet as critical to democracy. To further specify this commitment, the strategy offers U.S. support and participation in global institutions to help shape cyber confidence building measures and those norms for responsible behavior in cyberspace.
Finally, for the private sector, this strategy extends Defense Department defensive commitments beyond .mil and .gov domains. Historically, the approach toward the private sector has more or less been one of letting it fend for itself. While the strategy more so focuses on the defense industrial base, the commitment to critical infrastructure widens the potential for greater defensive support for the private sector. At the same time, the emphasis on commercial-off-the-shelf cyber capabilities and leveraging automation and data analysis additionally highlight potential avenues for greater partnerships with the private sector.
In short, rather than reflecting a shift toward unconstrained cyber anarchy, the strategy continues the momentum away from post-hoc responses to cyber attacks, and instead takes a nuanced, multi-faceted approach toward one of the most daunting national security challenges. Importantly, it amplifies the ongoing discourse on the use of offensive capabilities, providing transparency in an area that has for too long been viewed as a dark art, while signaling to attackers that the unfettered deployment of cyber-enabled attacks against the U.S. is over.
Andrea Little Limbago is chief social scientist at Endgame, a cybersecurity software company. She previously taught in academia before joining the Joint Warfare Analysis Center as a computational social scientist. While at JWAC, she earned the command’s top award for technical excellence for her analytic support across the Department of Defense. She holds a Ph.D. in political science from the University of Colorado at Boulder.