Published by The Lawfare Institute
in Cooperation With
The 2018 Department of Defense Cyber Strategy is the third report of its kind: The document, a summary of which was issued on Sept. 18, follows the Department of Defense Strategy for Operating in Cyberspace in July 2011 and the April 2015 Department of Defense Cyber Strategy. As a Chinese cybersecurity analyst reading the three documents, I have noted several interesting developments over time. The most significant among them, in my opinion, is the change of operating concept—from “active cyber defense” to “defending forward.” Here, I’d like to consider what might be behind such a change and why the change in concepts will have implications not only for the U.S. military but also for international cyber stability.
The 2011 report was the first to set out the concept of “active cyber defense,” defining it as “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities, so as to prevent intrusions onto DoD networks and systems.” Though the term disappeared in the 2015 document, it was widely used in the Defense Department in the following years, including in DARPA’s Active Cyber Defense (ACD) program. The concept echoes the definition of “active defense” in the Defense Department’s dictionary of military terms: “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.”
The 2018 report introduces the term “defending forward.” It characterizes defending forward as a method “to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict,” and to “counter cyber campaigns threatening U.S. military advantage.”
The strategies described by active cyber defense and defending forward share features, including the use of defense to mean “defenses that go beyond passive ones.” But their differences are noteworthy.While active cyber defense aims to “detect and stop malicious activity before it can affect DoD networks and systems,” the goal of defending forward is to “disrupt or halt malicious cyber activity at its source.” The definitions in the 2011 and 2018 documents suggest that defending forward should be understood as something more proactive and potentially escalatory than active cyber defense. As NSA Director Paul Nakasone said during an August 2018 dinner hosted by the Intelligence and National Security Alliance, “We’ve got to act forward outside of our boundaries, something that we do very, very well at Cyber Command in terms of getting into our adversary’s networks.”
Defending forward also has a broader scope. While active cyber defense is an effort to defend the Defense Department’s networks and systems—in order to, as the 2015 report describes it, “blunt an attack and prevent the destruction of property or the loss of life—defending forward will “strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages.”
Unlike the more limited focus of active cyber defense and the 2015 report, defending forward aims at all threats, including activities falling below the level of armed conflict. Similarly, Cyber Command will likely fulfill missions beyond defending only .mil networks under the new strategy because U.S. military operations depend on not only .mil but also .com. As Bruce Berkowitz pointed out early in 2001, U.S. military forces depend on commercial transportation systems for logistics and, in many cases, for moving units to the scene of battle. And a foreign adversary could significantly hinder U.S. forces by attacking computers at, say, commercial harbor facilities.
The evolution in Defense Department cyber documents suggests that the U.S. cyber force is expanding its scope of operations in terms of geography, timing and potential adversaries. But what animates these changes?
When drafting an operational concept, the first thing to consider is the identity of the hypothetical adversary. In assessing the security environment in cyberspace, the 2011 report addresses the inherent insecurity caused by the architecture of the internet and asserts that cyber-threats may come from various sources, including state actors, small groups, insiders and supply chain vulnerabilities. The 2015 report listed four nations—including Russia, China, Iran and North Korea—as the main sources of cyber-threats and also included descriptions of possible threats from terrorist groups like the Islamic State and criminal groups. It came to the conclusion that “[s]tate and non-state threats often also blend together,” which “can make attribution more difficult and increase the chance of miscalculation.”
There are notable changes in how the 2018 strategy assesses the cybersecurity environment. The document declares that “our focus will be on the States that can pose strategic threats to U.S. prosperity and security,” without mentioning any nonstate actor as the source of threat. What’s more, the four countries are now listed in a new order: China, Russia, North Korea and Iran. Rather than an inadvertent adjustment of sequence, this is more likely the result of careful consideration, as it is in strict accordance with security environment assessments in other documents. Among the four nations frequently mentioned as major security challenges in various U.S. strategy documents in recent years, China was listed fourth in the National Military Strategy issued in June 2015, following Russia, Iran and North Korea; second in the Defense Posture Statement in February 2016; and first in 2018 National Defense Strategy, followed by Russia, North Korea and Iran. Given the rapid deterioration of China-U.S. relations, especially since the Trump administration announced sweeping tariffs on Chinese imports in March 2018, even a “minor” change like this in the new cyber strategy document sends the Chinese government a a signal that America views China as a potential adversary.
The 2018 strategy also shows the rapid enhancement of U.S. cyber-military capabilities and the largely expanded missions of the cyber-forces. The first Defense Department Cyber Strategy, was published in 2011, 14 months after the establishment of Cyber Command and eight months after the the command achieved full operational capabilities. In 2018, CYBERCOM was elevated from a sub-unified Combatant Command under U.S. Strategic Command to a fully unified one. The 133 Cyber Mission Forces all achieved full operational capability (FOC) in May 2018, four months ahead of the September deadline. The achievement of FOC signaled a rapid pace in the buildup of cyber forces, suggesting it was time for the Defense Department to revise relevant operational concepts.
In the months before the release of the 2011 strategy, CYBERCOM’s main focus was “safeguarding our military assets”—which then-NSA Director Keith Alexander explicitly specified was “not about an effort to militarize cyber space.” Now, the 2018 Cyber Command Vision describes CYBERCOM’s focus as “achiev[ing] cyberspace superiority by seizing and maintaining the tactical and operational initiative in cyberspace, culminating in strategic advantage over adversaries.” This more aggressive U.S. operational posture, together with huge improvements of U.S. capabilities, will naturally cause nervousness in some countries—especially those the United States has listed as security challenges.
The U.S. is consistently critical of China’s cyber security measures and hypes China up as a cyber threat. In this context, the more proactive posture pursued in the 2018 strategy might be understood by some in the U.S.—with whom I cannot agree—as a response to China’s cyber posture. However, from China’s perspective, the U.S. enjoys a large military advantage in cyberspace, as Yao Yunzhu and her colleagues have elaborated in a joint report—an advantage obtained through formulating and updating cyber operational doctrines and strategies, setting up and elevating cyber command, and building cyber warfare units.
China does not seek an arms race with the United States. To be sure, it intends to develop its own cyberspace capability as well, for two reasons: first, to keep up with recent trends in the military-technological revolution worldwide; and second, to ensure that China can win a local war shaped by the wide application of information and communication technologies. As to what posture Chinese military pursues in cyberspace, the latest National Defense White Paper, titled China’s Military Strategy (2015), declares that China “will expedite the development of a cyber force.” The main tasks include enhancing China’s capabilities of cyberspace situation awareness, improving cyber defense, and supporting the country’s endeavors in cyberspace and its participation in international cyber cooperation. Such efforts aim to “stem major cyber crises, ensure national network and information security, and maintain national security and social stability.”
While the Chinese military also uses the language of active defense, it is used to describe the military strategic guideline—which is used in China as the guiding principle of military strategy—rather than an operational concept, which refers to what the commander intends to accomplish and how it will be done using available resources. China’s National Defense White Paper in 2015 illustrates the Chinese sense of “active defense.” It boils down to: adherence to the unity of strategic defense and operational and tactical offense; adherence to the principles of defense, self-defense and post-emptive strike; and adherence to the stance that “[w]e will not attack unless we are attacked, but we will surely counterattack if attacked.” This can be explained as follows: China aims to promote peace by mitigating crises and creating a stable environment during peacetime; China’s military strategy seeks to prevent crisis escalation through deterrence and crisis control when crisis has taken place; should a military confrontation erupt, China’s military strategy will consist of taking resolute actions to achieve victory. As of now, China has not released any official documents containing detailed descriptions of how the strategic military guideline of active defense will be implemented in cyberspace. But the 2015 white paper shows that China’s active defense seeks retaliation as opposed to a pre-emptive strike, while the U.S. Defense Department made it clear in the 2018 report that it “seeks to preempt, defeat, or deter malicious cyber activity.” The chief difference here is the preference for preemption or retaliation as the principle guiding the use of power.
If unilateral military advantage were the only thing the Defense Department needed to consider, then such changes would be expected and would not be troubling. However, in an interconnected world, especially in globally interconnected cyberspace, there are interactions among various actors. Interactions in cyberspace can foster trust and cooperation, but they also have the potential to provoke suspicion, competition and conflict. Alarmingly, the latest Defense Department document lists “defend forward, shape the day-to-day competition, and prepare for war” as the Pentagon’s priorities and “building a more lethal joint force” as the first approach the department will take. In the meantime, terms like “mitigate risks” and “control conflict escalation,” which were used in the previous two reports, have disappeared from the latest report.
Other countries will likely feel anxious about their own cybersecurity if they see that the most powerful cyber force is committed to building more forces and pursuing a more offensive posture, even though some Americans may understand the Defense Department as, itself, responding to the aggressive postures of other states. This increased insecurity and heightened suspicion are particularly dangerous in cyberspace, because operations there are more apt to lead to unintentional crisis and escalation.
But there is more than one way to achieve security in cyberspace. An alternative to aggression is self-restraint, which could play a similar role in improving security environment without entailing adversarial responses. In fact, the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) offers quite a few suggestions regarding norms of self-restraint. For example, the group recommends that states should refrain from attacking critical infrastructures and impairing the work of computer emergency response teams (CERTs). The GGE mainly focuses on peacetime norms, while the Defense Department Cyber Strategy aims to cover everything from peacetime to conflict. However, the 2018 strategy ostensibly endorses the work done by the GGE and hopes to work with others to “reinforce norms of responsible State behavior in cyberspace.” As such, principles included in GGE reports needs to be taken into consideration.
Some think tanks and corporations also have undertaken initiatives in this arena. The Microsoft Corporation’s Digital Geneva Convention proposal urges governments to “exercise restraint in developing cyber weapons and ensure that any that are developed are limited, precise, and not reusable.” Carnegie's Cyber Policy Initiative is exploring ways the United States and China can reduce cyber threats to nuclear stability, including potentially through development of norms. The Cyber Policy Initiative also proposed that states focus on protecting the integrity of the financial system against cyber threats as an area of common interest, particularly in light of risks associated with manipulations of the integrity of financial data or the availability of critical systems.
If there is one lesson to be learned from the Cold War, it is that maintaining strategic stability among major powers is critical to preventing nuclear conflict. Today’s international cyber-order is at a crossroads: one route may point toward achieving general stability, while the other may lead to chaos and conflict. Enhancing military capability with proactive and bold action will lead to widespread feelings of insecurity, precipitating a security dilemma—a situation in which actions by one state intended to heighten security lead other states to respond with similar measures, which in turn lead to a decrease rather than an increase in the original state’s security. Starting from self-restraint can lead to mutual restraint, non-binding agreements and, as time goes on, formal treaties.
Americans may conclude from Russia’s alleged interference in 2016 U.S. elections that restraint does not work well in cyberspace. However, the consensus points reached between President Xi and President Obama in 2015 are an example of a bilateral commitment to restraint in cyber activities that has been beneficial to both sides. As described by James Lewis, director of the U.S. Center for Strategic and International Studies' Strategic Technologies Program, the agreement had the the potential to decrease frictions between the U.S. and China, and it did contribute to a more stable bilateral relations. Reports also indicate a notable decline in commercial cyber espionage allegedly attributed to Chinese sources, at least in the first few months following the agreement. What’s more, it provides a foundation for the two countries to have more dialogues on cybersecurity with encouraging results.
Even for critics of the Obama-Xi agreement, however, restraint is still less risky than being dragged into an unintended cyber conflict. By exercising self-restraint, the United States can not only enjoy stability and security in cyberspace, but also continue to take the lead in international rulemaking—if it is still willing to.