Published by The Lawfare Institute
in Cooperation With
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
President Eisenhower’s 1953 Solarium Commission gathered top thinkers to weigh the merits of three logically distinct strategies to combat the Soviet Union; advocates of each position suggested distinct policies for U.S. arms development, doctrine and force posture. Today’s Cyberspace Solarium Commission drew from the story of Eisenhower’s 1953 commission and brought together practitioners, experts and scholars to tackle the challenge of cyberspace for U.S. strategy.
At first, this was meant to be a competition between divergent strategic approaches that seemed to have emerged over the course of the Bush, Obama and Trump administrations: deterrence, norms and defend forward/persistent engagement. However, the true intellectual labor in this commission focused not on pitting these concepts against each other but, instead, in weaving these entangled ideas into complementary and reinforcing lines of effort within an overarching strategy. Scholars grappling with the commission’s project had to examine what contradictions existed in current strategy, where redundant lines of effort had emerged, and how the U.S. could best leverage its entire federal government for one strategic purpose in cyberspace.
While the commission’s strategy of layered cyber deterrence incorporates all the instruments of national power, here I focus on the challenges associated with developing a strategy that more specifically addresses the Department of Defense. To be successful, scholars faced with the commission’s intent needed to grapple with three logical problems that existed for the Defense Department within the United States’s current cyber strategies. First, how could the department conduct “defend forward” and “persistent engagement”—two concepts introduced in the 2018 Defense Department Cyberspace Strategy and the Cyber Command Strategic Vision, which advocate for day to day counter-cyber operations against adversaries targeting U.S. critical infrastructure—without triggering escalation? Second, how could the U.S. manage escalation, conduct defend forward, and still signal credible deterrence by punishment for strategic cyberattacks? And, finally, how could the U.S. move from a “be prepared” posture in cyberspace to one of persistent engagement while building norms of stability in cyberspace?
To solve these logical problems and move from competing paradigms to complementary ones, the below chart demonstrates major lines of effort within U.S. cyber strategy, focusing on the Defense Department—as most of the major changes to strategic guidance were with the Pentagon. The figure shows the goal of each line of effort, the target and types of activities. Finally, it depicts these lines of efforts on a purported escalation ladder, which helps define when each line of effort starts and notionally ends. Further, it compares these activities with other uses of force or means of foreign policy to illustrate how the strategy hopes to align lines of effort along the escalatory spectrum across domains.
Examining the strategies reveals five major lines of effort by which the Defense Department can support larger U.S. strategy. The first, resiliency and defense, spans day to day operations through conflict and finally high-end nuclear exchanges. The goal is survivability and perseverance throughout all potential escalation possibilities. For the Defense Department, the focus within resiliency and defense is on building Department of Defense information networks (DODIN), weapons and intelligence platforms that can defend, withstand and gracefully degrade even when under intense cyber and conventional attack. It is also about developing defense and resilience capabilities for key resources within critical infrastructure that are vital to Defense Department operations. Activities include cyber protection teams within services and across combatant commands, but also intelligence support about cyber threats as well as innovation in defense technologies on the DODIN.
In addition to resiliency and defense, the strategies call for the Defense Department to defend forward during day-to-day competition. Defend forward, while euphemistically labeled defense, is distinct from the resiliency and defense line of effort: It is focused not on protecting friendly (“blue”) networks but, instead, on degrading the capability of adversaries to conduct cyber operations. This means that the target of defend forward is the networks, tools, institutions and people who launch cyber operations against the United States, while the goal is to decrease the overall sophistication and preponderance of cyber operations against U.S. critical infrastructure.
There is an important caveat to the extent of defend forward, however. A key critique of defend forward focuses on the potential that these counter-cyber operations might lead to escalation of violence in retaliation. To decrease this possibility, the U.S. must scope its counter-cyber operations at targets that conduct cyber operations and limit effects to virtual or loss of data.
Neither defend forward nor resiliency/defense operations can account for the potential for cyberattacks that cause significant disturbances to either U.S. military operations or civilian way of life. Because of that uncertainty, the U.S. needs other lines of effort to ensure that the government can mitigate the cost of adversary cyberattacks—including the development of crisis response capabilities to mitigate the effects of potential cyberattacks that will allow the U.S. to recover quickly from major cyberattacks on the homeland. The focus here is less on restoring military networks and more about how domestic military units like the National Guard, or foreign-deployed military units within allied nations, might help with network restoration. They might also help ensure humanitarian assistance and disaster recovery operations in the face of even the most destructive cyberattacks against critical infrastructure.
While the National Guard will lead these domestic crisis response efforts for the Defense Department, the backbone of U.S. armed forces cyber effort will have to include cyber support to conventional military campaigns. Unlike defend forward, which includes scoped counter-cyber activities that occur before violent conflict, these operations are designed to support the violent use of armed force in declared conventional campaigns. They therefore exist above a status quo threshold and focus not on U.S. critical infrastructure but, instead, on increasing the effectiveness of military power. The goal is to target adversary military and command-and-control capabilities through cyberattacks as well as intelligence and information sharing within the armed services and their allies.
Finally, undergirding all of these lines of effort is the strategic deterrence of cyberattacks that create large-scale and immediate violence to U.S. citizens or that threaten the viability of the U.S. nuclear arsenal. The question of how to achieve successful strategic deterrence was one of the largest problems for the previous strategies, which advocated for a more active (but undefined) defend forward while also seeking to restrain adversaries’ own cyberattacks. The solution to this is both a scoped defend forward and a tailored strategic deterrence, focusing only on the most violent and expansive cyberattacks against civilians or nuclear capabilities. With such a high bar for strategic deterrence of cyberattacks, the U.S. can rely on its highly capable conventional and nuclear capabilities to credibly threaten cross-domain punishment.