
The Pentagon’s New Cyber Strategy: Defend Forward

Dave Weinstein
Friday, September 21, 2018, 11:40 AM


Published by The Lawfare Institute

Last month, the Wall Street Journal reported that the Trump administration is taking an “offensive step forward” when it comes to cyberspace operations. The Defense Department’s summary of its 2018 Cyber Strategy, published this week (and not to be confused with the White House’s National Cyber Strategy), bears that reporting out. The strategy’s role in formulating this “offensive step” is particularly clear in its coining of a new doctrinal concept: the notion of “defend forward.”

Much of the document will be familiar to those who have followed the Defense Department’s cyber strategy over time. This text is yet more evidence of the department’s ongoing adaptation to cyberspace as a fifth operational domain, and the notion of integrating cyberspace operations with the Joint Force—Army, Navy, Air Force, Marines and Coast Guard—is a consistent theme throughout the summary. Such integration is critical to maximizing and harmonizing the military’s physical and virtual force projection potential. Likewise, it is necessary for maintaining operational agility in all domains during both peace and wartime, as well as establishing a deterrence regime commensurate with twenty-first century standards.

This commitment to integrating cyberspace operations with sea, air and naval assets animated the Pentagon’s recent activation of 133 Cyber Mission Teams to support each of the services in the digital domain. The department has recently concluded a Cyber Posture Review, which likely revealed that cyberspace operations are far more valuable when coupled with other elements of national power than when employed in isolation.

The Cyber Strategy’s introductory paragraphs also emphasize that the U.S. will “focus ... on the States…particularly China and Russia,” and “conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict.” While critically important, these points hardly come as a surprise. China and Russia have long been labeled the United States’ top adversaries in cyberspace, and U.S. Cyber Command was recently elevated to Unified Combatant Command status in large part to prepare for contingencies in this domain.

But one line in particular stands out. It reads, “We will defend forward to disrupt or halt malicious cyber activity at its source…” This is not the only use of the term: “Defend forward” is mentioned four times throughout the document and described in the corresponding fact sheet as “confronting threats before they reach U.S. networks.”

Translating the language of cyberspace operations to policy and strategy is not a trivial task—nor is reverse engineering it. Perhaps the best way to think about this new doctrinal concept is in relation to similar language used by the Defense Department across domains. “Active defense,” or “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy,” was heretofore the department’s vernacular of choice for navigating the murky space between defense and offense. “Defend forward,” by comparison, can only be construed as active defense plus. It connotes greater geographic latitude with lower limitations on offensive parameters. Whereas active cyber defense, according to the Defense Department’s 2011 Strategy for Operating in Cyberspace, consisted of intrusion prevention at the perimeter and “defeat[ing] adversary activities on DoD networks and systems,” defend forward implies the conduct of operations on non-U.S. networks to “stop threats before they reach their targets.” This posture would mark a clear shift in the military’s strategy outlined by the now-superseded Defense Department Cyber Strategy from April 2015.

There are many outstanding questions about this approach—namely how, when and where the department will defend forward. I’ll offer a few thoughts on each.

How: Any defend forward operations must be highly targeted with a strong bias for limited to no collateral effects. The United States does not want to be responsible for the next NotPetya, an attack that started as a targeted Russian operation against Ukraine and quickly ballooned into a global campaign costing billions of dollars in damages. Not only would this outcome hurt America’s diplomatic standing, but it would also damage international efforts to establish and enforce norms for behavior in cyberspace.

The effectiveness of any defend forward strategy must account for two variables: first, the duration of denial, disruption, or degradation to the adversary’s objective, and second, the deterrence value. In theory, the correlation between collateral effects acceptance—or the willingness to risk cascading or unintended outcomes—and both of these measures of effectiveness should be a positive one.

When: Equally important as how America defends forward is the circumstances under which that defense takes place. The strategy document states that this concept applies to malicious cyber activity that “falls below the level of armed conflict.” This is an important principle: the United States simply cannot allow the current levels of sub-armed conflict in cyberspace to persist unmitigated. On the other hand, the Defense Department risks setting a dangerous and long-lasting precedent if the rules of engagement are too relaxed, granting adversarial states license to operate with impunity against the United States and others. The first consideration for when to defend forward should be focused on the possible consequences of not doing so. The imminence of the threat—or the lack of imminence—is critically important, which is why reliable, real-time and high-confidence intelligence in the form of indications and warnings will be crucial. This assessment must then be analyzed in the context of the aforementioned measures of effectiveness.

Where: Perhaps the most prickly question involves the physical location of the “forward” in “defend forward”—that is, where is the source at which the defense is aimed? Cyber attackers distribute their infrastructure all over the world in order to preserve anonymity and increase ambiguity. So how will the U.S. “disrupt or halt malicious cyber activity at its source” if the source is located in a country that is friendly or allied with the United States? Likewise, what if the source is located in a country that is adversarial to the United States? The former scenario could result in diplomatic backlash, while the latter could potentially lead to military escalation.

There is no easy answer to this problem. Building a norm on the matter will take a coalition of nations and industry stakeholders with progressive values on Internet governance and digital sovereignty. In this respect we cannot continue to think about borders and territory solely in the context of lines on a map. The ideal result would be a framework mapping a spectrum of defend forward activities—each point on the spectrum mapped out with corresponding collateral effects and measures of effectiveness—and a broad range of qualifying scenarios for considering the employment of said activities. This exercise would help build confidence before the United States pursues bilateral or multilateral agreements with friendly and allied countries governing defend forward activities.

At this point defend forward remains a vague concept, but suffice it to say that the administration is—purposely or not—provoking a strategic dialogue on digital sovereignty and nations’ right to self-defense in cyberspace. The United States must not lose sight, however, of the ultimate goal: deterrence. In this respect, ambiguity only increases the prospect for miscalculation and misunderstanding. Transparency, on the other hand, breeds credibility.

Dave Weinstein is the Vice President of Threat Research at Claroty, Inc., a Cybersecurity Policy Fellow at New America, and a Visiting Fellow at George Mason University's National Security Institute. Prior to joining Claroty he served as the Chief Technology Officer of New Jersey and formerly served as a senior civilian at U.S. Cyber Command. Dave holds degrees from Johns Hopkins University and Georgetown University’s School of Foreign Service.
