SolarWinds Is Bad, but Retreat From Defend Forward Would Be Worse

Gary Corn
Thursday, January 14, 2021, 11:01 AM

Russia launched SolarWinds—the latest in a long series of hostile Russian cyber operations—not because the U.S. has engaged too proactively in cyberspace. Quite the opposite; it did so, very simply, because it could.

Cyber Command sailors stand watch in the Fleet Operations Center. (U.S. Navy photo by Samuel Souvannason)

Published by The Lawfare Institute

The SolarWinds breach has kicked up a lot of dust. It’s thick, obscuring and deeply concerning. It’s also a long way from settling. But that hasn’t slowed the quick and steady drumbeat of postmortems declaring the shortcomings or outright failures of one aspect or another of the United States’s cybersecurity strategy and posture. To some degree this is understandable. In-crisis autopsies are not unusual in the cybersecurity business, and time is not an affordable luxury amid a massive breach. Some mitigation measures simply can’t wait. And as SolarWinds no doubt demonstrates, real cybersecurity continues to elude the nation.

But a number of these critiques have taken an opportunistic aim specifically at the Department of Defense’s 2018 Cyber Strategy, singling out as SolarWinds scapegoats two relatively nascent operational approaches that ground the Defense Department strategy: defend forward and persistent engagement.

Not surprisingly, these critiques have been picked up and amplified in press reporting. These overly precipitous reactions, especially at a time of limited information, are not only unhelpful but also potentially harmful. They come in the midst of a presidential transition and open the possibility that the incoming administration will feel pressure to heed these calls. This would mean curtailing the Defense Department’s use of out-of-network defensive cyber operations and a return to the failed policy of restraint that prevailed in the Obama and prior administrations. This would be a mistake.

To be clear, SolarWinds is bad. As former homeland security adviser Tom Bossert has stated, “[T]he magnitude of this ongoing attack is hard to overstate.” Based on initial indications, it appears the U.S. was significantly out-maneuvered by a strategic adversary. The Russian Federation’s Foreign Intelligence Service, or SVR, has its fingerprints seemingly all over the operation. If nothing else, SolarWinds appears to constitute a major intelligence coup that has compromised a yet-to-be determined but likely large amount of sensitive data. This breach also puts physical and technical infrastructure at risk across the government and private sectors. And while at this stage the facts point to SolarWinds being a broad and sweeping espionage operation, the accesses it generated constitute serious and ongoing vulnerabilities that Russia could potentially leverage for disruptive effect. SolarWinds is another stark reminder that the U.S. remains unacceptably vulnerable to hostile cyber operations and that significant work remains to achieve anything close to an acceptable level of national cybersecurity. It also underscores the strategic reality that threats of retaliation alone do not deter the nation’s adversaries. Their malicious cyber campaigns are constant and unrelenting, and the U.S. cannot simply firewall its way out of this problem.

But this doesn’t prove the failure of the current cyber strategy. Rather, it was precisely in recognition of these realities that the Defense Department devised its current strategy. In 2018 the department adopted a major shift in strategic thinking about cyberspace. Confronting the long-term strategic risk posed by adversaries’ active cyber campaigns requires proactive, not reactive measures. A key element of this proactive posture is the concept of what has come to be called “defend forward”—the use of Defense Department cyber capabilities during day-to-day competition to disrupt or halt malicious cyber activity at or as close as practicable to its source. That is, the 2018 Cyber Strategy embraced out-of-network cyber operations as one means among many to counter adversaries’ malicious cyber campaigns. Gen. Paul Nakasone, the commander of U.S. Cyber Command, also introduced the distinct but related framework of “persistent engagement” as the anchor to his vision for implementing the department’s broader strategy.

So, yes, SolarWinds obviously demands a coordinated, all-hands response to fully assess and mitigate the damage and continuing risk. And of course, as the facts emerge, appropriate lessons should be drawn on how best to adapt to the evolving cyber threat generally, and to respond to Russia’s aggressive move specifically. Having said that, those who cite the 2018 Cyber Strategy as having failed to deter, let alone having somehow precipitated, SolarWinds fundamentally misapprehend the strategy, its antecedents and the logic underlying defend forward and persistent engagement. Russia launched SolarWinds—the latest in a long series of hostile Russian cyber operations—not because the U.S. has engaged too proactively in cyberspace. Quite the opposite; it did so, very simply, because it could.

Although the public record is thin, defend forward thus far appears to have been implemented only on a limited basis. The Defense Department has acknowledged Cyber Command’s operations in defense of the 2018 and 2020 elections, including reportedly successful actions to disrupt Russian interference efforts. However, notwithstanding defend forward’s embryonic track record, a number of commentators have quickly questioned the efficacy of defending forward or cited SolarWinds as evidence of its failure. These critiques generally coalesce around the following assertions: Defend forward failed as a deterrence strategy, Cyber Command failed to either detect or disrupt SolarWinds, and this emphasis on offense has come at the sacrifice of defense. Unfortunately, these claims rest on flawed premises.

What Do Defend Forward and Persistent Engagement Actually Mean?

As an initial matter, it is important to clarify what defend forward and persistent engagement are and are not. Despite frequent misdescription, even within the Defense Department, neither is a strategy in the strict sense nor should they be judged as such. Neither seeks to match ways and means to achieve stated ends. Defend forward is a key element of the Defense Department’s strategy, one way among many applied, when authorized, to achieve the department’s specified cyberspace objectives. In contrast, persistent engagement is broader than defend forward and serves a distinct purpose. It is an operational mindset, a commander’s philosophy or doctrine that emphasizes proaction over reaction. Persistent engagement is intended to drive the Defense Department’s Cyber Mission Force to seize and maintain initiative across all aspects of the command’s assigned mission in order to out-compete the nation’s adversaries. That is why Nakasone talks not only of persistence in contesting adversary operations but also of enabling Cyber Command’s partners and accelerating innovation. In the hyperdynamic, high-threat environment of cyberspace, complacency is tantamount to defeat.

Neither defend forward nor persistent engagement is intended to be a mode of deterrence. At best, they might serve deterrence ends but only secondarily. Measuring them against a deterrence yardstick misses the point. The limits of deterrence in the cyber realm are similar to other strategic threats such as terrorism and espionage, where the ability to deter adversary actions is limited or ineffective. Defend forward is meant to proactively contest, disrupt and degrade cyber aggression at or as close as practicable to its source before it reaches U.S., allied and partner networks. It takes as a given adversary persistence and entrenched will and is, therefore, aimed principally at disruption, not dissuasion.

In a word, “defend forward” is a synonym for “counter cyber operations.” It was incorporated as a foundational component of the 2018 Cyber Strategy precisely because of the experiential recognition that years of applying inapt deterrence theories to the unique environment of cyberspace had failed. The failed theories focused on restraint and on threatened, but not actual consequences.

Rather than deter hostile adversary cyber operations, the policy of restraint encouraged them. The increasing number of disruptive, let alone exploitative adversary operations that have occurred over the past decade are well documented and probative. Given the physical, virtual and normative structure of cyberspace, the strategic incentives for adversaries to engage in hostile cyber operations—at least those not clearly crossing the use-of-force threshold—so significantly outweigh the disincentives that traditional deterrence models hold little to no sway. SolarWinds is simply another case in point.

That is not to say that defend forward and persistent engagement cannot contribute to deterrence, but it is not their primary purpose. With its endorsement of defend forward, the Cyberspace Solarium Commission recognized the strategic imperative to actively “counter adversaries’ use of cyber operations” as a necessary means of enhancing the nation’s overall security posture and achieving defense in depth. Although mistakenly couching the approach in the language of cost imposition, the commission seems to have understood the relationships among active counter cyber operations, defense, and the deterrence concept of benefit denial. As one expert notes, “[D]eterrence and defense are analytically distinct but thoroughly interrelated in practice.” Belying this understanding is the recent claim by Benjamin Jensen, Brandon Valeriano, and Mark Montgomery—three senior members of the commission—that persistent engagement has failed to impose sufficient costs on the Russians to alter their decision calculus.

Defend forward was never intended to serve as a credible threat of cost imposition—one side of a traditional deterrence framework. Deterrence by cost imposition, or punishment, relies on the credible threat of severe penalties if an attack occurs. That is decidedly not what defend forward is about. To the extent that defend forward contributes to deterrence, it does so incidentally by improving overall defense, reducing the likelihood of adversary operational success, and thereby constraining the adversary’s strategic options and resetting its benefit calculus. As Nakasone has said, defend forward and persistent engagement serve to “mak[e] it far more difficult for [the nation’s adversaries] to advance their goals over time.” That is, to the extent that defend forward serves deterrence purposes, it is at most a form of proactive benefit denial but certainly not the sole or primary means. But unlike the inchoate threat of cost imposition, defend forward’s contribution to deterrence depends on more, not less disruption. Those who allege that defend forward failed to deter the Russians are putting forth a straw man, wittingly or not.

The Mistake of Blaming SolarWinds on Defend Forward and Persistent Engagement

The Cyberspace Solarium Commission’s recommendation to incorporate forward defense, that is, out-of-network defensive cyber operations, as a foundational component of national, as opposed to just Defense strategy, is sound and should not be ignored. As the commission also recognized, defend forward is just one component of its broader call for holistic reforms to achieve layered defense. If there is a deterrence indictment to be leveled here, naming defend forward or persistent engagement as the accused is mislaid. Countless studies, including the commission’s report, have pointed out the multiple facets and layers of underresourced and poorly coordinated cybersecurity capabilities, frameworks and efforts that contribute to an insecure environment in which Russian actors can virtually waltz through the back door undetected. There is plenty of blame to spread around and reforms are needed, but abandoning proactive disruption operations will not contribute to deterring the next SolarWinds when it comes.

Laying blame at the feet of defend forward and persistent engagement also misapprehends how these operational constructs have been implemented to this point. The criticisms presume incorrectly that defend forward and persistent engagement translate into the Defense Department’s having the authority and capacity to be everywhere in cyberspace at all times. As noted, these concepts were introduced at the level of strategy and command vision. They do not constitute the Defense Department’s self-written blank check to operate at will. Like all department operations, whether, when, where and against what the Defense Department takes action must ultimately trace back to direction from the president. And of course, even where operational authority exists, it is always fettered by myriad factors, not the least of which is operational capacity. So those who portray SolarWinds as a failure of defend forward either to discover the Russian operation or, if known, to disrupt it, assume much without actual knowledge.

First, although Cyber Command may have some authority and capacity to detect potential cyber threats, it is not an intelligence organization. It is deeply dependent on its partners in the intelligence community to provide substantial pieces of the intelligence necessary to counter emerging and ongoing cyber threats. Whether SolarWinds points to an intelligence gap is a fair question that will surely get the consideration it is due. But neither defend forward nor persistent engagement was ever billed as a means for achieving ubiquitous surveillance and complete knowledge of all adversary cyber threats. That would be an obvious and imprudent over-promise.

The criticism of SolarWinds as a failure of defend forward also ignores the uncomfortable fact that the Russian government, by operating on U.S. domestic infrastructure, exploited a legally imposed blind spot in the intelligence picture. Law and policy strictly limit the government’s ability to surveil domestic cyberspace, and public-private cooperation has yet to effectively fill this gap. That is a separate and difficult discussion, but it is not a feature or flaw of defend forward. The U.S. must do better in this regard, but leveling inapt and premature accusations against defend forward or persistent engagement is not a fruitful path to success. Ensuring that intelligence authorities, resources and priorities are sufficiently aligned to support operational success is such a path, as is greater persistence in building partnerships across the intelligence community and beyond.

As for allegations that Cyber Command failed to defend forward in this instance, the charge presumes without public evidence that, among other things, the Defense Department and Cyber Command were provisioned with the authority to disrupt SolarWinds. It is true that since 2018, when the defend forward and persistent engagement concepts were introduced, significant changes in law and policy have laid the foundation for the Defense Department to engage in out-of-network cyber operations that are critical to forward defense. These were hard-fought changes, and it would be a mistake to roll them back reflexively. There are plenty of legacy items the incoming Biden administration will need to undo or fix, but National Security Presidential Memorandum 13, which governs offensive cyber operations, is not one of them.

That is not to say, however, that the current legal and policy framework gives the Defense Department carte blanche. To the contrary, the department’s cyber mission authorities are limited and circumscribed. For example, Nakasone has been clear that election security, in both 2018 and 2020, was a high-priority mission assigned to Cyber Command, and by all accounts its coordinated operations were successful in disrupting Russian and others’ efforts at interference. Those are successes to be built on, not withdrawn from. But there is nothing in the public record to indicate whether Cyber Command also had or has mission authorities that would have positioned it to disrupt Russia’s SolarWinds campaign. Time may shed light on that question, but at this point it is at least as likely that more out-of-network defensive cyber operations were called for here, not less.

Relatedly, the assertion that defend forward, let alone active cyber intelligence collection, prioritizes offense at the expense of defense rests on a false zero-sum dichotomy. Setting aside the fact that the National Security Agency and Cyber Command are resourced for important missions beyond cybersecurity, effective network defense rests on and functions in tandem with good intelligence. And as noted, defend forward proactively contributes to overall defense in depth. These are all pieces of a whole, not trade-offs. The Defense Department has recognized this for some time and made substantial investment in all aspects of this triad. Few will argue that national cybersecurity has been adequately resourced overall, and the current investment strategies deserve a hard look. But budgetary fratricide is not a winning approach.

Finally, the calls to sideline defend forward in favor of a return to the age of restraint rest on the faultiest premise of all: that adversaries such as Russia will take their cues from U.S. moderation and abandon their exploitative and disruptive use of cyber capabilities against us. That is simply wishful thinking, Pollyannaish and counter-historical at best. There is no sound reason to believe that Russia, China or other cyber threat actors will abjure the use of a strategically lucrative capability unless and until they conclude that the juice just isn’t worth the squeeze. Much is needed to alter that mindset, but withdrawing the United States’s pickets behind the ramparts in a reactive crouch is not the answer. The nation tried that and it failed.

Forward defense need not and should not operate to the exclusion of or inconsistently with needed efforts to establish and strengthen normative frameworks or possibly even to achieve some level of cyber détente. But the current environment is not conducive to such efforts succeeding in a vacuum. For now, the U.S. needs to deploy more, not fewer, pickets with the authority and capacity to discover and disrupt hostile cyber operations at scale.

Defend forward and persistent engagement are not cure-alls. They are components of an overdue shift to a more proactive defensive and competitive security posture in cyberspace. As such, defend forward operations must be applied judiciously and in concert with other strategic efforts. This will help to allow the U.S. to out-compete adversaries in the competitive space outside of traditional armed conflict. Now is not a time to overreact in either direction. As bad as SolarWinds is, it does not amount to the too-frequently invoked “act of cyber war.” So to twist an adage, care should be taken not to bring a gun to a knife fight. But policymakers better at least recognize that adversaries are slashing at the U.S. every day with sharp instruments, and they must respond accordingly. President-elect Biden seems to recognize this, stating in response to the SolarWinds breach that “a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.” Let’s hope he sticks to his guns.

Gary Corn is the director of the Technology, Law & Security Program and adjunct professor of cyber and national security law at American University Washington College of Law; a senior fellow in national security and cybersecurity at the R Street Institute; a member of the editorial board of the Georgetown Journal of National Security Law and Policy, and the founder and principal of Jus Novus Consulting, LLC. A retired U.S. Army colonel, Corn previously served as the staff judge advocate to U.S. Cyber Command, as a deputy legal counsel to the chairman of the Joint Chiefs of Staff, the operational law branch chief in the Office of the Judge Advocate General of the Army, the staff judge advocate to United States Army South, on detail as a special assistant United States attorney with the United States Attorney’s Office for the District of Columbia, and on deployment to the former Yugoslav republic of Macedonia as part of the United Nations Preventive Deployment Force and as the chief of International Law for Combined Forces Command, Afghanistan.