Published by The Lawfare Institute
in Cooperation With
The Defense Department’s two-page fact sheet summarizing the 2022 National Defense Strategy (NDS) provides notable insights from a cyberspace strategy perspective. Identifying campaigning as one way to advance Department of Defense goals is consistent with the lessons learned by employing the doctrine of persistent engagement for operating in and through cyberspace. Additionally, three of the NDS’s campaigning objectives—to gain advantages against the full range of competitors’ coercive actions, to undermine acute forms of competitor coercion and to complicate competitors’ military preparations—could be supported by persistent engagement. Further, although a fourth objective mentioned in the NDS fact sheet—resilience—is not listed as an objective of campaigning, persistent engagement has demonstrated that campaigning is critical to supporting anticipatory resilience in cyberspace, including ongoing efforts such as the use of hunt forward teams to inoculate the U.S. public and private sectors from malicious cyber activity. Overall, such cyber campaigns support integrated deterrence by undermining an opponent’s confidence that they will prevail in crisis or armed conflict. The forthcoming cyber strategy will be nested within the NDS, and the cyber strategy should be expected to support these same objectives. This post elaborates on each from a cyber strategy perspective and offers an additional objective unique to cyberspace—precluding exploitation and/or inhibiting the cumulation of strategic gains in and through cyberspace that can independently influence the international distribution of power.
The 2022 NDS fact sheet recognizes that for a comprehensive national strategy to achieve security across the full spectrum of strategic competition, it must include strategic approaches for (integrated) deterrence, defense/resilience, and an approach that embodies campaigning—which in cyberspace competition describes initiative persistence to “preclude, mitigate, and counter strategically consequential cyber action occurring continuously short of armed conflict.” Shortly after assuming command at U.S. Cyber Command, Gen. Paul Nakasone described the need for a “cyber persistence force,” rather than a “response force,” to address the cyber strategic campaigns short of armed conflict through which U.S. opponents are reaping strategic political, economic and military gains. Persistent engagement, Cyber Command’s doctrine, reflects an understanding that one-off cyber operations are unlikely to deter or defeat adversaries. Nakasone argues instead that U.S. cyber forces must compete with opponents on a recurring basis, making it far more difficult for them to advance their goals over time. Persistent campaigning that seizes and maintains the initiative in and through cyberspace is the primary way to achieve security in and through the same. The NDS’s focus on campaigning to ensure favorable conditions in strategic competition aligns well with the logic behind Cyber Command’s doctrine.
Targeting and Undermining Coercive Activities
Cyber campaigning can address the full range of an opponent’s coercive actions, including day-to-day strategic competition from states—China, Russia, Iran and North Korea—that employ coercive methods short of war. This includes “gray zone” challenges, which are characterized by ambiguity about the nature of the conflict, opacity of the parties involved, or uncertainty about the relevant policy and legal frameworks.
China’s gray zone tactics in the South China and East China seas involve military and nonmilitary coercion to achieve strategic goals without provoking armed conflict. The U.S. challenged China’s claim to an East China Sea air defense identification zone in 2013 with unannounced military sorties through it. In 2020, the USS America—a light aircraft carrier equipped with a handful of F-35 jets, helicopters and a contingent of U.S. Marines—patrolled near a Chinese maritime force that was trying to intimidate and disrupt Malaysia’s energy exploration activities and coerce Southeast Asian littoral states into accepting joint development with China. However, U.S. responses to China’s gray zone tactics need not be limited to the air and maritime domains. The extraordinary breadth of China’s activities presents opportunities for developing cyber campaigns that could disrupt ongoing coercive tactics or degrade the value or functionality of gains realized to-date in contested zones. Indeed, in recent testimony to the Senate Armed Services Committee, Nakasone acknowledged the formation of a “China Outcomes Group”—a joint Cyber Command and National Security Agency (NSA) task force—to ensure “proper focus, resourcing, planning, and operations” to counter Beijing’s rising global influence, coercive or otherwise.
In the cyber context, acute forms of competitor coercion referenced in the NDS fact sheet are akin to ransomware holding critical infrastructure at risk. U.S. Cyber Command, in a coordinated effort with the FBI and an unidentified third country, reportedly engaged in a limited campaign to disrupt the REvil ransomware group in November 2021. U.S. officials’ concerns about nations hosting ransomware groups and implicitly condoning their behaviors were well founded—recent revelations from analyses of a leaked cache of chat messages and files from the Conti ransomware group illustrated that they or their capabilities could be co-opted by states wanting to leverage them for political rather than monetary gain. U.S. Department of Homeland Security officials, for example, feared that a ransomware attack on U.S. state or local voter registration offices and related systems could disrupt preparations for the 2020 presidential election or cause confusion or long lines on Election Day. To preclude election disruption and interference, Cyber Command engaged in a campaign to temporarily disrupt what is described as the world’s largest botnet—Trickbot, which is a collection of more than 2 million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations. Additionally, Nakasone in recent testimony implied there is a similar ongoing campaign motivated by the current Russia-Ukraine conflict—“we’re very, very focused on ransomware actors … that might conduct attacks against our allies or our nation.”
Complicating Competitors’ Military Preparations
Cyber campaigns can complicate a competitor’s military preparations through supply chain infiltration, “left of missile launch” efforts, and disruption of military exercises. U.S. Cyber Command deployed “hunt forward” teams to Ukraine at the end of 2021 in anticipation of a Russian invasion. People familiar with the operation described an urgent hunt for dormant Russian malware that would be launched to support a military invasion. Reportedly, a hunt forward team and civilians discovered and mitigated a “wiperware” malware in the Ukrainian Railways capable of disabling computer networks by deleting critical files. In the first 10 days of the Russian invasion, nearly 1 million Ukrainian civilians escaped to safety on the rail network. Had the malware remained undiscovered, “it could have been catastrophic,” according to a Ukrainian official familiar with the issue. Thus, the limited campaign disrupted Russia’s military preparations for inducing post-invasion chaos among the population. By comparison, similar malware went undetected at the Ukraine-Romania border crossing of Siret during the first week of March, causing chaos as hundreds of thousands of Ukrainians sought to flee the country.
Cyber Command’s limited campaign to secure the 2018 U.S. midterm elections from Russian interference serves as another example of complicating an opponent’s preparations. Cyber Command reportedly took the initiative to exploit vulnerabilities in the cyber infrastructure of Russia’s Internet Research Agency (IRA) to constrain its ability to act against the U.S. 2018 elections. This reportedly resulted in IRA organizational friction and Russia shifting its focus and efforts toward defense, both of which served a U.S. strategic objective of taking Russia’s focus away from cyber-enabled information operations directed at U.S. elections.
Reporting on Cyber Command’s campaigns against Russian threats offers insights into possible cyber campaigns targeting the United States’ pacing threat—China. In response to a host nation’s request, Cyber Command could deploy hunt forward teams to support allies and partners subject to China’s coercive actions in or through cyberspace. Campaigns could, hypothetically, set conditions for effects in a Taiwan invasion scenario that complicate China’s abilities to track maritime assets. In 2019, for example, the U.S. reportedly targeted via a cyber operation a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf.
The key to the success of all of these actual and possible efforts is persistent campaigning, an approach that allows for opportunistic effects that preclude or inhibit opponents’ gains and advance U.S. interests.
Resilience Through Campaigning
The NDS fact sheet calls for the Department of Defense to increase resilience—an ability to withstand, fight through and recover quickly from disruption. Although not linked to campaigning per se, in cyberspace, campaigning to compete, deter and win requires continuous maneuvering against adversaries. This maneuvering reveals insights about adversary tactics, techniques and procedures that can be shared with interagency and industry partners (as well as allies and international partners) to proactively inoculate vulnerable assets from cyber exploitation, disruption and destruction. This anticipatory resilience leverages insights gained from intelligence, hunt forward, and contesting efforts against highly capable opponents to inform preclusion, preparation, mitigation, response and recovery. Examples of limited Cyber Command campaigns include hunt forward operations in Montenegro to improve American cyber defenses ahead of the 2020 elections and current activities to inoculate U.S. and allies’ systems from Russian cyber actors and/or any proxies supporting its war against Ukraine.
Since July 2019, numerous joint advisories and alerts supported by cyber campaigning have been published by the U.S. government. In early July 2019, Cyber Command and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) coordinated on a limited-disclosure advisory with Cyber Command posting on Twitter that a threat group was actively using a Microsoft Outlook vulnerability previously leveraged by an Iran-linked malware campaign, and CISA sharing an associated Traffic Light Protocol (TLP): Amber-designated advisory with industry. On Feb. 14, 2020, CISA, the FBI, and Cyber Command’s Cyber National Mission Force (CNMF) identified Trojan malware variants used by the North Korean government through six “unlimited disclosure” malware analysis reports (MARs) in an effort to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” On Oct. 29, 2020, CISA, the FBI, and the CNMF co-authored a TLP: White-designated MARs of Zebrocy, malware associated with Russia’s Turla advanced persistent threat group.
Precluding and/or Inhibiting Exploitation
The NDS fact sheet focuses on adversary coercive activities. In cyberspace, these are necessarily preceded by cyber exploitation activities that are also independently consequential for cumulating strategic gains. Cyber exploitation is much more than an intelligence contest. It is a strategic competition with states acting unilaterally—rather than interacting—to gain an advantage by making use of another’s cyberspace vulnerabilities.
It is primarily through exploitation, not coercion, that states are harming U.S. national security interests in and through cyberspace. China’s cyber-enabled intellectual property theft has led to a loss of U.S military overmatch in important areas. North Korea has circumvented sanctions and continued to advance its ballistic missile and nuclear programs with illicit cyber-enabled acquisition of international currencies. Russia’s ubiquitous cyber-enabled efforts to stress-test alliances and erode confidence in democratic institutions continues largely unabated. And Iran continues to use cyber operations to challenge U.S. allies and partners in the Middle East region. This exploitation-based cyber reality must be addressed in the Defense Department’s forthcoming cyber strategy. Campaigning to preclude exploitation and/or inhibit the cumulation of strategic gains should accompany the department’s other campaigning objectives.
The NDS fact sheet makes clear that campaigning is important for achieving security across the full spectrum of strategic competition and supporting integrated deterrence. In cyberspace, it is the essential way, and so the fact sheet’s discussion of campaigning and the objectives it intends to support offer a strong, albeit incomplete, outline for the forthcoming Department of Defense cyber strategy. Given that exploitation must necessarily precede coercion in and through cyberspace, the strategy should prioritize efforts toward precluding the former to limit the number of times the Defense Department must contest the latter. The forthcoming strategy should consider other questions such as which campaigns should be limited and event based (such as helping to ensure the security of U.S. elections) and which must be enduring because they are threat based (like helping to secure intellectual property to prevent loss of overmatch, precluding or disrupting opportunities for states to circumvent sanctions, and enabling anticipatory resilience). Persistent campaigning in and through cyberspace could also increase the stability of the cyber strategic competition by helping to cultivate norms of acceptable and unacceptable behavior. Based on the content of the NDS fact sheet, the NDS promises to offer a strong operational framework for addressing these Defense Department cyber strategy issues.