The Pentagon’s New Cyber Strategy

The increased use of cyberattacks as a political instrument reflects a dangerous trend in international relations. Vulnerable data systems present state and non-state actors with an enticing opportunity to strike the United States and its interests. During a conflict, the Defense Department assumes that a potential adversary will seek to target U.S. or allied critical infrastructure and military networks to gain a strategic advantage. Beyond the attacks described above, a sophisticated actor could target an industrial control system (ICS) on a public utility to affect public safety, or enter a network to manipulate health records to affect an individual’s well-being. A disruptive, manipulative, or destructive cyberattack could present a significant risk to U.S. economic and national security if lives are lost, property destroyed, policy objectives harmed, or economic interests affected.

Leaders must take steps to mitigate cyber risks. Governments, companies, and organizations must carefully prioritize the systems and data that they need to protect, assess risks and hazards, and make prudent investments in cyber security and cyber defense capabilities to achieve their security goals and objectives. Behind these defense investments, organizations of every kind must build business continuity plans and be ready to operate in a degraded cyber environment where access to networks and data is uncertain. To mitigate risks in cyberspace requires a comprehensive strategy to counter and if necessary withstand disruptive and destructive attacks….

Building alliances, coalitions, and partnerships abroad. The Defense Department engages in a broad array of activities to improve cybersecurity and cyber operations capacity abroad. DoD helps U.S. allies and partners to understand the cyber threats they face and to build the cyber capabilities necessary to defend their networks and data. Allies and partners also often have complementary capabilities that can augment those of the United States, and the United States seeks to build strong alliances and coalitions to counter potential adversaries’ cyber activities. Strategically, a unified coalition sends a message that the United States and its allies and partners are aligned in collective defense. In addition to the Five Eyes treaty partners, DoD works closely with key partners in the Middle East, the Asia-Pacific, and Europe to understand the cybersecurity environment and build cyber defense capacity….

The Defense Department has three primary cyber missions. First, DoD must defend its own networks, systems, and information. The U.S. military’s dependence on cyberspace for its operations led the Secretary of Defense in 2011 to declare cyberspace as an operational domain for purposes of organizing, training, and equipping U.S. military forces. The Defense Department must be able to secure its own networks against attack and recover quickly if security measures fail. To this end, DoD conducts network defense operations on an ongoing basis to securely operate the Department of Defense Information Network (DoDIN). If and when DoD detects indications of hostile activity within its networks, DoD has quick-response capabilities to close or mitigate vulnerabilities and secure its networks and systems. Network defense operations on DoD networks constitute the vast majority of DoD’s operations in cyberspace.

In addition to defense investments, DoD must prepare and be ready to operate in an environment where access to cyberspace is contested. During the Cold War, forces prepared to operate in an environment where access to communications could be interrupted by the adversary’s advanced capabilities, to include the potential use of an electromagnetic pulse that could disrupt satellite and other global communications capabilities. Commanders conducted periodic exercises that required their teams to operate without access to communications systems. Through years of practice and exercise, a culture of resilience took root in the military and units were ready and prepared to operate in contested environments….

For its second mission, DoD must be prepared to defend the United States and its interests against cyberattacks of significant consequence. While cyberattacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team, significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States. If directed by the President or the Secretary of Defense, the U.S. military may conduct cyber operations to counter an imminent or on-going attack against the U.S. homeland or U.S. interests in cyberspace. The purpose of such a defensive measure is to blunt an attack and prevent the destruction of property or the loss of life. DoD seeks to synchronize its capabilities with other government agencies to develop a range of options and methods for disrupting cyberattacks of significant consequence before they can have an impact, to include law enforcement, intelligence, and diplomatic tools. As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation….

Third, if directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans. There may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains….

Among DoD’s cyber personnel and forces, the Cyber Mission Force (CMF) has a unique role within the Department. In 2012, DoD began to build a CMF to carry out DoD’s cyber missions. Once fully operational, the CMF will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components. The Cyber Mission Force represents a major investment by the Department of Defense and the United States as a whole, and a central aim of this strategy is to set specific goals and objectives to guide the development of the Cyber Mission Force and DoD’s wider cyber workforce to protect and defend U.S. national interests.

The Cyber Mission Force will be comprised of cyber operators organized into 133 teams, primarily aligned as follows: Cyber Protection Forces will augment traditional defensive measures and defend priority DoD networks and systems against priority threats; National Mission Forces and their associated support teams will defend the United States and its interests against cyberattacks of significant consequence; and Combat Mission Forces and their associated support teams will support combatant commands by generating integrated cyberspace effects in support of operational plans and contingency operations. Combatant commands integrate Combat Mission Forces and Cyber Protection Teams into plans and operations and employ them in cyberspace, while the National Mission Force operates under the Commander of USCYBERCOM. Outside of this construct, teams can also be used to support other missions as required by the Department….

Specific risks and opportunities inform this new strategy. For example, DoD’s own network is a patchwork of thousands of networks across the globe, and DoD lacks the visibility and organizational structure required to defend its diffuse networks effectively. The Defense Department must further develop adequate warning intelligence of adversary intentions and capabilities for conducting destructive and disruptive cyberattacks against DoD and the United States. Beyond its own networks, DoD relies on civil critical infrastructure across the United States and overseas for its operations, yet the cybersecurity of such critical infrastructure is uncertain.

To mitigate these and other risks and improve U.S. national security, this strategy sets strategic goals for the Department to achieve, and prescribes objectives and metrics for meeting each goal. All of the goals and objectives within this strategy reflect the goals of the 2015 United States National Security Strategy and the 2014 Quadrennial Defense Review.

DoD sets five strategic goals for its cyberspace missions:
1.  Build and maintain ready forces and capabilities to conduct cyberspace operations;
2.  Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
3.  Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
4.  Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
5.  Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Excerpts from The Department of Defense Cyber Strategy, April 2015.

Image: DoD Cyber Strategy (graphic: Department of Defense)