The Department of Defense’s new cyber strategy (known as “Cyber 3.0” in the Pentagon) is being released this afternoon, and many cyber security professionals who read it may be disappointed that it does not say more. While there is some validity to that concern, the strategy does cover important new ground on the most pressing needs, such as partnering with the private sector and other nations, improving the workforce, and making a stand on defense.
The DoD has been working on far more than is in this document, which is not so much a strategy as a focus on five interrelated strategic initiatives. These are discussed below, along with some of the key strengths and weaknesses of this latest addition to the administration’s growing cyber canon.
The five strategic initiatives, or what DoD is calling the Five Pillars, should be no surprise to DoD watchers. This has been a long windup to an underarm throw, as the Pillars are essentially unchanged from what Deputy Secretary of Defense Lynn published last year in Foreign Affairs:
First Pillar: The DoD will “treat cyberspace as an operational domain to organize, train, and equip so that DoD can take advantage of cyberspace’s potential.” The showcase task in this effort has been the standup of Cyber Command and assignment of component Service forces, with accompanying command and control. As Lynn put it, they are moving from a “loose confederation of joint task forces” to a more consolidated chain of command. DoD is treating cyberspace both as unique, requiring a central command to coordinate operations, and as normal, integrated into traditional DoD operations and processes.
Second Pillar: The Department will “employ new defense operating concepts,” especially good “cyber hygiene” of safe practices along with more advanced “active defense.” Active defense, according to Lynn, is “made possible by consolidating the Defense Department’s collective cyberdefense capabilities under a single roof and by linking them with the signals intelligence needed to anticipate intrusions and attacks.” DoD officials have, in private, said this does not include capabilities to reach outside of their own perimeter to shut down malicious sites. “Active defense” here seems to mean only actions taken within their own network, though this is not made clear in the new Strategy.
DoD officials have also stressed the need to “operate through” untrusted networks, understanding they may never be able to perfectly protect their systems. This is an important revelation, but another point that is poorly reflected in the Strategy.
Third Pillar: The Department will partner with other departments in the US government and the private sector. Though private sector partnerships will generally have the Department of Homeland Security in the lead, DoD must also participate—and sometimes lead. Accordingly, this pillar is a commitment to continue existing efforts, such as the DIB Cyber Pilot and Enduring Security Framework, and hopefully to start additional such pilots. Lynn said in his article, “The best-laid plans for defending military networks will matter little if civilian infrastructure—which could be directly targeted in a military conflict or held hostage and used as a bargaining chip against the US government—is not secure.”
Fourth Pillar: DoD “will build on robust relationships with US Allies and international partners to strengthen collective cybersecurity.” In the words of Lynn, “Just as the United States’ air and space defenses are linked with those of allies to provide warning of an attack from the sky, so, too, can the United States and its allies cooperatively monitor computer networks for intrusions”.
This pillar is rooted in strengthening the existing relations with traditional military allies, such as the “five eyes” countries of the United Kingdom, Canada, Australia, New Zealand, and the United States. Of course, the DoD has been involved in other discussions, such as with Russia, but these are not the focus.
Fifth Pillar: The Department will “leverage the nation’s ingenuity through an exceptional workforce and rapid technological innovation”. In his article last year, Lynn bemoaned the acquisition process as it “takes the Pentagon 81 months to make a new computer system operational once it is first funded. The iPhone was developed in just 24 months.” Accordingly, it seems the DoD is always lagging both the private sector and the Department’s many adversaries in cyberspace, a problem made worse by the lack of sufficient trained cyber professionals.
This Strategy has many strengths:
- It brings high-level attention to cyber issues, particularly important as many cyber-savvy senior leaders (especially Lynn and Deputy Assistant Secretary for Cyber Policy Butler) are leaving the Pentagon.
- Also, the Strategy covers generally worthwhile topics. There are no major missteps here.
- DoD has finally issued a major document on cyberspace that focuses on productive, defensive steps. Past strategies pounded the war drums by seeking “dominance” of cyberspace and overemphasized the offensive side of cyber operations. Many countries, both friendly and not, are convinced the United States wants war, and not peace, in cyberspace. Together with the recent White House International Strategy for Cyberspace, this document helps to redress that balance.
However, the Strategy also misses some important points.
- The “strategic initiatives” are five solid proposals but do not tackle the fact that the system is “highly complex and tightly coupled”. These problems might need more radical solutions, since many cannot be solved piecemeal or serially: they must be solved simultaneously. For example, the Department wants to rapidly prototype and deploy systems, get control of its supply chain, and have a workforce that is well trained on a known baseline of systems. These are in many ways conflicting goals, especially with the existing bureaucratic processes, and the Strategy falls short of squaring that circle.
- The Department will need to move beyond the low-hanging fruit of working with like-minded allies and more fully engage the larger international community. Greg Rattray suggests working with a handful of influential countries in each major region, such as Brazil, Kenya and South Africa, and Japan and South Korea, to more fully engage the world.
- Surprisingly, the new Strategy says little about deterrence and declaratory policies, both of which featured heavily in the International Strategy from the White House. The DoD is working hard on these issues but, as they do not fit neatly in the Five Pillars, they do not appear in this Strategy.
The Department has had a long history working cyber issues, and this Strategy reflects some, but not nearly all, of its past or current efforts. Still, it is thought out and will be a good roadmap for the DoD’s future efforts.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.