Cyber effects alone have proved to be ineffective deterrents of malicious activity, according to the Department of Defense’s new cyber strategy.
The Pentagon on Tuesday released an unclassified summary of its 2023 cyber strategy, the first update since 2018. A fact sheet about the document was previously unveiled in May when the blueprint was delivered to Congress.
One of the key developments since the 2018 iteration was rolled out is the observation of real-world military cyber operations, both by the United States — mainly U.S. Cyber Command — and throughout the Russia-Ukraine conflict.
The 2018 strategy first articulated the concept of “defend forward,” which involves the Pentagon’s digital warriors operating on networks outside the United States in order to confront threats before they ever reach domestic networks — which Cybercom achieves through persistent engagement, or challenging adversary activities daily and wherever they operate.
However, prior to 2018, the DOD conducted a surprisingly limited number of actual cyber ops. This was a key driver of the development of the persistent engagement concept, which sources have described as a remedy for what was previously too strong a bias toward inaction. Following new authorities from the executive branch and Congress, Cybercom was able to operate more frequently in cyberspace and gain more experience.
“The 2023 DoD Cyber Strategy is grounded in real-world experience. Since 2018, the Department has conducted a significant number of cyberspace operations through its policy of defending forward, actively disrupting malicious cyber activity before it can affect the U.S. Homeland,” the strategy states. “This strategy is further informed by Russia’s 2022 war on Ukraine, which has seen a significant use of cyber capabilities during armed conflict. In this saturated cyber battlefield, military operations conducted by states and non-state proxies have collided with the cyber defense efforts of numerous private sector actors. The conflict has demonstrated the character of war in the cyber domain. Its lessons will shape the maturation of our cyber capabilities.”
The document notes that DOD’s “experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own. Instead, these military capabilities are most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts.”
“The strategy draws from our experience conducting offensive and defensive operations. It’s also informed by DOD’s close observation of the Russia-Ukraine war and the integration of cyber into large-scale military operations. Which is to say, this is not an aspirational document, it reflects hard won lessons and truths,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, told reporters Tuesday during a briefing at the Pentagon.
She noted that one of the main lessons from the Russia-Ukraine conflict is that cyber is not decisive by itself and must be used in concert with other military capabilities.
“I think prior to this conflict, there was a sense that cyber would have a much more decisive impact in warfare than what we experienced,” she explained. “What this conflict is showing us is the importance of integrated cyber capabilities in and alongside other warfighting capabilities. And that is consistent with the approach in the [National Defense Strategy] on integrated deterrence and is an important lesson for us to think about that cyber is a capability that is best used in concert with those others and may be of limited utility when used all by itself.”
Overall, the new strategy remains largely unchanged from its 2018 predecessor, highlighting many of the same tenets, such as taking action in cyberspace during day-to-day competition with adversaries; collaborating with interagency, industry and international partners; increasing the resilience of U.S. critical infrastructure; and building trusted private sector partnerships, among others.
Major advancements since 2018 include “hunt-forward” operations. These involve physically sending defensively oriented cyber protection teams from U.S. Cyber Command’s Cyber National Mission Force (CNMF) to foreign countries to hunt for threats on their networks at the invitation of host nations.
“Since 2018, the Department has regularly worked with our Allies and partners to help identify vulnerabilities on their government-operated networks. These operations and assessments, conducted by USCYBERCOM, have aided U.S. cybersecurity preparedness, contributed to the warfighting capability of the Joint Force, and established or enhanced strong information-sharing relationships with a number of nations, including Ukraine,” the new strategy states. “They have also bolstered the cyber resilience of Allies and partners by exposing hostile [tactics, techniques and procedures] and malware. We will continue to conduct these operations in the years ahead, illuminating adversary actions in cyberspace and frustrating the designs of malicious cyber actors. Our efforts will bolster collective cybersecurity and improve relationships with Allies and partners.”
Cybercom on Tuesday announced its second hunt-forward operation in Lithuania in as many years.
Additionally, for the first time, the 2023 strategy commits the department to building partner cyber capacity.
“Distinct from previous iterations of the DOD cyber strategy, this strategy commits to building the cyber capability of global allies and partners and to increase our collective resilience against cyberattack,” Eoyang said. “Allies and partners are a strategic advantage that no competitor can match.”