The new US Department of Defense Cyber Strategy that was published last week offers a remarkably clear and comprehensible insight to the US military view on cybersecurity and is the first official update to the DoD strategy published in 2011.
So what can we learn from how the US DoD thinks about “cyber” in 2015?
“Cyber” is indisputably a military domain
The strategy repeatedly refers to cyber, cyberspace, cybersecurity, cyberattacks (the list goes on) but since there are no definitions of either concept it is not very clear exactly what the DoD is talking about when it comes to “cyber”. What is clear however, is the fact that cyber is indisputably a military domain. A concept that was, and in some corners continue to be, widely contested during the evolution of the Internet seems to have cemented itself in the global policy debate along with the notion that nation states continue to be key actors in Internet governance and global cybersecurity issues.
However, the DoD does not claim ownership of “cyberspace” but instead frequently stresses the importance of cooperation and multilateralism – both in terms of cooperation with domestic industry as well as international partners. The strategy, presented at Stanford University, especially seeks to appease the somewhat tense relations between the Pentagon and Silicon Valley through the idea that “if we cannot get Silicon Valley to come to the Pentagon, we’re going to bring the Pentagon to Silicon Valley”.
A catastrophic attack is no longer the primary focus
Since 2013, the Director of US National Intelligence has named the “cyber threat” as the number one strategic threat to the United States but the new strategy indicates a shift in what kind of threat the US is actually concerned with. When cybersecurity began its rise to prominence following 9/11 the debate was littered with warnings of catastrophic, crippling attacks and metaphors of “cyber 9/11s” and “cyber Pearl Harbors”.
In contrast, the DoD has now shifted their attention to persistent low level attacks that could damage individuals, firms, and some industrial systems as well cyberespionage that steals U.S. intellectual property to undercut the US technological and military advantage. The strategy also (unsurprisingly) singles out China, Russia, Iran, North Korea, and the Islamic State (IS) as actors that have displayed an overt level of hostile intent towards the United States and its interests in cyberspace.
Concern for malware proliferation and zero-day markets
The strategy highlights the proliferation and marketisation of malware as a key security challenge for the United States. The opportunities for nation states, non-state actors, or individuals to purchase destructive malware and other capabilities continue to increase and has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes.
This will most likely be an increasingly important policy issue for the US government where it will be faced with the two-pronged challenge of creating norms or regulation that can appease both political adversaries and the legitimate information security research sector.
A new found belief in deterrence
The concept of deterrence (and comparisons to the nuclear weapons proliferation debate) have been present in the cybersecurity debate for a long time. However, very few policy makers and scholars have found Cold War deterrence frameworks to be applicable or relevant to cybersecurity – mainly due to the low barrier of entry and attribution problems. There have been signs that the US policy has been slowly shifting in relation to “cyberdeterrence” and it is now clear that the DoD believes deterrence is not only possible but necessary for a secure US cyberspace.
The DoD presents a three-fold deterrence strategy of response, denial, and resilience.
- Response – The US needs to convince a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States and the strategy makes it clear that the US will continue to respond to cyberattacks at a time, in a manner, and in a place of their choosing, using appropriate instruments of US power and in accordance with applicable law.
- Denial – In essence making the US infrastructure so difficult to successfully attack that potential adversaries will be deterred to try.
- Resilience – To achieve a national infrastructure that is so resilient and redundant that it continues to operate even if an adversary is successful in a disruptive or destructive attack.
There seems to be little concern for attribution problems as the DoD quotes “significant investments” from both Pentagon and the intelligence community in the collection, analysis, and dissemination capabilities to reduce the anonymity of state and non-state actor activity in cyberspace.
The US capability for attribution will be key in dissuading actors from conducting cyberattacks and will grow increasingly important for deterrence as activist groups, criminal organisations, and other actors acquire advanced cyber capabilities over time.
Offense is the new defense
The new strategy presents a clear policy shift from the DoD when it comes to openness with offensive cyber capabilities, which previously have been (mostly) absent from public strategy documents. While the strategy does not disclose the specifics of what offensive capabilities the US currently possesses it is made clear that the “DoD must be able to provide the President with a wide range of options for managing conflict escalation” – including disrupting an adversary’s command and control networks, military-related critical infrastructure, and weapons capabilities.
The strategy also gives some hints when it would be appropriate for the US military to conduct (offensive) cyber operations to protect U.S. interests in an area of operations.
For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.
These offensive cyber capabilities are to be developed and deployed to achieve key security objectives with precision and minimal loss of life and destruction of property. The DoD also envisions that these capabilities will be synced with kinetic operations across all domains of military operations.
Aggressive defence policy can create security dilemmas
Whereas the DoD acknowledges the need for offensive capabilities, it is also concerned with the potential negative consequences of offensive policy. An increasingly aggressive cyber policy may create a security dilemma with a global escalation of offensive capabilities that could endanger US interests in cyberspace.
To ensure that the DoD supports the overall US policy for an open, free, and prosperous Internet it is made clear that the DoD will always act in a way that reflects enduring US values, including support for the rule of law, as well as respect and protection of the freedom of expression and privacy, the free flow of information, commerce, and ideas.
Any decision to conduct (offensive) cyber operations will be made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict. This is also in line with recent US policy efforts to build influence over Internet policy and cybersecurity issues by promoting norms supportive of US policy objectives. How successful this cautionary offensive doctrine will be remains to be seen but it will undoubtedly be challenging for nation states to justify why certain actors are entitled to offensive capabilities and others are not.
However, the strategy also makes it clear that not all cyberattacks will warrant a military response and that the US will continue to be flexible in its responses, including the possibilities for diplomatic action, legal action, and economic sanctions.