The Department of Defense released the latest chapter of its cyber strategy on Tuesday, which takes a more offensive stance than its 2015 predecessor and directs DoD to “defend forward, shape the day-to-day competition, and prepare for war” in cyberspace.
At the top level, the strategy highlights five objectives for the department:
- Ensuring the Joint Force can achieve its missions in a contested cyberspace domain;
- Enhancing Joint Force military advantages through the integration of cyber capabilities into planning and operations;
- Deterring, preempting, or defeating malicious cyber activity targeting U.S. critical
infrastructure that is likely to cause a significant cyber incident; - Securing DoD information and systems, including on non-DoD-owned networks, against cyber espionage and malicious cyber activity; and
- Expanding DoD cyber cooperation with allies, partners, and private sector entities.
To accomplish these goals, the strategy lays out a strategic approach based on five methods:
- Build a more lethal force;
- Compete and deter in cyberspace;
- Expand alliances and partnerships;
- Reform DoD; and
- Cultivate talent
“The department must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests,” the strategy states. “Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia.” The strategy also makes mention of state actors like North Korea and Iran, who have a history of attacking U.S. targets with cyber operations.
To build a more lethal force, DoD said it plans to accelerate the development of capabilities. “The Joint Force will be capable of employing cyberspace operations throughout the spectrum of conflict, from day-to-day operations to wartime, in order to advance U.S. interests,” the document says. DoD also highlighted the importance of moving from a zero-defect culture to one that fosters innovation, using automation and big data analytics to improve its defensive posture, and leveraging off-the-shelf solutions.
To compete and deter in cyberspace, the strategy describes the need to “use all instruments of national power to deter adversaries from conducting malicious cyberspace activity that would threaten U.S. national interests, our allies, or our partners.” The Pentagon highlights the importance of persistently contesting malicious cyber activity in day-to-day operations, including “defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions.”
To expand alliances and partnerships, the strategy notes the importance of both the private sector and nation-state allies. The strategy also states DoD’s readiness to streamline information sharing with agency and industry partners and increase the resiliency of critical infrastructure.
On the international front, DoD notes the importance of utilizing allies’ cyber capabilities that complement U.S. abilities, and strengthening partner capabilities. The strategy reaffirms the U.S. commitment to existing norms of state behavior in cyberspace, and endorses United Nations guidance prohibiting attacks on critical infrastructure and using national territory to launch intentionally wrongful cyber activity in peacetime.
To reform the department, DoD establishes that “leaders and their staffs need to be ‘cyber fluent’ so they can fully understand the cybersecurity implications of their decisions and are positioned to identify opportunities to leverage the cyberspace domain to gain strategic, operational, and tactical advantages.” The strategy also describes how DoD will increase accountability for cybersecurity measures, embrace technology that is scalable and keeps up with commercial IT, and embrace crowd-sourced vulnerability searches.
To cultivate talent, the strategy notes the importance of sustaining a robust cyber workforce within DoD. The strategy also aims to promote STEM education, establish a career track for computer science-related specialties, and establish a cyber talent management program that “provides its most skilled cyber personnel with focused resources and opportunities to develop key skills over the course of their careers.”
In addition to the publicly available version of the cyber strategy, DoD also conducted a classified cyber posture review, which “identified that we must continue investments in our people, capabilities, and processes to meet fully the objectives set forth in the Strategy.” The implementation of the strategy will be overseen by DoD’s Principal Cyber Advisor within the department. “Taken together, these mutually reinforcing activities will enable the Department to compete, deter, and win in the cyberspace domain,” the report states.