U.S. Army and Air Force Cybersecurity Careers: Information for Students by Michael Erbschloe


The U.S. Department of Defense Cyber Strategy

The May 2011 Department of Defense Strategy for Operating in Cyberspace guided DoD's cyber activities and operations in support of U.S. national interests until the strategy was updated in 2015. The updated strategy sets prioritized strategic goals and objectives for DoD's cyber activities and missions to achieve over the next five years. It focuses on building capabilities for effective cybersecurity and cyber operations to defend DoD networks, systems, and information; defend the nation against cyberattacks of significant consequence; and support operational and contingency plans. The updated strategy builds on previous decisions regarding DoD's Cyber Mission Force and cyber workforce development and provides new and specific guidance to mitigate anticipated risks and capture opportunities to strengthen U.S. national security.

As a matter of first principle, cybersecurity is a team effort within the U.S. Federal government. To succeed in its missions the DoD must operate in partnership with other Departments and Agencies, international allies and partners, state and local governments, and, most importantly, the private sector.

To support its missions in cyberspace, the DoD conducts a range of activities outside of cyberspace to improve collective cybersecurity and protect U.S. interests. For example, the DoD cooperates with agencies of the U.S. government, with the private sector, and with international partners to share information, build alliances and partnerships, and foster norms of responsible behavior to improve global strategic stability.

DoD seeks to share information and coordinate with U.S. government agencies in an integrated fashion on a range of cyber activities. For example, if DoD learns of malicious cyber activities that will affect important U.S. networks and systems that are vital for U.S. national and economic security or public safety, DoD supports agencies like the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) as they reach out to U.S. entities, and often other countries, to share threat information such as technical indicators of a potential attack. Such information sharing can significantly improve an organization's ability to defend itself against a broad range of cyber attacks. In addition to sharing information, DoD partners with other agencies of the U.S. government to synchronize operations and to share lessons learned and cybersecurity best practices. This includes incident management and network defense response.

From application developers to Internet service providers, private companies provide the goods and services that make up cyberspace. The DoD relies on the private sector to build its networks, provide cybersecurity services, and research and develop advanced capabilities. The DoD has benefited from private sector innovation throughout its history. Going forward, DoD will work closely with the private sector to validate and commercialize new ideas for cybersecurity for the Department.

The Defense Department engages in a broad array of activities to improve cybersecurity and cyber operations capacity abroad. DoD helps U.S. allies and partners to understand the cyber threats they face and to build the cyber capabilities necessary to defend their networks and data. Allies and partners also often have complementary capabilities that can augment those of the United States, and the United States seeks to build strong alliances and coalitions to counter potential adversaries’ cyber activities. Strategically, a unified coalition sends a message that the United States and its allies and partners are aligned in collective defense. In addition to the Five Eyes treaty partners, DoD works closely with key partners in the Middle East, the Asia-Pacific, and Europe to understand the cybersecurity environment and build cyber defense capacity.

Three Primary Missions in Cyberspace

The Defense Department has three primary cyber missions. First, DoD must defend its own networks, systems, and information. The U.S. military’s dependence on cyberspace for its operations led the Secretary of Defense in 2011 to declare cyberspace as an operational domain for purposes of organizing, training, and equipping U.S. military forces. The Defense Department must be able to secure its own networks against attack and recover quickly if security measures fail. To this end, DoD conducts network defense operations on an ongoing basis to securely operate the Department of Defense Information Network (DoDIN). If and when DoD detects indications of hostile activity within its networks, DoD has quick-response capabilities to close or mitigate vulnerabilities and secure its networks and systems. Network defense operations on DoD networks constitute the vast majority of DoD’s operations in cyberspace.

In addition to defense investments, DoD must prepare and be ready to operate in an environment where access to cyberspace is contested. During the Cold War, forces prepared to operate in an environment where access to communications could be interrupted by the adversary’s advanced capabilities, to include the potential use of an electromagnetic pulse that could disrupt satellite and other global communications capabilities. Commanders conducted periodic exercises that required their teams to operate without access to communications systems. Through years of practice and exercise, a culture of resilience took root in the military and units were ready and prepared to operate in contested environments.

Since the end of the Cold War, however, a younger generation has grown increasingly accustomed to an environment of constant connectivity. The generation of military men and women that grew up since the end of the Cold War has had near-constant access to information and communications, and the information revolution has led to a more agile and globally adaptive force. In the face of an escalating cyber threat, the lessons of the previous generations must now be passed down. The Defense Department must be able to carry out its missions to defend the country. Organizations must exercise and learn to operate without the tools that have become such a vital part of their daily lives and operations.

For its second mission, DoD must be prepared to defend the United States and its interests against cyber attacks of significant consequence. While cyber attacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team, significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.

If directed by the President or the Secretary of Defense, the U.S. military may conduct cyber operations to counter an imminent or on-going attack against the U.S. homeland or U.S. interests in cyberspace. The purpose of such a defensive measure is to blunt an attack and prevent the destruction of property or the loss of life. DoD seeks to synchronize its capabilities with other government agencies to develop a range of options and methods for disrupting cyber attacks of significant consequence before they can have an impact, to include law enforcement, intelligence, and diplomatic tools. As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation.

The United States government has a limited and specific role to play in defending the nation against cyber attacks of significant consequence. The private sector owns and operates over ninety percent of all of the networks and infrastructure of cyberspace and is thus the first line of defense. One of the most important steps for improving the United States’ overall cybersecurity posture is for companies to prioritize the networks and data that they must protect and to invest in improving their own cybersecurity. While the U.S. government must prepare to defend the country against the most dangerous attacks, the majority of intrusions can be stopped through relatively basic cybersecurity investments that companies can and must make themselves.

Third, if directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans. There may be times when the President or the Secretary of Defense determines that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary's military-related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary's military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.

To ensure that the Internet remains open, secure, and prosperous, the United States will always conduct cyber operations under a doctrine of restraint, as required to protect human lives and to prevent the destruction of property. As in other domains of operations, in cyberspace the Defense Department will always act in a way that reflects enduring U.S. values, including support for the rule of law, as well as respect and protection of the freedom of expression and privacy, the free flow of information, commerce, and ideas. Any decision to conduct cyber operations outside of DoD networks is made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict. As it makes its investments and builds cyber capabilities to defend U.S. national interests, the Defense Department will always be attentive to the potential impact of defense policies on state and non-state actors’ behavior.

A New Cyber Mission Force

The Defense Department requires the commitment and coordination of multiple leaders and communities across DoD and the broader U.S. government to carry out its missions and execute this strategy. Defense Department law enforcement, intelligence, counterintelligence, and policy organizations all have an active role, as do the men and women who build and operate DoD's networks and information technology systems. Every organization needs to play its part. For example, network service providers across DoD must be adaptive and active in following cybersecurity best practices and cyber defense orders. U.S. Cyber Command must synchronize its activities with other DoD organizations, particularly combatant commands, to respond to emerging challenges and opportunities. Installation owners and operators must partner with the Military Departments' Computer Emergency Response Teams (CERTs), DHS, and USCYBERCOM to build adaptive defenses and continuity plans for mission-critical systems and the civil systems that support them. Success requires creative and strong intra-Departmental and interagency partnerships.

Among DoD's cyber personnel and forces, the Cyber Mission Force (CMF) has a unique role within the Department. In 2012, DoD began to build a CMF to carry out DoD's cyber missions. Once fully operational, the CMF will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components. The Cyber Mission Force represents a major investment by the DoD and the United States as a whole, and a central aim of this strategy is to set specific goals and objectives to guide the development of the Cyber Mission Force and DoD's wider cyber workforce to protect and defend U.S. national interests.

The Cyber Mission Force will comprise cyber operators organized into 133 teams, primarily aligned as follows: Cyber Protection Forces will augment traditional defensive measures and defend priority DoD networks and systems against priority threats; National Mission Forces and their associated support teams will defend the United States and its interests against cyber attacks of significant consequence; and Combat Mission Forces and their associated support teams will support combatant commands by generating integrated cyberspace effects in support of operational plans and contingency operations. Combatant commands integrate Combat Mission Forces and Cyber Protection Teams into plans and operations and employ them in cyberspace, while the National Mission Force operates under the Commander of USCYBERCOM. Outside of this construct, teams can also be used to support other missions as required by the Department.

In 2013 the Department began to integrate the CMF into the larger multi-mission U.S. military force to achieve synergy across domains, assure the CMF’s readiness within the force, and restructure the military and civilian workforce and infrastructure to execute DoD’s missions. During the course of implementing this strategy, DoD will continue to build the CMF, and will continue to mature the necessary command, control, and enabling organizations required for effective operations. DoD will focus on ensuring that its forces are trained and ready to operate using the capabilities and architectures they need to conduct cyber operations, continue to build policy and legal frameworks to govern CMF employment, and integrate the CMF into DoD’s overall planning and force development. This strategy recognizes that effective cybersecurity will require close collaboration within DoD and across the federal government, with industry, with international allies and partners, and with state and local governments.

The pursuit of security in cyberspace requires a whole-of-government and international approach due to the number and variety of stakeholders in the domain, the flow of information across international borders, and the distribution of responsibilities, authorities, and capabilities across governments and the private sector. For each of DoD’s missions, DoD must continue to develop routine relationships and processes for coordinating its cyber operations. Specific risks and opportunities inform this new strategy. For example, DoD’s own network is a patchwork of thousands of networks across the globe, and DoD lacks the visibility and organizational structure required to defend its diffuse networks effectively. DoD must further develop adequate warning intelligence of adversary intentions and capabilities for conducting destructive and disruptive cyber attacks against DoD and the United States. Beyond its own networks, DoD relies on civil critical infrastructure across the United States and overseas for its operations, yet the cybersecurity of such critical infrastructure is uncertain.

To mitigate these and other risks and improve U.S. national security, DoD strategy sets strategic goals for the Department to achieve, and prescribes objectives and metrics for meeting each goal. All of the goals and objectives within this strategy reflect the goals of the 2015 United States National Security Strategy and the 2014 Quadrennial Defense Review.

DoD sets five strategic goals for its cyberspace missions:

1. Build and maintain ready forces and capabilities to conduct cyberspace operations;

2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;

3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyber attacks of significant consequence;

4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;

5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Key Cyber Threats

From 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001. Potential state and non-state adversaries conduct malicious cyber activities against U.S. interests globally and in a manner intended to test the limits of what the United States and the international community will tolerate. Actors may penetrate U.S. networks and systems for a variety of reasons, such as to steal intellectual property, disrupt an organization’s operations for activist purposes, or to conduct disruptive and destructive attacks to achieve military objectives.

Potential adversaries have invested significantly in cyber as it provides them with a viable, plausibly deniable capability to target the U.S. homeland and damage U.S. interests. Russia and China have developed advanced cyber capabilities and strategies. Russian actors are stealthy in their cyber tradecraft and their intentions are sometimes difficult to discern. China steals intellectual property (IP) from global businesses to benefit Chinese companies and undercut U.S. competitiveness. While Iran and North Korea have less developed cyber capabilities, they have displayed an overt level of hostile intent towards the United States and U.S. interests in cyberspace.

In addition to state-based threats, non-state actors like the Islamic State in Iraq and the Levant (ISIL) use cyberspace to recruit fighters and disseminate propaganda and have declared their intent to acquire disruptive and destructive cyber capabilities. Criminal actors pose a considerable threat in cyberspace, particularly to financial institutions, and ideological groups often use hackers to further their political objectives. State and non-state threats often also blend together; patriotic entities often act as cyber surrogates for states, and non-state entities can provide cover for state-based operators. This behavior can make attribution more difficult and increases the chance of miscalculation.

Malware Proliferation

The global proliferation of malicious code or software (“malware”) increases the risk to U.S. networks and data. To conduct a disruptive or destructive cyber operation against a military system or industrial control system requires expertise, but a potential adversary need not spend billions of dollars to develop an offensive capability. A nation-state, non-state group, or individual actor can purchase destructive malware and other capabilities on the black market. State and non-state actors also pay experts to search for vulnerabilities and develop exploits. This practice has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes. As cyber capabilities become more readily available over time, the Department of Defense assesses that state and non-state actors will continue to seek and develop cyber capabilities to use against U.S. interests.

Risk to DoD Networks and Infrastructure

The Defense Department’s own networks and systems are vulnerable to intrusions and attacks. In addition to DoD’s own networks, a cyber attack on the critical infrastructure and key resources on which DoD relies for its operations could impact the U.S. military’s ability to operate in a contingency. DoD has made gains in identifying cyber vulnerabilities of its own critical assets through its Mission Assurance Program – for many key assets, DoD has identified its physical network infrastructure on which key physical assets depend – but more must be done to secure DoD’s cyber infrastructure.

In addition to destructive and disruptive attacks, cyber actors steal operational information and intellectual property from a range of U.S. government and commercial entities that impact the Defense Department. Victims include weapons developers as well as commercial firms that support force movements through U.S. Transportation Command (USTRANSCOM). State actors have stolen DoD’s intellectual property to undercut the United States’ strategic and technological advantage and to benefit their own military and economic development. Finally, the Defense Department faces a risk from the U.S. government’s continued budgetary uncertainty. Although DoD has prioritized the allocation of resources in its budget to develop cyber capabilities, continued fiscal uncertainty requires that DoD plan to build its cyber capabilities under a declining overall defense budget. DoD must continue to prioritize its cyber investments and develop the capabilities required to defend U.S. interests at home and overseas.

Deterrence in the Future Security Environment

In the face of an escalating threat, the Department of Defense must contribute to the development and implementation of a comprehensive cyber deterrence strategy to deter key state and non-state actors from conducting cyber attacks against U.S. interests. Because of the variety and number of state and non-state cyber actors in cyberspace and the relative availability of destructive cyber tools, an effective deterrence strategy requires a range of policies and capabilities to affect a state or non-state actor's behavior.

As DoD builds its Cyber Mission Force and overall capabilities, DoD assumes that the deterrence of cyberattacks on U.S. interests will not be achieved through the articulation of cyber policies alone, but through the totality of U.S. actions, including declaratory policy, substantial indications and warning capabilities, defensive posture, effective response procedures, and the overall resiliency of U.S. networks and systems. The deterrence of state and non-state groups in cyberspace will thus require the focused attention of multiple U.S. government departments and agencies. The Department of Defense has a number of specific roles to play in this equation.

Deterrence is partially a function of perception. It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, and by decreasing the likelihood that a potential adversary’s attack will succeed. The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a potential attack if it penetrates the United States’ defenses. In addition, the United States requires strong intelligence, forensics, and indications and warning capabilities to reduce anonymity in cyberspace and increase confidence in attribution.

  • Response: The United States has been clear that it will respond to a cyber attack on U.S. interests through its defense capabilities. The United States has articulated this declaratory policy in the 2011 United States International Strategy for Cyberspace, in the Department of Defense Cyberspace Policy Report to Congress of 2011, and through public statements by the President and the Secretary of Defense. The United States will continue to respond to cyber attacks against U.S. interests at a time, in a manner, and in a place of our choosing, using appropriate instruments of U.S. power and in accordance with applicable law.
  • Denial: While DoD has made progress in building the Cyber Mission Force, DoD must increase its defensive capabilities to defend DoD networks and defend the nation from sophisticated cyber attacks, and must work with other departments, agencies, international allies and partners, and the private sector to strengthen deterrence by denial through improved cybersecurity.
  • Resilience: Because the Defense Department’s capabilities cannot necessarily guarantee that every cyber attack will be denied successfully, DoD must invest in resilient and redundant systems so that it may continue its operations in the face of disruptive or destructive cyber attacks on DoD networks. DoD cannot, however, foster resilience in organizations that fall outside of its authority. In order for resilience to succeed as a factor in effective deterrence, other agencies of the government must work with critical infrastructure owners and operators and the private sector more broadly to develop resilient and redundant systems that can withstand a potential attack. Effective resilience measures can help convince potential adversaries of the futility of commencing cyber attacks on U.S. networks and systems.

Attribution is a fundamental part of an effective cyber deterrence strategy, as anonymity enables malicious cyber activity by state and non-state groups. On matters of intelligence, attribution, and warning, DoD and the intelligence community have invested significantly in all-source collection, analysis, and dissemination capabilities, all of which reduce the anonymity of state and non-state actor activity in cyberspace. Intelligence and attribution capabilities help to unmask an actor's cyber persona, identify the attack's point of origin, and determine tactics, techniques, and procedures. Attribution enables DoD or other agencies to conduct response and denial operations against an incoming cyber attack.

Public and private attribution can play a significant role in dissuading cyber actors from conducting attacks in the first place. The Defense Department will continue to collaborate closely with the private sector and other agencies of the U.S. government to strengthen attribution. This work will be especially important for deterrence as activist groups, criminal organizations, and other actors acquire advanced cyber capabilities over time.

Finally, cyber capabilities present state and non-state actors with the ability to strike at U.S. interests in a manner that may or may not necessarily warrant a purely military response by the United States, but which may nonetheless present a significant threat to U.S. national security and may warrant a non-military response of some kind. In response to certain attacks and intrusions, the United States may undertake diplomatic actions, take law enforcement actions, and consider economic sanctions.

III. STRATEGIC GOALS

To mitigate risks and defend U.S. interests in the current and future security environment, the Defense Department outlines five strategic goals and specific objectives for its activities and missions.

STRATEGIC GOAL I: BUILD AND MAINTAIN READY FORCES AND CAPABILITIES TO CONDUCT CYBERSPACE OPERATIONS.

To operate effectively in cyberspace, DoD requires forces and personnel that are trained to the highest standard, ready, and equipped with best-in-class technical capabilities. In 2013 DoD initiated a major investment in its cyber personnel and technologies by establishing the CMF; now DoD must make good on that investment by training its people, building effective organizations and command and control systems, and fully developing the capabilities that DoD requires to operate in cyberspace. This strategy sets specific objectives for DoD to meet as it mans, trains, and equips its forces and personnel over the next five years and beyond. The objectives in this goal are:

Build the cyber workforce. To make good on DoD’s significant investment in cyber personnel, and to help achieve many of the objectives in this strategy, DoD’s first priority is to develop a ready Cyber Mission Force and associated cyber workforce. This workforce will be built on three foundational pillars: enhanced training; improved military and civilian recruitment and retention; and stronger private sector support.

  • Maintain a persistent training environment. DoD requires an individual and collective training capability to achieve the goals outlined in this strategy and to meet future operational requirements. U.S. Cyber Command will work with other components, agencies, and military departments to define the requirements for and create a training environment that will enable the total cyber force to conduct joint training (including exercises and mission rehearsals), experimentation, certification, as well as the assessment and development of cyber capabilities and tactics, techniques, and procedures for missions that cross boundaries and networks.
  • Build viable career paths. Throughout the course of this strategy, and following the CMF decisions of 2013, DoD will continue to foster viable career paths for all military personnel performing and supporting cyber operations.
  • Draw on the National Guard and Reserve. Throughout the course of this strategy, DoD will draw on the National Guard and Reserve Components as a resource for expertise and to foster creative solutions to cybersecurity problems. The Reserve Component offers a unique capability for supporting each of DoD’s missions, including for engaging the defense industrial base and the commercial sector. It represents DoD’s critical surge capacity for cyber responders.
  • Improve civilian recruitment and retention. In addition to developing highly skilled military personnel, DoD must recruit and retain highly skilled civilian personnel, including technical personnel for its total cyber workforce. Civilians must follow a well-developed career development and advancement track and be provided with best-in-class opportunities to develop and succeed within the workforce.
  • Develop and implement exchange programs with the private sector. To supplement DoD’s civilian cyber workforce, DoD must be able to employ technical subject matter experts from the best cybersecurity and information technology companies in the country to perform unique engineering and analytic roles within DoD. The Defense Department will implement successful private sector exchange programs to bring measurable benefits to the Department of Defense through the design and development of new operational concepts for DoD’s cyberspace missions.
  • Support the National Initiative for Cybersecurity Education. DoD will develop policies to support the National Initiative for Cybersecurity Education (NICE). Working with interagency partners, one or more educational institutions, as well as state and private sector partners, DoD will continue to support innovative workforce development partnerships focused on both the technical and policy dimensions of cybersecurity and cyber defense.

Build technical capabilities for cyber operations. In 2013, DoD developed a model for achieving CMF readiness and for developing viable cyber military options to present to the President and Secretary of Defense. DoD must have the technical tools available to conduct operations in support of combatant command missions. Key initiatives include the following:

  • Develop the Unified Platform. On the basis of planning requirements, DoD will develop the detailed requirements for integrating disparate cyber platforms and building an interoperable and extendable network of cyber capabilities. This Unified Platform will enable the CMF to conduct full-spectrum cyberspace operations in support of nat