The Implications of Defending Forward in the New Pentagon Cyber Strategy
Ben Buchanan is an assistant teaching professor at Georgetown University and the author of The Cybersecurity Dilemma. You can follow him @BuchananBen.
Last week, the Department of Defense launched a new cyber strategy. Although the details of the strategy are classified, the unclassified summary has attracted a lot of attention. Much of it has focused on the U.S. military’s plan to “defend forward” to better protect U.S. networks. This is an approach pushed by the Donald J. Trump administration, which is eager to highlight how it is loosening Obama-era restrictions on military cyber operations. Beyond the political posturing, the strategy does seem to reflect a freeing of U.S. Cyber Command to do more outside U.S. networks in order to interdict adversarial hackers before they can have malicious effects.
Conceptually, this is not nearly as new as some of the analyses have suggested. In my book The Cybersecurity Dilemma, I outlined several cases of the National Security Agency (NSA) undertaking activities that would seem to fit easily under the broad heading of defending forward. In one instance that I recounted at some length, the NSA’s intrusion group (then known as Tailored Access Operations) hacked digital infrastructure used by the Third Department of the People’s Liberation Army, then made its way upstream and hacked into the computers from which the PLA was conducting its operations. In so doing, the NSA developed an excellent picture of the Chinese operations and used that intelligence to thwart specific Chinese intrusion attempts against U.S. networks. It is probably reasonable to assume that the modern conception of defending forward gives the military authority to conduct similar kinds of operations and perhaps also the ability to interfere directly with adversary operations by manipulating their devices and infrastructure.
This change highlights an important point: the study of escalation in cyber operations is still nascent. My scholarly work has focused on how difficult it is for a nation that suffers an intrusion into a critically important network to interpret the intruders’ intent—a variant on the classic security dilemma. I argued that it was hard to know if the intruders were setting up for a significant cyberattack or if they were just gathering intelligence. In light of this ambiguity, and due to some particular operational factors endemic to hacking efforts, nations are likely to assume the worst and not give the intruders the benefit of the doubt. It seems reasonable to expect that, as hard as it is to differentiate between intelligence collection and attack in cyber operations, it is harder still to distinguish between defending forward and attacking forward. If the new strategy permits U.S. operators to be more aggressive than what the NSA was previously doing, that could have significant implications for escalation risks.
Since the publication of The Cybersecurity Dilemma, I am often asked why we do not see more escalation in cyber operations. There are at least three reasons. First, an enormous amount of activity, including direct interactions between hackers from different nations, takes place out of public view; it is naïve to assume that outside observers know all of what actually happens. Second, nations thus far seem to prefer it that way, and have worked to avoid cyber activities that would cause a spillover into non-cyber areas, especially kinetic military operations. Third, the Obama administration in particular exhibited tremendous caution in the world of offensive cyber operations, to the criticism of some analysts. For example, the 2015 DOD cyber strategy spoke of the need to mitigate risk but also explicitly highlighted the goal of controlling escalation—a topic that is mostly out of view this time.
If President Trump’s Department of Defense is taking off the gloves as much as this strategy claims to, we should expect the potential for notable effects. General Paul Nakasone, in his confirmation hearing as the new head of the NSA and Cyber Command, noted that U.S. adversaries do not fear the United States when it comes to cyber operations. He’s right. Matching the high risk tolerance of our adversaries, especially Russia, with more aggressive operations may prove to be a wise policy choice. It may enable the United States to better thwart their operations and re-establish fear of what Washington can do. But policymakers and scholars should not pretend that defending forward is either an entirely new concept or one without its own associated dangers.