The Defense Department's new cyber strategy, just over two months old, is an outline of overarching goals fleshed out with narrower objectives and plans for implementation, hits on Pentagon cyber ambitions. Perhaps chief among them: The U.S. military has the means to retaliate in the digital realm and a willingness to do so.
The strategy, released by Defense Secretary Ash Carter on April 22, lays out five central goals, many of which build on a 2011 Pentagon strategy that officially introduced cyber into the military domain. In addition, the new strategy furthers the ideas of offense and deterrence — previously touchy among defense officials.
"The new strategy reflects achievement of the goals we had four years ago, which was to pull cyber into the mainstream military thinking," said William Lynn, the former deputy secretary of defense who introduced the 2011 strategy and is now CEO of Finmeccanica North America and DRS Technologies. "The most definitive thing about the first strategy was to treat cyber as a new domain of warfare, and that meant we needed to have a force dedicated to cyber; we needed to train, equip and maintain that force; we needed doctrine. Now it reads like a military strategy."
While the idea of deterrence may hark back to the Cold War, it is a critical piece of the new strategy and one that Carter underscored in an April 23 address at Stanford University in which he unveiled the new plan.
"Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary," Carter said. "And when we do take action — defensive or otherwise, conventionally or in cyberspace — we operate under rules of engagement that comply with international and domestic law."
Those rules of engagement might not include a military retaliation to a high-profile hacking incident like the one that recently hit Sony. But when such events happen and all eyes are on cybersecurity, the cyber strategy signifies the U.S. military's presence and capabilities if something similar were to happen to a .mil network or another network deemed to be a U.S. national interest meriting defense from DoD. It also outlines how the Pentagon may coordinate with other key agencies in such a situation.
"This fits into strengthening deterrence, which is important after Sony, and even more important to signal to the Russians and Chinese," said Jim Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies. "They also want to get the public more comfortable with what DoD can and can't do in cyberspace. It reiterates the defensive mission outside borders, offensive and defensive capabilities, and also an objective to support the Homeland Security Department and the FBI."
Details related to those offensive or defensive capabilities in DoD's cyber arsenal may be new to the DoD cyber discussion, at least as far as the general public is concerned. But insiders say it's no different than the ways weapons are discussed in relation to operations on land, in the air and at sea.
Since the new strategy looks to better align cyberspace with the other military domains with official doctrine — and not just as a mantra among Pentagon leadership — it is fitting that the military shows a little bit more of its hand. The approach also falls in line with calls for greater insight into cyber operations, as well as organizations that oversee them.
"A lot of people have been beating up on DoD to be more transparent, so they wanted to use this document to be more transparent about the capabilities they've built," Lewis said. "For another thing, they wanted to show that CYBERCOM can finally stand on its own. A couple of years ago it was a command structure without any troops, dependent on the National Security Agency. The strategy shows people that they'll have 6,200 operators and a pipeline to produce them."
Besides demonstrating to the public that there now is an official structure in place, the strategy also helps clarify internally the various roles and responsibilities of DoD cyber organizations — and how those organizations might coordinate with other government agencies and with the private sector.
In particular, the strategy's objectives targeting the build-up and maintenances of forces, the defense of U.S. vital interests, the use of options to "shape conflict" and the emphasis on partnerships and alliances all are critical in better defining roles and responsibilities.