The prominence of cybersecurity and cyber defense as paramount elements of national security took a significant step forward, as demonstrated through the 2023 Cyber Strategy of the Department of Defense (DoD). Released to the public in September 2023, the unclassified version of the report, which supersedes its 2018 counterpart, provides a forward-looking outline of the DoD’s priorities in the cyber domain only; it does not establish policy for what the DoD calls “the information environment.”

While the document reveals some modified imperatives, the DoD’s new strategy “draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war,” as stated by Assistant Secretary of Defense for Space Policy John Plumb. “It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails.”

The DoD cites four areas where it plans to focus its efforts: Defend the nation, prepare to fight and win the nation’s wars, protect the cyber domain with allies and partners, and build enduring advantages in cyberspace. Let’s delve a bit deeper into what this means for our nation moving forward.

The DoD’s Focus Areas: A Closer Look

The summary report gives a 50,000-foot view of the department’s vision going forward. There are no key performance indicators, no indication of when the new strategy starts or when it ends, and nothing that necessarily describes what “success” looks like. And that’s understandable, as this is not the classified version with detailed milestones and tactics.

What the report does say, however, is that there is a new battlefield. Just as the Navy focuses on sea dominance, the Air Force controls the sky and the Army establishes ground supremacy, cyberspace has become a new domain where battles will be fought, and the military unveiled its general plan to establish dominance here as well.

Proactive defense in cyberspace

A new code of conduct is required for proactive defenses — simply responding to incoming cyberattacks will not be enough. This is a sea change in that it says we will explore all aspects of the web to see what’s going on, gather threat intelligence and then determine a preemptive course of action.

We also can choose to allow the intelligence to play out, should that be appropriate. Additionally, the nation-state enemies of the United States have advanced the sophistication of their own cyberattacks greatly over the years. The strategy indicates that we will invest in shoring up defenses and identifying threats and vulnerabilities with an eye to eliminating these threats in the cyber domain where they exist.

Certainly, the U.S. has been active covertly on the internet; most nations have been. But these likely have been small teams, probably from the National Security Agency or a similar entity. What this document lays out are the ground rules for a national, public effort to defend ourselves, our allies and our partners. We will be defending forward.

I expect this new effort will operate the same way that the military operates. If they think that a country or group is doing something illegal against U.S. interests, they will send in a covert ops team, verify it, validate it and gather as much intelligence as they can. When they find it, they want to tap into the source. So, if you look at this from the cybersecurity personnel and functional standpoint, they will operate in cyberspace just as they operate in other branches of service.

If we look at this holistically, we will find where a potential attack is coming from and attempt to eliminate it at the source. There likely will be a status of forces agreement, a legal framework that establishes how U.S. military personnel operate in a foreign country. The military will be working within the law, but the difference is they will be doing so proactively, rather than waiting for a cyber version of Pearl Harbor against the nation’s or an ally’s critical infrastructure.

New rules of engagement will be defined for this unregulated space, and layers upon layers of cybersecurity and network defenses will protect the nation’s IT systems and major commands just as the other services protect their domains.

Domestic implications and challenges

We will undoubtedly see the Defense Department enforce more rules on itself to harden its own environment. The DoD is a prime target for threat actors from unfriendly countries. Will it be making a concerted effort to reduce its own vulnerabilities and invest in more cybersecurity defenses to make itself less of a target? That is unknown for now, but it would be a very big task.

The DoD is a huge organization with diverse IT systems. Getting Congress to invest in the network upgrades required by the new cybersecurity guidance will be challenging. However, this summary document and its implications are necessary first steps in shifting our nation’s military focus on cyber threats from primarily defensive to a more proactive stance, where the potential for offensive efforts in defense of the country, its allies and partners is mandated.

Kevin Paige is CISO & VP of Product Strategy at Uptycs.
