DOD’s 2018 Cyber Strategy document is drawing attention because of its reference to “defense forward.” What does that mean? Let’s have a close look, in context with the recently-enacted NDAA and recent changes to PPD-20.
1. Hold up. Is this “DOD Cyber Strategy” the same thing as the “National Cyber Strategy”?
Nope. There were two “cyber strategy” documents announced last week. One of them is the National Cyber Strategy, available in full here. The National Cyber Strategy document is interesting in its own right (especially and, perhaps, surprisingly, in light of robust language about the importance of international law and—gasp!—“norms” to regulate cyber activity), but it is not the document I’m writing about here. I’m writing about the “Defense Department Cyber Strategy 2018,” which also dropped last week. As the name suggests, this a DOD-specific document framing the military’s roles in relation to cyberspace. We don’t actually have access to the full DOD document, mind you, but we do have about 6 pages of content in the form of an official “summary.” That’s my focus here.
2. Okay. What if anything is interesting about how the DOD Cyber Strategy 2018 Summary describes the military’s role in the cyber domain?
Not surprisingly, there is much talk in the summary about the role of cyber-domain operations in the context of the Joint Force. That is to say, the summary of course calls for effective employment of cyber-domain capacities, including offensive capacities, in support of the “full spectrum of conflict.” Nothing newsworthy there. The more interesting passages are the ones that address three distinct operational concepts: intelligence collection, preparation of the battlefield (or battlespace as some prefer) and the idea of defending “forward.” Here’s the key language from page 1:
“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” (emphasis in the original)
Let’s unpack that.
a. Collecting intelligence:
The opening phrase makes clear the unsurprising point that DOD assets at times will engage in cyber activities in order to obtain intelligence. That presumably could be intelligence about conventional order of battle considerations, cyber-specific capabilities, leadership intentions and motivations or anything else (whether the information sought after pertains to cyber activities or not). Not much to see here, in short.
b. Preparing the battlefield
The second half of the first sentence refers expressly to preparing military cyber capabilities that would be used in the event of a crisis or conflict, as distinct from the intelligence-collection aims described in the first half of the sentence. This reflects, at a minimum, an expectation that the familiar concept of “preparation of the battlefield” (which, in the kinetic space, is a concept encompassing an array of activities the military might undertake in advance of hostilities in order to maximize success once hostilities begin) has a cyber analogue. And what might that be? Intrusions into the systems of potential adversaries in order to secure access of a kind that can be exploited for disruptive or destructive effect if and when the need later arises.
c. Digression: Note the fuzzy line between an operation to prepare the battlefield and a hold-at-risk strategy
I pause here to note an important but often-overlooked conceptual category for cyber operations, one that can be tricky to distinguish from battlefield preparation in the cyber domain: a “hold-at-risk” operation. Let me explain that.
Sometimes a goal (or even the goal) of establishing access to a potential adversary’s system is to bolster one’s deterrence posture by making clear to the adversary that you are capable, as a practical matter, of overcoming their defenses and harming something they value (that is, you “hold it at risk”). Naturally, execution of a hold-at-risk operation requires the adversary eventually to know—or at least to strongly suspect—that you have in fact penetrated a relevant system. If that occurs, then the adversary is on notice by definition, and may be able to evict you. So it is not to be pursued lightly, lest you blow access that might have proven more valuable if kept secret in order to facilitate intelligence collection, preparation of the battlefield or both. On the other hand, it is possible the adversary may not actually be able to evict you on a sustained basis, or, at any rate, may not be able to do so with sufficient certainty to feel no-longer-at-risk (and decisionmakers also may be left anxious, wondering where else we might have gained access in similar fashion). But the important point for present purposes is that a preparation-of-the-battlefield operation and a hold-at-risk operation, both targeting the same system, might look identical to the defender who discovers the intrusion. Were they meant to discover it, so as to support a hold-at-risk dynamic? Or was it meant to stay hidden, as preparation of the battlefield? (These are questions that arise with us in the defensive posture, notably, when Iranian hackers turn up in industrial control systems). And at least where the system in question has data that may of intelligence value, we can add that the defender also must consider the possibility that it’s just a matter of espionage. Perhaps the intruder hasn’t even decided in a particular instance, or intends to have the option of converting from one model to another as circumstances dictate.
Opportunities for misunderstanding obviously abound. But the important point for now is simply that all these moves are important aspects of nation-state jostling in cyberspace below the threshold of armed attack or uses of force. And it seems to me that the “preparation” language quoted above, particularly with its reference to “crisis,” can encompass both preparation and hold-at-risk activities.
d. Defending forward (and the NDAA)
Now we come to the part that is getting all the media attention: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
What counts as “defending forward”? The summary does not offer a definition. One can imagine the actual version says something to the effect of “actions via cyber means intended to disrupt, defeat, and deter actions by foreign actors to cause harm via cyber means to U.S. national defense, critical infrastructure, etc.” But nevermind the rank guesswork, lets see what we can glean from the text and the context.
First, “defense forward” plainly concerns activity outside of U.S. networks. That’s the “forward” part (some might say that this makes “defending forward” comparable to the more-aggressive end of the “active defense” spectrum, where one finds out-of-network operations conducted in the name or spirit of defense). Second, as Dave Weinstein points out in his excellent primer on the summary, “defense forward” expressly contemplates DOD cyber activities that are not part of an armed conflict.” Combined with the fact that a separate sentence already referred to intelligence collection and to preparation of the battlefield, this leaves us with the conclusion that defense forward entails operations that are intended to have a disruptive or even destructive effect on an external network: either the adversary’s own system or, more likely, a midpoint system in a third country that the adversary has employed or is planning to employ for a hostile action.
This reading is strongly consistent, notably, with Section 1642 of the recently enacted John S. McCain National Defense Authorization Act. I wrote about this in detail here back in July (see point 3 in that post), but to spare you the pain of wading through that earlier summary here are the key points. First, the Conference Report accompanying the NDAA makes very clear that Congress sought to eliminate doubt that DOD may use cyber capabilities to respond to malicious cyber activities such as Russia’s 2016 information operations. Second, the text of Section 1642 provides express authority for DOD “to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter” in response to “an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes,” so long as the malefactor in question is Russia, China, North Korea or Iran. The same provision also clarifies that such operations shall be deemed to count as “traditional military activities” (for purposes of the Title 50 exception to the statutory definition of covert action, thus reinforcing similar but broader language elsewhere in the NDAA). (note: be sure also to read Ben Buchanan’s excellent post on this topic, at CFR here)
Of course, by making it clear DOD has authority to act in that specific scenario, Congress may have inadvertently raised doubts about DOD’s authority to act in other scenarios. We cannot tell from the summary whether the “defense forward” directive will call for operations limited to what I’ll call the Section 1642 scenario or if, instead, it is broader. If the latter, then CYBERCOM and other DOD lawyers sooner or later will probably wrestle with two classic questions. First, does the executive branch have authority to conduct the activity absent legislative delegation (remember, at least some defense forward scenarios are meant to be below the threshold of armed conflict)? Second: even if so, does the Section 1642 grant of authority constitute, by negative implication, an expression of congressional opposition to the use of similar authority in other scenarios, thus placing the executive branch in the weak position of Justice Jackson’s “Category 3” from Youngstown? For what it is worth, my initial, off-cuff reaction is that Congress was simply trying to make things extra-clear and beyond-dispute in the Section 1642 scenario, and was not trying to implicitly deny authority for out-of-network defensive operations in other scenarios.
3. How does this relate to the reported demise of interagency vetting under old PPD-20?
It’s not at all clear, but this arguably is the most important question. Put another way: the big issue here is not whether CYBERCOM should ever have a defense-forward mission, but rather what the process might be like for deciding to take action under that heading in a particular case. It has been widely reported that, under PPD-20, a great deal of interagency vetting had to take place for out-of-network operations involving intrusions into systems located in third countries not currently the site of active hostilities. And it has been widely reported that President Trump recently removed at least some amount of that vetting, though precisely how thorough the gutting was I do not think can be discerned from the public record. Separately, but relatedly, we have reason to think that this change (or others like it) have resulted in pushing final decisionmaking say away from POTUS and down towards commanders. But I don’t think we know from public reporting whether it has been pushed down to the point that General Nakasone, head of CYBERCOM, has sole decision-making authority to conduct operations of this kind.
To sum up, then, we know the reins have been loosened, but it’s not clear just how loose they are either on the vertical or the horizontal dimensions within the executive branch. Until we know the answer to those questions, it’s hard to assess the significance of the summary’s clear embrace of “defense forward” as an operational category.
4. But is “defense forward” perhaps limited to threats to the government’s own networks?
Here’s an interesting puzzle raised by the summary. It seems to go out of its way to say that the defense forward model is an option for threats to DOD’s own network, yet it is (at least by way of contrast) conspicuously silent about whether that is true for the other, privately-held networks that the summary confirms DOD will defend:
We will defend forward to halt or degrade cyberspace operations targeting the Department, and we will collaborate to strengthen the cybersecurity and resilience of DoD, DCI, and DIB networks and systems.
I suspect that’s just an unintended contrast, particularly since the next sentence goes to speak of preempting, defeating and deterring malicious activity directed at critical infrastructure, when such activity rises to the level of a significant cyber incident (as that term is defined in PPD-41). Still, it’s interesting to ponder whether the complete version of the strategy actually confines resort to defense forward in this sort of way.
Ok, that’s enough for now. If you read this far, my hat is off to you!
