The Department of Defense (DoD) is pledging to use offensive cyber capabilities to defend the U.S. and its allies against adversaries – particularly the Peoples Republic of China (PRC) – as part of its latest cybersecurity strategy.
DoD on Sept. 12 unveiled an unclassified version of its 2023 Cybersecurity Strategy, months after a classified version of the plan was shared with Congress, which calls on the Pentagon’s cyber workforce to use offensive cyber operations to frustrate and disrupt adversaries, like the PRC, in cyberspace to minimize threats to the U.S.
The new strategy – which supersedes the Pentagon’s 2018 cyber strategy – shows the department’s commitment to “persistently engage” adversaries in offense operations rather than merely play defense on U.S. networks.
The strategy also acknowledges the risks of escalation in cyberspace, emphasizing that in its persistent offensive engagement with adversaries, the department will manage the risk of unintended escalation.
In addition, the strategy emphasized the need to help U.S. partners and international allies build their own cyber capacity. It also emphasizes the need for the DoD to work with a variety of partners, across the U.S. government and the private sector, to ensure U.S. cyber efforts do not go to waste.
The China Problem
DoD officials, and other government officials, have pinpointed China as posing the most significant challenge to the U.S. in the cyber landscape.
According to the full strategy report, in a time of conflict China will likely use destructive cyberattacks “to hinder military mobilization, sow chaos, and divert attention and resources,” and will “also likely seek to disrupt key networks which enable Joint Force power projection in combat.”
U.S. officials have also sounded the alarm that China seeks to gain an advantage in cyberspace to emerge as a superpower with global influence in the cyber and emerging technology domain.
Speaking at a separate event on Tuesday, a National Security Agency (NSA) official echoed these concerns. The assistant deputy director for NSA’s newly implemented China Strategy Center, David Frederick, said that China is the pacing challenge for the whole DoD.
“China was very active in targeting the DoD Information Networks. There is multi-decade history of the PRC trying to target or attempting to target our critical infrastructure,” Frederick said during a webinar hosted by the Intelligence and National Security Alliance. “The National Security Strategy highlights that China is the only competent competitor that we face. It has an intent to redesign the international rules and increasingly the capability to do so.”
Frederick – who earlier this year was appointed NSA’s first assistant deputy director for China – explained that the NSA is also developing a “China Strategy” which outlines the NSA’s shift to undertaking U.S. competition with China.
“We are working within our new [office] to better align multiple innovation activities within NSA and across our [intelligence community] partners to focus on the China problem, and so we’ll be working with industry and the defense industrial base partners,” Frederick said, explaining that more news on the strategy will come out in the upcoming months.
Russia-Ukraine Lessons: Cyber Capabilities Alone Are Not Enough
The new cyber strategy also incorporates lessons from Russia’s invasion of Ukraine, most notably Russia’s inability to use its cyber capabilities to gain an advantage in the conflict.
DoD’s Deputy Assistant Secretary for Cyber Policy, Mieke Eoyang, told reporters during a press briefing that Russia’s illegal invasion proved that cyber capabilities are not decisive on their own, and must be used in concert with other military capabilities.
“Prior to this conflict, there was a sense that cyber would have a much more decisive impact in warfare than what we experienced,” Eoyang said. “What this conflict has shown us is the importance of integrated cyber capabilities in and alongside other warfighting capabilities … Cyber is a capability that is best used in concert with those others and may be of limited utility when used all by itself.”
According to the DoD strategy, cyber capabilities are most effective when used in concert with other instruments of national power. However, the strategy does not offer any further insight into what other tactics the U.S. or its allies should use.
Some “instruments of national power” U.S. officials often use against hackers and adversaries are sanctions and arrests.
Building Partnerships, Enhancing Cyber Workforce
The strategy also outlines the Pentagon’s plans to prioritize efforts to increase the effectiveness of international allies and partners in cyberspace.
According to the report, the department will work toward this goal by augmenting partner capacity, expanding partners’ access to cybersecurity infrastructure, and maturing their cyber workforce through combined training events and exercises.
“Distinct from previous iterations of the DoD cyber strategy, this strategy commits to building the cyber capability of global allies and partners and to increase our collective resilience against cyberattack,” said Eoyang.
In addition to strengthening the cyber capacity of allies, the strategy explains the need to expand the DoD’s cyber workforce. It outlines some efforts for increasing cybersecurity staffing levels, some of which are already underway within the department.
The strategy mentions increasing reservists and the length and number of tours in cyber fields. It also calls on the National Guard to facilitate partnerships between Federal, state, local, territorial, and tribal agencies to support cyber defense responses. And it says incentives will be adequately funded and targeted towards specific skills in hiring and retention.