The State of U.S. Cyberstrategy
In 2011, the U.S. Department of Defense unveiled a new Strategy for Operating in Cyberspace. That document, which has since become the touchstone for American military thinking on the subject, represents a seminal evolution of military doctrine, recognizing cyberspace as the fifth operational domain, one equal to air, land, sea, and space in strategic importance.(1) It does so for good reason. In modern warfare, all battlefield domains are interconnected through cyberspace operations, and cyber attacks are expected to become a routine part of future conflicts.
At least for the moment, the U.S. is judged to be one of the most technologically advanced countries in the cyber domain. But its dependence on computer networks is a potential vulnerability, one that creates opportunities for foreign nations, terrorists, "hacktivists," and criminals. According to former Defense Secretary Robert Gates, DoD operates "more than 15,000 local, regional, and wide-area networks, and approximately 7 million IT devices."(2) It is well known that government networks are constantly probed for vulnerabilities and have occasionally been compromised, as they were by campaigns such as Moonlight Maze(3) (1998), Titan Rain(4) (2003), and a 2011 theft of more than 24,000 computer files from an unnamed defense contractor.(5)
The U.S. government has begun to mobilize in response, publishing a number of documents on national cybersecurity strategy. Several themes recur throughout them, among them a need for public-private sector cooperation, reduction of vulnerabilities, more cybersecurity training, and international cooperation. But existing American cyberstrategy also contains significant omissions, and confronts a number of practical hurdles.
How the Pentagon thinks about cyberspace
The current U.S. approach to securing the cyber domain is represented by the 13-page unclassified 2011 DoD Strategy for Operating in Cyberspace(6) (the contents of a longer classified version have not been disclosed). Whereas the Obama administration's broader May 2011 International Strategy for Cyberspace focuses on diplomacy, the Pentagon's version can be considered a complementary approach, one focused mainly on actions designed to ensure military superiority and the protection of American assets. To do so, the DoD strategy outlines five strategic initiatives:
DoD will treat cyberspace as an operational domain to organize, train, and equip. This initiative is tantamount to an official declaration that cyberspace is seen as a battlespace domain equal to air, land, sea, and space, and one where the Pentagon should build up its capabilities. This priority has led to the establishment of the U.S. Cyber Command (USCYBERCOM) as a sub-unified command of U.S. Strategic Command (USSTRATCOM) under the Secretary of Defense. USCYBERCOM is responsible for coordinating the relevant service components, including U.S. Army Cyber Command, U.S. Fleet Cyber Command/U.S. 10th Fleet, the 24th Air Force, U.S. Marine Corps Forces Cyber Command, and U.S. Coast Guard Cyber Command. It is deliberately co-located with the National Security Agency (NSA) under the same director. This arrangement is intended to maximize resources and efficiency, and to link cyber operations directly with intelligence.
DoD will employ new defense operating concepts to protect DoD networks and systems. That initiative includes four specific actions: implementing cyber hygiene best practices; addressing insider threats by strengthening workforce communications, workforce accountability, and internal monitoring; implementing active cyber defenses against external threats; and developing new defense operating concepts and computing architectures.
DoD will partner with other U.S. government departments and agencies and the private sector. The Pentagon depends on the private sector, including Internet service providers (ISPs) and global supply chains, over which it has no direct authority. Therefore, a broad level of cooperation with other government departments (particularly the Department of Homeland Security) and private companies is clearly necessary.
DoD will build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity. Cooperation with other nations can support “collective self-defense and collective deterrence” through timely information sharing about cyber threats. Other shared activities include capacity building, training, sharing best practices, and the pursuit of “international cyberspace norms and principles that promote openness, interoperability, security, and reliability.”
DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation. The initiative aims to maintain U.S. superiority in cyberspace by investing in people as well as research and development to create new technologies. The first part of the initiative consists of improvements to personnel recruiting and training; the second revises processes for acquisition of information technology.
Nevertheless, current Pentagon strategy downplays or omits several important topics.
One is jurisdictional. The strategy posits that cyberspace will be an integral part of future warfare. However, this “militarization of cyberspace” raises a question about the exact boundaries of cyberspace considered to be within military jurisdiction. Most critical network infrastructure is owned and operated by the private sector, making it unclear exactly how far the Pentagon’s reach will extend—and what will be deemed a casus belli by defense planners.
Another unanswered question is how cyber attacks warranting a military response will be differentiated from other malicious acts, such as cyber crime. For instance, spear phishing (social engineering) to install malware may be a tactic that is used in both cyber crime and military cyber espionage. Will the U.S. military deem such an event an act of war, and respond accordingly?
DoD strategy likewise does not distinguish between different types of adversaries (e.g., nation-states, foreign intelligence, hacktivists, criminals, hackers, and terrorists). As a result, responses that might be appropriate to specific types of adversaries are not discussed. Yet threat actors are likely to have vastly different objectives and capabilities, depending on who and what they are.
Clear rules for proper response to cyber attacks are needed as well. A widely accepted principle of the law of armed conflict holds that a response should be proportional to the attack. However, if a cyber attack causes death or physical damage, could the response undertaken as a result by the United States escalate into physical warfare?
Counterintelligence was mentioned in previous strategy documents, but downplayed in the current one, which only hints at the subject in describing the establishment of U.S. Cyber Command co-located with the National Security Agency under the same director.
The notion of deterrence is also downplayed. Deterrence is implied in the description of collective security created by international cooperation. Presumably, strength in numbers will help to deter future attacks.
The DoD strategy clearly emphasizes defense and protection of the information infrastructure. However, it is obvious that the U.S., like all modern nations, would be foolish not to build up offensive as well as defensive capabilities. The 2004 National Military Strategy of the United States of America recognizes this fact, stating plainly that cyber capabilities, “both offensive and defensive, are key to ensuring U.S. freedom of action across the battlespace.”(7) Also, the Air Force has said that “cyberspace operations seek to ensure freedom of action across all domains for U.S. forces and allies, and deny that same freedom to adversaries,” implying the capability for offense.(8)
It has been reported that the U.S. and Israel were jointly responsible for developing the Stuxnet malware that was used to sabotage the Natanz uranium enrichment plant in Iran.(9) If this is true, Stuxnet would serve as evidence of U.S. capabilities to damage another state’s physical infrastructure. Yet an approach to building such offensive capability is not mentioned in the current DoD strategy, most likely to avoid provocation of a global cyber arms race.
And, although the importance of research and development is recognized, no clear strategy is articulated for how research will be stimulated. For example, nothing is mentioned about investment in universities or scientific labs for basic research. Likewise, no strategy is articulated for quantifying the security of a computer system. It is difficult to have confidence or trust in a protected system without meaningful security metrics (beyond the number of vulnerabilities).
…and practical challenges
At the same time, the current cybersecurity strategy faces a number of practical challenges.
In terms of organization, establishment of the U.S. Cyber Command and supporting organizations in 2009 was undoubtedly an improvement. But cybersecurity responsibilities are still spread across various offices in DoD. Broadly speaking, the DoD is responsible for defending the military networks (nominally against cyber warfare) while DHS is responsible for defending civilian government networks (against cybercrime). DHS also helps critical infrastructure owners with cybersecurity. At the same time, arguably the best defense capabilities reside in the DoD. It is not clear which government agency has the lead for cybersecurity; which would respond to a given cyber attack; and how DoD could help in the defense of civilian networks.
Strategic initiative 1 calls for building advanced technologies for network resilience and robustness into DoD’s computer networks. Research in resilient networks has delved into advanced technologies such as self-healing and intrusion tolerance for many years. The technologies are fairly well understood, but implementing them in DoD’s 15,000 networks would be enormously challenging and costly.
Strategic initiative 2 presumes that good hygiene (e.g., updating and patching software, running antivirus software, avoiding untrusted email attachments and untrusted web sites) can prevent most malicious acts. While certainly helpful, safe practices will not protect users against advanced attacks that often make use of sophisticated social engineering and zero-day exploits.
The DoD Strategy makes a point to contrast “active” defense with traditional “passive” defense. By active defense, the DoD Strategy means that the network will be monitored in real time to “discover, detect, analyze, and mitigate threats and vulnerabilities”—or in other words, real-time intrusion detection and prevention. Research in intrusion detection has been conducted for decades, and real-time detection is still an open question due to the continual inventiveness of resourceful adversaries. Existing intrusion detection systems can monitor computer networks in real time, but the accuracy of detection (and hence prevention) remains uncertain.
Public-private cooperation has been a recurring theme in national cybersecurity strategies. An obvious example is information sharing about vulnerabilities and threats. However, it is not clear how to facilitate and properly incentivize cooperation on these and other issues, due to conflicting interests.
The advantages of international cooperation for collective defense are obvious. Interestingly, the Article 5 "mutual defense" clause of NATO has already been put to the test by the April 2007 cyber attacks against the websites of the Estonian parliament, banks, ministries, newspapers and media. The Estonian Foreign Minister accused the Kremlin of being responsible, raising the question of whether NATO member countries would respond collectively. Article 5 was not invoked, but the event highlighted the need for clear legal definitions of the cyber attacks that would qualify for Article 5 mutual defense.
Strategic initiative 4 implies that international cooperation can deter cyber attacks through strength in numbers. However, it is questionable whether deterrence is possible in cyber warfare in the same way that nuclear deterrence worked by fear of “mutually assured destruction.” It is challenging to forge and enforce effective treaties for international cooperation due to competing interests, different attitudes towards cyber warfare, and different definitions of malicious cyber acts (e.g., starting with “cyber warfare”).
One of the biggest challenges is attack attribution: being able to identify the real source of a cyber attack. Remote cyber attacks can be anonymized in many ways, for example by relaying through proxies or compromised hosts, or by using stolen accounts. The Internet's protocols were not designed to trace packets back to their origin; a source address is simply whatever the sender chooses to put in the packet. In addition, the lack of international law in this area hinders forensics when packets cross national boundaries. The plausible deniability afforded by anonymity is a major contributing factor to cyber attacks. The 2003 National Strategy to Secure Cyberspace proposed to improve capabilities for attack attribution and response, but this appears to have been omitted from the 2011 DoD Strategy.
As mentioned earlier, the U.S. is arguably the most technologically advanced nation in the cyber domain, and that very dependence on technology is a potential weakness that could be exploited by its adversaries. Therefore, it makes a great deal of sense that the U.S. strategy focuses almost entirely (at least publicly) on defense and protection of its military networks and critical infrastructure. By eliminating vulnerabilities, increasing resilience, and strengthening collective defense through collaboration, the U.S. can minimize its exposure and thereby maintain its lead in the cyber domain.
However, the strategy depends on some factors beyond the U.S. government’s immediate control. For instance, new technologies to maintain U.S. superiority are assumed to come from the private sector. Yet, with globalization, many companies today are multinational. And many are building up their cyber capabilities, meaning that innovation will not be unique to the U.S.
Another factor beyond control may be competing interests among nations preventing international cooperation. Even if treaties could be established for “normal rules of behavior” in cyberspace, they would be difficult to monitor and enforce due to the anonymous nature of cyberspace. Nations may cooperate when their interests coincide, but they are largely free to pursue their own political agendas with plausible deniability. It makes more sense for nations to stealthily compete with one another than to voluntarily limit their freedom to act through binding treaties. Even smaller nations which might normally benefit from alliances with larger ones have less reason to enter alliances in the cyber domain.
The cyber domain, then, represents a great equalizer. The weapons used by small and large nations are the same.
Thomas M. Chen is a Professor in Cyber Security at City University London, which he joined in 2013 after serving for several years as a Professor at Swansea University in Wales. He received his BS and MS from the Massachusetts Institute of Technology, and PhD from the University of California, Berkeley.
1. U.S. Department of Defense, “Department of Defense Strategy for Operating in Cyberspace,” July 2011, http://www.defense.gov/news/d20110714cyber.pdf.
4. Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” Time, August 29, 2005, http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html.
6. U.S. Department of Defense, “Department of Defense Strategy for Operating in Cyberspace,” July 2011, http://www.defense.gov/news/d20110714cyber.pdf.
7. Chairman of the Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, http://www.defense.gov/news/mar2005/d20050318nms.pdf.
8. U.S. Air Force, “Cyberspace Operations Air Force Doctrine Document 3-12,” November 2011, http://www.docstoc.com/docs/137067830/AF-Cyberspace-Operations-Doctrine-....
9. David Sanger, “Obama Order Sped Up Wave of Cyber-attacks Against Iran,” New York Times, June 1, 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of....