U.S. Department of Defense Strategy for Operating in Cyberspace

The 2011 U.S. Department of Defense Strategy for Operating in Cyberspace is a formal assessment of the challenges and opportunities inherent in increasing reliance on cyberspace for military, intelligence, and business operations. Although the complete document is classified and 40 pages long, this 19 page summary was released in July 2011 and explores the strategic context of cyberspace before describing five “strategic initiatives” to set a strategic approach for DoDʼs cyber mission.^[1]

The strategy for operating in cyberspace first outlines DoD strengths, including rapid communication and information sharing capabilities as well as knowledge in the global information and communications technology sector, including cybersecurity expertise. These are considered “strategic advantages in cyberspace.”^[1] Additional emphasis is placed on furthering U.S. international cyberspace cooperation through international engagement, collective self-defense, and the establishment of international cyberspace norms.

The DoD begins discussion of current cyber threats by focusing on threats to DoD daily operations, with a progressively expanding scope to encompass broader national security concerns. The DoD is aware of the potential for adversaries to use small scale-technology, such as widely available hacking tools, to cause a disproportionate impact and pose a significant threat to U.S. national security. The DoD is concerned with external threat actors, insider threats, supply chain vulnerabilities, and threats to the DoDʼs operational ability. Additionally, the document mentions the DoDʼs need to address “the concerted efforts of both state and non-state actors to gain unauthorized access to its networks and systems.”^[1] The DoD strategy cites the rapidly evolving threat landscape as a complex and vital challenge for national and economic security.

In light of the risks and opportunities inherent in DoD and U.S. Government use of cyberspace, this strategy presents five strategic initiatives as a roadmap to "operate effectively in cyberspace, defend national interests, and achieve national security objectives."^[1] According to the DoD, pursuit of this strategy will see the DoD capitalize on the opportunities of cyberspace, defend against intrusions and malicious activity, strengthen cybersecurity, and develop robust cyberspace capabilities and partnerships.

"Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential."^[1]

According to the DoD, this consideration allows them "to organize train and equip for cyberspace as we do in air, land, maritime, and space to support national security interests.” Consequently they established the U.S. Cyber Command under the U.S. Strategic Command to coordinate cyber activities of the Army, the U.S. fleet cyber command/U.S. 10th fleet, the 24th air force, USMC cyber command, and USCG cyber command. U.S. Cyber Command is collocated with the National Security Agency, with the head of the NSA also serving as the commander of Cybercom. This serves to coordinate training for operations in a "degraded" environment, including the use of red teams in war games, operating with presumption of a security breach, and development of secure networks for redundancy purposes.^[1]

"Employ new defense operating concepts to protect DoD networks and systems."^[1]

This includes enhancing best practices and “cyber hygiene," featuring updated software and better configuration management. The DoD will take steps to strengthen workforce communications, accountability, internal monitoring, and information management capabilities to mitigate insider threats. The DoD will also focus on maintaining an active cyber defense to prevent intrusions. In addition to these reactionary concepts, the DoD will develop new defense operating concepts and computing architectures including mobile media and secure cloud computing to embrace evolutionary and rapid change.^[1]

"Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy."^[1]

Many critical functions of DoD rely on commercial assets such as Internet Service Providers and global supply chains, constituting a vulnerability that DoD and DHS will work together to mitigate. The formalized structure of DOD and DHS understanding sets limits to DoD and DHS policy. Their joint planning will increase effectiveness of cyber needs while respecting privacy and civil liberties and will conserve budget resources.

The DoD also maintains a partnership with the Defense Industrial Base to protect sensitive information. The DoD launched the Defense Industrial Base Cyber Security and Information Assurance program in 2007.

The DoD is also establishing pilot public-private partnership to enhance information sharing. They will continue to work with interagency partners towards a collaborative national effort to develop solutions to increase cybersecurity. A Whole-of-government approach will lead DoD to continue to support interagency cooperation with DHS to analyze and mitigate supply chain threats to government and private sector technology.^[1]

"Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity."^[1]

In support of the U.S. International Strategy for Cyberspace, the DoD will seek “robust” relationships to develop international shared situational awareness and warning capabilities for self-defense and collective deterrence. The DoD will assist US efforts to help develop international cyberspace norms and principles, dissuade and deter malicious actors, reserve the right to defend vital national assets as necessary and appropriate. The DoD will also advance cooperation with allies to defend allied interests in cyberspace, work to develop shared warning capabilities, build capacity, conduct joint training, share best practices and develop burden sharing arrangements.^[1]

"Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation."^[1]

The DoD intends to "catalyze US scientific, academic, and economic resources to build a pool of talented civilian and military personnel to operate in cyberspace and achieve DoD objectives.” The DoD will foster rapid innovation and invest in people, technology and R&D to create and sustain cyber capabilities vital to national security.

The DoD outlines 5 principles for the acquisition of information technology:

1. Speed is a critical priority.
2. Incremental development and testing.
3. Sacrifice/defer customization for speedy incremental improvement.
4. Adopt differing levels of oversight based on prioritization of critical systems.
5. Improved security measures for hardware and software.

The DoD will also promote opportunities for small and medium businesses, work with entrepreneurs in technology innovation hubs to develop concepts quickly. Targeted investments and joint ventures will enable the DoD to foster the development of impactful and innovative technologies.

The DoD also developed the National Cyber Range to allow rapid creation of models of networks intended to enable the military to address needs by simulating and testing new technologies and capabilities.

Development and retention of cyber workforce is central to strategic success outlined in this strategy. Consequently, the DoD will work to streamline hiring for their cyber workforce, enable crossflow of professionals between public and private sectors. As part of this plan, the DoD will also endeavor to develop reserve and national guard cyber capabilities, as well as continue educating their cyber workforce.^[1]

Xinhua News Agency cited the opinion of Li Shuisheng, a research fellow with the top military science academy of the People's Liberation Army, alleging the document is "fundamentally an attempt of the US to maintain its unparalleled global military superiority.^[2]" Li noted that the strategy "clearly aims at sovereign nations in retaliating to cyber attacks,^[2]" which could lead to a mistake in attribution that may provoke war. Furthermore, the president of Beijing University of Posts and Telecommunications, Fang Binxing, alleged that the United States is "more often on the offensive not the defensive side of cyber warfare, " and consequently can "fulfill its political and military purposes, including interference in domestic affairs of other countries and military intrusion, by making up technological effects on the Web.^[2]" Essentially, Chinese media reporting considers the 2011 Department of Defense Strategy for Operating in Cyberspace clearly stated ambitions for enhancing U.S. hegemony.

The day after the DoD strategy document was published, The Voice of Russia published an article citing a recent admission that the Pentagon was successfully hacked in March 2011. The author suggested "the Pentagon admission could be just a strategic solution to gain support for its new program of cyber defense."^[3] The article states that the strategy received "a serious amount of criticism," and concludes by stating that in light of the recent announcement of attacks in March, "the scared public should be much more supportive to the controversial strategy."^[4]

CRN News.com cited the opinions of several American cyber security experts who believe the DoD strategy is "too vague, lacks enforcement and likely won't warrant an immediate uptick of future business." Furthermore, security experts cite DoD plans to recruit experts from the private sector as a risk for weakening public technological development. At best, the experts observed the document "represented a collective growing awareness around the issue" and could be "a public affirmation from the government about activities and plans already in progress."^[5]

CRN News.com Australia covered the strategy release, focusing on the DoD's consideration of cyberspace as the fifth warfighting domain. The attitude of the article suggested the DoD strategy is a reaction to reports of data breaches, and should have been developed sooner.^[6]