Despite long-held beliefs by cybersecurity leaders that military operations in the physical world and in cyberspace are strategically no different, one of the Department of Defense’s top cyber officials is challenging that conventional wisdom.
“What if the way we’ve structured Cyber Command and our thinking about this space, what if it’s wrong?” Lt. Gen. Vincent Stewart, deputy commander of U.S. Cyber Command, said during a keynote presentation at the CyCon U.S. conference in Washington Nov. 14.
Cyberspace, in many regards, is strategically confounding. For example, what does sovereignty look like in cyberspace that knows no geographic bounds? How does one hold a target at risk in cyberspace without telegraphing what vulnerabilities in an adversary’s system has been exploited? Is there such thing as deterrence in cyberspace below the threshold of armed conflict? These are all still questions that many academics and even the government are still wrestling with.
Stewart contended that cyber is different than the physical world.
If during a ground maneuver, a commander encounters a river, Stewart said the river cannot be moved. However, in cyberspace, with a couple of keystrokes, the terrain can be changed and even moved.
As a result, the Department of Defense has had to reevaluate competition within cyberspace in recent years. Stewart said adversaries have discovered that they can’t compete with the U.S. kinetically, meaning they would lose a battle with missiles or tanks, but they can successfully engage below the level of conflict through cyber. They’re doing this everyday across all elements of national power to include diplomatic, information and economic networks.
“We are in a period where our adversaries are looking to really take us on below that level of armed conflict, to be able to steal our intellectual property, to be able to leverage our personally identifiable information, to be able to sow distrust within society, to be able to attempt to disrupt our elections,” Gen. Paul Nakasone, commander of Cyber Command, said in October. “This is what great-power competition looks like today.”
Cyber Command’s latest command vision states that adversaries are exploiting cyberspace on a daily basis for their own national interests below the threshold of armed conflict, and “in order to improve security and stability, we need a new approach.”
The new approach
In recent months, Cyber Command leaders have been preaching a philosophy they call “persistent engagement.”
Despite praising new offensive cyber authorities, officials are still unclear how the process will work exactly.
Stewart described this approach as not allowing adversaries to move in cyber without facing consequences.
“We’re going to impose cost on their behavior and make sure that we are going to shape norms and behavior in this space,” he said.
Persistent engagement also relies on another new concept Cyber Command officials called "defending forward. " This follows the idea of the best defense is a great offense. In other words, from a cyber perspective, that means gaining access to networks in order to better understand what an adversary might be planning against friendly forces or networks.
“Defend forward is nothing more than being active in your defense, just like we’ve always done, fight forward, disrupt forward, deny forward, make his servers less effective and have minimal level of clean up issues in blue space,” Stewart said.
The Department of Defense’s new cyber strategy also makes reference to taking action in cyberspace on a day-to-day basis in order to preserve military advantages and defend U.S. interests.
“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict,” the strategy reads.
While Cyber Command is often discussed as working at the forefront to defend against such daily affronts during peacetime, officials often point to a whole-of-government approach to cyber defense and deterrence. Stewart noted that to be successful in cyberspace, “we need to open up the aperture and think about how we fight and win, compete in this domain, across all the elements of power, not just military. I don’t know that we’ve given that with as much intellectual rigor as we ought to.”
The United States has regularly touted its leverage in crafting responses that span the entire government. This tool kit involves military action, diplomatic action, sanctions and indictments, among others.
“This is not a battle that we or other nations, for that matter, are going to win based on capability and there needs to be other instruments of national power and diplomatic leverage at play here,” Dave Weinstein, vice president of threat research at Claroty, told Fifth Domain in an October interview.
Current and former officials know foreign hackers may never see the inside of a U.S. courtroom, but they feel there are strong reasons to pursue them.