The Pentagon’s 2018 cybersecurity strategy provides clarity for an issue the Department of Defense and strategic thinker have struggled with: What role does it have in defending the nation in cyberspace?
In the physical world, defense of the nation is very clear; however, in cyberspace questions regarding what role DoD has in protecting non-government entities from nation-state level threats has been less clear, especially since most networks are not government owned.
“What the 2018 strategy did is drive consensus that ... our comparative advantage in this space is by projecting power, defending forward, shaping the environment and addressing threats before they come to the homeland,” Madeline Mortelmans, principal director for cyber policy within the Office of the Under Secretary of Defense for Policy, said during a Feb. 27 event hosted by the Atlantic Council in Washington.
“Many of our previous strategies talked about DoD having a role in terms of defend the nation. That’s a traditional DoD mission, but what does that mean in cyberspace? What do we, as the Department of Defense, bring as a comparative advantage that helps us better defend the nation?”
Recent changes in policy and authority have largely remedied this concern. Empowered by new authorities provided by the White House and Congress for DoD to operate in this space, Cyber Command has followed a new approach of “defending forward,” essentially fighting adversaries in networks before they manifest themselves in U.S. networks.
The debate over DoD’s role in homeland defense from a cyber perspective came to a head in 2017 when Sen. John McCain,R-Ariz., clashed with a top defense official, who argued that the department should not take a leading role when it comes to election security because it does not fall under the banner of defending the homeland.
“[T]he United States has a long normative and legal tradition limiting the role of the military in domestic affairs. This strict separation of the civilian and the military is one of the hallmarks of our democracy and was established to protect its institutions. Designating DoD as the lead for the domestic cyber mission risks upsetting this traditional civil-military balance,” Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principle cyber adviser, wrote in prepared testimony to the Senate Armed Services Committee at the time.
McCain was not satisfied: “I am in fundamental disagreement with you about requirements of the Department of Defense to defend the fundamental of this nation, which is a free and fair election, which we all know the Russians tried to affect … It’s the Department of Defense’s job to defend this nation; that’s why it’s called the Department of Defense.”
Since then, the question has simmered in national security communities.
In a paper released in fall 2018, the first commander of U.S. Cyber Command, Keith Alexander, and the founder of the National Security Institute at George Mason University, Jamil Jaffer, wrote that one of the challenges for Cyber Command was that it lacked clear authorities to the defend the nation. This has been remedied by the recent changes in authorities and paradigm shift of defending forward.
Alexander and Jaffer wrote that the goal should not be to respond to attacks, but rather protect against them before infrastructure is damaged.
“This requires advance authority for USCYBERCOM to take action and clear [rules of engagement] that provide a broad range of options to use in appropriate circumstances while also limiting action to appropriate bounds outside the United States,” they wrote.
“Although the idea of providing advance authority to take action that admittedly might spark a larger conflict is almost certainly controversial, if structured properly with appropriate limitations, effective civilian oversight, and significant, timely reporting to the legislative branch, many of the key concerns can be effectively mitigated.”