When the U.S. Department of Defense released its latest cyber strategy last week, it laid more than just another brick in the edifice of cybersecurity that the government has been building for decades. Coming just a few weeks after President Barack Obama’s Executive Order setting out a policy framework for sanctioning malicious cyber actors, the new strategy marks a significant evolution in Washington’s understanding of, and approach to, providing security in the digital age. That’s because it comes with a warning to potential adversaries: The United States will no longer be only reactive in its cyber defenses, as the Pentagon will be armed and ready to retaliate against cyberattacks or even strike first to pre-empt them. The strategy is careful to note, however, that the U.S. seeks to exhaust all network defense and law enforcement options before moving to cyber operations.
The new strategy builds on an earlier approach announced in July 2011 that focused on how the Pentagon would operate in cyberspace. That document’s initiatives included treating cyberspace as an operational domain and revolved around a primary mission of defending Defense Department networks. The Pentagon planned to do the latter with new operational concepts, partnering with other agencies, building relationships with international partners and exploiting national innovation capabilities—that is, working with Silicon Valley and other parts of the private sector. Thematically, it was a defensive strategy, downplaying the importance of the adversary’s decision-makers and accepting that the tactical battle would occur on networks of an adversary’s choosing.
The 2015 strategy is decidedly more assertive. It broadens the Pentagon’s defense of its own networks to a more explicit mission of defending the entire nation’s networks against foreign threats. This involves building and maintaining cyber-capable forces able to conduct a range of cyber operations in a contested environment. While not entirely new, these newly declared Cyber Mission Forces will conduct operations to counter imminent or ongoing attacks on the U.S. homeland or cyber interests. Nominally, this posture endorses pre-emption, though much of the language in the new strategy is broad enough to be open to interpretation.