Two Observations About The New DOD Cyber Strategy

The publication of DOD's new cyber strategy is a milestone and a major step forward in the cyber policy debate. In particular, the strategy is notable for its relative openness about the use of offensive options. For example, the strategy says explicitly (p. 5):

…if directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans. There may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.

It goes on to say (p. 14):

During heightened tensions or outright hostilities, DoD must be able to provide the President with a wide range of options for managing conflict escalation. If directed, DoD should be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure, and weapons capabilities.

From my perspective, here’s the key points in the above quotations. • Offensive operations in cyberspace have a role as instruments of U.S. military power. • Targets of offensive cyber operations include adversary command and control networks, military-related critical infrastructure, and weapons capabilities. • Offensive cyber operations may be conducted during periods of heightened tension (i.e., before the outbreak of outright hostilities). • The strategy places no explicit limits on the other US Government agencies on whose behalf Cyber Command might conduct cyber operations, and these cyber operations may be offensive in nature. Note that Operation Neptune Spear, which resulted in Osama Bin Laden’s death, was under the command and direction of the Central Intelligence Agency, although U.S. Special Operations command provided the vast majority of operational assets used in the mission. In a similar fashion, Cyber Command might well be directed in the future to provide offensive cyber capabilities for the Intelligence community. • The targeting of military-related infrastructure raises the possibility that the infrastructure may be dual use, and that planning for offensive cyber operations against such infrastructure may have to account for possible collateral damage to civilian interests. This point is consistent with the long-standing view in U.S doctrine that war-supporting infrastructure constitutes a valid military target under the Geneva Conventions, but this view is not universally held. (We will see how, if at all, U.S. views change when U.S. war-supporting infrastructure is targeted by an adversary through cyberspace.) A second observation about the strategy is that despite the new openness, the word “offensive” only appears twice in the document. One must read the document carefully to find the (multiple) times where the phrase “cyber operations” is used where the phrase “offensive cyber operations” should have been used. That is, one must infer the offensive character of the operations being discussed at various points in the document. My guess is that this is not an accidental feature of the document, but rather a deliberate one. Third, Henry Farrell makes a key observation about what is missing from the strategy: at last, there’s no cyber Pearl Harbor. Coupled with the February 26, 2015 testimony of Director of National Intelligence James Clapper, the discussion of threat in the document is more moderate in tone. It acknowledges the seriousness of the cyber threat, but is not hyperbolic in its rhetoric. A refreshing change! In any case, the document provides lots of real food for thought and argument and debate.