What the Defense Department’s Cyber Strategy Says About Cyber Conflict
Published by The Lawfare Institute
in Cooperation With
In September, the Department of Defense released the unclassified summary of the 2023 Cyber Strategy. The strategy builds on the strategic reorientation toward cyber persistence first introduced in 2018 but marries the framework of persistent engagement with experience. Whereas the 2018 strategy was based on theory and behavioral observations, the intervening years and especially the war in Ukraine have added practical know-how to refine America’s cyber doctrine. The 2023 strategy summary notes specifically that the U.S. has been acutely informed “by Russia’s 2022 war on Ukraine, which has seen a significant use of cyber capabilities during armed conflict.” Although many aspects of the cyber war in Ukraine remain obscure and shielded from the public eye (cyber operations are often by their nature covert), the 2023 strategy provides insights into lessons learned from the conflict that have not been directly addressed in previous U.S. government documents. Moreover, by examining the evolution from the 2018 strategy, it is possible to glean wider insights into how the war in Ukraine has influenced the Pentagon’s evolving view of strategic competition in cyberspace.
How I Learned to Stop Worrying and Love Cyber Campaigning
As noted by others, a defining feature of the 2023 strategy is its grounded view of cyber capabilities as geopolitical tools. This emphasis on practical insights gained from learned experience reflects a larger evolution in America’s understanding of cyber conflict that has been reinforced by the Ukraine war. When cybersecurity first gained attention as a national security issue, concerns centered on Hollywood-inspired scenarios where a surprise cyberattack would degrade or destroy the government’s ability to function.
Fears of this digital Pearl Harbor not only undergirded U.S. strategy but also colored predictions of how cyber means would be employed in armed conflict. On the eve of Russia’s invasion of Ukraine, commentators envisioned the arrival of the long-feared “cyber war.” Russia possessed advanced cyber capabilities that it had previously used against Ukraine, and a physical invasion could have been preceded by a devastating cyberattack designed to undermine Ukraine’s defenses. Yet Moscow’s devastating cyber offensive never arrived. While Russia did conduct some cyber operations against Ukraine, notably an attack on ViaSat designed to disrupt Kyiv’s command-and-control network, cybersecurity scholars have been surprised by the limited scale of cyber conflict during the Russian invasion. Initial observations suggest that Russia’s cyber activities leading up to and during the invasion can be understood as a failure that had little effect on battlefield outcomes and provided little strategic effects.
However, the unrealized cyber war says as much about misaligned expectations as Russian ineptitude. Recent data by Cyber Peace Institute tracking the use of cyber capabilities in Ukraine shows strong evidence of cyber activity during the war, including DDoS (distributed denial-of-service) attacks against Ukrainian internet service providers, water supplier websites, and others. That being said, we cannot expect that any open-source reporting of cyber incidents represents a full universe of cyber events happening in the Russo-Ukrainian battlefield. In fact, this is most likely just the tip of the iceberg. However, reported activities indicate an underlying truth about the utility of cyber means as strategic tools. While early narratives focused on massive, one-off attacks, such attacks are strikingly rare and operationally difficult. Rather, cyber operations are best understood as an incremental tool where the sustained uses of small operations as part of cyber campaigns can have a cumulative effect of reshaping security conditions and helping actors achieve their objectives. Particularly as Ukraine transitions into a long war, the cumulative effects of cyber campaigns may gain strategic significance. Already, Russia has leveraged a “global propaganda campaign” to defend its actions in the war that has directly fueled increasingly contentious debates over additional military aid to Ukraine.
This shift in philosophy from episodic cyberattacks to campaigns was posited initially in the 2018 strategy, but there, the focus was on campaigns being used by adversaries to erode U.S. national security. The strategy called on the U.S. to contest “persistent campaigns in and through cyberspace that pose long term strategic risk to the Nation as well as to our allies and partners.” But the experience of Ukraine has shown the United States that it cannot just be reactive to malicious cyber campaigns. Instead, the same incremental measures that have been used against the U.S. can also be leveraged to advance American national security. The 2023 Defense Department strategy states that “the Department will also use cyberspace operations for the purpose of campaigning, undertaking actions to limit, frustrate, or disrupt adversaries’ activities below the level of armed conflict and to achieve favorable security conditions.” This recognition of linked operations influencing strategic outcomes is a break from the episodic past and evidences a clear shift in how cyber conflict can be won following the experience of the Ukraine war.
Cyber Escalation: The New Name of the Game Is Adversary Perception and Risk Management
The growth of cyber campaigning builds on a willingness to be proactive in the use of cyber operations. This represents a rejection of the Obama-era approach that emphasized “a doctrine of restraint” and deterrence, which failed to defend American interests. In 2018, the Defense Department initially proposed the idea of “defending forward” and expressed a willingness to conduct operations outside of U.S. networks in order to “halt malicious activity at its source.” This approach was initially criticized for various reasons, including its risk of escalation and potential backlash from allies. These fears have not been realized. Out-of-network operations to defeat malicious actors as well as the experience with Ukraine have shown that proactivity in cybersecurity is not inherently escalatory. As such, the 2023 strategy evidences a continued commitment to cyber persistence and proactive action as an alternative to cyber deterrence. The new strategy explicitly states that the Defense Department’s “experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own.”
Even as the 2023 strategy embraces proactive competition in cyberspace, key changes since 2018 indicate that the central lesson for the Defense Department is in better managing the risks of such operations rather than abandoning them. Anxieties about cyber escalation are derived from a long-standing fear about conflict dynamics in cyberspace and whether cyber operations may be uniquely destabilizing. Yet multiple quantitative studies of cyber operations have found this not to be the case (including our own research). In fact, research shows that cyber operations are poor coercive and escalation tools. Similarly, research on U.S. public opinion has shown that Americans are not supportive of retaliating against cyberattacks with force, even when it comes to incidents of high magnitude. Cyber operations can spark retaliations, but these measures largely are reciprocal in nature and avoid either significant escalation or spillover into noncyber domains. This is because while the digital domain has its unique characteristics, it does not exist in a human vacuum and measures can be taken to mitigate the risks of cyber operations. For example, while U.S. efforts to dismantle the Islamic State’s digital infrastructure risked a backlash from allies whose networks were ensnared in the operation, the 2023 strategy emphasizes collaboration with partners to avoid misunderstandings and promote common goals: “We will continue to hunt forward operations and other bilateral technical collaboration, working with Allies and partners to illuminate malicious cyber activity on their networks.”
Likewise, even as the U.S. embraces proactive cyber operations against adversaries to preemptively defeat malicious activities, the 2023 strategy recognizes the need to engage with opponents to avoid misperceptions. Specifically, “as it campaigns in cyberspace, the Department will remain closely attuned to adversary perceptions and will manage the risk of unintended escalation.” This commitment has been reinforced by behavior. In particular, even as the Defense Department identifies China as Washington’s primary adversary in cyberspace, the Pentagon also held a working-level meeting with Chinese counterparts to discuss the 2023 strategy and related cyber issues. Given the opacity of cyberspace, such engagement initiatives across lines of geopolitical competition are essential for communicating intent and avoiding misperceptions and miscalculations.
The Benefits of Friends With Benefits
The 2023 strategy reflects a greater appreciation for the diversity of security actors in cyberspace and the key roles that non-state actors can play in cyber conflicts. Since cybersecurity first gained traction as a national security issue in the early 2000s, policymakers have voiced concern over both the vulnerabilities of the private sector and how terrorist groups may be able to use cyber means to strike at the American homeland. The Ukraine war has not alleviated this fear, but it has added new insights into roles that such entities can play in cyber conflicts and their utility within a whole-of-nation approach to cybersecurity.
The lack of large-scale cyber terrorism led to a premature dismissal of non-state actors in cyber conflict. Indeed, the declassified summary of the 2018 strategy did not even mention non-state actors as potential threats. Yet the Ukraine war has corrected this misperception as non-state and semi-state actors have played a significant role on both sides of the conflict. The 2023 strategy captures this realization and holds that, “in this saturated battlefield [of the war in Ukraine], military operations conducted by state and non-state proxies have collided with the cyber defense efforts of numerous private sector actors.”
Indeed, while non-state actors have reemerged as meaningful players, the experience of the Ukraine war has shown that the private sector is not only a cybersecurity partner but also a critical ally in cyber conflicts. Building public-private partnerships in cybersecurity has been a long-standing goal for the Pentagon. Previously, the issue was framed largely as the private sector being a target and cooperation being needed to protect American critical infrastructure. As described in the 2018 strategy, “the private sector owns and operates the majority of U.S. infrastructure and is on the frontlines of nation-state competition in cyberspace.”
Indeed, the private sector and industry partners have emerged as Kyiv’s most critical allies in the digital domain. Companies such as Microsoft have worked closely with Ukraine to assist their cyber defenses and share key lessons learned through public reports. Less constructively, Starlink and its controversial CEO, Elon Musk, have shown both the promise and the perils of private-sector patrons as the satellite-internet firm has both helped keep Ukraine online but also afforded the querulous Musk undue say over Ukrainian military operations. A key takeaway from the conflict is that private companies are not merely targets, but potential co-combatants who may have capabilities that are essential to national defense but outside governmental purview. Consequently, bridging the public-private divide cannot be delayed until a crisis occurs, and the 2023 strategy commits the Defense Department to nurturing this essential partnership: “We will expand public-private partnerships to ensure that DoD resources, expertise, and intelligence are made available to support key private sector initiatives. We will also draw upon the private sector's technical expertise and analytic capabilities to identify foreign-based malicious cyber activity and mitigate vulnerabilities on a global scale.”
***
The 2023 Defense Department Cyber Strategy complements the previous cyber strategy with important added experience. The 2018 strategy was a significant reorientation of the U.S.’s approach to cybersecurity. It constituted a recognition that the previous emphasis on cyber deterrence had failed to secure the United States, and prescribed persistence and proactivity as a new method for defending America’s digital frontier.
Bold as this realignment was, the 2018 strategy can best be understood as a new hypothesis for strategic competition in cyberspace—which the 2023 Defense Department document supplements with real-world experience. While only an initial case for how war in cyberspace will unfold, the conflict in Ukraine has nevertheless provided evidence for what cyber means can and cannot do. State-crippling cyberattacks amid armed conflict have not yet come to fruition, but this is an outcome rather than an inevitability. Persistence within the digital domain to both rebuff adversaries and support partners has shaped the conditions of the cyber conflict and meaningfully aided Ukrainian resistance. This practical experience has directly informed the 2023 strategy and must become further integrated into the larger discourse on cybersecurity. To be able to provide critical insights into the evolving nature of cybersecurity, more data and transparency about cyber events is needed. Especially in the context of the Ukraine war, to fully appreciate the effectiveness of a grounded cyber strategy, cyber operations must be removed from the shadows of speculation and integrated into a larger public dialogue of geopolitical competition in the 21st century.