Defend Forward as a Whole-of-Nation Effort

By Erica D. Borghard, Mark Montgomery
Wednesday, March 11, 2020, 4:31 PM

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

The Cyberspace Solarium Commission puts forth a strategic approach of layered cyber deterrence, which combines a number of traditional deterrence mechanisms and extends them beyond the government for a whole-of-nation approach to defend the United States against cyberattacks of significant consequence. An essential element of layered cyber deterrence is the concept of defend forward. The commission builds on the Department of Defense’s original defend forward concept, found in the 2018 Department of Defense Cyber Strategy and focused on the military instrument of power, to include all the instruments of national power, including law enforcement actions, economic sanctions and attribution. In doing so, the commission integrates defend forward into a coherent approach that applies a diverse set of authorities, accesses and capabilities across the interagency to defend the nation in cyberspace. This post reviews how the commission extends defend forward to encompass multiple instruments of power. Specifically, we detail three components of the commission’s new conceptualization of defend forward that go beyond employing military authorities and capabilities to counter adversary cyber operations and organizations: strategic communications and signaling, the role of international engagement, and public-private collaboration and resilience.

First, the commission recognizes that the U.S. government needs to improve how it conducts strategic communications and signaling around the concept of defend forward. One of the crucial deficits that emerged from the commission’s research is that there is confusion among multiple audiences—including within the U.S. government—and inconsistencies in official documents about strategic approach definitions and end states. For instance, the 2019 National Defense Authorization Act (NDAA) that created the commission refers to strategies of “active disruption” and “persistent denial.” U.S. Cyber Command’s 2018 Command Vision, which was published prior to the 2018 Department of Defense Cyber Strategy, emphasizes persistent engagement, while the latter is anchored in defend forward. The 2018 National Cyber Strategy does not even mention defend forward, despite being issued alongside the Defense Department’s Cyber Strategy. Furthermore, U.S. strategy documents contain varying definitions of the desired strategic objective, which range from defending the American people and way of life, to improving the resilience of critical infrastructure, to preserving warfighting capabilities and military advantage, and even to changing the contours of competition itself in cyberspace.

The U.S. government needs to do a better job of strategic communications to the American people, allies and partners, and adversaries. The first, and most critical, step is for the executive branch to issue an updated National Cyber Strategy that includes defend forward as a key element and clearly defines the concept and what it seeks to achieve. Indeed, this is the commission report’s very first and anchoring recommendation. The updated National Cyber Strategy should clearly express that defend forward is an integral part of a comprehensive approach that encompasses all the instruments of national power beyond the employment of strictly military capabilities. Moreover, the strategy should explicitly and deliberately clarify the fact that defend forward is an inherently defensive strategy—despite the fact that there are offensive components at the tactical and operational levels. To achieve defensive strategic objectives in cyberspace, forces and capabilities must be forward-positioned, both geographically and virtually. This is analogous to historical strategies of forward defense, which was the foundation for the U.S. and NATO grand strategy during the Cold War.

Furthermore, for the employment of defend forward to sufficiently change adversary behavior while minimizing the risks of escalation, it must include signaling. Signals are statements or actions that are intended to influence the perceptions of the recipient. Signaling is important in cyberspace because the intent of cyber operations can be difficult to discern. Indeed, qualitative, quantitative and war gaming academic research has demonstrated that cyber operations in themselves are poor tools of signaling. The U.S. must also communicate how it seeks to change adversary behavior and shape adversary perception of the strategic environment. Signaling is also essential for escalation management so that actions taken in support of defend forward are not unintentionally perceived as escalatory. Therefore, signaling should entail coordinated employment of various instruments of power, rather than the current approach, which is inconsistent (if it exists at all) and varies by agency. The State Department is a key stakeholder in this effort. Diplomatic efforts must be deliberately and seamlessly integrated into defend forward. Specifically, the strategic level of signaling should involve overt, public diplomatic signaling through traditional mechanisms, as well as private diplomatic communications through mechanisms such as hotlines and other nonpublic channels (including through third parties when the U.S. may lack robust diplomatic relationships). Allies and partners also play an essential role, as discussed further below.

The second way the commission broadened the defend forward concept beyond military capabilities is to more explicitly link it to public-private collaboration and resilience. Increasing the costs to adversaries of conducting malicious campaigns includes not just military cyber operations. It also entails reducing the perceived benefits of attacking the U.S., particularly where adversaries seek to target entities in the private sector. For instance, if the private sector is resilient (if it can withstand and rapidly recover from a disruptive event), then adversary gains are reduced. As the Cyber Mission Force, for example, conducts hunt forward operations and maneuvers in cyberspace where the adversary operates, it can gain valuable information about adversary organizations and capabilities to support proactive private-sector defensive efforts. Relatedly, improving U.S. intelligence collection against adversary collection requirements (essentially, knowing what the adversary is looking to collect on) can enable us to better anticipate where they are likely to strike. Moreover, this is information that is most likely to be held by the private sector and needs to be shared effectively with the U.S. government to drive its prioritization of intelligence collection efforts. Rapidly passing information gained from U.S. government intelligence collection to network defenders enables them to take actions in anticipation of impending adversary threats.

Finally, international engagement and norms are vital for a whole-of-nation conception of defend forward. Defend forward is not incompatible with favorable international norms—in fact, the opposite is true and the U.S. must clearly communicate this, particularly to allies and partners. Clearly, diplomatic efforts to generate consensus around norms of behavior in cyberspace are foundational. However, to be meaningful, norm-building initiatives must be coupled with consistent (and, when possible, collective and transparent) action to support and enforce them when they are violated. In addition to law enforcement, sanctions, and collective attribution efforts after norms are violated, defend forward cyber operations can help establish norms the U.S. seeks to promote in the first place. Defend forward cyber operations and campaigns should deliberately counter and impose costs against adversaries for malicious behavior that is inconsistent with norms as defined by the U.S. and like-minded nations. This includes countering adversary activities such as cyber-enabled influence operations to undermine democratic processes, offensive cyber operations against civilian critical infrastructure in peacetime, or cyber-enabled intellectual property theft. Moreover, the more the U.S. can self-attribute these kinds of cyber operations, when operationally feasible, the greater the impact on norms creation.

The importance of allies and partners in this effort cannot be overstated. The U.S. government needs to recognize that there is enormous variation across our allies and partners in terms of their own offensive and defensive cyber capabilities; definitions of sovereignty; willingness to conduct attributable versus unattributable cyber effects operations; willingness to allow the U.S. to operate on their networks in support of defend forward; and preference for notification prior to, during and following U.S. activities in allied cyberspace. Our diplomatic outreach to allies and partners must take into account this diversity. In particular, given the occasions when even close U.S. allies may have expressed frustration with U.S. cyber operations (and, of course, vice versa), cultivating the trust required for defend forward will require dedicated diplomacy. The State Department must play a critical role in leading and mobilizing allies and foreign partners to facilitate cyber diplomacy consistent with the strategic objectives of defend forward, taking into account their diverse perspectives and capabilities.

Broadening the application of defend forward to encompass all the instruments of national power can improve the U.S. government’s ability to create costs for adversaries and impede their ability to conduct undesirable behavior in cyberspace, while fostering stability and the preservation of shared norms and values over the long term.