Operationalizing Defend Forward: How the Concept Works to Change Adversary Behavior

By Erica D. Borghard
Thursday, March 12, 2020, 3:28 PM

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

Defend forward is a crucial component of the Cyberspace Solarium Commission’s strategic concept of layered cyber deterrence, particularly in terms of defend forward’s role in creating costs for adversaries conducting malicious behavior in cyberspace. The commission reimagines defend forward, originally articulated in the 2018 Department of Defense Cyber Strategy, as a whole-of-nation concept. That said, here I will focus on the logic of defend forward in its military application and detail how the concept should be operationalized. Defend forward, as defined by the commission, entails the proactive observing, pursuing, and countering of adversary operations and imposing costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all the instruments of national power. This piece traces the emergence of the logic of defend forward and describes how the commission built on existing concepts to more fully articulate defend forward’s theory of victory and how defend forward seeks to accomplish desired end states.

Defend forward, as a strategic concept, grew out of a number of related realizations about the strategic environment in cyberspace. First, Defense Department entities governed under Title 10 of the U.S. Code have to be able to more routinely operate outside of the department’s own networks, known as the Department of Defense Information Network. Adversary operations span global cyberspace because the environment is not defined by geographic boundaries or even shared understandings about how sovereignty applies in this domain. If the Defense Department’s ability to operate outside of its own networks were more limited and circumscribed, as envisioned in the 2015 Department of Defense Cyber Strategy, the department would be giving free rein to adversary actors that traverse global networks constrained only by capabilities.

Second, intelligence collection in cyberspace against an adversary cannot be conducted solely through static, passive collection. Observing adversaries as they maneuver—and understanding their evolving organizations, capabilities, techniques and personas—requires the U.S., or its allies and partners, to gain access to networks and systems where adversaries operate. The challenge is that this infrastructure is owned by some entity, whether by the U.S. government, private companies or individuals, allied and partner governments, or the adversary. In other words, unlike in other domains, there are no “high seas” or “international waters” in cyberspace. It is important to acknowledge this reality and be transparent about its implications for how the U.S. can and should operate to achieve defensive strategic objectives consistent with international law.

Third, to rapidly generate effects in cyberspace at the desired time, forces and capabilities have to routinely operate where the adversary is. In cyberspace, a decision-maker cannot simply call for fires and reliably anticipate that the desired effect will be delivered against the intended target at the right time. Cyber operations and campaigns demand operational preparation of the environment; prior intelligence collection and operations to identify vulnerabilities and exploits; the development or procurement of tools to deliver the intended effects; and the ability to hold targets at risk over time to deliver the appropriate effect on a decision-maker’s request. Relatedly, capabilities are dynamic—today’s tools may be irrelevant tomorrow—and opportunities are fleeting—today’s access may be gone by tomorrow. Therefore, maintaining cyber capabilities and forces in reserve cedes the initiative to adversaries.

The above understanding coalesced into a new Defense Department strategy anchored in the defend forward concept. Its operationalization, as demonstrated by U.S. efforts to counter Russian interference in the 2018 U.S. midterm elections, was enhanced by further changes to policymaking processes, the delegation of authorities and law. But the Cyberspace Solarium Commission recognized that further work remained to be done to parse the strategic logic of defend forward, identify its desired end states, and trace the causal processes that link its implementation with those objectives.

The commission addresses a central question posed by defend forward: How can the U.S. positively change adversary behavior in cyberspace short of war to produce a more favorable status quo in the short to medium term, while cultivating stability in the international system over the long term?

This question implies a number of desired end states. The first is to change the status quo for activities below the level of war, in which adversaries operate in and through cyberspace to contest U.S. interests on a routine basis. Specifically, defend forward seeks to reduce the magnitude and effects of malicious adversary behavior, recognizing it is impossible to stop or prevent all unwanted activities. The second is to maintain the status quo regarding managing within- and cross-domain escalation dynamics. The U.S. should be able to preserve deterrence of cyberattacks of significant consequence, while being able to employ cyber capabilities below the level of armed attack without triggering significant adversary retaliation or escalation. Third, over the long term, defend forward aims to contribute to the establishment and enforcement of favorable international norms of behavior. Norms do exist in cyberspace, but not all are consistent with U.S. interests and values.

Here, I want to focus on the first end state: the theory of victory for how defend forward can change adversary behavior below the level of armed attack. Defend forward hypothesizes the U.S. can change adversary behavior through making attacks less effective and, cumulatively, by altering the adversary’s decision calculus regarding the perceived benefits, costs and risks of conducting malicious campaigns against the United States.

There are two specific pathways that link defend forward with the desired outcome. The first is driven by a logic of cost imposition. Specifically, adversary behavior will change when adversaries experience (or perceive) an increase in the direct and indirect costs of conducting malicious activities. This includes U.S. efforts to counter adversaries’ offensive cyber capabilities and infrastructure, the organizations that support their cyber operations and campaigns, and the locus of their decision-making. In addition to making it more difficult for adversaries to conduct malicious operations and campaigns, this will force them to divert resources from other lines of effort and shift to secondary and tertiary plans, and it will also increase their uncertainty about the likelihood of success. The second pathway stems from a bargaining logic—to reduce the information asymmetries between the U.S. and its adversaries. The idea is to improve intelligence about adversary capabilities, provide early warning of impending attacks, and enable rapid counter-cyber responses and information-sharing with targeted owners and operators, while simultaneously reducing adversaries’ access to U.S. information.

Together, increasing costs to adversaries and improving U.S. situational awareness about adversary behavior and capabilities can reduce information asymmetries and help the U.S. get “left of boom,” with the potential to yield cascading positive effects. Additionally, disrupting adversary capabilities and infrastructure, in some instances, may have an aggregate effect of disrupting infrastructure, organization and capabilities that could have supported multiple operations by adversaries. Moreover, affecting the adversary’s decision-making cycle can increase the domestic costs for the adversary’s regime if defend forward creates costs for stakeholders that support the government.

Defend forward has a number of detractors, some with important concerns. The commission strove to address these, including by providing recommendations for how the U.S. can improve engagement with international allies and partners; detailing an enhanced signaling strategy to mitigate potential risks of inadvertent escalation; and proposing investments in resilience to shore up the private sector’s ability to withstand and rapidly recover from adverse events. However, if we agree that the current status quo in cyberspace is not acceptable, this raises the question: What is a viable alternative to defend forward to change adversary behavior? Defend forward seeks to create costs for adversary military organizations and capabilities and improve U.S. situational awareness—as well as the situational awareness of U.S. allies and partners—in support of defensive strategic objectives. Unlike in the realm of nuclear deterrence, in cyberspace we cannot expect a binary outcome—the use of a capability versus nonuse, for example—but the U.S. can and should take steps to reduce the frequency and magnitude of malicious adversary behavior.
