An employee of Global Cyber Security Company Group-IB develops a computer code in an office in Moscow, Russia, Wednesday, Oct. 25, 2017. AP Photo/Pavel Golovkin

What Happens When the US Starts to ‘Defend Forward’ in Cyberspace?

The author of DoD’s 2015 cyber strategy takes a look at the 2018 version.

A couple of weeks ago, the U.S. Defense Department took the first step in executing its new “defend forward” doctrine in cyberspace. The Pentagon telegraphed this step in its new cyber strategy, which told Russia, China, and others that if they continue to conduct cyberspace operations against U.S. interests, the U.S. will push back by targeting their military cyberspace infrastructure and disrupting their operations.

Now the U.S. has warned Russian hackers that if they interfere in tomorrow’s midterm elections, there will be consequences. 

How does this step fit into broader cybersecurity strategy, and what are the next steps for the United States to take to defend itself? Soon enough the Pentagon may directly target foreign cyberspace infrastructure to blunt incoming attacks. It is the right posture — but it comes with risks. The country must make itself ready for what comes next.

When I drafted the DoD Cyber Strategy of 2015 for the Pentagon, for the first time we publicly outlined that the United States would prepare to “defend the nation” against cyberattacks of significant consequence on U.S. interests. Then as now, the U.S. military was focused on blunting cyberattacks on critical infrastructure from Russia, China, Iran, and North Korea. This mission would by necessity mean stopping threats before they hit their targets; “defend the nation” meant almost the same thing as “defending forward” does today.

But with some important historical and policy distinctions. 

In 2015, we had not yet suffered a cyberattack of national consequence — but things changed when Russia conducted an influence operation and cyberattack on the U.S. presidential election. It caught the country off-guard, wounded America’s trust in democracy, and made the country aware of its digital vulnerability.

The defend-forward doctrine is now being put to the test with tomorrow’s midterms. Putin has been warned. The fact remains, however, that he has much to gain and little to lose. If he opts to escalate, the time will come to test his will as well as ours. So how might this defend-forward scenario unfold, and what should the country do to ready itself?

There are a few feasible options for the military. If Putin escalates, the U.S. could remotely target Russia’s military command-and-control infrastructure with malware or implant malware through human-enabled close access. Potentially, the U.S. could shut off power around Russian military bases responsible for cyberspace activities, or partner with private-sector players to kick the Russians off private networks and shut off elements of the Russian internet.

Any operation would aim to limit collateral damage and, to maintain international legitimacy, should be done in close partnership with key allies. The United States has already begun cooperating with European allies to shore up their own cyber defenses. An allied attribution of Russian activities — like the U.S.-UK attribution of North Korea’s responsibility for WannaCry — could bolster international support for a counter-offensive operation against Putin.

While the U.S. could blunt an incoming attack, we don’t know how Putin would react.

He may opt to disrupt parts of the U.S. electric grid, where Russia has already implanted malware, or try to assassinate Russians living abroad who speak out against his regime. These are actions he has taken in the past, in both Ukraine and London. 

Is the United States ready for such outcomes? If Putin forces the United States to defend forward by disrupting Russia’s cyberspace infrastructure, there will be consequences for U.S. interests, yet the U.S. cannot sit back and allow Russia’s malicious behavior to continue without reprisal.

Over the medium term, the country needs to continue to invest in cyberdefense and resiliency measures to withstand attacks. In the short term, the time may have come to impose costs and control escalation.

The good news is that the four-star Army general in charge of U.S. Cyber Command, Gen. Paul Nakasone, understands deterrence and escalation. He’s been a part of Cyber Command since before it launched and taken part in many of DoD’s cyber deterrence studies. 

Strong, strategic leadership will be increasingly important as the U.S. navigates this complicated gray area of conflict in our digital world. Any action could easily tip us into conflict and the country needs to prepare for follow-on steps.

Direct messages to the Russians matter, but the U.S. may need to defend forward faster than we thought on Russia’s command and control infrastructure. When we do it, with whom, and at what cost will make all the difference. If we defend forward in cyberspace – a scenario that’s unfolding right now – the U.S. needs to be prepared for what happens next.