An employee of Global Cyber Security Company Group-IB develops a computer code in an office in Moscow, Russia, Wednesday, Oct. 25, 2017.

An employee of Global Cyber Security Company Group-IB develops a computer code in an office in Moscow, Russia, Wednesday, Oct. 25, 2017. AP Photo/Pavel Golovkin

Ideas

What Happens When the US Starts to ‘Defend Forward’ in Cyberspace?

The author of DoD’s 2015 cyber strategy takes a look at the 2018 version.

Jonathan Reiber

|
Jonathan Reiber
By Jonathan Reiber
Senior Director, Cybersecurity Strategy and Policy, AttackIQ

A couple of weeks ago, the U.S. Defense Department took the first step in executing its new “defend forward” doctrine in cyberspace. The Pentagon telegraphed this step in its new cyber strategy, which told Russia, China, and others that if they continue to conduct cyberspace operations against U.S. interests, the U.S. will push back by targeting their military cyberspace infrastructure and disrupting their operations.

Now the U.S. has warned Russian hackers that if they interfere in tomorrow’s midterm elections, there will be consequences. 

How does this step fit into broader cybersecurity strategy, and what are the next steps for the United States to take to defend itself? Soon enough the Pentagon may directly target foreign cyberspace infrastructure to blunt incoming attacks. It is the right posture — but it comes with risks. The country must make itself ready for what comes next.

When I drafted the DoD Cyber Strategy of 2015 for the Pentagon, for the first time we publicly outlined that the United States would prepare to “defend the nation” against cyberattacks of significant consequence on U.S. interests. Then as now, the U.S. military was focused on blunting cyberattacks on critical infrastructure from Russia, China, Iran, and North Korea. This mission would by necessity mean stopping threats before they hit their targets; “defend the nation” meant almost the same thing as “defending forward” does today.

Related: Why Haven’t Terrorists Hit the US with a Devastating Cyber Attack?

Related: No, the US Won’t Respond to A Cyber Attack with Nukes

Related: Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict

But with some important historical and policy distinctions. 

In 2015, we had not yet suffered a cyberattack of national consequence — but things changed when Russia conducted an influence operation and cyberattack on the U.S. presidential election. It caught the country off-guard, wounded America’s trust in democracy, and made the country aware of its digital vulnerability.

The defend-forward doctrine is now being put to the test with tomorrow’s midterms. Putin has been warned. The fact remains, however, that he has much to gain and little to lose. If he opts to escalate, the time will come to test his will as well as ours. So how might this defend-forward scenario unfold, and what should the country do to ready itself?

There are a few feasible options for the military. If Putin escalates, the U.S. could remotely target Russia’s military command-and-control infrastructure with malware or implant malware through human-enabled close access. Potentially, the U.S. could shut off power around Russian military bases responsible for cyberspace activities, or partner with private-sector players to kick the Russians off private networks and shut off elements of the Russian internet.

Any operation would aim to limit collateral damage and, to maintain international legitimacy, should be done in close partnership with key allies. The United States has already begun cooperating with European allies to shore up their own cyber defenses. An allied attribution of Russian activities — like the U.S.-UK attribution of North Korea’s responsibility for WannaCry — could bolster international support for a counter-offensive operation against Putin.

While the U.S. could blunt an incoming attack, we don’t know how Putin would react.

He may opt to disrupt parts of the U.S. electric grid, where Russia has already implanted malware, or try to assassinate Russians living abroad who speak out against his regime. These are actions he has taken in the past, in both Ukraine and London. 

Is the United States ready for such outcomes? If Putin forces the United States to defend forward by disrupting Russia’s cyberspace infrastructure, there will be consequences for U.S. interests, yet the U.S. cannot sit back and allow Russia’s malicious behavior to continue without reprisal.

Over the medium term, the country needs to continue to invest in cyberdefense and resiliency measures to withstand attacks. In the short term, the time may have come to impose costs and control escalation.

The good news is that the four-star Army general in charge of U.S. Cyber Command, Gen. Paul Nakasone, understands deterrence and escalation. He’s been a part of Cyber Command since before it launched and taken part in many of DoD’s cyber deterrence studies. 

Strong, strategic leadership will be increasingly important as the U.S. navigates this complicated gray area of conflict in our digital world. Any action could easily tip us into conflict and the country needs to prepare for follow-on steps.

Direct messages to the Russians matter, but the U.S. may need to defend forward faster than we thought on Russia’s command and control infrastructure. When we do it, with whom, and at what cost will make all the difference. If we defend forward in cyberspace – a scenario that’s unfolding right now – the U.S. needs to be prepared for what happens next. 

NEXT STORY: US Diplomatic Vacancies Are Straining Alliances

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.