Earlier this month, the Department of Defense (DOD) released an unclassified summary of its classified 2023 Cyber Strategy, which is the baseline document for how the department will operationalize the priorities of the 2022 National Security Strategy, the 2022 National Defense Strategy and the 2023 National Cybersecurity Strategy. The strategy builds upon the 2018 DOD Cyber Strategy and will set a new strategic direction for the DOD.
"This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war," Assistant Secretary of Defense for Space Policy John Plumb said in a press release. "It has driven home the need to work closely with our allies, partners and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails."
According to the summary, the DOD has conducted a “significant number of cyberspace operations through its policy of defending forward, actively disrupting malicious cyber activity before it can affect the U.S. Homeland” since 2018. The summary further states that both the People's Republic of China (PRC) and Russia have embraced malicious cyber activity.
“Globally, malicious cyber activity continues to grow in both volume and severity, impacting the U.S. Homeland and placing Americans at risk,” the summary states.
The document goes on to say that the DOD will pursue four complementary lines of effort to address current and future cyber threats: 1. defend the nation; 2. prepare to fight and win the nation's wars; 3. protect the cyber domain with allies and partners; and 4. build enduring advantages in cyberspace.
“The 2023 Cyber Strategy plan is a step in the right direction to overcome the asymmetric challenge of defending our nation and obtaining an asymmetric advantage in cyberspace,” said Landen Brown, Federal CTO at Symmetry Systems. “It reinforces the DOD’s commitment to defending our nation’s mission critical systems and infrastructure and that of our broader allies, as well as empowering the future by building enduring advantages in cyberspace capabilities.”
Security leaders weigh in
Jonathan Trull, Chief Security Officer and Head of Solutions Architecture at Qualys:
I was happily surprised by the direction they took with the document. The DOD is going to be extremely proactive in cyberspace based on their strategy. Being forward leaning in their approach means a lot more proactive disruption to defend our critical infrastructure. They mention more threat hunting and threat hunting with allies and taking lessons learned from the Russia-Ukraine conflict. I would expect to see the DOD take a significantly more proactive posture in the cybersecurity space.
The other thing they got right is that ultimately the success of the DOD is based on the talent they retain. Historically, the military was slow to move to adding designators for enlisted or for officers. I have firsthand experience of this, so it was great to see career progression for the cyber workforce called out specifically in the document. This needs to be one of their core priorities. It’s difficult when you have private sector companies recruiting out of the military. Calling out this effort directly in their strategy is a positive sign. Having and retaining the right people matters more than anything.
They also called out working with the science and technology community for automation and artificial intelligence-driven cyber capabilities. Over the last six months, generative AI has opened people’s eyes to what’s possible with AI. We’ve talked about this as a community for over a decade, and AI has been called the nirvana cure-all for years. I want to see AI drive automation and changes moving forward, and I’m glad they’re looking at it carefully.
The one area that’s left a little open is that the document calls out the DOD as the primary stakeholder for the Defense Industrial Base (DIB) — all the suppliers of ships, missiles and clothing for troops. Essentially, anyone that is a critical supplier. The thing that was a little surprising is that we still have critical infrastructure, civilian companies providing very significant services and they called out a lot of public-private partnerships and interagency work, but they’re not the primary department that would be responsible for defending or responding to cyberattacks in those instances. There are a few scenarios where the President could call out the DOD. In certain situations, the President can specifically call on the National Guard to help. My experience has been that this is still a fairly immature convoluted space in terms of the National Guard’s involvement in state and local issues and cyberattacks. For example, how would they engage a civilian company if they asked for assistance? There’s a lack of clarity against non-DIB entities. Who can you count on to support here? Would it be Homeland Security, would they have to coordinate with the DOD? That may be in the classified version, but it’s not clear who would be the authority to defend them.
Edward Debish, Director, Public Sector at Tanium:
The DOD highlights an imperative to fight and win the nation’s war. In this section, they discuss the need to be “resilient against malicious cyber activity and ready to operate in a contested environment.” I fully agree with this emphasis, but this thought needs to be broadened to include a line of effort to maintain “Cyberspace Lines of Communication.” Much like how Sea Lines of Communication (SLOCs) are secured to ensure the free movement of maritime shipping, the DoD should focus on ensuring that in a contested environment, electronic commerce, information sharing, critical infrastructure and services, as well as warfighting networks are resilient and operational when the nation needs them most. Lastly, with China as our pacing threat, we need to maintain our Cyberspace Lines of Communication (CLOCs) in peacetime as well as war. The CLOCs are the critical enabler to all warfighting functions and the key to winning.
Landen Brown, Federal CTO at Symmetry Systems:
For the last five-plus years, the DOD has made a concerted effort to move mission critical workloads to the cloud with both success and challenges. Most challenges that have been presented thus far, outside of cloud cost, have been related to monitoring, alerting and defending these mission critical systems in their new cloud domain against existing and emerging adversaries. This new domain brought new vulnerabilities and advanced exploits that adversaries continue to use, compounded by the current cloud engineering skill and viable cybersecurity solutions gap. The 2023 Cyber Strategy plan acknowledges this gap and makes investment in the cyber workforce a clear priority.
In order to defend the nation and protect the cyber domain, the approach to cybersecurity and intelligence sharing between allies and partners will need to evolve further. It is becoming more and more clear that the need for new capabilities including Zero Trust and evidence-based data security is rapidly growing. Solutions and the companies that develop them are now under a tight window to create capabilities that no longer service just a single pillar of the Zero Trust model, but instead evolve to treat Zero Trust as a fabric — covering multiple pillars simultaneously. The focus on building enduring advantages in cyberspace will require the tools and tactics to allow greater collaboration with more certainty on the security of the data being shared.
Further, it is clear from the Cyber Strategy that the solutions that our nation’s cybersecurity leaders choose are going to be under strict scrutiny to integrate with the broader ecosystem and fix the handicap that currently exists with point solutions. Holistic visibility across each mission critical domain will only be possible with innovation and integration with each other.
Gareth Lindahl-Wise, CISO at Ontinue:
As a strategy for a department focused on military operations and protection, the 2023 Defense Department Cyber Strategy makes a great deal of sense. However, what is not as clear is the link between this and the National Cybersecurity Strategy for commercial organizations and what their role will be as ‘partners.’
National governments need to incentivize the private sector.
Many organizations will weigh out what this means for them and will question how it could affect them in terms of their responsibilities to deliver components of the strategy to their ecosystems, whether they should adopt the recommendations internally and how this could impact vendors they work with.
The answers to these questions will obviously depend on what the organization does. The National Strategy makes it clear that there are expectations for larger organizations, critical infrastructure providers and ‘foundational’ providers for the digital marketplace to play a role. It will be interesting to see if some of the intent of the strategy makes its way into the realm of corporate social responsibility. Will demonstrable adoption of this strategy be a differentiator in selecting products and services? If this takes hold, market forces could supercharge adoption. This means buyers will give a clear preference to those organizations clearly executing their responsibilities to implement the strategy.