UPDATE: USCYBERCOM has put flesh on the bones of its skeletal strategy declaration initially released in February 2018. A month later, on March 23, the Command made public a new, 12-page “Command Vision” that substantially expands on the earlier paper (posted below). Several analysts have already remarked on its significance. For example, Richard J. Harknett at the University of Cincinnati, who was consulted on the new approach, writes in Lawfare that it “marks a significant evolution in cyber operations and strategic thinking.”
The Archive is adding this new paper to its posting, along with two recent, fundamental strategy documents promulgated by the current administration.
Original posting: The U.S. Cyber Command has stepped into the fray over the nation’s cybersecurity strategy with a pithy but loaded statement of intent. The brief declaration reproduced here appeared in February 2018. It may be truncated but its calls for “cyberspace superiority,” “agility” in the cyber “battlespace,” and increasing “our ... lethality” are clearly the tip of a deeper policy iceberg. Look for these and other concepts in the earlier strategy documents, attached to this posting for context, to be the subject of much future debate in cyber/military circles.
New
Jason Healey
USCYBERCOM circulated this document at a conference at National Defense University (just outside Washington, D.C.), on February 15, 2018. Looking like a heavily pruned strategy paper, its length – just a single page – is reportedly the result of disagreements within the U.S. government over whether it is the business of operational commands to promulgate strategy rather than simply carry it out. The Command’s statement of goals is already prompting debate over how to interpret and assess them. (See for example Jason Healey’s original comment and Max Smeets’ reply in The Cipher Brief.)
Lawfare Blog
This 12-page “Command Vision” expands on an earlier outline of a new strategic conception that seeks to place cybersecurity squarely within the larger framework of national security. By arguing that a broader structural approach will be required to make a new cyber strategy work, it appears to be an attempt to take the initiative in recasting the nation’s strategy that would oblige the rest of the government to take action.
The White House
This statutorily required policy statement from the Trump administration provides a government-wide backdrop to the new Cyber Command paper. It takes a major step toward elevating cybersecurity as an integral part of the wider approach to national security. It further directs a number of measures to boost defenses and preventive measures, including prioritizing efforts to modernize technology.
U.S. Department of Defense
Remarked upon for its brevity and bluntness, the public version of Defense Secretary Jim Mattis’ NDS offers relatively little detail about the cyber elements of U.S. strategy. But it does acknowledge the growing threat to the homeland from hackers and other malicious actors. It also pledges to “invest in cyber defense, resilience, and the continued integration of cyber capabilities into the full spectrum of military operations” – concepts that clearly resonated with the authors of the new USCYBERCOM paper.
From the Vault
2008-02-28
Source: NSArchive FOIA request
This document provides cyberspace strategy for Strategic Command. It provides a framework for the execution of tasks to generate effects in cyberspace in support of DoD objectives and within pre-planned authorities.
2009-08-28
Source: https://cyberwarfare.nl
This document notes that "a new operational environment has emerged as evidenced by the increasing frequency and destructiveness of attacks and exploits launched against the United States through cyberspace." The central aspects of the strategy are the definition of mission objectives (e.g. neutralizing intelligence activities targeting U.S. and DoD interests in cyberspace) and enterprise objectives (e.g. achieving unity of effort in cyberspace).
2010-05-21
Source: U.S. Strategic Command Freedom of Information Act Release
This message notifies recipients that the U.S. Strategic Command has established a subordinate command, the U.S. Cyber Command, with initial operational capability as of May 21, 2010. It also specifies the mission of the new command, its responsibilities, organization, and command relationships.
2010-09-21
Source: U.S. Strategic Command Freedom of Information Act Release
This memo from the head of the U.S. Strategic Command, the parent command of the U.S. Cyber Command, recommends that the latter, established that May (Document 6), be declared fully operational. It also summarizes the Cyber Command's six key missions, including one that is partially classified.
2013-02-03
Source: www.dtic.mil/doctrine/new-pubs/jp3-12R.pdf
This formerly restricted publication discusses cyberspace (including national intelligence) operations; authorities, roles, and responsibilities (including legal considerations); and planning and coordination (including inter-organizational and multinational considerations).
Department of Defense, The DOD Cyber Strategy, April 17, 2015. Unclassified.
2015-04-17
Source: www.defense.gov
The two main components of this strategy document are the identification of five strategic goals (including establishing forces and capabilities to conduct cyberspace operations and the ability to defend against disruptive or destructive cyber attacks) and the implementation objectives associated with the strategic goals.
2015-06-03
Source: www.defense.gov
This vision document identifies key objectives for the U.S. Cyber Command (including integrating cyberspace operations in support of joint force operations), and identifies the "enablers" that are expected to allow achievement of those objectives.
Source: FOIA
This document outlines the cyber mission to counter ISIL. See also: USCYBERCOM to CDRUSACYBER
2016-05-05
Source: U.S. Strategic Command Freedom of Information Act Release.
The unit established by this order, the subject of an article in the Washington Post, was assigned the mission of developing malware and other cyber-tools in order to escalate operations to damage and destroy ISIS networks, computers, and mobile phones.
2016-09-00
Source: Federation of American Scientists.
This hearing document contains the prepared statement and testimony of the commander of the U.S. Cyber Command as well as responses to questions asked during and after the hearing.
2017-02-00
Source: Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics.
This report specified, and elaborated on, four guiding principles that the task force believed the Defense Department and other elements of the U.S. government should take account of in working to enhance the U.S. cyber deterrence posture. The principles include developing a cyber deterrence posture that has deterrence by denial and by cost imposition components, understanding the values of key adversary decision makers, developing credible response options at different levels of conflict, and ensuring that the issues in the event of an attack are how and when to respond as well as how to connect the response to the attack.
2017-03-01
Source: House Committee on Armed Services.
In this testimony, Dr. Libicki discusses four prerequisites for an effective cyberdeterrence posture: the ability to attribute attacks, the communication of thresholds (what actions will lead to reprisals), the credibility of threats to retaliate, and the capability to carry out reprisals.
2017-03-02
Source: Senate Armed Services Committee.
This testimony notes the studies conducted by the Defense Science Board on cyber issues, identifies fundamental principles of cyber deterrence, and discusses three cyber deterrence challenges (plan and conduct tailored deterrence campaigns, create a cyber-resilient "thin line" of key U.S. strike systems, and pursue foundational capabilities).
2017-05-09
Source: Senate Armed Services Committee.
In his testimony, the commander of the U.S. Cyber Command (and director of the National Security Agency) covers the cyber threat environment, the Cyber Command in operation, and conclusions.