The Department of Defense’s New Cyber Strategy Points to Continued Investments

Published: September 27, 2018

Critical Infrastructure ProtectionCybersecurityDEFENSEPolicy and Legislation

The Pentagon’s new cyber strategy points to both offensive and defensive plans and priorities in the networked world of today and tomorrow.

The Department of Defense (DoD) recently released an updated cyber strategy for the first time in three years. The complete strategy document remains classified, but the DoD has released an unclassified summary as well as a two-page fact sheet describing their vision to address  cyber threats and related priorities within the latest National Security Strategy and National Defense Strategy.

The strategy describes a cyberspace environment that is increasingly contested, where “competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.” To address these strategic risks the DoD intends to leverage a full spectrum of cyber capabilities and tactics to deter, defend and protect the U.S. and its interests.

Defending Forward

A key theme of the strategy is proactivity. The DoD will step up its day-to-day efforts to maintain competitive supremacy in cyberspace by “defending forward” to confront threats before they reach U.S. networks and infrastructure. The DoD will also leverage cyber capabilities to increase overall military lethality and effectiveness.

The strategy outlines the Department’s five-fold cyberspace objectives as a mix of cyber-, organizational and defense-wide priorities (emphasis added):

  1. Promote Mission Assurance – Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;
  2. Project Strength through Cyber – Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;
  3. Protect Critical Infrastructure – Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
  4. Protect Information – Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
  5. Partner More – Expanding DoD cyber cooperation with interagency, industry, and international partners.

Continued Investment – FY 2019 and Beyond

The FY 2018 National Defense Authorization Act (NDAA) directed the DoD to conduct a comprehensive review of the Department’s cyber posture, including their workforce, cyber capabilities and processes to assess their ability to execute the cyber strategy. The DoD’s findings, while classified, determined that continued investments in each of these areas – people, capabilities and processes – are needed to meet the new strategy’s objectives. As a result, the Pentagon is identifying budget and resource impacts for their fiscal year 2019 and 2020 budgets and ways they will increase and improve their cyber workforce.

The strategy also priorities increasing cyber- technology innovation and leveraging cloud, scalable computing, automation and data analytics as well as increasing the speed of acquisitions and their use of COTS offerings. In support of a comprehensive approach, the DoD plans to lead efforts to formalize standards and increase information sharing among Defense industry partners and private critical infrastructure owners.

Industry partners that process or store DoD information on their systems have increasingly been required to sure-up their internal cybersecurity, share information and co-defend key systems or data sets and those capacities will continue to develop and be a requirement for doing business with the DoD.

The DoD will need both tools and the intellectual know-how from industry to continue to up their game in cyberspace – on offense and on defense. Offerings that integrate seamlessly with existing capabilities and can support a wide variety of activities like multi-domain warfare and critical infrastructure protection will find growing opportunities.