The newest strategies for cyber warfare, recently announced by President Trump and the Department of Defense, clearly have looked at the history of warfare and have learned from prior mistakes.
During war, the ability for the warfighter who is knee-deep in grenade pins to make split-second decisions is paramount, as recounted by former SEALs Jocko Willink and Leif Babin in their book “Extreme Ownership,” but when bureaucracy intervenes, things go south.
During the Vietnam War it was the bureaucratic obsession with quantitative analysis and graduated pressure – and resultant strategic micromanagement by Secretary of Defense Robert McNamara and Lyndon Johnson – that hobbled the warfighter. President Johnson remarked on one occasion “I won’t let those Air Force Generals bomb the smallest outhouse without checking with me.”
Bureaucracy knows no boundaries and – unlike the warfighter in the field – is not constrained by time.
The tension over who is best suited to decide to act and precisely how has continued to bedevil us.
When General David Petraeus took over in 2010 as Commander of US and ISAF forces in Afghanistan, he attempted to streamline the military bureaucracy by actually tightening the Rules of Engagement (RoE). While met with resistance by troops in the field, Petraeus prohibited lower-ranking officers from adding any stricter requirements unless they were expressly approved. The proliferation of varying RoEs caused confusion about when US forces could engage the enemy, and under what circumstances. It varied commander by commander.
With the arrival of Defense Secretary James Mattis, things have changed. There is no longer the requirement that US forces be in proximity to the enemy. In testimony before the Senate Armed Services Committee, Mattis and Gen. Joe Dunford, USMC, Chairman of the Joint Chiefs of Staff, laid out his plan for changing our approach to the enemy. Dunford explained a key aspect of the plan:
“The new approach supports the President’s broader strategy by expanding our advisory efforts to the tactical level, increasing the combat support we provide to our Afghan partners, and enhancing authorities to our commanders.”
Enhancing authorities is all about the Rules of Engagement and providing more flexibility to the commanders on the ground to make decisions quickly and decisively.
Mattis put a finer point on it in his earlier testimony before the House Armed Services Committee: “If they are in an assembly area, a training camp, we know they are an enemy and they are going to threaten the Afghan government or our people, [Gen. John Nicholson, commander of U.S. Forces Afghanistan] has the wherewithal to make that decision.”
What does this have to do with cyber warfare? Plenty. The buildup to the new policy governing warfare in the fifth domain has taken years, but it has finally arrived. In March of this year in a previous column, I outlined the threat from Russia (“Russia is already warmed up for a massive attack on US energy grid”) and how the lack of a strategy for cyber warfare was hurting the United States.
In April, President Trump sent his cyber warfare strategy to Congress. Although the document is classified (as it should be), information coming out now sends clear signals about what was probably in it. The biggest takeaway? The rules of engagement have also changed in cyberspace, and closely model our RoE for kinetic warfare.
The 2018 DoD Cyber Strategy is the first major revision since 2015. The very first page of the summary stakes out clear positions on the use of a full range of tools. “The Joint Force will employ offensive cyber capabilities and innovative concepts that allow for the use of cyberspace operations across the full spectrum of conflict.”
This new approach is called “defend forward”, and allows the U.S. military to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” DoD’s role in homeland defense is also called out. “Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets.”
That means even disrupting computer networks in friendly countries when we see Russia, China, Iran or North Korea preparing to launch a cyber-attack against United States interests anywhere in the world.
The big change is how a response is handled. Previously, the National Security Agency (NSA) had to approve the response. In addition, if the NSA saw malicious activity and wanted to disrupt the bad actors, the National Security Council (which reports directly to the president) would need to be in the decision-making loop. Government bureaucracy has never deterred anything except productivity. No more.
This is all incorporated into a new national policy. Officially, it’s known as the National Security Presidential Memorandum 13 (NSPM 13). The bulk of the new authorities can be found under the heading “Peace Through Strength.” While the echoes of Ronald Reagan still ring, the approach is as true today as it was during the Cold War. Reagan’s ‘Peace Through Strength’ was the foundation of our nuclear deterrence strategies.
The new strategy contains a section called “Attribute and Deter Unacceptable Behavior in Cyberspace.” It calls for ensuring “that there are consequences for irresponsible behavior that harms the United States and our partners. All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States. This includes diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities.”
This answered one of the most pressing questions I posed in my previous column, notably when does a bit and a byte get a bomb and a bullet? We’re closer to an answer with NSPM 13. It also addresses the issue of Russian influence operations I wrote about back in July.
“The United States will use all appropriate tools of national power to expose and counter the flood of online malign influence and information campaigns and non-state propaganda and disinformation. This includes working with foreign government partners as well as the private sector, academia, and civil society to identify, counter, and prevent the use of digital platforms for malign foreign influence operations while respecting civil rights and liberties.”
In a news conference announcing the new strategy, National Security Advisor John Bolton was very clear about what this meant. “We will respond offensively as well as defensively,” Bolton said, adding that “it’s important for people to understand that we’re not just on defense.”
Peace through strength in cyberspace has arrived. Time to go win one for the Gipper.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.