New cyber strategies the Pentagon and White House released this week present a unified effort to deterring growing threats, Atlantic Council analysts said Friday, but provide scant details on strategic considerations for more aggressive offensive operations and the plan for better leveraging industry capabilities.
Senior fellows on the Atlantic council said the White House’s national cyber strategy would be better with a clear direction for how to improve threat intelligence sharing with the private sector and the Pentagon must to define its forward-leaning posture with the potential to “destroy norms and stability.”
“The strategies show a remarkable degree of consistency, but also that makes their differences very, very acute,” Brandon Valeriano, a senior fellow and the Marine Corps University’s chair of armed politics, said during the call. “It seems to be written from a preventive posture not a preemptive posture, and that’s a big difference that has large legal implications.”
Both the Pentagon’s updated cyber plan and the White House’s national strategy emphasized an easing of restrictions on offensive operations and the use of cyber weapons to deter growing threats from nation-state actors, such as China and Russia. The Pentagon released their plan Tuesday and the president signed the administration’s strategy on Thursday (Defense Daily, September 21).
Valeriano said DoD must still define how this cyber forward posture will operate and clarify how cyber forces will be prepared to respond to threats that fall below the level of armed conflict.
Christopher Porter, a fellow and chief intelligence strategist with cyber security company FireEye [FEYE], said DoD, the White House and Department of Homeland Security’s recently updated plans present a unified picture for addressing the growing cyber threat while providing few details on the legal framework implementing an offensive-minded strategy
“I feel like the DoD strategy doesn’t really think about what you can do with cyber powers, so much as it tries to correct a series of what they probably viewed as mistakes,” Porter said. “This strategy envisions long-term day-to-day competition. I think for a long time U.S. policy focused on preventing a cyber Pearl Harbor and keeping U.S. capabilities a secret until the very last minute. And this is really cyber trench warfare where we’re fighting this long day-to-day resource-intensive conflict, where we’re gearing up for that.”
Porter said DoD and the White House have to consider the risk to allies’ networks if partner nations are going to be brought into this increasingly risk-intensive offensive fight.
The consensus among the group seemed to be the new strategies’ tread the same ground on private sector partnerships as previous plans, while also providing few details on how to better leverage technological development in industry.
“I was a little bit disappointed in the private sector [part], at least in my readings so far, because it has the same kinds of things that we’ve seen in almost every national strategy in the latest 15 years,” Jason Healey, a fellow and senior research scholar at Columbia University said.
Healey cited an example of a tangible change he implemented as part of a previous task force, where officials made a plan to feature private sector innovations that give cyber defenders the greatest advantage over attackers at the greatest scale and least cost.
Valeriano said the new plans do emphasize a greater level of broader private partnerships than previous DoD efforts that will require both parties to address challenges with sharing threat intelligence.
“So it’s going to be more of a partnership than the U.S. government is used to. [The private sector] is an important player, but they’re not the center or only player anymore,” Valeriano said.