Essentials of Military Cyber Security Strategies
There are considerable, even striking, differences between the old and new versions of the Department of Defense (DoD) cyber strategies. Four years separate the two documents, and the new version explicitly states that the United States may take offensive action against its persistent adversaries in cyberspace. This article first summarizes the major changes in the new strategy, then reviews the cyber-attacks against US assets during that four-year period, since these persistent attacks are probably the primary reason for the offensive turn of the new strategy. Finally, it sets out the essentials of a military cyber security strategy, which run in parallel with the evolution of the DoD cyber strategy.
Evolution of DoD Cyber Strategy
Most readers probably know that the DoD has published two cyber strategies so far. The first was published in July 2011 under the title “Department of Defense Strategy for Operating in Cyberspace” [1]. The updated strategy is dated April 2015, and its title is more generic than the old one: “The DoD Cyber Strategy” [2].
Even a quick reading shows that the first strategy is more moderate, implicit, and indirect than the new one. As a quick and striking example, the phrase “cyber operation” does not appear in the old strategy at all, whereas it is used 31 times in the updated one. The updated strategy declares three primary cyber missions:
- Defending the DoD’s own assets;
- Being prepared to defend the United States;
- Providing integrated cyber capabilities to support military operations and contingency plans.
The third mission is clearly an offensive theme in its own right, and when one reads the explanation of the second mission it is apparent that it is semi-offensive in nature as well. As a result, two of the three missions of the updated strategy include offensive measures.
The new strategy document differs from the first iteration in six concepts:
- Offensive nature (as mentioned);
- Deterrence;
- Attribution;
- Managing the strategy;
- Countries with malicious activities;
- International relationships.
Quick explanations of the other five concepts follow:
- Deterrence: the old version gives limited coverage to the term “deterrence”. The new version devotes a dedicated section to it, treats it comprehensively, and makes it one of the outstanding themes of the strategy;
- Attribution: the first version did not assign importance to “attribution” and its challenges. The new version greatly expands on it, stating that “Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups”;
- Managing the strategy: the first strategy only lists strategic initiatives and does not detail how the strategy is to be executed, whereas the new version has a section titled “Managing the strategy”;
- Countries with malicious activities: the first version does not name any other country; it uses the word “adversary” / “adversaries” in five places. The new version names Russia, China, North Korea and the Islamic State terrorist group. It is unusual to see country names in a strategy document, and it can be deduced that the United States expects to be threatened by these countries for a long time. This is not surprising, because one or more of these countries or groups has been identified as the source of APT (Advanced Persistent Threat) attacks;
- International relationships: the old strategy describes international relationships in general terms. The new strategy explicitly mentions Middle Eastern countries, Asia-Pacific countries, NATO and the Five Eyes partners when it discusses building alliances and partnerships, and it also mentions building dialogues with China and Russia.
Significant Recent Incidents
The critical question is “What is the primary reason for this evolution?”. The answer is quick and simple: when we examine the cyber-attacks between the publication years of the first and second strategy (2011 and 2015), we see a proliferation of attacks in those years.
The non-profit Center for Strategic & International Studies (CSIS) publishes on its website a report titled “Significant Cyber Incidents Since 2006” [3].
This regularly updated report lists 94 security incidents and breaches between July 2011 and April 2015. Most of these attacks targeted US assets, including critical sectors, research organizations, federal organizations, and the private sector.
When it comes to persistent cyber-attacks against US networks, Mandiant’s February 2013 APT1 report is worth mentioning [4], because it attributes the attacks to China, with the subtitle “Exposing One of China’s Cyber Espionage Units”. Every line of this report is striking. It presents extensive evidence of cyber-attacks against US assets originating from China and traces them back to one of the most prolific hacking groups in China. The report is not composed of digital evidence alone; it also includes physical findings such as photographs of a building and maps.
It is important to note that this report can be regarded as a means of deterrence as well. In effect, the US is saying: “I have the technology and expertise to trace you back and locate you physically”.
Essentials of Military Cyber Security Strategies from the Perspective of DoD Strategy Updates
After a comprehensive review of the literature, including but not limited to NATO CCD COE (Cooperative Cyber Defence Centre of Excellence) publications and US governmental documents, five essential elements for military cyber strategies can be extracted [5, 6, 7, 8, 9]:
We can assume that cyber risk will increase with every passing day. Taking this reality into account, a country that holds very valuable and sensitive assets such as intellectual property, critical infrastructure, and confidential information has to seriously consider increasing its offensive capabilities. Current and future military cyber strategies therefore have to give pride of place to offensive actions, both for deterrence and in order to be prepared for hard times. This reality is reflected in the updates to the new DoD strategy.
A military strategy should have elements dedicated to capacity building. Capacity building can be regarded as a prerequisite for offensive measures, because it is impossible to build effective offensive measures without first building qualified teams and structures. It is also true that offensive measures are an effective means of deterrence. As a result, two important updates of the new DoD strategy, offensive measures and deterrence, depend to some extent on capacity building efforts.
Military cyber strategies have to give sufficient weight to intelligence activities. Intelligence supports operations and provides input to a country’s situational awareness mechanisms. It also provides the insight needed to perform attribution, which is another notable difference in the updated DoD strategy.
Collaborating, cooperating, and partnering with other countries, even with adversarial states, is essential. As an example, in June 2013 the US and Russia signed a bilateral agreement establishing a hotline and some confidence-building measures on cyber issues [10]. The new version of the DoD Cyber Strategy also gives importance to this aspect by mentioning the building of dialogues with China and Russia.
Countries have to pay attention to cross-border legal action against adversaries, which is itself important for deterrence. The US is already pursuing international indictments. For example, in May 2014 the US indicted five Chinese military officers on charges of computer hacking and economic espionage against six targets in the US nuclear power, metals, and solar power industries. China has denied the charges. According to the US Attorney General at the time, “This was the first ever charges against a state actor for this type of hacking” [11].
[1] Department of Defense Strategy for Operating in Cyberspace: https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf
[2] The DoD Cyber Strategy: https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
[3] CSIS Significant Cyber Incidents Since 2006: https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity
[4] Mandiant APT1 Report: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
[5] NATO CCDCOE National Cyber Security Framework Manual: https://www.ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf
[6] The National Military Strategy for Cyberspace Operations: https://www.hsdl.org/?view&did=35693
[7] Cyberspace Operations: http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12R.pdf
[8] Stocktaking study of military cyber defence capabilities in the European Union (milCyberCAP): https://www.rand.org/pubs/research_reports/RR286.html
[9] Resilient military systems and the advanced cyber threat: https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-081.pdf
[10] International Cyber Norms: Legal, Policy & Industry Perspectives: https://ccdcoe.org/sites/default/files/multimedia/pdf/InternationalCyberNorms_Ch7.pdf
[11] Cyber Operations in DOD Policy and Plans: Issues for Congress: https://fas.org/sgp/crs/natsec/R43848.pdf