Defending Forward in the Cyber Domain

Thirty years ago, on August 2, 1990, Saddam Hussein invaded Kuwait. When the United States decided to respond, it took months to send hundreds of thousands of troops and thousands of tanks, armored vehicles, artillery pieces, helicopters, aircraft, ships, and associated equipment to the Gulf. Washington conducted this massive deployment essentially unhampered and unchecked by adversary actions. More than five months after Iraq’s invasion, the United States and its partners finally launched Operation Desert Storm on January 17, 1991. Following six weeks of air attacks, the ground campaign concluded after only 100 hours.¹

This outcome was not a foregone conclusion. In fact, it could have ended quite differently if a cyberattack against U.S. national security assets in the run-up to the conflict had succeeded. Early in 1990, hackers broke into computer networks at numerous Department of Energy labs and leveraged their access to breach systems at U.S. military commands, downloading large tranches of information about military personnel, materiel, and maneuvers. The hackers tried to sell the information to Saddam Hussein. Fortunately, he declined the offer.²

What if Saddam had accepted? When Air Force General Hansford Johnson, then-commander of U.S. Transportation Command (USTRANSCOM), gave the order to activate his Crisis Action Team on August 4, 1990, the enemy might have already infiltrated his systems, thereby undermining “C-Day” – the beginning of deployment. The first Military Airlift Command flight might not have arrived in the area of operations on August 7. Network outages and corrupted data might have prevented hundreds of U.S. C-5 and C-141 aircraft, along with planes volunteered by the airlines, from taking off in the first place.

The ships of Maritime Prepositioning Squadrons 2 and 3 might not have been ready for the first-ever wartime test of the Afloat Prepositioning Force. Military Sealift Command might not have received the messages to activate the remaining five Fast Sealift Ships and might not have issued the request to activate all 17 of the Ready Reserve Force’s Roll-On/Roll-Off vessels. The 217-ship “steel bridge” across the Atlantic might not have been created by December 31, 1990.³

Thankfully, that did not happen. The United States, however, will almost certainly not be so lucky in any future crisis. “The world is changing,” General Stephen Lyons, the current commander of USTRANSCOM, testified on February 25, 2020. “In the past, we were able to deploy our forces when we wanted, assemble them where we wanted, and employ them how we wanted.” Today, this is an advantage America’s enemies seek to counter and deny.⁴

The days of uncontested and lengthy large-scale deployments that amass combat power for American military conflicts have come to an end, especially against adversaries such as Russia or China. After carefully studying the Gulf War, Beijing and Moscow spent the intervening decades developing a variety of means to prevent the U.S. military from even arriving in the prospective conflict zone. Both countries have established and openly published military concepts for using cyber and other tools of disruption. In a potential great power conflict, Pentagon planners must assume that adversaries will use cyber capabilities against forces based in the continental United States, power projection forces, logistics capabilities, and supporting national critical infrastructure.

As General Lyons testified, adversaries seek to subject U.S. forces to “persistent, all-domain attack” – including through the cyber domain. With roughly 85 percent of U.S. military forces residing in the continental United States, the ability to disrupt the projection of U.S. combat forces to a potential conflict zone in the Baltics, Taiwan Strait, or South China Sea, for example, could leave U.S. national security interests dangerously unprotected.⁵ Indeed, the bipartisan National Defense Strategy Commission expressed concern in its report that China and Russia might conduct fait accompli attacks before U.S. forces could even arrive.⁶

Given that the majority of U.S. forces reside in the United States, the Pentagon relies upon “just in time power projection,” shipping and receiving materiel only when needed. While such a process may increase efficiency and reduce costs, it creates vulnerabilities that adversaries can exploit. One of the major weaknesses of “just in time” deployments is the cyber vulnerabilities inherent to the commercial and military networked systems required for planning, force generation, and force projection over vast distances at scale.

This is not a theoretical threat or one relegated to some future conflict. Today, U.S networks and systems are in constant contact with a multitude of cyber adversaries. The growing use of cyber weapons against the United States, ranging from intellectual property theft, disinformation, data destruction, and denial of service attempts, is a clear sign that a purely defensive strategy will fail.

For the U.S. military, countering cyber threats is an ongoing, persistent, global operation. In 2018, for example, David Bennett, director of operations for the Defense Information Systems Agency, said the Defense Department blocks 36 million malicious emails on a daily basis.⁷ The volume of malicious activity in cyberspace has been growing each year, with no sign of slowing down.

By moving some U.S. combat capability from the United States forward – closer to the point of potential adversary aggression – the Pentagon can reduce the cyber opportunities adversaries currently enjoy to target U.S. forces en route to a conflict. Due to the changing character of war, however, that step is not enough to ensure America retains the ability to deter adversary aggression.

The Pentagon has long-understood that there are multiple phases of warfare: Phase 0 (shape the battlefield), Phase 1 (deter), Phase 2 (seize initiative), Phase 3 (dominate), Phase 4 (stabilize), and Phase 5 (enable civil authority).⁸ Utilizing new capabilities and technologies, America’s adversaries have developed structures and capabilities to integrate and blend these phases into simultaneous operations that target U.S. vulnerabilities and block traditional U.S. strengths. Americans typically believe they are either at war or at peace with a particular country. Beijing and Moscow have rejected that binary equation and instead engage in perpetual modulated gray-zone aggression – much of it in the cyber domain.

In recognition of this, the Defense Department’s 2018 Defense Cyber Strategy⁹ called for a comprehensive reevaluation of the way the Pentagon operates in the cyber environment. Rather than just attempting to respond to cyberattacks, the strategy calls for the United States to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This also requires the United States to integrate its cyber capabilities into the other U.S. warfighting domains, making the adversary defend itself across the full spectrum of its infrastructure.

The congressionally mandated Cyberspace Solarium Commission report,¹⁰ released in March 2020, also elaborated on the concept of “defend forward.” The Commission said that “to disrupt and defeat ongoing adversary [cyber] campaigns, the United States must pro-actively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict.” Such an approach would drive the United States to conduct rapid defensive action at the point of origin before real damage is done inside the United States.

In short, “defend forward” calls for early understandings and early warnings of potential adversaries’ actions rather than waiting for indicators of attack within the United States. “Defend forward” means protecting America’s most critical networks and working to thwart cyberattacks on U.S. infrastructure well before they become reality. The monitoring of adversary target selection and techniques – while inside the adversaries’ environment – enables the United States to support and protect at-risk U.S. systems.

Normally, cyberattacks would be first identified, if discovered at all, as an anomaly in the network, long after the initial breach. Statistically, it is known that after-the-fact detection occurs weeks or months after the initial breach.¹¹ By that point, the damage is already done. The “defend forward” concept is intended to prevent that from happening.

Proactive observance, pursuit, and countering of adversary cyber operations requires authorities to interact with adversary’s operations outside of the United States. And while the United States is still getting up to speed, the fiscal year 2019 National Defense Authorization Act legislation significantly improved the ability to execute offensive cyber operations with sections that (1) established cyber surveillance and reconnaissance as a “traditional military activity”; and (2) established the authority to disrupt, defeat, and deter cyberattacks from China, Russia, Iran, and North Korea. The Trump administration then created the policy process to conduct these operations with National Security Presidential Memorandum 13. By rapidly embracing and employing this policy of “defend forward” and imposing costs on cyber aggressors in the gray zone, Washington will, over time, establish deterrence throughout cyberspace.

America’s capabilities in cyberspace are rapidly evolving, as are those of its adversaries. For the United States to be effective, such capabilities must be buttressed by forward-stationed and forward-deployed forces in all domains, including cyber capabilities. For it is the integration of capabilities across all domains and elements of national power that can best secure American security interests for decades to come.