New Pentagon cyber strategy: Building new capabilities, expanding allied info-sharing

WASHINGTON — Learning from the Russia-Ukraine conflict and watching out for China, the Pentagon is working to develop new cyber capabilities and expanding information sharing with allies and partners in order to stay ahead of any threats posed by adversaries, according to an unclassified summary of a new department-wide cyber strategy announced today.

“Both the People’s Republic of China (PRC) and Russia have embraced malicious cyber activity as a means to counter U.S. conventional military power and degrade the combat capability of the Joint Force,” according to an unclassified summary of the strategy. “The PRC in particular sees superiority in cyberspace as core to its theories of victory and represents the Department’s pacing challenge in cyberspace.” 

The summary [PDF] lays out four lines of effort that are consistent with a fact sheet released earlier this year after DoD formally submitted the strategy to Congress: defending the nation, preparing to fight and win the nation’s wars, protecting the cyber domain with allies and partners, and building enduring advantages in cyberspace. Many of the themes presented in the unclassified summary today are similar to what officials have talked about previously when it comes to protecting the department’s cyberspace operations.

DoD Chief Information Officer John Sherman previously told Breaking Defense the strategy would also “directly align” with the White House’s National Cyber Strategy released earlier this year. Both strategies emphasize defending the cyber domain from threats posed by China and Russia. 

China “poses a broad and pervasive cyber espionage threat,” while Russia remains an acute threat to the US, according to the summary. In particular, the summary cited Russia’s cyberattacks against Ukraine. 

“Russia has repeatedly used cyber means in its attempts to disrupt Ukrainian military logistics, sabotage civilian infrastructure, and erode political will,” the summary says. “While these efforts have yielded limited results, this is due largely to the resilience of Ukrainian networks and support from the international community. In a moment of crisis, Russia is prepared to launch similar cyber attacks against the United States and our Allies and partners.”

During a briefing with reporters today, Mieke Eoyang, deputy assistant secretary of defense for cyber policy, said that prior to the Russia-Ukraine conflict, “there was a sense that cyber would have a much more decisive impact in warfare than what we experienced.”

“What this conflict has shown us is the importance of integrated cyber capabilities in and alongside other warfighting capabilities,” she said. “And that is consistent with the approach in the [National Defense Strategy] on integrated deterrence, and is an important lesson for us to think about that cyber is a capability that is best used in concert with those others, and may be of limited utility when used all by itself.”

The unclassified summary notes that DoD is going to prioritize allies and partners in order to build cyber resiliency through efforts like “augmenting partner capacity, expanding partners’ access to cybersecurity infrastructure and maturing their cyber workforce though combined training events and exercises.” DoD also wants to emphasize information-sharing with allies and partners. 

“Allies and partners are a strategic advantage that no competitor can match,” Eoyang said. “Adversaries continually attempt to undermine the capabilities of our partners and it’s in our interest to strengthen the network defense of our allies and partners.”

When it comes to building new cyber capabilities, a zero trust architecture, autonomy and artificial intelligence-enabled technologies remain a priority. According to the summary, DoD “will prioritize technologies that can confound malicious cyber actors and prevent them from achieving their objectives in and through cyberspace.

“These include Zero Trust architectures and their associated cybersecurity technologies, advanced endpoint monitoring capabilities, tailored data collection strategies, enhanced cyber forensics, automated data analytics, and systems that enable network automation, network restoration, and network deception,” the summary says. 

The department has laid out a timeline that gives it until fiscal 2027 to implement a baseline level of zero trust across the DoD enterprise and released a specific zero trust strategy in November. Sherman said on Sept. 7 that the Pentagon will begin reviewing zero trust plans from each of its components in the coming weeks to make sure they align with DoD’s vision. 

DoD will also invest in building its cyber workforce, according to the summary — something that will require the department to think “outside the box” to solve its challenges, Mark Gorak, principal director for resources and analysis for the DoD CIO told Breaking Defense in August. DoD released its cyber workforce strategy in March meant to guide the department on how to close its cyber workforce development gaps and retain talent. 

“The Department will also empower the Services to implement effective talent management and career progression for the cyber workforce,” according to the summary. “We will encourage the development of expertise via options including extended tour commitments or repeat tour requirements, rotations within mission areas, and career progression models that reward development of such skills. The Department will also explore greater use of reserve components as a way to share talent with the private sector, like those adopted in National Guard cyber units.