Sketching out the rules for offensive cyber operations

The White House released the first-ever National Cybersecurity Strategy this week. It leaves the door open for more defined use cases for cyber operations.

The White House’s new National Cybersecurity Strategy could lead to more precise guidance on how the Pentagon conducts offensive cyber operations when it releases its own strategy in the coming weeks. 

“There continues to be, I think, some frustration in different parts of the ecosystem about how much and how often, whether it's defending forward or other capabilities that DOD can bring to the table are deployed,” said Megan Stifel, the chief strategy officer for the Institute for Security and Technology. 

The Pentagon’s upcoming cyber strategy will most likely focus on defending its own networks and the security of the defense industrial base. But Stifel said she hopes it will also address offensive cyber operations.

According to the national strategy, “DOD’s new strategy will clarify how U.S. Cyber Command and other DOD components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic level threats to U.S. interests,” while bolstering partnerships with law enforcement, intelligence, and other federal agencies.

The potential for new policy is especially pertinent because it can be difficult to contain the effects of cyber actions, said John Sahlin, General Dynamics Information Technology’s director of cyber solutions for its defense division.

“I think what will be very interesting is the notion of disrupting adversarial actors. And I think that's going to give us the most interesting changes from a policy perspective,” especially when it comes to determining what a proportional response is from offensive cyber attacks, he said.

Defining what Sahlin called the “gradation of evaluating adversarial activity of engagement” could clarify the challenges around delivering a proportional response. 

“The challenge with cybersecurity and cyber actors in terms of any kind of response is that there's this idea of a reciprocal and proportional measured response. And it's difficult to rein in a cyber response to limit the effect,” Sahlin said. 

“But I think the biggest set of policies that could come from this is a more clear set of rules of engagement or rules of here's what a proportional response to this type of activity is. Because if everything is characterized as an attack, nothing is.”

The national strategy hints at this, stating that the U.S. will “hold irresponsible states accountable when they fail to uphold their commitments,” such as the United Nations mandate to refrain from using cyber operations to “intentionally damage critical infrastructure contrary to their obligations under international law.” 

But experts are hoping for more—even if the public doesn’t get to see it.  

Rob Carey, the president of Cloudera’s government solutions, likes that the strategy leaves room for “pushing back” against threat actors, because cyber defense sometimes means taking offensive actions. 

“The document talks about ‘disrupt and dismantle threat actors.’ I love that because that's the ability to push back. Sometimes defense is good offense. And while successive presidents have opened up that gate, they have been, you know, a little conservative in how they do that,” Carey said. 

Details on that may not be publicly disclosed due to their sensitivity, he said, “but they are talking about the right set of actions.”