Another aspect of the national cybersecurity strategy environment was put in place recently with the release of the Department of Defense Strategy for Operating in Cyberspace.
The strategy, delivered by Deputy Secretary of Defense William J. Lynn III, marks an important step in supporting our national interests in cyberspace, with the definition of five initiatives:
- Elevate cyberspace to a domain of DoD
- Adopt active defenses
- Increase cooperation between Department of Homeland Security and the private sector
- Cooperate with NATO and other partners
- Invest in technology and training to make the Internet more secure
While wide-ranging, the strategy does not fully address or clearly resolve all aspects of cyberspace, reflecting the reality that our national policy has remaining gaps. For example, the strategy does not make clear what differentiates the use of cyber as an instrument of national power in a contested environment from armed conflict, or cyber war, reflecting that such considerations are still a “work in progress.”
Though many have called on the government to discuss cyber war explicitly, unanswered questions remain about cyber war and offensive operations. There may be strategic advantage in retaining ambiguity on this topic, however.
Addressing these questions may need to take place within the larger context of the foreign relations and national security responsibilities of other government departments and agencies. We are just beginning to see the outline of a policy architecture that should lead to a whole-of-government approach to cyber policy and operations.
In addition, the strategy does not yet touch on some of the principal challenges that continue to impede public-private information sharing.
Private sector interests must consider and address potential liabilities associated with both providing cybersecurity information and receiving and acting on it. And, in the global economy, effective information sharing across governments and foreign companies or companies operating globally is critical.
Cybersecurity is a team sport. The essence of successful collaborative partnership is trust, teamwork, and information sharing about threats and best practices to mitigate those threats.
In the end, the DoD strategy provides evidence that the public sector’s policy architecture is beginning to emerge – and that may be its most important feature. We are beginning to define our national interests in cyberspace, to determine who will develop what aspects of policy to support those interests, what policies are needed, and how resources will be allocated in support of those policies.
While much work remains to be done, we see the DoD Strategy for Operating in Cyberspace as a step in the right direction. We look forward to helping address the many challenges that remain.