SolarWinds Is Bad, but Retreat From Defend Forward Would Be Worse

The SolarWinds breach has kicked up a lot of dust. It’s thick, obscuring and deeply concerning. It’s also a long way from settling. But that hasn’t slowed the quick and steady drumbeat of postmortems declaring the shortcomings or outright failures of one aspect or another of the United States’s cybersecurity strategy and posture. To some degree this is understandable. In-crisis autopsies are not unusual in the cybersecurity business, and time is not an affordable luxury amid a massive breach. Some mitigation measures simply can’t wait. And as SolarWinds no doubt demonstrates, real cybersecurity continues to elude the nation. 

But a number of these critiques have taken an opportunistic aim specifically at the Department of Defense’s 2018 Cyber Strategy, singling out as SolarWinds scapegoats two relatively nascent operational approaches that ground the Defense Department strategy: defend forward and persistent engagement. 

Not surprisingly, these critiques have been picked up and amplified in press reporting. These overly precipitous reactions, especially at a time of limited information, are not only unhelpful but also potentially harmful. They come in the midst of a presidential transition and open the possibility that the incoming administration will feel pressure to heed these calls. This would mean curtailing the Defense Department’s use of out-of-network defensive cyber operations and a return to the failed policy of restraint that prevailed in the Obama and prior administrations. This would be a mistake. 

To be clear, SolarWinds is bad. As former homeland security adviser Tom Bossert has stated, “[T]he magnitude of this ongoing attack is hard to overstate.” Based on initial indications, it appears the U.S. was significantly out-maneuvered by a strategic adversary. The Russian Federation’s Foreign Intelligence Service, or SVR, has its fingerprints seemingly all over the operation. If nothing else, SolarWinds appears to constitute a major intelligence coup that has compromised a yet-to-be-determined but likely large amount of sensitive data. This breach also puts physical and technical infrastructure at risk across the government and private sectors. And while at this stage the facts point to SolarWinds being a broad and sweeping espionage operation, the accesses it generated constitute serious and ongoing vulnerabilities that Russia could potentially leverage for disruptive effect. SolarWinds is another stark reminder that the U.S. remains unacceptably vulnerable to hostile cyber operations and that significant work remains to achieve anything close to an acceptable level of national cybersecurity. It also underscores the strategic reality that threats of retaliation alone do not deter the nation’s adversaries. Their malicious cyber campaigns are constant and unrelenting, and the U.S. cannot simply firewall its way out of this problem.

But this doesn’t prove the failure of the current cyber strategy. Rather, it was precisely in recognition of these realities that the Defense Department devised its current strategy. In 2018 the department adopted a major shift in strategic thinking about cyberspace. Confronting the long-term strategic risk posed by adversaries’ active cyber campaigns requires proactive, not reactive measures. A key element of this proactive posture is the concept of what has come to be called “defend forward”—the use of Defense Department cyber capabilities during day-to-day competition to disrupt or halt malicious cyber activity at or as close as practicable to its source. That is, the 2018 Cyber Strategy embraced out-of-network cyber operations as one means among many to counter adversaries’ malicious cyber campaigns. Gen. Paul Nakasone, the commander of U.S. Cyber Command, also introduced the distinct but related framework of “persistent engagement” as the anchor to his vision for implementing the department’s broader strategy. 

So, yes, SolarWinds obviously demands a coordinated, all-hands response to fully assess and mitigate the damage and continuing risk. And of course, as the facts emerge, appropriate lessons should be drawn on how best to adapt to the evolving cyber threat generally, and to respond to Russia’s aggressive move specifically. Having said that, those who cite the 2018 Cyber Strategy as having failed to deter, let alone having somehow precipitated, SolarWinds fundamentally misapprehend the strategy, its antecedents and the logic underlying defend forward and persistent engagement. Russia launched SolarWinds—the latest in a long series of hostile Russian cyber operations—not because the U.S. has engaged too proactively in cyberspace. Quite the opposite; it did so, very simply, because it could.

Although the public record is thin, defend forward thus far appears to have been implemented only on a limited basis. The Defense Department has acknowledged Cyber Command’s operations in defense of the 2018 and 2020 elections, including reportedly successful actions to disrupt Russian interference efforts. However, notwithstanding defend forward’s embryonic track record, a number of commentators have quickly questioned the efficacy of defending forward or cited SolarWinds as evidence of its failure. These critiques generally coalesce around the following assertions: Defend forward failed as a deterrence strategy, Cyber Command failed to either detect or disrupt SolarWinds, and this emphasis on offense has come at the sacrifice of defense. Unfortunately, these claims rest on flawed premises.

What Do Defend Forward and Persistent Engagement Actually Mean? 

As an initial matter, it is important to clarify what defend forward and persistent engagement are and are not. Despite frequent misdescription, even within the Defense Department, neither is a strategy in the strict sense nor should they be judged as such. Neither seeks to match ways and means to achieve stated ends. Defend forward is a key element of the Defense Department’s strategy, one way among many applied, when authorized, to achieve the department’s specified cyberspace objectives. In contrast, persistent engagement is broader than defend forward and serves a distinct purpose. It is an operational mindset, a commander’s philosophy or doctrine that emphasizes proaction over reaction. Persistent engagement is intended to drive the Defense Department’s Cyber Mission Force to seize and maintain initiative across all aspects of the command’s assigned mission in order to out-compete the nation’s adversaries. That is why Nakasone talks not only of persistence in contesting adversary operations but also of enabling Cyber Command’s partners and accelerating innovation. In the hyperdynamic, high-threat environment of cyberspace, complacency is tantamount to defeat. 

Neither defend forward nor persistent engagement is intended to be a mode of deterrence. At best, they might serve deterrence ends but only secondarily. Measuring them against a deterrence yardstick misses the point. The limits of deterrence in the cyber realm are similar to other strategic threats such as terrorism and espionage, where the ability to deter adversary actions is limited or ineffective. Defend forward is meant to proactively contest, disrupt and degrade cyber aggression at or as close as practicable to its source before it reaches U.S., allied and partner networks. It takes as a given adversary persistence and entrenched will and is, therefore, aimed principally at disruption, not dissuasion.

In a word, “defend forward” is a synonym for “counter cyber operations.” It was incorporated as a foundational component of the 2018 Cyber Strategy precisely because of the experiential recognition that years of applying inapt deterrence theories to the unique environment of cyberspace had failed. The failed theories focused on restraint and on threatened, but not actual, consequences.

Rather than deter hostile adversary cyber operations, the policy of restraint encouraged them. The increasing number of disruptive, let alone exploitative adversary operations that have occurred over the past decade are