Introduction
Thank you, Richard, and thank you to the Center for a New American Security for hosting today's event. I'm honored to be here and glad to have the opportunity to roll out the Department's strategy to achieve our national objectives in and through cyberspace.
Embarking on a New Chapter
We are at a pivotal moment for cyber policy. The cyber threat environment has evolved significantly in recent years.
China, the Department's pacing challenge, continues to be actively engaged in campaigns of espionage, theft, and compromise against key defense networks and critical infrastructure—not only against the U.S. but around the world.
China views cyber as central to its theory of victory, and dedicates its enormous resources and state control over industry to both reshape the global technology ecosystem and empower proxy organizations to pursue malicious cyber activity.
Russia, North Korea, and Iran remain persistent cyber threats that engage in reckless and irresponsible activity against critical infrastructure, conduct cyber espionage, and support criminal cyber activity.
And profit-motivated transnational criminal organizations target hospitals, educational institutions, and other civilian entities. As the U.S. witnessed with the disruption of Colonial Pipeline systems, ransomware attacks on critical infrastructure can have a significant impact on our society.
But beyond the threat picture, there is something else making this a pivotal moment for cyber policy: Russia's unjustified and illegal war against Ukraine. Here is what some people call the first cyber war, and yet the impact of using cyber in that war has not been anywhere close to the dreaded magnitude many had worried about.
Taking all this together, DoD began internalizing some important lessons, and we are now embarking on a new chapter in our approach to cyber. This new chapter is laid out in our 2023 DoD Cyber Strategy. Being DoD, this is a classified document. But to make sure we can discuss the strategy with allies, partners, industry, and other key stakeholders—including all of you in this room and online right now—it is important to have an unclassified summary, and I'm excited to present that today.
But before I get into the strategy and where things are headed, let me take a few minutes to retrace the steps that got us here today.
I find it helpful to break up the last 10-15 years into three distinct chapters in DoD's evolution of our approach to cyber.
Chapter 1
Chapter 1 begins in 2010 with the establishment of U.S. Cyber Command, or CYBERCOM, as a sub-unified command.
CYBERCOM was created to bring together the cyber forces from across the different services, but its placement under US Strategic Command—the Command that oversees U.S. nuclear forces—reflected our early thinking when it came to cyber operations. Instead of viewing cyber as a domain that could be leveraged in both competition and conflict, at that time the Department viewed cyber operations as something analogous to nuclear weapons: you wanted them in reserve as a deterrent, then worked very hard to make sure you'd never have to use them.
Back then in 2010, the Department was most concerned with the prospect of what senior leaders termed a "Cyber Pearl Harbor"—a massive hack that would dismantle the U.S. power grid, transportation system, financial networks, and government.
But it turns out that was not the real problem.
Instead of a crippling cyberattack, the predominant threat at the time was actually cyber-enabled espionage. In other words, states— primarily China—stealing our secrets and our intellectual property.
Over 22 million records of security clearance investigations were exfiltrated in the 2015 data breach of the Office of Personnel Management. Blueprints to our cutting-edge aircraft, IP for our breakthrough pharmaceuticals, and even innovations in agriculture have all been stolen. Over the years it has added up to trillions of dollars of economic theft. There was a clear trend of cyber being employed below the threshold of armed conflict but to the strategic benefit of our competitors.
And while the "Cyber Pearl Harbor" didn't materialize, something new did: a coordinated cyber operation to influence the 2016 U.S. presidential election. It was abundantly clear to even the casual observer that we needed to do more to protect our nation. And that led us to the next chapter in our cyber approach.
Chapter 2
Chapter 2. Starting in 2018, we began to address these problems. First, CYBERCOM was elevated to a unified combatant command.
Second, the Department received new authorities to streamline the approval process for cyber operations. And third, the Department unveiled a new strategy we called Defend Forward – defending our networks by disrupting malicious cyber activity before it can affect the U.S. homeland.
Those changes ushered in a new approach to cyberspace operations. Early success in Defending Forward to deter and prevent interference in the 2018 midterm election led to new operations to actively disrupt malicious activity at its source.
We also tried a novel idea: helping our allies and partners, not only by sharing threat information, but also by operating side-by-side with them on their networks, at their invitation, to track down malicious activity. We called these Hunt Forward operations, and it took our cyber cooperation to the next level by helping build capacity and resilience, not just for our own country but for others.
Chapter 3
It is against this backdrop that we arrived at Chapter 3 in our approach to cyber. With Russia's further invasion of Ukraine in 2022, we have, for the first time, witnessed the role that sophisticated cyber operations can play in a modern conventional conflict. This is something we continue to see in real time, but there are already some clear lessons we have internalized.
For example, Russian operations have demonstrated that cyber does not take place in a vacuum—nor is it especially decisive on its own.
In conflict, cyber operations are best understood as a complement to conventional missions rather than a standalone capability. Despite an initial burst of malicious cyber activity by Russia against Ukrainian networks to cut off or control access to information and communications, Russia was unable to use cyber to produce strategic effects.
This is in large part due to Ukraine's excellent and enduring cyber security and cyber resilience. Ukraine has been dealing with malicious cyber activity from Russia for years.
In fact, Ukraine was one of our first partners for Hunt Forward operations. Ukraine credited a Hunt Forward on their rail networks with keeping the trains operating during the initial phase of the invasion – allowing nearly one million civilians to escape to safety and critical supplies to be delivered to the war zone.
The private sector also stepped up in ways to support Ukraine that we could not have predicted. In advance of Russia's 2022 invasion, Amazon Web Services facilitated the transfer of Ukrainian state databases to cloud storage outside of the country to enable continuity of Ukraine's government.
Google restricted access to certain features of its maps and blocked access to several YouTube channels of Russian state media.
Starlink donated thousands of terminals to Ukraine, helping to enable command and control of Ukrainian forces on the battlefield. Microsoft, Mandiant, and others provided free cyber defense support to Ukraine, sharing information about threats to their networks and setting up special cyber defense teams that provided direct support to Ukrainian network defenders.
The remarkable and innovative measures taken by the private sector have had a direct impact on the course of the war in Ukraine in ways that we are only beginning to fully understand. But what has become abundantly clear to the United States is that cyber resilience is the best cyber defense. And that extends to our allies and partners, including industry. Being resilient in cyber requires all of us.
What's Next
That brings us to today. The 2023 Department of Defense Cyber Strategy is the next chapter in our approach to cyber. This is the Department's fourth cyber strategy, and it represents the Secretary's vision for operationalizing the 2022 National Defense Strategy in cyberspace. It also complements the Biden Administration's National Security Strategy and National Cybersecurity Strategy.
This is not an aspirational document—it is grounded in real-world experience.
It builds on the 2018 strategy by drawing on the lessons learned from years of conducting cyber operations as well as our close observation of how cyber has been used in the Russia-Ukraine war.
Four Lines of Effort
With that experience, our new strategy outlines four complementary lines of effort the Department will pursue.
LOE #1: First, we will defend the nation by campaigning in and through cyberspace to generate insights about malicious cyber actors, and defend forward to disrupt and degrade these actors' capabilities and supporting ecosystems. But unlike in the past, today we have a better appreciation for both the potential and limitations of cyber operations. Cyber capabilities are most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts—what we call integrated deterrence.
In election security, for instance, cyberspace operations may work in concert with FBI investigations or sanctions from the Department of Treasury.
Coordinated efforts by government and non-government entities have proven effective in frustrating the malicious cyber activity of foreign governments, criminal, and other threat actors at scale. That is why the U.S. Government has been increasing our capacity to work together with the private sector to deny adversaries use of U.S. based infrastructure and thwart malicious global campaigns.
LOE #2: Second, we will be prepared to fight and win the Nation's wars by ensuring the cybersecurity of the DoD Information Network and investing in the Joint Force's cyber resilience. We once aspired to defend every network, but that is impractical. To deter aggression and prevail in conflict, we must demonstrate resilience in cyberspace—the ability to take a punch without losing a critical function. One of the many ways we are getting after this is by migrating to a Zero Trust Architecture, which is a difficult but essential goal to work towards to drive down risk.
The Department will also use cyberspace operations to create advantages in support of Joint Force plans and operations. In large-scale conflict, U.S. cyberspace operations may enable the delivery of kinetic effects.
LOE #3: Third, we will build enduring advantages in cyberspace. We will optimize the organizing, training, and equipping of the Cyber Operations Forces and Service-retained cyber forces, and we will invest in enablers of cyberspace operations, including intelligence and science and technology. Our most important cyber capability is our people: those with the talent, creativity, and sense of mission necessary to defend the Nation in cyberspace. The Department will prioritize reforms to our cyber workforce and empower the Services to implement effective talent management.
LOE #4: Fourth, and perhaps most significantly, we will prioritize cooperation with Allies and partners by helping build their cyber capacity and capability. Our Allies and partners are an asymmetric advantage and force multiplier that China and Russia can never hope to match. That is why cooperation with Allies and partners is central to the National Defense Strategy. And with our new cyber strategy, cooperation with Allies and partners is now one of the Department's core missions in cyberspace. We will help build out our partners' cyber capacity, shore up their networks through Hunt Forward operations, and enhance information sharing relationships to share more actionable threat information.
We will expand the number of partners with whom we engage and work to knock down institutional barriers that inhibit cooperation. And we will ensure that our definition of "partner" extends to the private sector. The private sector is absolutely essential in our collective efforts to become more cyber resilient, from adopting cyber best practices to mitigating threats in a crisis.
Conclusion
So that is where we are in the story right now, but there is much left to write. The speed, scale, and sophistication of cyber attacks, from states or criminal organizations, will continue to increase. We cannot let our guard down.
It is up to all of us—including everyone in this room and everyone watching online—to help build the cyber resilience necessary to confront the threats of today, and to be ready to adapt to the threats of tomorrow. This is a team effort.
I want to be clear: while the Secretary is tasking the Department via this new Cyber Strategy, our success as a nation is not just up to the US military. It cannot be. It requires close cooperation across the U.S. interagency and with Allies and partners—both nations and industry. Because in the cyber domain, as in so many things, we are stronger together.
Thank you again for this opportunity, and thank you again to the Center for a New American Security for hosting today's event.