Those who believe that cybersecurity should occupy a more central role in national defense should keep their eyes open for the release of the 2022 National Defense Strategy, a senior Pentagon official suggested.
“We’re thinking about the role of cyber as a tool in the National Defense Strategy,” said Mieke Eoyang, deputy assistant secretary of Defense for cyber policy, at CyberNext DC last week. “I think you all will be interested in what we say about this.”
Every four years, by law, the Defense Department is required to release a National Defense Strategy (formerly known as the Quadrennial Defense Review, or QDR). This is where DOD looks ahead and outlines what it sees as emerging threats; for instance, the 2010 QDR was the first time the department identified climate change as a national security threat.
In 2018, when the name changed, the new National Defense Strategy “recognized that we can’t defend our way out of the [cyber threat] problem,” Eoyang said. That is when the concept of “defending forward” and a persistent engagement strategy emerged. “As a result, the department’s cyber strategy became much clearer.”
She said the department has three main missions in cyberspace: to defend DOD networks, to extend network capabilities to the warfighters, and to defend the nation as a whole. “And by that we mean whole-of-government actions.”
Eoyang pointed out that DOD played a role in election security in 2018 and 2020. “We were one of the prime players, [and] we’re posed to do so again in 2022.”
The growing threat of ransomware is another area where the Pentagon’s cyber capabilities are brought into play, because many attackers are either agents of, or sheltered by, a hostile nation-state.
“While DOD is not responsible for all cyber crime … when it hits infrastructure [in the U.S.] we’re resourced to be able to address it,” Eoyang said. “Some of our adversaries have tremendous resources in this area.”
She said the Pentagon is seeing hostile countries pursuing “below-threshold” cyberattacks, that is, not serious enough to elevate to an act of war, but that there’s the growing risk of unintended consequences if things get out of hand.
Eoyang made a request to the in-person and online audience listening—that defense contractors help the department get U.S. allies and international partners more cyber secure.
“Some of these countries have companies that are incredibly capable, but … we need to help our partners and allies get better at cyber defense,” she said. “I think there are many cases where [they] would be more comfortable if they could work directly with the companies. [It does no good] if they buy F-35s but the networks that run the F-35s” are compromised.