By: Scott Graber, YLS ’23

The US Department of Defense published its then-new Defend Forward strategy as part of its Cyber Strategy in 2018. Dr. Erica Borghard notes that the Cyberspace Solarium Commission, in considering Defend Forward, addressed a question presented by the strategy: “[h]ow can the U.S. positively change adversary behavior in cyberspace?” Defend Forward, itself an answer to this question, is defined by the Commission (according to Borghard) as “the proactive observing, pursuing, and countering of adversary operations and imposing costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all the instruments of national power.”

Since its inception, and particularly following the SolarWinds hack, some commentators have maligned the Defend Forward strategy as too focused on offense, neglecting defense at home. These criticisms undervalue the unique attributes of the cyber domain as they pertain to offense and defense. Defend Forward instead reflects an adaptation to the uniqueness of the cyber domain, which inherently favors offense over defense, by emphasizing attacking tactics within a defensive strategy.

Offense and Defense in the Kinetic Domains

Offense and defense pre-date cyberwarfare, and their kinetic application must be understood to see why they are now misapplied in cyber. Classically, at the strategic level, offense and defense relate to seizing and protecting territory, respectively. It is important, however, to disaggregate strategic purposes from tactical concepts. For the sake of clarity, in this article “offense” and “defense” will refer strictly to strategy, while “attack” and “protect” will refer to the tactical level. In the kinetic domains of land, sea, and air, many attacking and protecting tactics can be used for both offensive and defensive strategic purposes. For example, bombing can be considered an attack, as it is actively done against an enemy, generally in the adversary’s territory. Germany bombed England heavily in World War II in an attempt to conquer the country. Israel bombs Syria regularly today, but it does so not in an attempt to conquer Syrian territory, but to defend itself. Some weapons better suited to protective tactics can also be used in multiple strategic ways. For example, anti-aircraft weapons do not seize territory on their own. Their purpose is primarily to protect against an adversary’s air forces. However, the USA can use anti-aircraft guns on its own territory to protect itself (defense), and can also bring them to Iraq or Libya to enforce a no-fly zone, the offensive purpose of controlling another state’s territory. Importantly, many tactically defensive kinetic tools, such as anti-aircraft weapons or mines, still damage would-be aggressors, raising the potential costs of attacking. Other “passive” protecting tactics, however, such as walls or trenches, do no harm to the aggressor and can serve only a limited offensive purpose, if any. These protecting tools deter by making attacks more difficult. Passive protections may not, however, impose costs of the same magnitude as protections which harm the aggressor.

Attacking and Protecting in Cyberspace

Compared to the kinetic domains, defensive tactics are much more limited in cyberspace. Cyberattacks consist of finding vulnerabilities in a network and exploiting them. The main protection is to make the system as impervious to attack as possible. This can be done via a passive protection, like a wall. But even “active cyber defense” does not harm the attacker; it merely attempts to block any attack. The DoD described its active defenses in 2011 as its “real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.” Thus, unlike many kinetic defenses, neither active nor passive cyber defenses harm the adversary in any way.

An additional limitation on cyber defense is that deterrence is weakened by attribution problems. In general, a counter-attack can be threatened as part of a defensive strategy in situations where a use of force rises to the level of an armed attack under Article 51 of the UN Charter. The counter-attack is an attacking tactic; it is not meant strategically to gain territory, but serves defensive purposes, such as deterring an adversary from making threats in the first place. Cyberattacks, however, are often difficult to attribute, reducing the possibility of threatening counter-attacks as part of a defensive strategy. A second problem for counter-attacking is the issue of a proportional response. It is still unclear which cyberattacks reach the threshold of counting as armed attacks for purposes of Article 51. Thus, even if the attack is discovered and attributed, it may be difficult to find an appropriate response. These problems with reactive responses undermine deterrence, as there is less fear of reprisals than there may be for a kinetic attack.

With only passive protections, many theorists say that the cyber domain heavily favors attacking tactics (although see arguments that it does not). A single vulnerability in a network allows for an attack. The attacker is not harmed as it examines the network, allowing it to take as much time as necessary and to dictate the timing of the eventual attack. The famous Stuxnet attack, for example, was most likely developed over a span of several years and two presidencies. Furthermore, the defense is rather blind. Inherent in the protecting state’s need to plug all of its vulnerabilities is the fact that it does not know which vulnerabilities remain unfound. If an attacker finds a vulnerability, there is no warning to the victim. There is no massing of troops at a border, or missile that gets picked up on radar. There is often no warning that a cyberattack is coming. Even afterwards, the victim may not know that a vulnerability has been found and exploited by an attacker. SolarWinds, for example, was not detected for months.

Defend Forward, Defense Strategy, and Offensive Tactics in Cyberspace

As Gary Corn has said, “the U.S. cannot simply firewall its way out of this problem” of malicious cyber campaigns. Of course, passive protections are an important aspect of a defensive strategy, and the US should, can, and does work to improve the strength of its networks. As discussed above, however, the cyber domain is inherently geared towards attacking tactics. As such, attacking tactics must be included in a defensive strategy, or the strategy puts itself at a grave disadvantage.

Arguments that Defend Forward is too focused on offense do not give appropriate weight to the reduced capabilities of protective tactics in cyberspace as compared with kinetic defenses that harm aggressors. The Defend Forward policy instead recognizes the inherent advantages to attacking tactics and proactive operations in cyberspace, and thus integrates them into a defensive strategy. Aggressive attacking tactics on external networks can disrupt adversaries in ways that passive protective measures do not. Understanding the limited ability to deter through reprisals in cyberspace, the policy treats proactive measures as more important. To return to the Commission’s question of how to “positively change adversary behavior in cyberspace,” the policy reflects that proactive attacking tactics are necessary to do so, even in a defensive strategy. Passive defense alone may frustrate the enemy, but will not cause a fundamental shift in how they operate vis-à-vis the United States.   

While effective, active defenses must still be used in a restricted manner. The distinction between an active defense and an offensive attack may lie in the eye of the beholder. A nation that suffers an attack is unlikely to acquiesce because of the allegedly “defensive” purposes. As Defend Forward is meant to be a defensive strategy, the U.S. must operate externally in a limited way that is unlikely to trigger a response. The United States does not want its defensive actions to accidentally result in a claim of self-defense by the adversary, or worse yet, a spiral into armed conflict. Such results would be antithetical to the strategy’s goals. The cyber domain, however, offers a grey zone between espionage and warfare in which to operate. SolarWinds, for example, is considered by many to be an act of espionage, a proactive response to which could be considered counter-espionage, as opposed to a use of military force. The U.S. has a certain amount of flexibility to operate Defend Forward in this space without using force in the legal sense. By working in the ambiguous area short of warfare that cyberspace provides, the U.S. can gain the benefits of defending on external networks while limiting its potential legal and political liabilities. With the law of cyberspace still in flux, American defense strategy can use Defend Forward to adapt to the inherent offensive advantages and unique characteristics of the domain.