In Pentagon's Overhauled Cyber Strategy, Offense is the New Defense

The cyber domain is one that is constantly being updated, patched, modified as technology changes,” she told Pentagon reporters while briefing them on the updated cyber strategy. “So outside of an armed conflict, there is a need for us in the department to remain engaged with the cyber domain, to be able to deny adversaries advantageous positions.”

The new Pentagon cyber strategy also incorporates lessons from Russia’s invasion of Ukraine, notably the Kremlin’s failure, so far, to use its cyber capabilities to its advantage.

Prior to this conflict, there was a sense that cyber would have a much more decisive impact in warfare than what we experienced,” Eoyang said.

What this conflict has shown us is the importance of integrated cyber capabilities in and alongside other war fighting capabilities,” she said. “Cyber is a capability that is best used in concert with those others and may be of limited utility when used all by itself.”

U.S. and Ukrainian officials say that is a lesson Russia’s cyber forces have started to learn. And the new cyber strategy warns that Moscow could apply that knowledge in future dealings with the West.

Russia has repeatedly used cyber means in its attempts to disrupt Ukrainian military logistics, sabotage civilian infrastructure, and erode political will,” according to the unclassified strategy. “In a moment of crisis, Russia is prepared to launch similar cyberattacks against the United States and our Allies and partners.”

But while the new strategy describes the cyber threat from Russia as acute, it points to China as posing the most significant challenge.

Malicious cyber activity informs the PRC’s [People’s Republic of China] preparations for war,” the strategy said, echoing a warning shared even by U.S. civilian officials.

In the event of conflict, the PRC likely intends to launch destructive cyberattacks against the U.S. homeland in order to hinder military mobilization, sow chaos, and divert attention and resources,” the report added. “It will also likely seek to disrupt key networks which enable Joint Force power projection in combat.”

Speaking separately Tuesday, a key U.S. National Security Agency official was equally blunt.

PRC officials have gone as far as to state that they view technology as the main battlefield between the United States and the PRC,” NSA Assistant Deputy Director David Frederick told a virtual forum.

We’ve got indications all the way back to that 2010 to 2012 timeframe, and more recently, that the PRC would use attacks on critical infrastructure as part of a conflict,” Frederick said of Beijing’s willingness to fight in the cyber domain.

They would not only aim to achieve disruptions to a U.S. military plan, but also induce societal panic,” he added.

Officials at the Chinese Embassy in Washington, who in the past have accused the U.S, of “distorting the truth” on Beijing’s cyber policies, called the allegations by the Pentagon and the NSA “groundless.”

The Chinese government’s position on cybersecurity is consistent and clear. We firmly oppose and combat cyberattacks of any kind,” embassy spokesperson Liu Pengyu told VOA in an email.

Liu further cited PRC reports detailing alleged U.S. government cyberattacks on China’s critical infrastructure.

The U.S. must take seriously and respond to the concerns from the international community, and immediately stop carrying out cyberattacks around the world,” Liu added. “We will continue to take necessary action to prevent and stop all kinds of cyberattacks that threaten the security of our critical infrastructure.”

VOA also reached out to the Russian Embassy in Washington for comment.

Russian officials have routinely denied any involvement in cyberattacks, especially those aimed at civilian infrastructure.

Pentagon officials, however, believe the new cyber strategy will help them push back against China and Russia by positioning U.S. cyber forces to identify malicious cyber activity “in the early stages of planning and development.”

The strategy further calls on U.S. cyber teams to “defend forward by disrupting the activities of malicious cyber actors and degrading their supporting ecosystems.”

As for whether such an approach could spark a larger conflict with U.S. adversaries, the strategy acknowledges the concern.

As it campaigns in cyberspace, the Department will remain closely attuned to adversary perceptions and will manage the risk of unintended escalation,” it said.

Jeff Seldin is VOA national security reporter.  This article is published courtesy of the Voice of America (VOA).