New 2023 DOD Cyber Strategy outlines approach to cyberspace, enhances defense priorities

On Tuesday, the U.S. Department of Defense (DOD) released an unclassified summary of its classified 2023 Cyber Strategy. This unclassified summary aims to provide an overview of the key priorities within the 2023 DOD Cyber Strategy and should not be viewed as an exhaustive account. It focuses exclusively on matters within the cyber domain, and outlined that to address current and future cyber threats, apart from the four complementary lines of effort that the agency will pursue. 

The strategy document highlights DOD’s actions to invest in and ensure the defense, availability, reliability, and resilience of its cyber networks and infrastructure to support non-DOD agencies in their related roles and to protect the defense industrial base. The latest strategy document is the fourth iteration for the department, and the first to be informed by years of significant cyberspace operations. 

The 2023 DOD Cyber Strategy establishes how the DOD will implement the four priorities of the 2022 National Defense Strategy. The 2022 NDS establishes four defense priorities, including defending the Homeland, paced to the growing multi-domain threat posed by the People’s Republic of China (PRC); deterring strategic attacks against the U.S., allies, and partners; deterring aggression, while being prepared to prevail in conflict when necessary—prioritizing the PRC challenge in the Indo-Pacific region, and then the Russian challenge in Europe; and building a resilient Joint Force and defense ecosystem. 

The document said that these priorities will guide the Department’s plans, programs, policies, and operations across all theaters and domains, including cyberspace, in the years to come. It added that it outlines how the cyber enterprise will adjust its missions and supporting activities to advance these priorities. It also outlines four complementary lines of effort – defend the nation, prepare to fight and win the nation’s wars, protect the cyber domain with allies and partners, and build enduring advantages in cyberspace. 

“This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war,” John Plumb, assistant secretary of defense for space policy, said in a media statement. “It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails.”

The 2023 DOD Cyber Strategy, which DOD transmitted to Congress in May, is the baseline document for how the Department is operationalizing the priorities of the 2022 National Security Strategy, 2022 National Defense Strategy, and the 2023 National Cybersecurity Strategy. It builds upon the 2018 DOD Cyber Strategy and will set a new strategic direction for the Department. 

“Distinct from previous iterations, the strategy commits to increasing our collective cyber resilience by building the cyber capability of allies and partners,” according to Mieke Eoyang, deputy assistant secretary for cyber policy. “It also reflects the department’s approach to defending the homeland through the cyber domain as well as prioritizing the integration of cyber capabilities into our traditional warfighting capabilities.”

The 2023 DOD Cyber Strategy detailed that as the Department’s cyber capabilities evolve, “so do those of our adversaries. Both the People’s Republic of China (PRC) and Russia have embraced malicious cyber activity as a means to counter U.S. conventional military power and degrade the combat capability of the Joint Force,” it added. 

The document identified that the “PRC in particular sees superiority in cyberspace as core to its theories of victory and represents the Department’s pacing challenge in cyberspace. Using cyber means, the PRC has engaged in prolonged campaigns of espionage, theft, and compromise against key defense networks and broader U.S. critical infrastructure, especially the Defense Industrial Base (DIB). Globally, malicious cyber activity continues to grow in both volume and severity, impacting the U.S. Homeland and placing Americans at risk.” 

“As cyber threats grow and intensify, every soldier, sailor, airman, marine, guardian, coast guardsman, DOD civilian, and contractor is responsible for exercising cyber awareness and helping to manage the risk of the Department,” the document said. “At the same time, senior leaders of the Department, Military Departments and Services, and the Joint Warfighting community must work together with counterparts across other Federal departments and agencies to build a robust and integrated cyber capability: one that is ready and available to respond rapidly across the spectrum of conflict.”

The 2022 NDS directs the Department to act urgently to sustain and strengthen U.S. deterrence, with the PRC as the pacing challenge. “The PRC seeks advantages in cyberspace in order to facilitate its emergence as a superpower with commensurate political, military, and economic influence. By exercising effective state control over businesses with large market share in the telecommunications, commercial hardware and software, and cybersecurity industries, the PRC tries to shape the global technology ecosystem. It exports dangerous cyber capabilities to like-minded nations and works to accelerate the rise of digital authoritarianism around the globe,” the document added. 

The document also identified that the PRC poses a broad and pervasive cyber espionage threat. “It routinely conducts malicious cyber activity against the United States as well as our Allies and partners. It steals technology secrets and undermines the DIB in an effort to erode U.S. military advantage. It undertakes cyber intrusion and surveillance efforts against individuals living beyond its borders, including U.S. citizens, whom it considers enemies of the state,” it added. 

Apart from the PRC, the 2023 DOD Cyber Strategy also assessed that Russia remains an acute threat to the U.S. in cyberspace. “Russia has undertaken malign influence efforts against the United States that aim to manipulate and undermine confidence in U.S. elections. Russia targets U.S. critical infrastructure as well as that of Allies and partners. It continues to refine its espionage, influence, and attack capabilities,” it added.

“In Russia’s war on Ukraine, Russian military and intelligence units have employed a range of cyber capabilities to support kinetic operations and defend Russian actions through a global propaganda campaign,” according to the 2023 DOD Cyber Strategy document. “Russia has repeatedly used cyber means in its attempts to disrupt Ukrainian military logistics, sabotage civilian infrastructure, and erode political will. While these efforts have yielded limited results, this is due largely to the resilience of Ukrainian networks and support from the international community. In a moment of crisis, Russia is prepared to launch similar cyber attacks against the United States and our Allies and partners.”

It also added that North Korea, Iran, and violent extremist organizations remain persistent threats to the U.S., demonstrating ‘varying levels of sophistication in their malicious cyber activity.’

The 2023 DOD Cyber Strategy document said that U.S. interests in cyberspace are also threatened by profit-motivated transnational criminal organizations: ransomware gangs, hacktivists, and state-sponsored cyber mercenaries. Small groups of experienced hackers, harnessing sophisticated TTPs, are capable of achieving cyber effects similar to those caused by professional intelligence and military services. 

The document recognizes that the actions of these transnational criminal organizations often align with the interests of their host nations. “These malicious cyber actors target the DIB and other U.S. critical infrastructure, as well as government functions at the Federal, state, and local levels. Ostensibly independent hackers in the PRC, for instance, target U.S. companies that produce technology relevant to the PRC’s military priorities. Russia, Iran, and North Korea all provide safe havens to ransomware gangs and their own state employees involved in cybercrime.” 

It added that these criminal enterprises cause billions of dollars in direct and calculable losses to the U.S. each year and disrupt critical services worldwide, while also  increasingly threatening national security.

Commenting on the release of the 2023 DOD Cyber Strategy, operational technology (OT) cybersecurity company Shift5 wrote in a LinkedIn post that it “appreciates the steps outlined in the United States Department of Defense’s 2023 Cyber Strategy to break down barriers between public and private sectors. We look forward to continuing to work with our government partners to secure our nation’s most critical weapon systems against cyberattacks.”

Shift added that, in recent weeks, “we’ve heard Deputy Secretary of Defense Kathleen Hicks and other senior DOD leaders renew the call to accelerate the adoption of innovative commercial solutions. Yesterday’s release of the DOD’s updated cybersecurity strategy only confirms that urgency.”

Last month, the DOD released its 2023-2027 Cyber Workforce (CWF) Strategy Implementation Plan that directly addresses the department’s cyber talent gap and puts in place the necessary initiatives to cultivate the future cyber workforce. The CWF Strategy Implementation Plan document will assist the department in advancing talent management initiatives for a more diverse and effective cyber workforce.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.