New FDD research report highlights need to build partner capabilities for cyber operations

A U.S. research organization identified that the U.S. government conducts partner cyber capacity-building programs across multiple federal departments, including the Departments of State, Justice, Energy, Homeland Security, Treasury, and Defense and the intelligence community. The Foundation for Defense of Democracies (FDD) said that these programs help allies and partners build cyber resilience, develop national cyber strategies, prosecute cyber criminals, and evict malicious cyber hackers from critical networks.

In a Thursday memo, the FDD said that capacity-building programs help other countries learn to defend themselves in cyberspace. “More resilient partners are less likely to succumb to an attack or need recovery assistance. But the U.S. government also helps partners recover, remediate, and conduct forensic analysis to determine the cause and culprit when cyberattacks succeed. These efforts can yield valuable insights about attacker techniques that can then be shared with other governments and the public,” it added.

The research, authored by Mark Montgomery, CCTI senior director and senior fellow, and Annie Fixler, CCTI director and research fellow, recognizes that the Department of Defense (DoD) has developed comprehensive partner capacity-building efforts with its North Atlantic Treaty Organization (NATO) allies and others. As part of this effort, U.S. Cyber Command conducts numerous cyber military exercises to practice planning, improve joint actions, and assess interoperability. These exercises reinforce what the U.S. military has long known — military communications and the ability to mobilize, deploy, and sustain forces require resilient U.S. and partner telecommunications systems, electrical power grids, water utilities, rail lines, airfields, ports, and other logistics infrastructure.

The FDD recognizes that if an adversary can cripple the backbone of these critical infrastructures, America and its partners could be slow to mobilize or even paralyzed, and their tools of economic statecraft will be weakened. “The U.S. military has thus conducted dozens of overseas missions in the past few years to shore up allied infrastructure and gather insights to inform U.S. homeland defense,” it added. 

The report said that the Biden administration’s National Cybersecurity Strategy argues that a prosperous future requires resilient global digital infrastructure built on the values of democracy, free speech, and innovation. “This means building and strengthening international partnerships to reinforce norms of responsible behavior, disrupt malicious actors, and enhance the ability of allies and partners to secure themselves against cyber threats. The 2023 U.S. Defense Cyber Strategy calls these allies and partners America’s ‘foundational advantage in the cyber domain,’” it added.

Earlier this month, the U.S. administration prescribed a 69-point roadmap called the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination. The plan outlines various federal initiatives aimed at protecting jobs, combating cybercrimes, and developing a skilled workforce. It also details the high-impact initiatives, requiring executive visibility and interagency coordination, that the federal government will carry out to achieve the Strategy’s objectives.

The FDD research said that while the U.S. government should prioritize, organize, and expand existing cyber defense programs, it should also address the next step in ally and partner capacity building: offensive cyber capabilities. 

“While not all partners have the means or desire to conduct these operations, by refusing to begin to conceptualize how to help select allies and partners responsibly develop these capabilities, Washington is putting its partners and itself at risk,” the report said. “In the middle of a conflict, partners who want to use offensive cyber operations may turn to makeshift, volunteer offensive operators, as has occurred with the ‘Ukraine IT Army,’ if they do not have a professionally trained, accountable force, which takes years to develop.” 

Addressing the role of the private sector, the FDD report said that to close the cyber workforce gap globally, private companies are also offering free cybersecurity training. “Microsoft, for example, partners with global and local organizations to train cyber educators and to encourage more women to join the field. The World Economic Forum also offers free training in partnership with Salesforce, Fortinet, and the Global Cyber Alliance.” 

Identifying that these private initiatives complement rather than replicate U.S. government efforts, the FDD research said that they do not directly address the ability of governments to protect their citizens, implement national strategies, and prosecute cyber criminals, but private companies are often crucial to identifying cyber threats and remediating attacks, as demonstrated repeatedly during the war in Ukraine. 

The report said that American cyber capacity-building efforts should promote and reinforce the cyber resiliency of allies and partners to help maintain their warfighting capabilities, ensure the mobility of U.S. forces within the host nation, and support global economic productivity. While the U.S. needs allies and partners with more skilled cyber defenders, Washington also must begin thinking about training select partners and allies in elements of offensive cyber operations. 

FDD provided eight recommendations that outline how to meet these challenges. They also offer an organized, prioritized, and resourced effort to help embattled democratic U.S. allies and partners operate effectively in cyberspace. 

It suggests making allied and partner cybersecurity capacity building a key element of the forthcoming international cybersecurity strategy. The strategy should assess current activities and develop a plan of action to advance the administration’s cyber strategy internationally and prioritize resources from both military and civilian U.S. agencies, remove redundancies, and close any seams. 

The report also recommends prioritizing building allied and partner cyber resilience in critical infrastructure. Building the cyber resilience of partner critical infrastructure, especially ports, rail systems, and air transport systems, protects military mobility for both the host nation and U.S. forces. Other critical infrastructures, such as power, water, financial services, and pipelines, also undergird economic productivity.

It also suggests providing additional funding for capacity building. The Biden administration should request, and Congress should appropriate, additional funding to expand existing, successful cyber capacity-building efforts and create new ones. State and Defense capacity building should receive the lion’s share of the increases. At the same time, Congress should conduct increased oversight to ensure that authorized programs are getting the resources they require.

The FDD report also suggests consolidating State Department cyber capacity-building funding under its Bureau of Cyberspace and Digital Policy. Having been tasked with the international cyber strategy and given its existing work in traditional and non-traditional cyber capacity building, this bureau is best positioned to prioritize programs and funding.

It also recommends conducting more bilateral and multilateral cyber exercises. More military and civilian exercises are needed outside of the transatlantic theater. Washington should also explore replicating the annual U.S.-Israel cyber military exercise with other partners, including Taiwan, Japan, and South Korea. The report also recommends selectively using bilateral memoranda of understanding (MOUs) to improve the military cyber defense capabilities of American allies. These MOUs should emphasize bilateral cybersecurity training, exercises, and joint operations to defend military networks, infrastructure, and systems.

FDD also recommends developing offensive cyber force employment training capability. “The United States should develop and offer training events where U.S. operational, intelligence and legal practitioners provide cyber-specific guidance on basic operational issues, including due diligence, sovereignty, collateral damage assessments, deconfliction with espionage operations, attribution techniques, and targeting processes,” it added.

Lastly, the FDD report suggests assessing future elements of offensive cyber force generation. In preparation for a future in which today’s operational, legal, and resource concerns are mitigated, the Department of Defense should study how best to build or support a partner’s ability to conduct force generation for an offensive cyber capability and determine the resources required to execute such tasking.

In November 2021, FDD research revealed that cybersecurity problems have been brewing in the water sector of the national infrastructure, which could affect health and human safety, national security, and economic stability. Significant cybersecurity deficiencies were observed in the drinking water and wastewater sectors, resulting in part from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise.