WASHINGTON — The Biden administration in its highly anticipated cyber strategy pledged to use “all instruments of national power” to disrupt and dismantle malicious cyber actors near and far, while also promising to invigorate international relationships, including with nations previously untapped.
The strategy, rolled out March 2 after much buzz and speculation within the cybersecurity community, describes the digital domain the world has become reliant upon as a reflection of its users and its architects — and one that needs protecting, even if it means upheaval in the short-term.
“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” it reads. “Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
The document, more than two-dozen pages and spanning five “pillars,” is colored by Russia’s latest invasion of Ukraine, which days ago ground past its bloody one-year anniversary. It specifically calls out China, Russia, Iran, North Korea and other autocratic states for alleged “reckless disregard for the rule of law and human rights in cyberspace.”
The Russia-Ukraine war, so far killing more than 8,000 civilians and hundreds of thousands of troops, according to the U.N. human rights office, has been punctuated by cyber paroxysms, including an early-days assault on Viasat, a California-based satellite specialist and defense contractor, meant to cripple command and control.
“Looking back at the last 24 months of the Biden-Harris administration, and especially over the last year, as we recently hit the one-year mark of the war in Ukraine, we’ve seen the cyberthreat be at the forefront of geopolitical crises,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters this week. “And as we know, the threat is not only Russia. We’ve seen disruptive cyber and ransomware attacks executed by cybercriminals and other countries across the globe.”
The U.S. dispatched cyber experts to Ukraine in late 2021, as tensions in Eastern Europe boiled and lawmakers pressed the White House to slap Russian President Vladimir Putin with sanctions.
The so-called hunt-forward operation — a defensive and cooperative measure, undertaken at the invitation of a foreign government — was designed to root out malign activity, identify network weaknesses and glean information about the tools hackers use.
Spearheaded by Cyber Command, the operation has since been credited with blunting Russia’s cyber efficacy.
Such endeavors are part of CYBERCOM’s persistent engagement strategy: a means of being in constant contact with adversaries and ensuring proactive, not reactive, moves are made. The command, tasked with guarding Department of Defense information networks and coordinating cyberspace operations, has conducted dozens of similar missions across many countries.
“Cyberthreats are fundamentally transnational threats,” Neuberger said. “They cross borders.”
Looking abroad
The Biden administration’s strategy “will definitely expand on partnership,” Col. Candice Frost, commander of the Joint Intelligence Operations Center at CYBERCOM, said ahead of its release. “That’s been because of what’s going on with Russia and Ukraine, in the work that we’ve done with them.”
“I think it was very unique when we look at Russia and Ukraine,” she said Feb. 28 at an event hosted by Billington Cybersecurity. “In the military, we have a supporting and supported kind of relationship. Cyber Command at one point was the supported command.”
Cyber specialists were previously sent to Croatia, Estonia, Lithuania, Montenegro and North Macedonia.
While some deployments were tied to stateside elections, efforts in Lithuania, specifically, were related to the perceived Russian threat. The work there lasted three months and marked the first shared operation between Lithuania’s cyber forces and U.S. experts overseas.
“We’re leaning forward in looking at partner nations that just typically haven’t been as close with us in the past,” Frost said. “It’s been really exciting to see that form.”
Exactly how the U.S. plans to bear down on and punish malicious cyber actors, senior officials would not say. Military operations in cyberspace are often clandestine; details rarely emerge, let alone in a timely fashion.
Generally speaking, though, the idea is to combine intelligence and military might, both kinetic and non-kinetic, with diplomatic, financial and legal options to suffocate malfeasance, according to the strategy. The aggressiveness can be seen as a continuation from the Trump administration, which empowered CYBERCOM and took digital action against Russia and Iran.
“We want to shrink the surface of the Earth that people can conduct malicious cyber activity on with impunity, and put pressure on them and make their lives a little bit less pleasurable,” one senior U.S. official said, speaking on condition of anonymity. “And if a criminal is restricted to living in Russia and can’t leave the borders, then, perhaps, that might create a bit of a deterrent effect.”
Cooperative crackdown
Stamping out cyber misconduct, a lofty goal, will require the cooperation of many governments, the coordination of many moving parts and the corralling of many influential thinkers.
The strategy anticipates this. The Biden administration intends to lean on like-minded nations “to counter threats,” enforce online norms and develop “new collaborative law enforcement mechanisms for the digital age.”
Disruptive ransomware attacks, as seen with Colonial Pipeline and JBS Foods in 2021, are increasingly common, and are often traced to sources outside the U.S. The blueprint cites successes of the European Cybercrime Centre, set up by Europol in 2013, and vows to support the model in other regions.
The document, said Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology, transcends traditional “protection of U.S. domestic critical infrastructure by amplifying the effort to impose costs on bad actors internationally in partnership with our allies.”
“An example,” he said in a statement Wednesday, “is the partnership in Ukraine that involves sharing cyber threat intelligence, tools and training to thwart attacks and maintain resilient critical systems.”
Washington and Kyiv in July agreed to grow their cyber relationship with an agreement struck between the Cybersecurity and Infrastructure Security Agency and its Eastern European analogue, the State Service of Special Communications and Information Protection.
The arrangement is designed to expand cyber education, joint exercises and avenues for sharing best practices.
“We need to ensure that we are prepared for threats, for incursions against our critical infrastructure, whether it’s state supported actors, criminally aligned ransomware groups, or even the cascading attacks, with attacks in Ukraine that could bleed over to Russia or could bleed over to the U.S., as we saw with NotPetya in 2017,” CISA Director Jen Easterly, who has more than two decades of military intelligence and cyber experience, said last year.
NotPetya malware incapacitated vital systems the world over, resulting in massive financial losses. Russia was blamed for the devastation. Like NotPetya, the Biden administration strategy states, Russia’s cyberattacks “in support of its 2022 brutal and unprovoked invasion of Ukraine have resulted in irresponsible spillover impacts onto civilian critical infrastructure in other European countries.”
The president’s fiscal 2023 budget request included $2.5 billion for CISA, approximately 18% more than what was sought in 2022. The budget request also included some $11.2 billion for Pentagon cyber, nearly 8% over the administration’s previous ask.
Biden’s latest request, for 2024, is expected to be unveiled later this month.
Colin Demarest was a reporter at C4ISRNET, where he covered military networks, cyber and IT. Colin had previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.