The Department of Defense Cyber Strategy is a model for clear writing and thinking on cybersecurity. Unlike earlier DoD strategies, it drops the tone-deaf language about “dominating” cyberspace. Instead, the strategy recognizes an important but limited role for the DoD in the security of cyberspace. The strategy divides that role into three missions: (1) defense of the DoD Information Network (DoDIN); (2) defense of the United States against nationally significant cyberattacks; and (3) conduct of cyber operations in support of conventional military operations.
How the DoD fulfills the first and third missions is clear based on what the strategy says (and does not say). Cyber Protection Forces will carry out the first mission; their role is pure network defense. In turn, the Combat Mission Forces will engage in cyber operations in support of military operations around the world. Their role is pure offense. In between the two is the second mission. Per the strategy, defending the United States in cyberspace is the job of the National Mission Forces. Yet, how the National Mission Forces will carry out their mission is left unanswered by the strategy. Many pundits assume that the answer will be a mixture of offense and defense—assisting private companies with network defense as well as conducting offensive operations to stop cyberattacks that overwhelm these defenses. While the DoD has a monopoly on offensive operations, the assumption that the DoD will also provide defensive support to the private sector is problematic. It could lead the DoD down a dangerous path, one that could upset long-standing traditions on the respective roles of civilian and military organizations in our democracy.