Defensive cyber operations are operations that work to defend a country, region, or related infrastructure from cyber threats posed by foreign actors. For example, a defensive cyber operation could prevent the theft of information from government networks. Defensive cyber operators are authorized to defend systems and infrastructure designated as important, including:
- Energy grids
- Telecommunication networks
- Healthcare databases
- Banking systems
- Elections infrastructure
Defensive cyber operations are often helmed by military departments, which provide the hardware and software tools to proactively defend a military's and a country's networks and enable them to operate free from the threat of cyber attacks. The actions of defensive cyber operations can be passive or active, and serve to preserve the ability to use friendly cyberspace capabilities and to protect data, networks, net-centric capabilities, and designated systems.
Defensive cyberspace operations direct and synchronize actions to detect, analyze, counter, and mitigate cyber threats and vulnerabilities, to outmaneuver adversaries, and to protect mission-critical systems. This defense can trigger offensive cyberspace operations or other response actions to defend DoD networks. Dynamic Network Defense Operations is the key US Cyber Command operational method for defensive cyberspace operations. The Department of Defense distinguishes two types of Defensive Cyber Operations (DCO): DCO internal defensive measures and DCO response actions.
DCO internal defensive measures (DCO-IDM) are measures conducted within the Department of Defense Information Network (DODIN). They include hunting for advanced internal threats as well as the internal responses to those threats. Internal defensive measures respond to unauthorized activity, alerts, or threat information within the DODIN and draw on intelligence, counterintelligence (CI), law enforcement, and other military capabilities as required.
DCO response actions (DCO-RA) are deliberate, authorized, defensive actions taken external to the DODIN to defeat ongoing or imminent threats and defend DoD cyberspace capabilities or other designated systems. DCO-RA must be authorized in accordance with the standing rules of engagement and any applicable supplemental rules of engagement, and may rise to the level of use of force. In some cases countermeasures are all that is required, but often the effects of countermeasures are limited and will only degrade, not defeat, an adversary's activities.

USCYBERCOM emblem.
The United States Cyber Command (USCYBERCOM) is the command within the Department of Defense responsible for the direction, synchronization, and coordination of cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners. USCYBERCOM has three main focus areas:
- Defending the DODIN
- Providing support to combatant commanders for execution of their missions around the world
- Strengthening the United States' ability to withstand and respond to cyber attack.
USCYBERCOM was created in 2009 at the National Security Agency headquarters. The command cooperates with NSA networks and has been concurrently headed by the director of the National Security Agency. USCYBERCOM was initially created with a defensive mission in mind, but has since come to be viewed more as an offensive force, and was elevated to a full and independent unified combatant command on May 4, 2018.
In the context of the US Army, the defensive cyber operations program works to deliver dominant cyberspace capability and information technology solutions to national, joint, and allied partners for warfighting information advantages. The overall US Army Defensive Cyber Operations effort comprises five programs.

AIT program badge.
The Allied Information Technology program works to enhance United States and partner nation security and interoperability by delivering non-standard command, control, communications, computers, cyber, and intelligence capabilities under the auspices of Defense Security Cooperation and Assistance programs.

ACT program badge.
The Applied Cyber Technologies program works to deliver cyber capabilities to the Army's cyber force. ACT develops innovative, rapid acquisition processes to procure cyber capabilities, and integrates and fields those technologies.

CAD program badge.
Cyber Analytics and Detection (CAD) works to provide capabilities and help soldiers analyze and detect external and internal cyber threats to the Army. CAD focuses on software-based programs that support mission command, planning, integration, analysis, and execution at all levels.

CPS program badge.
Cyber Platforms and Systems (CPS) provides life cycle management capability to the cyber defense programs. CPS focuses on the procurement and delivery of cyber platforms and cybersecurity tools for the Armed Forces.

DCO program badge.
The Defensive Cyber Operations (DCO) program provides the hardware, software, and tools to proactively defend the Army's network and enable it to operate unfettered by the threat of cyber attacks. DCO also equips partner nations with information and infrastructure capabilities.
United States military commanders act within a network of authorities derived from law, policy, and regulation, which provides the permissions needed to conduct military operations. Permissions include the authority to use force, for which rules of engagement (ROE) are a critical component. With the increased use of cyberspace, cyber operations, and related cyber weapons in military planning, policy makers and field commanders increasingly confront the question of how to formulate rules of engagement for forces operating in cyberspace.
In cyber intelligence operations, there are proposed roles and responsibilities, including activities related to defense, assurance, and attack, to achieve objectives in or through cyberspace. Cyber operations and cyber intelligence operations are intended to support a cyber commander and ensure cyberspace intelligence superiority. Cyber intelligence is a cyber discipline that exploits a number of information collection and analysis approaches to provide direction and decision support to cyber commanders and cyber operations units.
Any defensive cyber operation comprises both passive cyber defenses and active cyber defenses. A passive cyber defense framework is, as the name suggests, not an active form of cyber defense; many passive systems do not require constant monitoring, but only periodic updates to keep systems and security controls current. Passive cyber defense operation systems include:
- Physical security
- Security practices
- Access control
- Asset inventory
- Device hardening
- Device management
- Firewalls
- Unidirectional gateways
- Anti-malware
- App whitelisting
- Zone firewalls
- Device firewalls
In a competent and capable defensive cyber operation framework, passive cyber systems should be complemented by active cyber defense systems; neither works without the other. Active cyber defense systems alone cannot protect against all threats, such as those arising from user access or identity management issues, whereas an organization relying only on passive defenses cannot adequately respond to active attacks or intrusions.

Cybersecurity model juxtaposing passive to active defense measures.
Active cyber defense (ACD) is a component of the approach to defensive cyber operations, and more than an enhancement of existing defensive cybersecurity capabilities for the DoD and the Intelligence Community. ACD includes the ability to understand threat information and analysis, cyber activity alerts, and response actions to detect and defend against cyber attacks.
These processes are intended to complement preventative and regenerative cyber-defense efforts through synchronized real-time detection, analysis, and mitigation of threats. ACD operates within the networks these efforts work to protect. However, active does not mean offensive: the capabilities are focused only on the networks in which they are installed. The essential ACD elements include real-time detection and mitigation of threats at every tier of the cyber environment, including the integration, synchronization, and automation of sensing, sense-making, decision-making, and acting capabilities through automated orchestration and the development of messaging and command and control (C2) infrastructure.
The infrastructure for ACD requires a messaging fabric for real-time secured communications, sensors that report data on the state of the network, sense-making analytics to understand that state, automated decision-making tools that react to current state information, and the capability to act to defend the network. ACD is also used outside the DoD and Intelligence Community to support federal, state, and local government agencies and organizations, defense contractors, critical infrastructure sectors, and industry.
Software-defined networks (SDNs) offer network defenders the opportunity to choose from a variety of protection techniques in response to different threats. In contrast, traditional network architectures often lack the flexibility to implement threat-specific security controls. Research into SDNs and their defensive capabilities has been conducted on a hardware SDN testbed running custom security applications to observe, orient, decide, and act upon suspicious activity in the network.
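The ACD element chain (sensing, sense-making, decision-making, acting) and the SDN observe-orient-decide-act loop above describe the same pipeline. The following is an added example, not code from the article or from any DoD or SDN project: a toy cycle run over constructed flow records, in which a sense-making step flags port sweeps, a decision step contains a source automatically only when it touched a designated host, and an action step emits an OpenFlow-style drop rule. All names (FlowRecord, analyze, decide, act, run_cycle), the sample addresses, and the rule shape are assumptions made for this illustration.

```python
"""Added example: a toy sense / sense-make / decide / act cycle over constructed
flow records. Names, addresses and the rule format are assumptions, not an API
of any real controller or DoD program."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One sensor observation: a flow summary as a switch or tap might export it."""
    ts: float   # seconds since the start of observation
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed telemetry: 10.0.0.5 sweeps six ports on a designated host,
# 10.0.0.9 sweeps five ports on an ordinary host, 10.0.0.7 behaves normally.
SAMPLE_FLOWS = [
    FlowRecord(1.0, "10.0.0.5", "10.0.1.20", 21, "tcp"),
    FlowRecord(1.2, "10.0.0.5", "10.0.1.20", 22, "tcp"),
    FlowRecord(1.4, "10.0.0.5", "10.0.1.20", 23, "tcp"),
    FlowRecord(1.6, "10.0.0.5", "10.0.1.20", 25, "tcp"),
    FlowRecord(1.8, "10.0.0.5", "10.0.1.20", 80, "tcp"),
    FlowRecord(2.0, "10.0.0.5", "10.0.1.20", 443, "tcp"),
    FlowRecord(2.1, "10.0.0.7", "10.0.1.30", 443, "tcp"),
    FlowRecord(2.5, "10.0.0.7", "10.0.1.31", 53, "udp"),
    FlowRecord(2.9, "10.0.0.7", "10.0.1.30", 443, "tcp"),
    FlowRecord(3.0, "10.0.0.9", "10.0.2.40", 8080, "tcp"),
    FlowRecord(3.1, "10.0.0.9", "10.0.2.40", 8081, "tcp"),
    FlowRecord(3.2, "10.0.0.9", "10.0.2.40", 8082, "tcp"),
    FlowRecord(3.3, "10.0.0.9", "10.0.2.40", 8083, "tcp"),
    FlowRecord(3.4, "10.0.0.9", "10.0.2.40", 8084, "tcp"),
]

# Hosts designated as mission critical (constructed for the example).
DESIGNATED_HOSTS = {"10.0.1.20"}


def analyze(flows, window_s=10.0, port_threshold=5):
    """Sense-making: flag any source that touched >= port_threshold distinct
    destination ports inside one time window.
    Returns {src: {"ports": count, "targets": {dst, ...}}}."""
    buckets = defaultdict(lambda: {"ports": set(), "targets": set()})
    for f in flows:
        key = (f.src, int(f.ts // window_s))
        buckets[key]["ports"].add(f.dport)
        buckets[key]["targets"].add(f.dst)
    findings = {}
    for (src, _window), seen in buckets.items():
        if len(seen["ports"]) >= port_threshold:
            prev = findings.get(src)
            if prev is None or len(seen["ports"]) > prev["ports"]:
                findings[src] = {"ports": len(seen["ports"]),
                                 "targets": set(seen["targets"])}
    return findings


def decide(findings, designated_hosts):
    """Decision: contain automatically only when a designated system was touched;
    everything else is raised to an analyst. Returns [(action, src), ...]."""
    actions = []
    for src in sorted(findings):
        if findings[src]["targets"] & designated_hosts:
            actions.append(("contain", src))
        else:
            actions.append(("alert", src))
    return actions


def act(actions, hard_timeout_s=600):
    """Action: 'contain' becomes an OpenFlow-style drop rule (an empty action
    list drops matching packets); 'alert' becomes an analyst ticket."""
    rules, alerts = [], []
    for action, src in actions:
        if action == "contain":
            rules.append({
                "priority": 1000,
                "match": {"eth_type": 0x0800, "ipv4_src": src},
                "actions": [],                    # no output action == drop
                "hard_timeout": hard_timeout_s,   # containment expires unless renewed
            })
        else:
            alerts.append({"src": src, "reason": "port sweep on non-designated host"})
    return rules, alerts


def run_cycle(flows, designated_hosts=DESIGNATED_HOSTS):
    """One pass of the sense / sense-make / decide / act loop."""
    findings = analyze(flows)
    actions = decide(findings, designated_hosts)
    rules, alerts = act(actions)
    return {"findings": findings, "actions": actions, "rules": rules, "alerts": alerts}


if __name__ == "__main__":
    result = run_cycle(SAMPLE_FLOWS)
    for rule in result["rules"]:
        print("install:", rule)
    for alert in result["alerts"]:
        print("alert:", alert)
```

The design point the doctrine stresses is that acting stays inside the defended network: the only "action" here is a rule installed on the defender's own switches, scoped by a hard timeout so that automated containment does not outlive the analyst review that should follow it.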
There is an assumption among policymakers and analysts that cyberspace favors offense. However, a focus on offense has possible side effects, including increasing international tensions, augmenting a state's readiness to launch a counter-offensive after a cyberattack, and heightening cyber vulnerabilities. With increased awareness of the possible side effects of an offense-first cyber defense policy, there is increased emphasis on a cyber offense-defense balance, which can be based on a cost-benefit analysis.
In the military context, the difficulty of distinguishing offense from defense stems from the concept of a decisive victory. Such victories are elusive enough in traditional warfare; in cyberspace the idea of a decisive victory may be impossible to quantify or justify, especially as many victories depend on the negation or destruction of physical assets and capabilities.
In the larger context, the terms offense and defense are often applied to cyberwar with little thought for the context in which either is used. As a result, tools for espionage, propaganda, theft, and disruption are often labeled acts of cyberwar. Cyberwar, like its conventional counterpart, requires material damage such as destroying assets, disabling weapons with digital components, and disabling the critical infrastructure that powers the machinery of war. These physical effects, and how they complement military actions, determine whether a weapon is defensive or offensive in nature.
Such a cost-benefit analysis would weigh the benefit of offense less the cost of offense against the benefit of defense less the cost of defense. This kind of calculation emphasizes the costs of defense, which increase with the relative complexity of cyberspace operations. But it also helps in understanding the complexity of an organization's capabilities in managing the goals of offense and defense and their relative costs.
Studies of the character of cyber conflicts and actions from 2000 to 2016 showed a restrained domain with few aggressive attacks seeking a dramatic, decisive impact. These studies found that attacks neither beget attacks nor deter them. If few operations are effective in compelling the enemy, and fewer still lead to responses in the domain, it suggests that a policy of offensive operations to deter rivals would not be useful in cyberspace.
In April 2018, United States Cyber Command released a new vision statement calling for "persistent action" to maintain cyber superiority. The document echoed other studies portraying the United States as ceding the digital high ground to adversaries. One example was a 2018 Defense Science Board study, which claimed the "United States has fallen behind its competitors in the cyber domain, both conceptually and operationally." In response to these assessments, and to threats from strategic competitors, Cyber Command contends that the United States needs a more aggressive strategy and a new era of persistent action that retains cyber superiority for the United States.
These policies draw on traditional military doctrine and define cyberspace superiority as "the degree of dominance in cyberspace by one force that permits the secure, reliable conduct of operations by that force and its related land, air, maritime, and space forces at a given time and place without prohibitive interference by an adversary." Cyber Command sees cyberspace as a domain fraught with risk, where strategic competitors can undermine American power, and this perspective suggests that policy solutions and direction continue to be offensive. However, studies of effective cyber defense suggest the cyber domain tends to be optimized for defense and deception, not offensive blows. Not only do these studies suggest offense is the weaker form of competition in cyberspace, but they also suggest that an offensive strategy risks inadvertent escalation.