A series of high-profile cyberattacks from Russia, China and criminal networks in recent years has served as a wake-up call to the Defense Department that cyberwarfare has changed.
And that reckoning has forced one of its most secretive branches — U.S. Cyber Command — to come to an unusual conclusion: Going it alone is no longer an option.
Hackers are increasingly infiltrating private companies and government agencies far outside the Pentagon’s usual purview, and the hacks are being perpetrated by cybercriminals who honed their strategies abroad before striking the United States.
So Pentagon leaders have started opening up communications with other federal agencies and the private sector on cyber threats to elections and other critical systems, and increasing assistance to foreign allies. They’ve codified the changes in a new cybersecurity strategy viewed by POLITICO that is set to be released Tuesday.
It’s “a more calibrated thinking about cyber, and realistic thinking about cyber,” said Mieke Eoyang, DOD deputy assistant secretary for cyber policy, in an interview ahead of the strategy rollout.
It’s also a big bet for a Defense Department that already has a shortage of cybersecurity-trained personnel and isn’t used to sharing key intelligence outside agency walls. And if it doesn’t work, the U.S. could find itself spread thin in its efforts to keep up with increasingly sophisticated and savvy digital adversaries.
But those familiar with Pentagon cyber operations say opening up is the only way to keep up.
For decades, the Pentagon focused its Cyber Command defense operations on protecting U.S. military networks from cyberattacks. But that left openings for other infiltrations — those at civilian government agencies and ransomware cyberattacks in which criminals shut down the networks of private businesses essential to the U.S. economy and demand payments to hand back control.
“DOD's cyber strategy was extremely reactive in nature and led U.S. Cyber Command to really only be prepared to help recover from a cyber event and to develop capabilities that would only be used during war,” said Lt. Gen. Charlie Moore, who served as deputy commander of Cyber Command from 2020 to 2022. “During those days, I would frustratingly refer to Cyber Command as the ‘clean up on Aisle 6’ and ‘break glass in time of war’ command.”
But during Moore’s tenure, the increasing number and variety of cyber strikes garnered wider attention. In December 2020, the U.S. discovered that Russian government hackers had infiltrated the networks of at least a dozen federal agencies in what became known as the SolarWinds hack. In 2021, a ransomware strike on Colonial Pipeline forced the shutdown of the line that provided around half the East Coast’s gas supply.
Ransomware attacks later in the year on meat producer JBS Foods and on IT management group Kaseya, both linked to Russian-based cybercriminal groups, added to the sense throughout the government and the country that the U.S. didn’t have the cyber defenses it needed.
“2021, this is the inflection point for the nation in cyberspace, this is when cybersecurity became national security,” said Gen. Paul Nakasone, head of both the National Security Agency and Cyber Command, in an interview at the NSA headquarters in Fort Meade, Md.
The Colonial Pipeline hack showed a particular gap. It was carried out by a cybercriminal group on a private business — a company the federal government did not directly protect — and involved a major disruption to daily life.
DOD had always left such ransomware attacks to law enforcement agencies to handle, Nakasone said. Colonial Pipeline got the Pentagon to rethink that.
“This is for our Department of Defense. This is how we have to defend our nation,” he said.
The Biden administration has since buckled down on working with critical infrastructure owners and operators to enhance security for sectors including water, the electric grid and oil and gas pipelines.
DOD is now aiming to tighten these bonds with the private sector — which controls almost 90 percent of all critical U.S. networks — by providing more resources and intelligence to those companies, according to the strategy.
Rather than merely asking companies to share information about breaches after they’d occurred, DOD started saying to companies: “‘we owe you actionable intelligence, and you will defend the networks yourselves,’” said Eoyang, the deputy assistant secretary.
At the same time, DOD has been slowly increasing its joint cyber operations with allies — a shift for a branch that previously focused its foreign operations on defending its own networks against attackers.
The document highlights DOD’s increased cooperation with partners such as Ukraine and others — and promises more ahead.
Cyber Command first started deploying “hunt forward” teams — which travel to allied nations to check critical networks for vulnerabilities — after revelations of Russian attempts to spread divisive content online ahead of the 2018 U.S. midterm elections. The idea was to look for ways that Russia or other adversaries could interfere in foreign nations, and both assist partners in preventing this and learn lessons to bring home.
At the time, Nakasone “told CyberCom, ‘if you want to know what Russia is doing in cyberspace, go to Ukraine, because that is where they are extremely active,’” Moore said.
Ukraine was one of the first countries to receive such teams, said Moore, adding that the missions were “extremely successful.” The teams brought back information about Moscow’s tactics in cyber warfare, plans for interference in the elections and actual Russian malware.
Since then, Cyber Command has conducted dozens of hunt forward operations around the world, including in Estonia, Lithuania, Albania and Latvia. The teams normally comprise eight to 10 people from the command’s Cyber National Mission Force, now headed up by Maj. Gen. Joe Hartman, and are deployed at the request of the partner nation.
“It provides us insights on what our adversaries are doing so we can secure our own networks,” Nakasone said.
Cyber Command deployed a hunt forward team to Ukraine again in December 2021 — just weeks before Russia began launching cyberattacks on Kyiv’s networks ahead of its full-scale invasion in February. Sitting side-by-side with Ukrainian cyber professionals, the team hunted for malicious activity on Kyiv’s networks until they left in February.
The team has continued to work remotely with the Ukrainian cyber forces from the U.S., said Holly Baroody, executive director of Cyber Command.
“Because we're developing that relationship, where we have a team on the ground and they’re actually being able to exchange information, what we've started to find is that there's a willingness to share other cyber threat information even beyond the networks that we're hunting on,” Baroody said.
But putting more resources into hunt forward operations could take away from efforts to “fight and win the nation's wars,” according to retired Rear Adm. Mark Montgomery, now senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.
Cyber Command is also taking its fight more into the public sphere, such as by calling out “malicious” cyber activities by China. This pointed language is a marked shift from the last strategy in 2018, which called out China only with regard to hacking operations to steal U.S. intellectual property and its larger “strategic threat.”
It states that in a conflict, the Chinese government “likely intends to launch destructive cyberattacks against the U.S. Homeland,” following similar warnings from other top officials in recent months.
“China represents to us an order of magnitude different challenge than the others,” Eoyang said, noting that China can “limit our operational capability.”
As recently as July, it was revealed that China-linked hackers had breached emails of officials at the State and Commerce departments.
The strategy also highlights the Pentagon’s own offensive cyber activities, a rare acknowledgement that DOD conducts such operations. The strategy states that “our adversaries will be made to doubt the efficacy of their military capabilities as well as the belief that they can conduct unattributed coercive actions against the United States.”
The new strategy will face a major test next year with the U.S. presidential elections. Nakasone said DOD is forming an “election security group” with personnel from the NSA and Cyber Command, and is also working with “foreign partners,” the private sector and academia.
Further work with other federal agencies and private sector groups, such as social media platforms, to protect elections is also in the works, he added.
Pentagon officials acknowledge that they’re taking on big tasks despite having limited resources and personnel. DOD has struggled to hire and retain cybersecurity personnel in a highly competitive market.
“How to most effectively use our limited offensive cyber resources continues to be an area that still needs a bit of maturation,” Moore said.
Some argue that the Pentagon should be focusing more on solving that problem, such as pushing for the creation of a Cyber Force — a new branch of the military at the level of the Navy or Space Force — that would be responsible for manning, training and equipping personnel, and would likely involve a major boost to DOD cyber personnel, funding and attention. DOD has studied the idea, and Sen. Kirsten Gillibrand (D-N.Y.) proposed language in this year’s National Defense Authorization Act to require a study of whether a Cyber Force is needed at the Pentagon.
“At least they acknowledge they need institutional reforms,” Montgomery said, referring to the changes coming in the new strategy. But, he said, carrying them out without a fundamental restructuring that includes a Cyber Force is unlikely.
“The good news is they are absolutely doing a good job at expanding their definition of who is in the defense industrial base and inside the tent,” Montgomery said.