Cyber Primer: Assessment and Recommendations of the National Defense Strategy Commission

On Wednesday, the United States’ bipartisan National Defense Strategy Commission released its assessments and recommendations for the Trump administration, titled “Providing for the Common Defense.” The following is a short summary of the document’s cyber-related findings.

1) Catch up on staffing, America.

“America is losing its advantage in key warfighting areas such as power projection, air and missile defense, cyber and space operations, anti-surface and anti-submarine warfare, long-range ground-based fires, and electronic warfare,” the Commission found. It is “painfully clear,” the report adds, “that America is not competing or deterring its adversaries as effectively as it should in cyberspace. We must operate more nimbly, aggressively, and effectively in this crucial domain.”

On Tuesday, November 13, the House of Representatives unanimously passed legislation transforming the National Protection and Programs Directorate (NPPD) into the Cybersecurity and Critical Infrastructure Agency (CISA) within the Department of Homeland Security, aimed at bolstering America’s defenses against physical and digital threats to infrastructure. This comes off the back of a series of recent think tank reports (including our own) on closing the so-called cyber enforcement gap, bolstering the domestic cybersecurity workforce, and building a United States Cybersecurity Civilian Corps—the last of which was subsequently endorsed by Jeanette Manfra, the assistant secretary for cybersecurity at DHS. The Commission’s report and these other items make it clear: America needs to get it together.

2) Surprise: watch China.

“The challenge China presents is particularly daunting,” the Commission wrote. It’s probably because the country is putting time, money, and effort into building its national strategies. Among many other existing documents on cybersecurity and digital planning, the Cyberspace Administration of China released a public statement in September about propaganda and opinion management online, and on November 5, Chinese President Xi Jinping reemphasized the country’s New Generation Artificial Intelligence Development Plan.

Just a few days later, on November 8, senior NSA official Rob Joyce said that China is “well beyond the bounds” of its prior agreement with President Obama to end cyber-enabled economic espionage—meaning its hacking of American companies has evidently come back to life. This arrives around a recent report from the Center for a New American Security on China’s efforts to attain quantum superiority and the country’s proposal to the UN General Assembly on ICT and international security. Most recently, November 15 rules issued by the Cyberspace Administration take even stronger steps to police online speech, The Wall Street Journal reported.

3) Also, watch Russia.

As for Russian cyber threats, “Moscow has invaded and dismembered neighboring states,” the report writes, and “used cyberwarfare and other tactics to attack democratic nations’ political systems.” This is coupled with additional information warfare campaigns designed to undermine trust in global institutions, as the United States and countries across Europe have grappled with over the past few years.

Just this week, it was reported that Google internet traffic was rerouted through Russia and China—in yet another effort to undermine trust in the global internet. Russia also introduced the October 22 proposal to the UN General Assembly along with China, which is one item in a long line of attempts to influence the global conversation on cyber norms. As for the US midterms, those likely suffered from Russian interference too, experts say (after the US government allegedly took steps to deter it).

4) And also watch Iran.

Iran, meanwhile, is growing its military capabilities in a number of areas including through “more sophisticated cyber forces.” As Trey Herr and Laura Bate wrote last year, the Iranian cyber threat is real. US intelligence officials commented back in July, for instance, that “Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and health care and technology companies in the U.S., Germany, the U.K. and other countries in Europe and the Middle East.”

5) Review US cyber policy—at the highest level.

The report’s final cyber recommendation? “Congress should appoint a high-level commission to review U.S. cyber policy, particularly relevant authorities and organizational relationships and responsibilities within the U.S. government.” This group, according to the report, should offer recommendations on streamlined decision-making, deterring or responding to malign actions, and protecting civil liberties.

Last year’s National Security Strategy and, subsequently, this year’s National Defense Strategy both promote the notion that great power conflict is back in, with much contestation taking place in the grey zone, below the threshold of armed conflict. Both the Commission and the drafters of these strategies seem to accept that cyber and information conflict will be a big part of that. Nonetheless, the Commission report hits on an important point: It’s one thing for the United States to publish a national cyber strategy and talk about the importance of cyberspace in its future; it’s entirely another for the defense and intelligence apparatuses to cohesively implement that strategy in their day-to-day operations—and, indeed, to embrace cultural changes that will further advance American cyber power. This is perhaps more than one can ask from an unclassified strategy document, but it will be the primary challenge for those tasked with implementation of its recommendations.