为美国网络战略的下一阶段做准备

ATLANTIC COUNCIL1Preparing the next phase of US cyber strategyISSUE BRIEFJENNY JUN Nonresident Fellow, Cyber Statecraft Initiative, Atlantic CouncilPhD Candidate, Department of Political Science, Columbia UniversityMARCH 2022EXECUTIVE SUMMARY This paper considers tensions in the current US cyber strategy for the Defense Department and the broader cyber policy community in the Biden-Harris administration as they form the next phase of the strategy. Specifically, it argues that the current strategy may not incentivize other cyber powers to conduct cam-paigns in ways that minimize accidents and reckless behavior. In addition, the paper highlights a lingering, and deleterious, ambiguity in how Defend Forward relates to the concept of deterrence in cyberspace. These tensions reveal that simply hoping that states will arrive at common “rules of the road” through tacit interactions is not sufficient. A renewed US strategy also needs active diplomacy and explicit bargaining among states, with the United States proactively shaping the contours of that debate. The revised strategy should also streamline how, when, and under what conditions Defend Forward can best serve as a means to the goal of achieving superiority in cyberspace.INTRODUCTIONFour years after the 2018 Cyber Posture Review, the Department of Defense (DoD) will likely soon complete a review of how cyber capabilities and opera-tions relate to the broader US military strategy. A key strategic concept in the current US cyber strategy is Defend Forward, which aims to “disrupt or halt malicious cyber activity at its source” in order to “stop threats before they reach our targets.”1 Several documents articulate this concept including the 2018 Command Vision for US Cyber Command, the 2018 DoD Cyber Strategy, and the 2020 Cyberspace Solarium Commission Final Report.21 “2018 Department of Defense Cyber Strategy” (Department of Defense, September 18, 2018), https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.2 “Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command” (US Cyber Command, March 23, 2018), https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010; “2018 Department of Defense Cyber Strategy”; “Cyberspace Solarium Commission Final Report” (Cyberspace Solarium Commission, March 11, 2020), https://www.solarium.gov/report.#ACcyberThe Scowcroft Center for Strategy and Security works to develop sustainable, nonpartisan strategies to address the most important security challenges facing the United States and the world. The Center honors General Brent Scowcroft’s legacy of service and embodies his ethos of nonpartisan commitment to the cause of security, support for US leadership in cooperation with allies and partners, and dedication to the mentorship of the next generation of leaders.The Cyber Statecraft Initiative works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology. This work extends through the competition of state and non-state actors, the security of the internet and computing systems, the safety of operational technology and physical systems, and the communities of cyberspace. The Initiative convenes a diverse network of passionate and knowledgeable contributors, bridging the gap among technical, policy, and user communities. #ACcyberPREPARING THE NEXT PHASE OF US CYBER STRATEGYATLANTIC COUNCIL2Though scholars have debated on the merits of this concept in the past four years, at least for this cycle of review, Defend Forward as a strategic concept is likely here to stay. That is not to say that the concept is not without unresolved tensions. First, while proponents of Defend Forward argue that there is a downstream positive effect by forcing the adversary to spend its resources on defense, this may only be true in some conditions. The review should recognize that Defend Forward can also directly lead to downstream negative effects in other cases, such as increased reckless behavior due to a shortening tempo of operations. Second, key US documents on Defend Forward are not in alignment as to whether the United States seeks to achieve deterrence in cyberspace or not, and if so, against whom and for what level of activities. Furthermore, some actions taken in cyberspace for purely defensive purposes can potentially undermine the deterrence that the United States purports to seek. The next iteration of US cyber strategy must work to resolve these tensions and find ways to explicitly link with other instruments of policy to complement the strategic concept. DEFEND FORWARD AND ITS RISKSDoes the current strategy incentivize others to minimize accidents and reckless behavior?One of the stated objectives of Defend Forward is to shape adversary behavior