Nov 04 2015

Offensive Cyber Strategy the Right Call

The government long resisted an offensive cyber strategy, but increased threats call for a new plan.

The government’s cybersecurity challenge, in a way, began the day ARPANET sent its first packet between computers.

As the Internet grew and became an integral part of modern existence, the government — in particular, the military — faced a hard decision: Should it attack foes inside cyberspace?

For more than 50 years, the answer was no. The reason was simple: An escalating cyberoffensive on the part of the United States would surely result in a similar response from the nation’s enemies.

In the ensuing fight, everyone would lose, as systems crashed, interrupting everyday life for both sides.

Changes In Thought About Cyber Strategy


The number of active-duty cybersecurity teams the U.S. Cyber Command wants to have ready by the end of 2016

SOURCE: Military Times, “Cyber force grows, along with retention concerns,” March 2015

That thinking changed this spring. Even before the attack on the Office of Personnel Manage­ment, President Obama and Secretary of Defense Ashton Carter had announced a new strategy for the Defense Department that, for the first time, publicly detailed the use of offensive cyber capabilities. The plan laid out a reasoned and measured approach that set strict rules for when the government should go on the offensive.

For years, malicious hackers attacked the government without fear of retribution.

By announcing the willingness to go on the attack, federal leaders hope to discourage — or at least reduce — such attacks and attempts.

It’s a smart strategy that comes as a matter of necessity.

Training Cyber Warriors

“We’re at a tipping point,” Adm. Michael Rogers, director of the National Security Agency, told a Senate committee earlier this year. “We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?” Ultimately, Rogers said, a “purely defensive, reactive strategy” will be both too late and very resource-intensive.

As part of its effort, the U.S. Cyber Command, which was created in 2009 under the umbrella of the military’s U.S. Strategic Command, wants to hire approximately 6,200 cybersecurity professionals to undertake this mission and others.

Their job will focus on defending the nation from large-scale cyberthreats, protecting the Pentagon’s internal networks from attack and working with combatant commanders to support offensive operations.

So far the news is good, as people are lining up to take these positions. The Army, for instance, met 75 percent of its annual cyber recruiting goal in the first quarter of this year without offering bonuses. The Air Force allows recruits to enter the military at a higher rank if they join with civilian credentials in cybersecurity, which has aided the government in recruitment.

These reports are encouraging. Public- and private-sector leaders have long bemoaned the lack of cyber talent, but these recruiting efforts suggest that more people are gaining these skills or want to learn them.

Industry has a role to play in this mission. Cybersecurity is not the job solely of the military or government; it’s a collaborative process between the government and industry that demands sharing information, insight, best practices and training techniques.

Aleksandar Nakic/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT