A decade ago, then-Secretary of Defense Leon Panetta uttered a phrase that would go on to live in infamy: “cyber Pearl Harbor.” Panetta was using his platform as the country’s leading national security official to warn of dire future digital assaults on the United States. Energy infrastructure, transportation systems, financial platforms, and more were vulnerable to exploitation, he warned. The media, pundits, and politicians have used the phrase, along with the similarly evocative “cyber 9/11” and “cyber Katrina,” galvanize support for national efforts to address cybersecurity challenges.
The infamy of the “cyber Pearl Harbor” meme lies in its utter disloyalty to the realism of global cyber conflict. The idea of Western society collapsing around our shoulders due to digital disruption, the argument goes, ignores the fact that such disruption offers no strategic utility to those actors most capable of executing such an attack, beyond the context of a shooting war with a peer state competitor. Substantial disruptions, as seen in incidents like NotPetya, are inevitable, but they are unlikely to be common, endemic, or as cataclysmic as the “Pearl Harbor” mnemonic implies. Instead, cyber usage by belligerents in recent major conflicts in Ukraine and Israel – both limited and lacking a “cyber blitzkrieg,” often with a performative focus – feel much more exemplary of cyber conflicts to come.
2023 Cyber Strategy offers pragmatism
A major driver of the campaign against cyber doom nomenclature is the argument that such framing creates a disconnect between government concerns about national cyber defense and the realism of industry efforts to build a healthier cyber ecosystem. Given this, the recent publication of the Department of Defense’s 2023 Cyber Strategy should be seen as a welcome evolution of government perspective on the scope of defense and deterrence challenges in the cyber domain.
Unlike previous manifestations of the defense community’s strategic vision for operation in cyberspace, the 2023 document is extremely conservative. It forwards no major conceptual developments, no new branding for emergent ideas around digital operations, and no radical reactionary takes on the war in Ukraine. While cyber strategy “with the brakes on” might sound risky at first glance, this restraint in the face of recent changes that enable the activities of US Cyber Command introduces a measure of stability to national cybersecurity policymaking. More importantly, it offers breathing room within which civilian, industry, and government can find balance that has perennially been absent in public-private relations in this space.
Greater cross-sector consideration for national cyber defense
Prior to the release of the 2023 document, the 2022 National Defense Strategy outlined a new concept that will drive the vision, planning, and actions of the Pentagon called “campaigning.” The concept is not cyber-specific. Instead, it is a more holistic representation of the idea that national security and foreign policy objectives are invariably secured via sequential and cumulative activities planned across multiple domains of government and national capacity. That distinction between government and national capacities is noteworthy, as the campaign idea emphasizes that military activities must align with those that are strategically relevant. This includes non-military actors, their interests, their infrastructures, and their own capacities to impact international politics and commerce.
The point of the 2022 strategy, now brought forward in cyber-specific terms in the 2023 Cyber Strategy, is that the concepts of defending forward in a domain defined by persistent engagement with adversary forces demand delegation and co-reliance across public-private boundaries. The Pentagon recognizes, quite practically relative to years past, that most cybersecurity activities occur entirely beneath the threshold of armed conflict between countries.