The Defense Department will need to expand its cyber workforce and strengthen its international alliances to meet the goals laid out in its new cyber strategy. The plan draws from lessons learned in Russia’s invasion of Ukraine and it seeks to maintain an edge against China.
DoD went public with the new strategy Tuesday when it released the unclassified summary — the full, classified version was finalized earlier this year. The summary lays out four lines of effort that the department says are intended to align with the 2022 National Defense Strategy. The lines of effort include:
Defend the nation
Prepare to fight and win the nation’s wars
Protect the cyber domain with allies and partners
Build enduring advantages in cyberspace
Mieke Eoyang, deputy assistant secretary of Defense for cyber policy, said the new strategy represents a change from previous editions because it includes building the cyber capability of global allies and partners.
“Allies and partners are our strategic advantage that no competitor can match. Adversaries continually attempt to undermine the capabilities of our partners, and it’s in our interest to strengthen the network defense,” Eoyang said at a Pentagon press briefing Tuesday.
The unclassified summary called for addressing institutional barriers that inhibit cooperation in cyberspace and for leveraging security cooperation tools to advance DoD’s defense priorities with partners. It also prioritized the timely sharing of information those partners need to increase the effectiveness of combined cyberspace operations and improve collective cybersecurity efforts.
The strategy offered some avenues for increasing cybersecurity staffing levels, mostly with ideas already in use. It mentioned increasing the use of reservists and increasing the length and number of tours in cyber fields.
It also called for using the National Guard to facilitate partnerships between federal, state, local, territorial, and tribal agencies to support cyber defense responses.
The strategy stated DoD will “proactively identify cyber talent with experience in the [defense industrial base], commercial information technology sector, academia, intelligence community and military.”
It also said incentives would be adequately funded and targeted towards specific skills in hiring and retention.
Eoyang said she did not have specific numbers on how many new workers the Pentagon planned to hire, or details on exactly what new incentive programs would look like.
“It’s a really important question for us to think about how we are incentivizing the cyber workforce here, especially as we face competition from the private sector. It is part of the study that we are undertaking to be able to better understand our human capital requirements,” Eoyang said.
The DoD currently offers hiring incentives and has a Cyber Excepted Service that offers a wage structure designed to be more competitive with private industry.
“People are essential to our capability in cyber, which is why we talk about cyber forces as the number one critical enabler in the context of defense cyber strategy. Our focus on making sure that we are getting the people part right is a key line of effort for us in this strategy,” Eoyang said.
Defending against outside cyber attacks will focus both on China and Russia along with organized crime, terrorists and other antagonistic state actors.
“It establishes the role of cyberspace operations in integrated deterrence, which is employing cyberspace operations in concert with other instruments of national power, especially in defending the homeland and ensuring the resilience of the joint force,” Eoyang said.
New technology will also play a part in future defense. Eoyang didn’t mention specific initiatives but said DoD would look at ways to improve its cyber defense.
“We have seen adversaries, tactics and techniques change and evolve. There are technologies we think about as part of a zero-trust architecture that would enable us to better identify malicious and anomalous behavior on DoD networks. We are interested in the development of those technologies among others,” she said.
DoD is the sector risk management agency for the defense industrial base. In that role it works with companies, monitors threats, oversees incident management and provides technical assistance. The strategy includes aligning contract incentives with DoD cybersecurity requirements and expanded implementation of the Cybersecurity Maturity Model Certification Program.