Defend forward is the operational concept articulated in the 2018 U.S. Department of Defense Cyber Strategy, which committed the Pentagon to "defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict." It represents a shift from a primarily reactive, perimeter-based posture toward proactive engagement with adversaries in foreign or "gray" cyberspace.
The concept is closely tied to persistent engagement, the operating doctrine adopted by U.S. Cyber Command (USCYBERCOM) under General Paul Nakasone. Where defend forward describes where operations occur — outside U.S. networks, often on infrastructure used by adversaries — persistent engagement describes how forces continuously contest adversary activity rather than waiting for incidents. Both ideas were elevated by the 2018 National Cyber Strategy and reinforced by the Cyberspace Solarium Commission report (March 2020), which endorsed defend forward as part of a broader "layered cyber deterrence" framework.
Authorities enabling these operations expanded significantly in 2018. National Security Presidential Memorandum 13 (NSPM-13) delegated greater authority for offensive cyber operations from the White House to the Defense Department, and the John S. McCain National Defense Authorization Act for FY2019 clarified that clandestine military activities in cyberspace are traditional military activities. Reported applications include USCYBERCOM operations against the Internet Research Agency around the 2018 U.S. midterms and against ISIS networks under Joint Task Force ARES.
Critics raise several concerns:
- Escalation risk — operating on third-country infrastructure may provoke responses or diplomatic friction.
- Sovereignty and international law — questions about whether such operations comply with the principle of non-intervention.
- Transparency and oversight — the classified nature of operations complicates congressional and public accountability.
- Private-sector exposure — adversary infrastructure often sits on commercial networks.
Allies including the United Kingdom (through the National Cyber Force, announced in 2020) have developed analogous concepts, though terminology and legal frameworks vary.
Example
In 2018, U.S. Cyber Command reportedly conducted defend-forward operations to disrupt the Russian Internet Research Agency's network access during the U.S. midterm elections.
Frequently asked questions
It was formally articulated in the 2018 U.S. Department of Defense Cyber Strategy summary and reinforced in the 2018 National Cyber Strategy.
Keep learning