White House National Cyber Strategy: An AnalysisSecurity Experts Examine Administration's Document and Rhetoric
A national cybersecurity strategy document released by the White House last week - along with comments from a top Trump administration official that the U.S. would step up its offensive cyber measures - are getting mixed reviews from cybersecurity experts.
See Also: The Global State of Online Digital Trust
The White House document released on Sept. 20 contains four main "pillars" that experts say appear mainly defensive in nature.
The document follows an executive order President Trump quietly signed earlier this year that reportedly revokes a set of Obama-era guidelines for offensive cyber operations. That order was intended to loosen restrictions on U.S. use of cyber weapons against adversaries (see Trump Pulls of Gloves on Offensive Cyber Actions).
At a Sept. 20 media briefing, national security adviser John Bolton said the U.S. would act more aggressively in cyberspace, confirming that the Trump administration had rescinded Obama administration guidance on how to handle cyberattacks by signing a replacement policy that puts the U.S. on the offense, according to The Hill news site.
Policy change was needed "not because we want more offensive operations in cyber space, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear," Bolton said, according to Reuters.
'Great Step Forward' or Nothing New?
Some cybersecurity experts praise the Trump strategy that appears to be unfolding.
"The new National Cyber Strategy is a great step forward and demonstrates a thoughtful interagency approach to protecting national prosperity and security in our information-enabled world," Retired Brigadier General Greg Touhill, president of Cyxtera Federal Group - and the nation's first federal CISO, who served under President Obama - tells Information Security Media Group. "It builds upon the lessons learned from previous administrations and presents a solid approach to managing cyber risk."
But others argue that the White House strategy document contains little new.
"It is mostly a follow-up to the May 2017 [Trump] executive order, which is a set of issues following up on the Obama National Action Plan from 2016," says Ari Schwartz, managing director of cybersecurity services at the law firm Venable. He served as a former special assistant to the president and senior director for cybersecurity in the Obama administration.
For instance, the White House document appears to promote U.S. collaboration with other countries to fight adversaries, as well as taking a "consequence-driven approach" that includes "imposing costs" on cybercriminals and their sponsors "by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy."
"I would recommend that the Trump administration demonstrate their policy with action rather than continuing to escalate it with words."
—Ari Schwartz, Venable
The White House document doesn't describe what potential offensive measures might be considered as part of a "broader deterrence strategy" that's not limited to prosecution and economic sanctions.
Touhill doesn't think it's a problem that the details in the document issued by the White House do not exactly mesh with Bolton's more aggressive tone.
"Frankly, the public document did not reflect everything that Bolton said ... but it's largely congruent on the way we've been going, and I like the tone and direction it's taking," Touhill says.
"We've got a wide variety of actors out there that range from criminal groups to nation-states. We as a nation need to try to address all enemies."
Mac McMillan, president of the security consultancy CynergisTek, who's a former information security leader in the Department of Defense, notes a number of possibilities for moves the U.S. can make.
"This could mean offensive cyber action against nation-state actors that engage in cybercriminal activity; it could mean economic or political responses to cyber events," he says. "Hopefully, it will mean carefully measured responses, regardless of form, and careful application to only affect those involved. The real challenge in doing anything over the internet is being able to avoid expansion or collateral damage."
When countries engage in cyber war, there are likely to be unintended consequences, McMillan says. "Our national security is sacred, and protecting our national interests is important; so cyber action may be an appropriate response," he adds.
The Obama administration also sometimes used sanctions in response to cyberattacks, and that proved effective, Schwartz contends. "Even the threat of sanctions was clearly successful in efforts to get China to pay attention to the rampant IP theft that the PLA [People's Liberation Army] was responsible for," he notes.
McMillan also says that sanctions have generally worked, "and the Chinese dramatically curbed their cyber activity after the Obama Administration applied sanctions. The reason is quite simple: Our economies are closely linked, and the Chinese stand to lose considerably if sanctions are imposed."
Shift in Tone
The biggest shift in tone came in Bolton's remarks hinting that the White House would take a more offense approach than what seems to be called for in its new document.
"Bolton's comments are clearly more aggressive than the strategy [document] itself," Schwartz says.
"I do not think that many of the United States' adversaries will be deterred by Bolton's statement; it's far easier to talk about response than to do it," Schwartz notes." Once there is actually some actions, we can better understand whether this is actually implementable on a broader scale or not."
The U.S. has "a range of tools at its disposal" including sanctions against individuals, organizations or countries, kinetic military operations and cyber operations, Schwartz says. "I'd also hope they are continually looking for new tools to use," he adds.
The "four pillars" in the White House document are:
- Protecting the American people, homeland and way of life, which includes a strategy for securing government systems and critical infrastructure;
- Promoting American prosperity, which encourages investments in adoption of cybersecurity technologies and innovation, and development of the cybersecurity workforce;
- Preserving peace through strength - including attributing and deterring "unacceptable behavior in cyberspace;"
- Advancing American influence including "promoting an open, interoperable reliable and secure internet."
The responsibility to secure the nation's critical infrastructure and manage its cybersecurity risk is shared by the private sector and the federal government, the document notes.
"We will collectively use a risk management approach to mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure," the document states. "We will simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure.
"We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy."
The document notes the Trump administration will work with Congress "to update electronic surveillance and computer crime statutes to enhance law enforcement's capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions and impose appropriate consequences upon malicious cyber actors."
The document also states that the U.S. "will push other nations to expedite their assistance in investigations and to comply with any bilateral or multilateral agreements or obligations." The imposition of consequences will be more impactful and send a stronger message if it is carried out in concert with a broader coalition of like-minded states, it notes.
"The United States will launch an international Cyber Deterrence Initiative to build such a coalition and develop tailored strategies to ensure adversaries understand the consequences of their malicious cyber behavior," according to the document.
Room for Improvement
Although the Trump strategy, as outlined in the document, is a step in the right direction, it's deficient in several key areas, says Tom Kellerman, chief cybersecurity officer at Carbon Black Inc. He held a seat on the Commission on Cyber Security for the 44th President of the United States and served as an adviser to the International Cyber Security Protection Alliance.
"It is high time that the U.S. pursue proportional active response to national state activity that is attempting to colonize or destroy American infrastructure, whether it be civilian or public sector."
—Tom Kellerman, Carbon Black
"While attempting to address cybersecurity is a step in the right direction, this strategy falls short. It does not account for the dark web's economy of scale and the advanced kill chains used by modern attackers," Kellerman says. "The Commission on Cybersecurity [during the Obama administration] outlined dozens of opportunities for strategic action, and these recommendations have largely been ignored."
While encouraged by the bolder offensive cyber approach that Bolton implies the Trump administration will take, Kellerman remains skeptical.
"As much as Bolton needs to understand the nuance and nature of the ephemeral horizontal that is cyber, I agree with him. I think it is high time that the U.S. pursue proportional active response to national state activity that is attempting to colonize or destroy American infrastructure, whether it be civilian or public sector," Kellerman says.
"I'm actually heartened that you're getting those kinds of declarations from the national security adviser. But then again, it's not secretary of defense or the president. Does General [Paul] Nakasone - who's in charge of cyber command - have unfettered capacity to react? Can he really take his gloves off?" Kellerman asks.
The administration needs to do much more to empower the Department of Homeland Security for cybersecurity, he says. "Even where the [document] says to empower DHS, it is still under the oversight of OMB [the Office of Management and Budget]," he notes. "That has to end. No more."
Exercise Restraint in Rhetoric
In the meantime, Schwartz suggests White House officials exercise restraint to avoid overstating policies.
"I would recommend that the Trump administration demonstrate their policy with action rather than continuing to escalate it with words," Schwartz says. "It harms national security to make empty threats and that is what most of the world hears from them today."
McMillan notes that going on the offense also requires having an effective defensive strategy.
"My advice is to be just as aggressive in helping U.S. industry, especially critical infrastructure like our healthcare system, get prepared for what might come," he says. "I worry that several critical industry segments are not ready and that we won't invest in time to ensure that they are. We need stronger security standards in healthcare for information systems and data protection."