New National Cyber Strategy Message: Deterrence Through U.S. Strength

The new White House cybersecurity strategy makes one message clear: America will not sit back and watch when attacked in cyberspace. On the contrary, in areas ranging from critical infrastructure to space exploration to intellectual property protection, the USA will respond offensively as well as defensively in cyberspace. Here’s what you need to know about President Trump’s new cyber strategy.

by / September 29, 2018

The best defense is a good offense. That well-known sports saying is true not only in football but also in cybersecurity.

And according to the National Cyber Strategy of the United States of America, just released by the Trump administration on Sept. 20, 2018, the need to deter adversaries through cybersecurity strength is paramount.   

In pronouncing the “First fully articulated cyber strategy for the United States since 2003,” the White House press release also highlighted actions that President Trump has taken so far on cybersecurity.  

The briefing statements on the cyberstrategy began with this quote from Trump describing the reason the strategy is needed: We must protect the American people, the homeland, and our great American way of life.”

“The Administration recognizes that the United States is engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks. Russia, China, Iran, and North Korea all use cyberspace as a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains. These adversaries use cyber tools to undermine our economy and democracy, steal our intellectual property, and sow discord in our democratic processes. …”

The new strategy includes four main pillars of priority:

  • Pillar I: Protect the American People, the Homeland, and the American Way of Life by securing federal networks and information, securing critical infrastructure, combating cybercrime and improving incident reporting.
  • Pillar II: Promote American Prosperity by fostering a vibrant and resilient digital economy, fostering and protecting U.S. ingenuity and developing a superior U.S. workforce.
  • Pillar III: Preserve Peace through Strength by enhancing cyber stability through norms of responsible state behavior and attributing and deterring unacceptable behaviors in cyberspace.
  • Pillar IV: Advance American Influence by promoting an open, interoperable, reliable and secure Internet and building international cyber capacity.

USA Today highlighted these comments from the rollout of the new cyberstrategy.

"We will respond offensively as well as defensively," national security adviser John Bolton said.

Bolton would not specify what kinds of operations or which adversaries — it's classified, he said — but said the goal is to deter attacks.

The plan directs agencies across the government to periodically review and update defenses against cyberattacks. It also requires federal agencies to work with state and local governments, as well as private businesses, to improve the common defense against cyberwarfare. …

Arthur Herman offered these comments on the strategy in Forbes:  

“The White House also recognizes the longer-term problem of building a workforce ready and capable for cyber response. As I have also pointed out in this space, when only twenty-one percent of computer science majors and graduate students in our universities are actually American nationals, we have an issue [that] needs the full engagement of the federal government as part of implementing a comprehensive cybersecurity strategy.”  

The New York Times offered this analysis:

“President Trump has authorized new, classified orders for the Pentagon’s cyberwarriors to conduct offensive attacks against adversaries more freely and frequently, the White House said on Thursday, wiping away Obama-era restrictions that his advisers viewed as too slow and cumbersome.

“Our hands are not as tied as they were in the Obama administration,” John R. Bolton, the national security adviser, told reporters in announcing a new cyberstrategy.

Mr. Bolton rewrote a draft of the strategy after joining the administration in April. Many of his remarks on Thursday focused on a secret order — which Mr. Trump signed in August but which has never been publicly described — that appears to give far more latitude for the newly elevated United States Cyber Command to act with minimal consultation from a number of other government agencies.

The order essentially delegates more power to Gen. Paul M. Nakasone, who took over this year as the director of the National Security Agency and the commander of United States Cyber Command. During his Senate confirmation hearing in March, General Nakasone complained that America’s online adversaries attacked with little concern about retaliation.

Part of the strategy calls for the United States to develop what it describes as an international cyberdeterrence initiative, which sounds similar to efforts to develop a theory of nuclear deterrence.”

Lexology’s commentary focused on the dramatic changes for government contractors that this new cyber strategy may bring.

“The Strategy continues to reinforce the role of the U.S. Department of Homeland Security (DHS) in securing federal departments and agency networks, other than those run by the U.S. Department of Defense (DoD) and U.S. Intelligence Community (IC) systems. Pillar I includes two main areas of impact to government contractors — "Strengthen Federal Contractor Cybersecurity" and "Improve Federal Supply Chain Risk Management."

Under this first area, implementation of the National Cyber Strategy will affect federal contractors in important ways. It envisions a more proactive government role in assuring that contractors' information systems are adequately protected. The Strategy explicitly states that "The United States cannot afford to have sensitive government information on systems inadequately secured by contractors." It requires federal contracts to contain provisions authorizing the government to review contractor cyber protections by "testing, hunting, sensoring, and responding to incidents on contractor systems." It therefore contemplates government officials accessing and testing contractor systems, rather than its previous primary reliance on contractors to attest to the security of their systems. …”

Other Analysis from Industry Experts

In an informative article from The Cipher Brief several experts offered their critique:

  • Lt. Gen. Kevin McLaughlin (ret.), Former Deputy Director, U.S. Cyber Command: “I believe one of the issues of our time is figuring out how we secure our critical infrastructure from cyber attack.  I like the focus on this issue in the document. The two greatest opportunities here are: the direction to refine roles and responsibilities between the federal government and the private sector and identifying ICT providers as enablers in this space.”
  • Kate Charlet, Former Deputy Assistant Secretary of Defense for Cyber Policy: “I see significant continuity in this strategy, but there are notable additions. The strategy emphasizes cybersecurity in space, which gives new focus to increasingly worrisome cyberthreats to capabilities like position, navigation, and timing (PNT). (Fellow Cipher Brief expert Lt. Gen. (ret.) Kevin McLaughlin has commented thoughtfully on the need to examine whether space should be considered its own critical infrastructure sector.) The boost given to maritime and transportation cybersecurity, likewise, will reinforce the Pentagon’s need to better assure its vulnerable logistics networks. Finally, the only new program in the strategy — the Cyber Deterrence Initiative — gives needed momentum to coordinate responses to malicious activity among allies and partners; this strengthens both deterrence and norm-setting. I saw one major missed opportunity, which was the need to increasingly focus federal cybersecurity initiatives around identifying and prioritizing critical federal functions and missions, similar to the approach used for broader critical infrastructure initiatives.”
  • Dmitri Alperovitch, Co-Founder and CTO, Crowdstrike: “I am very pleased to see the new National Cyber Strategy formally establish the precedent to make routine the ‘work with like-minded partners to attribute and deter malicious cyberactivities.' This is a key and necessary step that has been lacking in U.S. cyberpolicy for many years.”

 

Security Week offered this industry reaction from Bryson Bort, Founder & CEO of Scythe:

“This is the most comprehensive cybersecurity strategy document ever published — firmly stating a vision of the United States as ensuring a secure Internet by cooperation or force. It reads like a response to former NSA Director Admiral Mike Rogers’ February congressional testimony where he acknowledged current constraints in responding to the active threat landscape the US faces.

The ambitious scope is easily reflected in a just few stand out items: replacing social security numbers for identify management; addressing IOT security through the full life cycle, although not post-deployment; a global “Cyber Deterrence Initiative” to strength partner law enforcement and information sharing capabilities; and the promise of “swift and transparent consequences” to deter attacks. The message appears to be: you will see an American Flag planted on your scorched computer(s).”

The Fifth Domain reported that security companies see opportunity in Trump’s new cyberplan.

“The approach could lead to increased business opportunities for cybersecurity contractors, Deon Viergutz, vice president of Lockheed Martin Cyber Solutions, one of four primary DoD cybersecurity contractors, told Fifth Domain in an email. “The President’s National Cyber Strategy and the Department of Defense Cyber Strategy further reinforce the groundswell of support for the growing cyber mission needs and requirements.”

A September report from Frost & Sullivan, a market research organization, also said the use of commercial cybersecurity tools is expected to “accelerate” in the coming years.

“For the most sensitive networks, the government is likely to use [National Security Agency]-approved equipment. But for the bulk of material the government will use off-the-self software,” said Brad Curran, an analyst at Frost & Sullivan. …”

And in Australia, IT News described the new cyberstrategy as an attempt to create global norms for e-war and as a warning for attackers that they will face consequences.

“The United States has revealed a new national cyber security strategy and warned it will increase its use of aggressive cyber-ops. The move comes as US intelligence officials expect a flurry of digital attacks ahead of the November 6 midterm elections.”

My Thoughts

I have written about Trump's infrastructure plans as well as his cybersecurity executive order over the past 18 months.

After reading through the new National Cyber Strategy of the United States of America several times, I am impressed with the goals articulated, the forward-leaning approach and the overall contents of the new strategy. There is no doubt that this document goes further than any previously articulated cybersecurity strategy for our nation.

With several other expert commentators, I am interesting in seeing more details on how this will be achieved. I find it very interesting that the Department of Defense (DoD) also rolled out its new cybersecurity strategy at the same time as the White House cybersecurity strategy. The DoD cybersecurity strategy focuses on government contractors in the defense industrial base (DIB).

The scope of the global cyberchallenges cannot be underestimated. Nevertheless, articulating a stronger offensive plan of deterrence for the U.S. is a noticeable change that raises the stakes moving forward.

The Trump administration is making it clear that significant cyberattacks against U.S. public and private interests will be met with consequences that include online retaliation and even offline impacts to financial assets and much more. Only time will tell what happens next.