While the National Cyber Strategy released by the Trump administration in September may not include many differences in policy compared to the prior version from 2015, the real change comes in the shift from policy to action, including an implementation plan for the National Cyber Strategy, said Grant Schneider, the Federal government’s chief information security officer, on Thursday.
“If you read the National Cyber Strategy, and some of the feedback I get from people, there’s not a lot of new. There’s not some new solution to the cyber problem … there aren’t miracle solutions to the cyber challenges we’re facing. What is new in the National Cyber Strategy is a movement from policy and process to one of action and accountability,” said Schneider during an event hosted by Fifth Domain.
That move to action includes an implementation plan being developed alongside the strategy – but don’t expect to see it anytime soon.
“If you look at the strategy, you might say, ‘it’s kind of high level.’ We are developing an implementation plan for the strategy. It is not going to be a public implementation plan, because we don’t want to give our implementation plan to our adversaries, and because we want to leverage all the good work that’s already underway across the Federal government,” said Schneider.
But what does action and accountability mean in the terms of the National Cyber Strategy?
Between action and accountability, “I think the action piece is more important. What are we doing proactively, as opposed to the accountability being on the reactive side,” said Schneider.
However, action does not necessarily mean offensive action.
“A lot of it is about the basics. It’s doing the basics, day in and day out, over and over again, and everyday forever, because most cyber incidents we have come in through known vulnerabilities,” he said.
On the subject of the National Cyber Strategy and the Department of Defense Cyber Strategy adopting more offensive measures to counter adversaries, “it’s not the wild, wild west where everyone in the government can go do hacking,” said Schneider.
“Just before we put the National Cyber Strategy out, we rescinded PPD-20 (presidential policy directive 20), which was the governance around offensive cyber activity across the Federal government, and we replaced it with what we feel is a far more agile governance structure,” he said. “It is a tool and a capability, which I think is inherently governmental, that we need to have available to use appropriately and when we need to.”
The latter half of “action and accountability” also received praise from Schneider, despite complaints of ineffectiveness against nation-state actors.
“I think you’ve seen, in the last year and a half, a good number of sanctions, and a good number of indictments. I often hear, ‘well, they’re probably not going to come to America, they’re probably not going to see a judge and stand before a court,’ and they may or may not. However, that indictment limits where they can go in the world. It ends up having a personal impact on the people indicted as much as it does on the institution and the adversary who they’re working for. I think there’s value, whether they ever see the light of a courtroom,” said Schneider.