The National Cyber Strategy policy document released by the White House late Thursday tracks in tone and wording with the tough stance adopted in the Defense Department’s cyber strategy announced earlier this week–including its adoption of a more offensive-minded position than previous written policies–and appears to respond in tone to demands from across the political spectrum that the U.S. fashion policy that will do a better job in creating a deterrence effect against adversaries.
In summary, much of the White House policy keys in on and continues Federal government imperatives that have been in place for many years–securing Federal networks and data through means including better supply chain risk management and better contractor security; securing U.S. critical infrastructure both in the Federal and private sector arenas; stepping up efforts to combat cyber criminals; and taking steps to expand and improve the U.S. cybersecurity workforce.
The policy also aims at loftier goals than simple defense–including promoting “American Prosperity” by prioritizing innovation and promoting cross-border data flows–and advancing “American Influence” by advocating for Internet freedom and promoting multi-stakeholder models of Internet governance.
Where the policy appears to sharpen its teeth, however, is in the third of its four stated “pillars” centered on preserving “peace through strength,” with a stated objective to “Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”
“This Administration will issue transformative policies that reflect today’s new reality and guide the United States Government towards strategic outcomes that protect the American people and our way of life,” the policy document states. “Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power,” it says.
On the deterrence front, the policy says, “As the United States continues to promote consensus on what constitutes responsible state behavior in cyberspace, we must also work to ensure that there are consequences for irresponsible behavior that harms the United States and our partners.”
“All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States,” the policy says. “This includes diplomatic, information, military(both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities.”
“The United States will formalize and make routine how we work with like-minded partners to attribute and deter malicious cyber activities with integrated strategies that impose swift, costly, and transparent consequences when malicious actors harm the United States or our partners,” it says.
That language of that portion of the White House policy statement appears to pair closely with DoD’s cyber strategy made public earlier this week, which takes a more offensive stance than its 2015 predecessor and directs DoD to “defend forward, shape the day-to-day competition, and prepare for war” in cyberspace.
To compete and deter in cyberspace, the DoD strategy describes the need to “use all instruments of national power to deter adversaries from conducting malicious cyberspace activity that would threaten U.S. national interests, our allies, or our partners.” And the Pentagon highlights the importance of persistently contesting malicious cyber activity in day-to-day operations, including “defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions.”
Along those same lines, Grant Schneider, the Federal government’s chief information security officer, said in a statement late Thursday upon the release of the White House strategy that the Federal government “will never stop defending our interests,” and that “we will bring every element of American power to bear to protect our people in the digital domain.”
“In the face of growing threats, the Federal Government has the responsibility to do its part to ensure America has the best cybersecurity in the world,” he said, while asserting that “failures to prioritize cybersecurity by both government and industry have left our Nation less secure.” He said the White House policy document represents the “first fully articulated cyber strategy” for the U.S. since 2003.
White House National Security Advisor John Bolton said in a news conference on Thursday that “We’re going to do a lot of things offensively, and I think our adversaries need to know that.” He also said that the government’s hands were no longer “tied” on how the military will be allowed to respond to cyber attacks.
On Capitol Hill, reviews of the White House policy were somewhat mixed.
Sen. Mike Rounds, R-S.D., said he was “glad to see the admin. prioritize our nation’s cybersecurity and recognize the need for a strong deterrent that includes the use of offensive capabilities. Taking a more offensive approach to cyber-attacks will allow us to swiftly and preemptively address an imminent attack.”
Sen. James Lankford, R-Okla., said, “It is good for the US to finally have a National Cyber Strategy in place to secure critical networks, effectively deter & respond to bad actors, & protect our economy while promoting a free and open internet. This has been a significant need for years.”
Rep. Jim Langevin, D-R.I., found less to like. He said the White House policy “is in line with the bipartisan progress that has been made over the past two decades, it does not go far enough in accelerating the reforms that need to be made. Cybersecurity is the national and economic security challenge of the 21st Century, and it deserves a whole-of-government treatment. Unfortunately, the strategy is largely a restatement of recommendations that have carried through the last several Administrations.”
He referenced Bolton’s statement on offensive intentions, and said, “I agree that our adversaries need to know that we can–and will–challenge them in cyberspace. But as the country with the most innovative economy in the world, we must also acknowledge the abiding interest of the United States in encouraging stability in this domain.” He continued, “It is incontrovertible that we must respond to malicious activity violating well-established norms of responsible behavior, but that response must be whole-of-government and need not always include a cyber component.”
“I look forward to leading the cyber subcommittee’s collaboration with the administration to critically examine the key principles of the National Cyber Strategy,” said Rep. John Ratcliffe, R-Texas, in a statement. “We must define DHS’ specific role in its implementation, so we can ensure a robust approach is utilized to most effectively address our top cyber priorities both foreign and domestic.”