The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy. The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future. Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and sees the public and private sectors working together to mitigate cyber risks.
White House National Cyber Strategy
The National Cyber Strategy outlines four broadly defined “pillars”:
- Defend the homeland by protecting networks, systems, functions and data;
- Promote American prosperity by nurturing a secure, thriving digital economy and fostering domestic innovation;
- Preserve peace and security by strengthening the ability of the United States and its allies and partners to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
- Expand American influence abroad to extend the key tenets of an open, interoperable and secure Internet.
These pillars would not seem out of place in either an Obama or Bush Administration document, and, indeed, the Strategy is more about continuity of approach than dramatic change. Beyond this, while this piece does not summarize the entire 40-page document, it is worth highlighting a few aspects here:
- Increased Cybersecurity Measures for Federal Contractors: While much of the Strategy’s first pillar either continues or builds on existing initiatives, its stance with respect to the vetting of federal contractors who host federal data is more aggressive than existing approaches. In particular, the Strategy notes that relevant contracts should allow agencies to assess data security along the supply chain by reviewing Federal contractor risk management practices and responding to incidents on contractor systems.
- Foreign Investment and Cyber Workforce: Emphasizing themes that have attracted much attention over the past couple of years, the second pillar of the strategy strongly endorses both updating mechanisms to review foreign investment and operation in the United States and investing in the development of a superior cybersecurity workforce.
- Focus on Legal Development and Reform: In a couple of places, the Strategy recognizes the importance of developing an international and domestic legal architecture for cyber operations. Specifically, the Strategy called for reforms of domestic surveillance and computer crime laws to better enable detection, disruption, and accountability, while simultaneously – and perhaps more surprisingly – calling for the development of a “framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity.”
- Attribution and Deterrence: Finally, the plan makes a point to call for the attribution and deterrence of unacceptable cyber behavior, certainly a goal of both the Bush and Obama Administrations. To do so, the Strategy calls for the launch of an International Cyber Deterrence Initiative under which the United States, in conjunction with a coalition of like-minded nations, will take steps to address malign actors.
Summary of DoD Cyber Strategy
Not surprisingly, the summary of the DoD Cyber Strategy is primarily focused on securing military infrastructure and preserving the U.S. military’s ability to fight and win wars in any domain. Under the plan, which will not be unfamiliar to those who have followed the development of the Pentagon’s cyber strategy over time, the DoD also seeks to preempt, defeat or deter malicious cyber activity targeting U.S. critical infrastructure, and to work with allies to strengthen cyber capacity and facilitate information sharing.
Of particular note, the Strategy states that the Department of Defense is prepared to “defend forward to disrupt or halt malicious cyber activity at its source.” While the precise meaning of the concept “defend forward” is unclear, it may contemplate cyber operations outside U.S. networks and outside the context of armed conflict. Along with the reporting that the Trump Administration has relaxed the interagency process the Obama Administration had in place to vet certain cyber operations, this raises a number of key questions about such “defense forward” activities. What type of operations will be undertaken and in response to what threats? Where will the operations occur? Who will have the authority to approve them? And what agencies will be involved in vetting the operations? As the above description suggests, such operations raise interesting questions under both domestic (concerning, among other things, the separation of powers) and international law, and it will thus be worth watching whether the Trump Administration provides more information on this potentially important development.