The New Cyber Strategy Frees Up U.S. Cyber Muscle. How Will It Be Flexed?

The White House has recently published its new National Cyber Strategy, rescinding an Obama-era memorandum Presidential Policy Directive-20 (PPD-20) that laid forth the process by which the United States would undertake cyber attacks against cyber foes, to include foreign state actors.  The Strategy consists of four primary pillars designed to guide how the United States will undergo defensive, and perhaps more importantly, offensive actions in order to preserve its interests in cyberspace.  Per the Strategy, the four pillars are:

• Protect the American People, the Homeland, and the American Way of Life. The themes in the first pillar focus on key aspects of U.S. homeland security to include critical infrastructure protection, securing federal networks, supply chain management, third party contractors, and improving incident reporting to mitigate the threat of cyber crime.
• Promote American Prosperity. This pillar focuses on technology that supports the digital infrastructure.  The themes of innovation, protecting intellectual property, designing and implementing next generation infrastructure, and developing and sustaining workforce capability to support the talent pipeline.
• Preserve Peace through Strength. The third pillar focuses on responsible state behavior in cyberspace and implementing deterrent strategies to influence state behavior. Such activities include building a credible deterrence strategy, imposing consequences to hostile actors, and countering influence operations.
• Advance American Influence. The fourth pillar addresses collaborating with other governments in order to make the Internet safer and more reliable.  Focus in on a multi-stakeholder approach involving government and private sector to come to consensus on topics such as Internet freedom and Internet governance.

The Strategy follows in line with the President’s May 2018 Executive Order that called for government agency cybersecurity audits designed to identify “areas of improvement, or areas where specific legislation would be needed.”  The EO primarily focused on defensive aspects of the larger cyber umbrella, focusing on federal agencies need to adopt the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, largely considered the gold standard for security guidelines.  The Government Accountability Office (GAO) has frequently given poor marks for cyber security to U.S. government agencies, and as observed in the recent U.S. State Department breach, challenges persist in improving agency cyber security postures.

Nevertheless, the part of the Strategy that has garnered attention – and correctly so – is the language that clearly removes the tethers that has traditionally restrained the United States from engaging in offensive cyber actions.  Where PPD-20 appeared to be hindered by interagency wrangling, the new Strategy makes it clear that the United States is unburdening itself from such bureaucratic wrangling positioning itself to launch counter attacks quickly and resolutely.  This shift in U.S. cyber policy comes at a time when Russian suspected involvement in the 2016 U.S. elections failed to elicit a “forceful response” either by the then-Obama or the current Trump Administrations, a frequent criticism levied by politicians.

There have been several iterations of a national cyber security strategy over the last decade.  The Clinton Administration had its National Plan for Information Systems, the Bush Administration had its National Strategy to Secure Cyberspace, and the Obama Administration had its Cybersecurity National Action Plan.  While there have been consistent themes in these strategies (e.g., an open and free Internet, the focus on critical infrastructure protection), the latest Strategy shows a more progressive evolution of thinking on how the cyber landscape has changed and how the United States needs to adapt to it.  Noticeably absent in the title is “security”; it is only the National Cyber Strategy, which accurately conveys the fact that “security” cannot be addressed independently without addressing how offensive actions can play a supporting role.  This is not to condemn or criticize past administrations’ strategies; cyber conflict has been evolutionary, and as such, requires each subsequent administration to review the prior one to ensure that it meets the needs and conditions of its environment.

And indeed, as cyber attacks have grown more prolific and increasingly severe, trying to figure out how to use counter attacks as punishment, retaliation, deterrence, or a combination thereof, is critical for governments.  Acknowledging that cyber threats are more than just disruptive/destructive attacks, but can leverage social media platforms, as well as regular and fabricated media outlets to spread propaganda, misinformation, and disinformation to influence targets, must be considered when determining a cyber retaliatory course of action.  Adversaries have typically not suffered any official punitive cyber response from the United States, which may serve to encourage follow on activities such as cyber spying, intellectual property theft, or undue influence operations.  The Strategy clearly articulates its intention to use all of its domestic and collaborative resources with like-minded states to immediately mitigate the threat.  There is no gray area open for misinterpretation.

Unquestionably, the ability for agile actions is necessary in a domain in which attacks happen instantaneously, and in which attribution can be murky at best.  Depending on the intent for conducting a punishing cyber retaliation, the ability to respond quickly to demonstrate that cyber hostility is not tolerated is critical.  However, one big caveat is that prior to launching a counter attack, is to ensure that striking back is done in an appropriate, proportional manner.  There is little doubt that the U.S. possesses the means and resources to conduct such counter strikes.  The biggest challenge for U.S. cyber retaliation – guaranteeing that the target is viable and not hiding behind some civilian façade or operating out of a third country.  The more the U.S. counters these activities, the more adversaries will invariably learn and adjust their operations accordingly, thereby balancing the scales again.  And all eyes will be on the U.S. once more seeing how it will react.

This is a guest blog post by Emilio Iasiello