On September 20, 2018, the White House released a new cybersecurity strategy with several important changes in direction meant to give government agencies and law enforcement partners a greater ability to respond to cybercrime and nation-state attacks. The new U.S. cyber strategy makes one message clear: America will not sit back and watch when attacked in cyberspace. On the contrary, in areas ranging from critical infrastructure to space exploration to intellectual property protection, the USA will respond offensively as well as defensively in cyberspace. As Justin Sherman, cyber policy researcher and student at Duke University, commented via email:
“An increased focus on deterrence is one of the most important aspects of the new U.S. cyber strategy: there is an entire section on attributing and deterring malicious cyberspace behavior, and there is specific language on building a Cyber Deterrence Initiative. This is related to the ‘defend forward’ terminology in the Department of Defense's new cyber strategy—a separate but related document. Deterrence of cyber activity doesn't necessarily have to occur through cyberspace alone, and the strategy reflects that.”
“Much of the document reaffirms the former stances of the Obama and George W. Bush administrations on Internet governance and cyber policy in general, and the strategy also discusses ongoing programs and initiatives throughout,” said Sherman. These include bolstering the cybersecurity workforce and working to strengthen the organizations that make up the country's "critical infrastructure" industries, including electrical operators and financial institutions. The only question is how best to implement it.
The four pillars of priority
The new strategy includes four main pillars of priority:
I: Protect the American People, the Homeland, and the American Way of Life by securing federal networks and information, securing critical infrastructure, combating cybercrime and improving incident reporting. This includes giving the Department of Homeland Security more oversight of civilian cybersecurity efforts and combating cybercrime by cooperating with other countries to track down cyber criminals.
II: Promote American Prosperity by fostering a vibrant and resilient digital economy, fostering and protecting U.S. ingenuity and developing a superior U.S. workforce. The administration says it will work with tech companies to promote cybersecurity testing in new products and “improve recruitment and retention of highly qualified cybersecurity professionals.”
III: Preserve Peace through Strength by enhancing cyber stability through norms of responsible state behavior and attributing and deterring unacceptable behaviors in cyberspace. The strategy says the administration will use “all instruments of national power” to deter cyberattacks and impose “swift and transparent consequences” against malicious actors. It also calls for a “Cyber Deterrence Initiative” made up of foreign allies to support each other’s responses to major cyberattacks.
IV: Advance American Influence by promoting an open, interoperable, reliable and secure Internet and building international cyber capacity by helping equip U.S. allies with cyber capabilities to address “threats that target mutual interests.”
Cyber Deterrence
The most important change is the shift toward a more offensive cybersecurity posture, following steady calls from Capitol Hill for a more offensive U.S. posture to counter nation-state threats. “We will identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving the United States’ overmatch in and through cyberspace,” National Security Advisor Bolton said in a press conference.
“We have authorized offensive cyber-operations that will be undertaken through the coordination process… not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear,” Bolton said.
The document also builds on efforts by the George W. Bush and Obama administrations to "name and shame" more cybercriminals and the countries that back them. It highlights the cybersecurity powers in U.S. agencies, with the Department of Homeland Security playing a growing domestic, consultative role in cyber defense and the Department of Defense taking a more robust offensive stance than before. The strategy codifies the ability of agencies aligned with the Department of Defense, like the NSA and military branches, to conduct offensive actions in cyberspace. This means these agencies will be able to go after the overseas sources of attacks more proactively. There has been a lot of discussion about hack-back operations, which can be risky: cybercriminals may stage their attacks from a neutral third party or a non-hostile country, making it more complicated for the U.S. to engage in cyber battles. These back-and-forth attacks can also cause damage to the infrastructure that supports the internet, particularly telecommunications providers.
Government Contractors
Pillar I includes two main areas of impact on government contractors – "Strengthen Federal Contractor Cybersecurity" and "Improve Federal Supply Chain Risk Management." Under this first area, implementation of the National Cyber Strategy will affect federal contractors in important ways. It envisions a more proactive government role in assuring that contractors' information systems are adequately protected.
Law enforcement and privacy
The strategy mentions in nearly every section that federal cybersecurity efforts hinge on support from private industry. The plan lays out seven industries that will have priority in terms of information sharing with government partners: "national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation." It also lends support for law enforcement agencies to decrypt the communications of suspected criminals: "law enforcement will work with private industry to confront challenges presented by technological barriers, such as anonymization and encryption technologies, to obtain time-sensitive evidence pursuant to appropriate legal process." This increasing focus on the role of American companies in combating cybercrime alongside government agencies can be problematic for companies that fall into any of these categories. That's because corporations must comply with privacy and security laws in all the countries where they operate, like GDPR, and not just in the United States. The above narrative is in full compliance with the Five Eyes initiative to create encryption backdoors in order to assist law enforcement agencies to combat criminality by monitoring private communications. Therefore, this high-level policy document does not provide a framework for respecting people’s privacy, quite the contrary, I would say.
Cyber workforce
The White House also recognizes the longer-term problem of building a workforce that is ready for and capable of cyber response. When only 21 percent of computer science majors and graduate students in U.S. universities are actually American nationals, there is an issue that needs the full engagement of the federal government as part of implementing a comprehensive cybersecurity strategy. Despite the recognized cyber workforce problem, the strategy does not mention any initiatives to counter this shortage, such as investing in STEM and cyber education at all levels of primary and secondary education.
Quantum technology, space and logistics
Finally, the plan recognizes that in the long term we need to deal with the challenge of future quantum technology. The White House expects tech start-ups and private industry to work with government agencies in how they develop artificial intelligence and quantum computing products that could help deter cyber threats. The strategy emphasizes cybersecurity in space, which gives new focus to increasingly worrisome cyber threats to capabilities like position, navigation and timing. In fact, Lt. Gen. (ret.) Kevin McLaughlin has commented on the need to examine whether space should be considered its own critical infrastructure sector. The boost given to maritime and transportation cybersecurity will likewise reinforce the Pentagon’s need to better assure its vulnerable logistics networks.
Some final thoughts and critique
There is no doubt that this document goes further than any previously articulated cybersecurity strategy for the United States. Gina Yacone, CEO of Shark Bye Solutions, commented via mail that although the document “can be considered a useful document, the U.S. must take cybersecurity strategy to the next level. America is at risk, and I would have liked to hear that the Government is committed to allotting a strong budget to defending our nation and creating thousands of jobs focused on the inevitable ‘war of keyboards.’”
This brings into discussion the implementation of the strategy. Justin Sherman highlighted that “As with any strategic document, it's now all about how the government implements it.” While some argue that “it does not go far enough in accelerating the reforms that need to be made,” “it's important to not overlook the beginning of the document, the ‘How Did We Get Here?’ section,” Sherman concludes. He goes on to say that “For years, the United States has released Internet- and cyber-related policy documents that depend heavily on the notion of a free, open, interoperable, secure and reliable global Internet.” “While this is nice in theory, the increasing centralization of Internet architecture, rollbacks of domestic net neutrality protections and a general increase in ‘bad’ flowing through the open Internet—from malware to hate speech to disinformation to child pornography—has slowly opened policymakers' eyes to the reality of the Internet: one where there must be some ‘middle ground’ balance cast between total openness and total security. The opening of the strategy importantly recognizes that the language the U.S. has depended upon for years may, in fact, need reconsideration if the country and its allies are to fight the restrictive, sovereign-controlled ideas of the Internet (censorship, etc.) pushed by the likes of China, Russia and Iran,” said Sherman.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.