The White House published a comprehensive National Cyber Strategy detailing how the Trump administration aims to improve cybersecurity in government, critical infrastructure and the private sector, as well as tackle cybercrime and international issues.
The National Cyber Strategy builds upon the cybersecurity executive order signed in May 2017 and the subsequent security audit reports submitted by federal agencies. The White House claims this is "the first fully articulated National Cyber Strategy released in 15 years." However, Bryson Bort, fellow at the National Security Institute and CEO of Scythe, said that wasn't exactly right.
"A Cybersecurity Sprint in response to the OMB compromise was enacted [in 2015] to attempt to immediately shore up federal networks, but this dragged on and very little was accomplished. The [Cybersecurity Strategy and Implementation Plan] was released to federal government in 2015," Bort wrote via email. "The [Cybersecurity National Action Plan] was released in 2016 directing a commission to develop a plan and strategy. OPM released a workforce strategy in 2017. The position of National Cyber Coordinator was created by the previous administration and discontinued under [President Donald] Trump this year."
The 26-page document was broken up into four main "pillars" covering topics in cybersecurity and cybercrime, fostering the digital economy and workforce, cyber deterrence, and international governance.
The first pillar included goals to improve cybersecurity in the federal supply chain, among third-party contractors -- which have been at the root of multiple government leaks -- and in critical infrastructure, as well as to improve incident reporting and the apprehension of cybercriminals.
"The Administration will clarify the roles and responsibilities of federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response," the White House wrote in the National Cyber Strategy. "Clarity will enable proactive risk management that comprehensively addresses threats, vulnerabilities, and consequences. It will also identify and bridge existing gaps in responsibilities and coordination among federal and non-federal incident response efforts and promote more routine training, exercises, and coordination."
Bort noted the Strategy also plans to give the Department of Homeland Security (DHS) more responsibility for federal civilian cybersecurity, a move which might render the currently vacant role of federal CISO "obsolete."
"The biggest item on there in terms of lift was something I haven't seen commented on elsewhere. They want to create a federal civilian Defense Information Systems Agency equivalent," Bort wrote. "DHS will deliver 'shared services and infrastructure' for all non-Department of Defense and Intelligence Community agencies. Ironically, DISA may be getting disbanded on the DOD side."
The White House wrote that the DHS should have "appropriate access to agency information systems for cybersecurity purposes and can take and direct action to safeguard systems from the spectrum of risks" and have "appropriate visibility into those services and infrastructure to improve United States cybersecurity posture."
The second pillar of the National Cyber Strategy pushed goals to invest in next-generation infrastructure, protect American trade secrets, and educate and reskill the workforce. One specific item in this section noted the government would "evaluate how to improve the end-to-end lifecycle for digital identity management, including over-reliance on Social Security numbers."
The third and fourth pillars of the National Cyber Strategy concerned international cyber norms for "responsible state behavior," protecting internet freedom and interoperable communication infrastructure, promoting a "multi-stakeholder model of internet governance," and building a "Cyber Deterrence Initiative."
"The imposition of consequences will be more impactful and send a stronger message if it is carried out in concert with a broader coalition of like-minded states. The United States will launch an international Cyber Deterrence Initiative to build such a coalition and develop tailored strategies to ensure adversaries understand the consequences of their malicious cyber behavior," the White House wrote. "The United States will work with like-minded states to coordinate and support each other's responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors."
Reactions to the National Cyber Strategy
Gregory Touhill, president of Cyxtera Federal Group and former federal CISO, had praise for the National Cyber Strategy.
"The new National Cyber Strategy is a great step forward and demonstrates a thoughtful interagency approach to protecting national prosperity and security in our information-enabled world," Touhill wrote via email. "It builds upon the lessons learned from previous administrations and presents a solid approach to managing cyber risk."
Bort said the National Cyber Strategy was "the most comprehensive cybersecurity strategy document ever published."
"It firmly states a vision of the United States as ensuring a secure internet by cooperation or force. It reads like a response to former NSA Director Admiral Mike Rogers' February Congressional testimony where he acknowledged current constraints in responding to the active threat landscape the U.S. faces," Bort wrote. "The message appears to be: you will see an American Flag planted on your scorched computers."
Pravin Kothari, CEO of cloud security vendor CipherCloud, based in San Jose, Calif., said the Strategy "is a good step forward," but added that "the details count."
"Cyberdefense is all about choosing specific technologies and implementing them with speed and the right human capital. The rubber hits the proverbial road below the policy level and right now there isn't much to work with," Kothari wrote via email. "The other important change is the notion of going on offense at the national level to protect our government and business entities. Offense may be the best way to deal with advanced cyberattackers based offshore in far-flung international locations. The government needs to step up and we're glad to see it happen. All of this aggressive defense must happen in the context of the rule of law and with the cooperation and alignment of our allies. There is no other way forward."