Unveiling its National Security Strategy on Monday, the Trump administration’s plan asserts that America’s response to cyber challenges will “determine our future prosperity and security.”
Drilling down into more granular levels of “priority actions,” the strategy lays out five directives that can be taken to help keep America safe from cyberthreats:
- Identify and prioritize risk.
- Build defensible government networks.
- Deter and disrupt malicious cyber actors.
- Improve information sharing and sensing.
- Deploy layered defenses.
Additionally, the document also outlines three areas in which enhancing cyberspace capabilities can contribute to “peace through strength,” the third overall pillar of the strategy: improve attribution, accountability and response; enhance cyber tools and expertise; and improve integration and agility.
While many of these statements sound like a step in the right direction, much of the administration’s actions to date do not match the bluster in the document, according to Tarah Wheeler, an information security researcher and cybersecurity policy fellow at the New America Foundation.
Wheeler told Fifth Domain that policies such as the federal hiring freeze and efforts that have stymied the building of cyber norms with the international community do not get at the priority actions listed in the strategy.
She added that there’s a lot more hostile language in this strategy than previous administrations and a lot less on partnerships.
Brian Fonseca, director of the Jack D. Gordon Institute for Public Policy at Florida International University’s Steven J. Green School of International and Public Affairs, told Fifth Domain that the Trump administration’s document does get more tactical than past administration’s with the priority action portions.
Fonseca added that the document goes a step further than other strategies expanding the threat space to include the cognitive ― social media, information ― as opposed to critical infrastructure. This, he said, could be a tip to the interference of Russians in the 2016 presidential election.
He also explained that in the cyber context there was an undertone of “America First,” Trump’s campaign slogan, taking more of a homeland security and protection stance to cyber.
In a military context, the strategy stated it would “improve the integration of authorities and procedures across the U.S. government so that cyber operations against adversaries can be conducted as required.”
Many commanders have complained that cyber authorities, which in the past have been governed at the presidential level and delegated down, have been too restrictive.
“In areas of declared hostilities with a standing execution order, the approval to execute timeline for offensive cyber operations has compressed significantly,” Gen. Raymond Thomas, commander of Special Operations Command, said during an AUSA hosted event Dec. 13. “This is a huge improvement. But, and I know those who work in cyberspace will agree with me, it is still far to slow. The limiting factor for cyber effectiveness continues to evolve around policy and process.”
Trump, in other traditional military contexts, has pushed authorities that rested at higher levels during the previous administration down to lower levels of the military.
“Our leaders recognize this problem,” Thomas added. “Our process to improve cyber operations is detailed and lengthy.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.