Trump Releases a National Cyber Strategy: Praised by Some, Feared by Others

By: Marielena Reyes

On September 20, 2018, the Trump Administration revealed the first cyber strategy report since 2003, according to the White House’s Federal Chief Information Security Officer.^[1] The “National Cyber Strategy” (“report”) centers around governmental protection of federal networks and critical infrastructures against foreign actors.[2] The report outlines the White House’s prioritization of cybersecurity across the whole nation, which will increase its ability to combat malicious international actors from cyber-attacks.[3]

In order to accomplish these goals, the report focuses on four main pillars, which are the 1) protection of the American people and our American way of life 2) promotion of American property 3) preservation of peace through strength, and the 4) advancement of American influence.[4] Specifically, the strategy seeks to secure government systems, encourage investments in cyber technologies and innovation, develop a cybersecurity workforce, ascribe and deter “unacceptable behavior in cyberspace,” and promote an open and interoperable internet.[5]

The report also outlines the Cyber Deterrence Initiative, where the U.S. will work with other countries to develop strategies to identify and impose costs on malicious actors.[6] Moreover, the report states that the Trump Administration wishes to give the U.S. Department of Homeland Security more flexibility over federal civilian networks and the ability to exchange more threat data with the telecommunications industry.[7] It’s important to note that the document revealed that the Trump Administration will work closely with Congress to “update the electronic surveillance and computer crime statutes to enhance law enforcement.” [8]

The report follows after a litany of strategic moves initiated by the Trump Administration to prioritize cybersecurity.[9] Among other things, President Trump initially established cybersecurity as a main issue during his 2016 presidential election.[10] In addition, five months after assuming office, President Trump signed Executive Order 13800, which mandated federal agencies to be guided by the National Institute of Standards and Technology (“NIST”) framework in order to develop cybersecurity risk management and IT modernization in the executive branch.[11] In addition, the executive order sought more efficient mechanisms to support and defend the nation’s critical infrastructures, and required a report from executive department heads to develop a strategy to deter adversaries from cyber-attacks.[12] Then in June 2018, the Trump Administration announced that the Department of Defense and the Pentagon were to establish “Space Force,” which will be a sixth branch of the Armed Forces and tasked with supervising launches and U.S. satellites. [13] Despite the need for congressional legislation to approve such a branch, the president has been consistently pushing its creation and establishment.[14]

While the report appears to be mainly defensive in measure, many commentators have said that the cyber strategy could allow for more offensive cyber action against nation states who engaged in cybercrime.[15] This theory was further legitimized when National Security Advisor John Bolton confirmed, but withheld specifics, that President Trump had rolled back a presidential policy directive (“PPD-20”) enforced by the former president, Barack Obama.[16] The directive mandated a complex set of interagency processes that governed offensive cyber operations.[17] In other words, the policy mandated that U.S. agencies receive approval from various stakeholders across the federal government prior to initiating offensive operations.[18] The policy was previously classified and then famously leaked by Snowden in 2013.[19]

As of late, the Trump Administration has clearly taken strides to prioritize the nation’s cybersecurity.[20] After several high profile cyberattacks, a tougher comprehensive strategy for U.S. responses are needed.[21] In recent years, China, Russia, Iran, and North Korea have dramatically increased their cyber capabilities by weaponizing computers to hack U.S. companies, shut down electric grids, paralyze large scale utilities, and shut down critical infrastructures.[22] Moreover, many countries are now becoming cyber power houses who have dedicated cybersecurity task forces to address these very issues.[23] Unfortunately, the sophistication and use of technology to initiate cyber-attacks will only continue to increase and in some instances, will demand an immediate response from the U.S.[24] By unifying command and personnel with one goal in mind, the federal government could have a better chance of combating a highly militarized digital world as compared to the frequent bureaucratic battles that lay within the hierarchies of the Army, Navy, and Air Force.[25]

Moreover, the report recognizes that cyber security has to be integrated at all levels of the federal government.[26] In turn, this could directly impose more aggressive oversight of contractors, supply chain management, and the federal workforce in general.[27] Many of these contractors being companies that are in the private sector.[28] This could result in businesses having to invest a substantial amount of money in upgrading cybersecurity measures, whether it be by hiring specialist, training their workforce or integrating more sophisticated equipment.[29]

Although some are suggesting the cyber strategy report is not effective, many consider this a step in the right direction in combating malicious actors both defensively and offensively.[30] Nevertheless, the Trump Administration continues to move forward in making cybersecurity resiliency more than a wishful term, but an achievable reality.

^[1] See Jessica Kim Cohen, President Trump Releases National Cybersecurity Strategy, Becker’s Hosp. Rev. (Sept. 24, 2018), https://www.beckershospitalreview.com/hospital-management-administration/president-trump-releases-national-cybersecurity-strategy.html.

[2] Id.

[3] See National Cyber Strategy of the United States of America, The White House (Sept. 24, 2018), https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.

[4] Id. at 3–4.

[5] Id. at 21.

[6] See id.

[7] See id. at 6.

[8] Id. at 11.

[9] See Christopher Fonzone, A Flurry of Recent Cybersecurity Activity from the Trump Administration, Lexology (June 25, 2018), https://www.lexology.com/library/detail.aspx?g=c9a032f7-fae9-498a-8088-62f4b0d28ffc (referring to President Trump’s Cybersecurity Executive Order, advocacy of Space Force, rollback of Obama’s policy directive, loosening restrictions of Cybercom, and more. )

[10] See Cohen, supra note 1.

[11] See Fonzone, supra note 9.

[12] See id.

[13] See Rachel Becker, Trump Directs DOD to Establish a Space Force a Surprise Announcement Today, The Verge (June 18, 2018, 1:08PM), https://www.theverge.com/2018/6/18/17475466/trump-space-force-announcement-national-space-council; see also James Stavridis, The U.S. Needs a Cyber Force More Than a Space Force, Bloomberg Op. (Aug. 14, 2018, 7:00AM), https://www.bloomberg.com/view/articles/2018-08-14/u-s-needs-a-space-force-and-a-cyber-force.

[14] See Stavridis, supra note 13.

[15] See Marianne Kolbasuk McGee, White House National Cyber Strategy: An Analysis, Bankinfo Sec. (Sept. 26, 2018), https://www.bankinfosecurity.com/white-house-national-cyber-strategy-analysis-a-11558.

[16] See Derek B. Johnson, White House Rolls Out New National Cyber Strategy, FCW (Sept. 20, 2018), https://fcw.com/articles/2018/09/20/wh-cyber-policy.aspx.

[17] See id.

[18] See id.

[19] See Chris Bing, Trump Administration May Throw out the Approval Process for Cyberwarfare, Cyberscoop (May 2, 2018), https://www.cyberscoop.com/ppd-20-white-house-national-security-council-cyber-warfare-tactics/.

[20] See Fonzone, supra note 9.

[21] See Lily Hay Newman, The Worst Cybersecurity Breaches of 2018 So Far, The Wired (July 9, 2018, 7:00AM), https://www.wired.com/story/2018-worst-hacks-so-far/.

[22] See National Cyber Strategy, supra note 3 at 1–2.

[23] Id. at 2.

[24] Id. at 1.

[25] See id.; see also Stavridis, supra note 13.

[26] See Jason Miller, National Cyber Strategy: 4 things Agencies, Vendors Should Know About, Federal News Radio (Sep. 24, 2018, 12:43PM), https://federalnewsradio.com/reporters-notebook-jason-miller/2018/09/national-cyber-strategy-4-things-agencies-vendors-should-know-about/.

[27] See id.

[28] See id.

[29] See id.

[30] See McGee, supra note 15.