Eager to demonstrate a commitment to cyber-security amidst criticisms over vulnerable US election infrastructure, the White House yesterday unveiled its National Cyber Strategy.
The plan is divided into four "pillars" of strategy: protecting the homeland by fighting cyber-crime and fortifying defenses, promoting American prosperity by adding cyber-jobs and defending intellectual property, preserving peace through strength by enforcing global cyber-norms, and advancing American influence, particularly by ensuring an open and secure internet.
In conjunction with the strategy’s release, White House National Security Adviser John Bolton reportedly affirmed in a press briefing on Thursday that the US will now ratchet up offensive countermeasures against nation-state-backed cyber-actors — a departure from the more conservative approach practiced under the previous administration.
One of the key objectives under the plan’s homeland protection umbrella is to secure federal networks by further centralising such efforts under the banner of the Department of Homeland Security, as well as placing an emphasis on supply chain risk management and strengthening federal contractor security.
A second objective is to defend critical infrastructure, with a point of emphasis on securing voting systems and data. "When requested we will provide technical and risk management services, support training and exercising, maintain situational awareness of threats to this sector, and improve the sharing of threat intelligence with… officials to better prepare and protect the election infrastructure," the document reads, adding that the government will also "continue to coordinate the development of cyber-security standards and guidance to safeguard the electoral process," as well as help with incident response in the event of an attack.
Additionally, homeland protection includes fighting cyber-crime, in part by modernising digital surveillance and computer crime laws to aid authorities, as well as working with other nations to coordinate on investigations and secure the apprehension and extradition of cyber-criminals.
In some instances, the document calls for a continuation or improvement of policies and services that were already established, although it is not always spelled out what specific steps must be taken to improve current efforts.
"Most government strategy documents tend to be underwhelming and this one is no different," said Dave Weinstein, VP of threat research at Claroty and a cyber-security fellow at the think tank New America, in emailed comments. "This isn’t a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones," he added, noting that critical infrastructure was one such area where "substance is a bit lacking."
On the other hand, he applauded the call for modernizing the criminal code, noting that the Computer Fraud and Abuse Act (CFAA) "is in desperate need of a refresh."
Some of the other notable directives found within the document include studying the benefits and risks of emerging technologies such as artificial intelligence and quantum computing; evaluating ways to improve digital identity management while addressing our "over-reliance on Social Security numbers"; and launching an international Cyber Deterrence Initiative led by a coalition of like-minded nations seeking to present a united front against nation-state attackers.
"This initiative has enormous potential to be successful if the right nations formally participate and equally contribute to its cause. I would expect to see the Five Eyes join in but it should extend even further, beginning with NATO member-states," added Weinstein.
"Cyberspace is an integral component of all facets of American life, including our economy and defence. Yet, our private and public entities still struggle to secure their systems, and adversaries have increased the frequency and sophistication of their malicious cyber-activities," said President Donald Trump in a letter accompanying the strategy document. "America created the Internet and shared it with the world. Now, we must make sure to secure and preserve cyberspace for future generations."
"The new US National Cyber Strategy is a great step forward and demonstrates a thoughtful interagency approach to protecting national prosperity and security in our information-enabled world," commented Gregory Touhill, president of Cyxtera Federal Group and former federal CIO under Barack Obama. "It builds upon the lessons learned from previous administrations and presents a solid approach to managing cyber-risk."
Calling the policy a "good step forward," Pravin Kothari, CEO of cloud security vendor CipherCloud, said that a more offensive approach on cyber "may be the best way to deal with advanced cyber-attackers based offshore in far-flung international locations. This way, sophisticated defenders can reach out to stop nation-state attackers and organised crime," especially considering that the "average business or municipality has no ability at any level to deal with these threats directly."
From a defence standpoint, however, Kothari cautioned that "the rubber hits the proverbial road below the policy level, and right now there isn’t much to work with. NIST [the National Institute of Standards and Technology] has put some good ideas in place, but the necessary technologies to shut down cyber threats are not being used by over 95 percent of businesses in the US."