New Wine in Old Bottles: The 2018 U.S. National Cyber Strategy
By Dr. Terry L. Thompson
On September 20, 2018, the White House published the National Cyber Strategy of the United States of America. This is the first update since the initial National Strategy to Secure Cyberspace was published in 2003. The new strategy maintains many of the principles and ideas contained in the original document while updating information on the cyber threat environment, research and development, critical infrastructure protection, and other topics. Most significantly, the new strategy defines “cyber” as an element of U.S. national power and includes the strongest declaratory policy the United States has ever made about response options to cyber attacks by adversarial nations.
The new strategy, like its 2003 predecessor, emphasizes the important role the Internet plays in the U.S. economy. It re-states the vision of an open, interoperable, reliable and secure Internet based on American technology that “would carry the universal aspirations for free expression and individual liberty around the world.” The strategy also maintains focus on the international aspects of cyber threats, emphasizing the importance of international partnerships in fighting cyber crime and responding to threats from foreign adversaries.
Russia, Iran, North Korea, and China are named as key adversaries in cyberspace. All are cited for conducting “reckless cyber attacks” against the U.S. and its allies as well as against international business. China is explicitly called out for its cyber theft of trillions of dollars of intellectual property through extensive cyber espionage. All four countries are responsible for using cyberspace as “a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains.”
While the 2003 strategy was organized around the need for improving America’s cyber defenses, the 2018 strategy is directly tied to the U.S. National Security Strategy (NSS) published in 2017. This linkage provides a broader scope than the previous focus on cyber security. As stated in the White House press release, the new strategy integrates cyber “into all elements of national power” rather than treating it as a separate topic. Implicit in this distinction is the potential use of cyber operations in a national conflict. This change in focus is reflected in the title: it is the national cyber strategy and not the national cybersecurity strategy.
The cyber strategy is organized into sections based on the four pillars of the NSS. Each section summarizes the NSS pillar as it applies to cyber, states an objective, and lists several action items. This format results in a strategy that is considerably shorter than the 2003 original (26 pages vs. 60 pages). It is more concise in its review of cyber threats and challenges, and more direct in the articulation of actions to be undertaken by the U.S. Government. View the White House press release about the new strategy.
Pillar I - Protect the American People, the Homeland, and the American Way of Life
This section is the longest in the document and contains three major focus areas: improving the Federal Government’s response to the evolving cyber threat environment; securing critical infrastructure; and combating cybercrime.
Improving government efficiency will be achieved through clarifying roles and responsibilities of federal agencies and enhancing federal risk management activities consistent with Executive Order 13800 of May 2017. Improving information sharing and consolidating information, technology, and communications (ICT) services among federal agencies will also help improve overall security.
Strengthening cybersecurity among federal contractors is a noteworthy priority in this section. A review of risk management practices will be required in all federal contracts, especially for companies dealing with research and development (R&D) for the Department of Defense. Federal contractors will also be provided with “relevant and shareable threat and vulnerability information” to add to their knowledge of cyber threats. A further enhancement will be initiated by the National Institutes of Standards and Technology (NIST), tasked with developing public-key cryptographic algorithms able to withstand attacks by quantum-computing enabled technology.
The discussion about critical infrastructure focuses on improving threat reduction to America’s critical infrastructure by developing more effective deterrence policies and by relying on Internet service providers to improve overall cybersecurity across networks. The National Critical Infrastructure Security and Resilience Research and Development Plan will be updated to include revised priorities for dealing with cyber risks to critical infrastructure.
Protecting America’s democracy is an important action item in Pillar I. The U.S. Government will, upon request from individual states, provide cybersecurity advice, training, and support to help protect the U.S. election infrastructure.
Improving cybersecurity for the transportation and maritime sectors is an important action in Pillar I because of the critical role of these sectors in the national and global economies. Space is also called out for improved cybersecurity because of U.S. reliance on satellites for key national security functions such as global positioning, intelligence, surveillance, and reconnaissance, and weather monitoring.
Cybercrime is the final topic in Pillar I. To address the constant and growing threat of cybercrime in the U.S., the new strategy calls for improved cybercrime laws, increased pursuit and prosecution of international cyber criminals, and enhanced collaboration between U.S. and international law enforcement organizations. Of note, the new strategy also supports the Council of Europe Convention on Cybercrime (“Budapest Convention”), a 2004 treaty designed to improve international law enforcement cooperation. The United States is one of 61 signatories to this legally binding treaty and the new strategy advocates expanding the number of member nations.
Pillar II - Promote American Prosperity
The three sections in Pillar II focus on increasing innovation and ingenuity in the technology sector and building an effective cyber workforce. The first section addresses the need for continuing innovation in ICT technologies and infrastructure, specifically the evolution and security of 5G and related next-generation technology. To encourage innovation, policy barriers that may inhibit cross-industry collaboration will be eliminated and increased information sharing encouraged. Additional focus on building cybersecurity into new technologies and a “cybersecurity lifecycle” approach and “foundational engineering practices’’ will be promoted to ensure security is considered as part of the design and development processes. The U.S. Government will also encourage regular testing of ICT products to ensure improved security and resilience.
Fostering and protecting ingenuity is the second section of Pillar II. The emphasis here is on protecting intellectual property through updating processes used to evaluate foreign investments in the U.S., by enforcing protections on patents, trademarks, and copyrights, and by preventing adversarial countries from taking advantage of American research and development.
Capacity building, the third section in Pillar II, focuses on developing the U.S. cyber workforce through improved education, merit-based immigration, and retraining American workers. The U.S. Government will continue using the National Initiative for Cybersecurity Education (NICE) to hire people for government cybersecurity positions and will explore giving the Department of Homeland Security (DHS) an expanded role in training federal cyber specialists.
Pillar III - Preserve Peace Through Strength
The shortest section of the new strategy is the most significant departure from the 2003 strategy and links cybersecurity directly to national security. A statement in the initial paragraph clarifies that:
Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power.
Later, the document includes the strongest declaratory policy the United States has ever issued about possible responses to cyber attacks by adversarial nations:
All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States. This includes diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities. The United States will formalize and make routine how we work with like-minded partners to attribute and deter malicious cyber activities with integrated strategies that impose swift, costly, and transparent consequences when malicious actors harm the United States or our partners.
These two statements are followed by a discussion of a new “cyber deterrence initiative” to be developed with allies and partner nations. This initiative will focus on developing strategies to provide mutual support to respond to malicious cyber activities, improve intelligence sharing, and impose consequences against malicious actors.
Preserving peace through strength also includes the use of “all appropriate tools of national power to expose and counter the flood of malign influence and information campaigns and non-state propaganda and disinformation” in cyberspace while at the same time “respecting civil rights and liberties.”
Pillar IIII - Advance American Influence
The discussion and actions in this section of the new strategy reflect long-standing U.S. principles about cyberspace. Promoting a free, open, interoperable, and reliable Internet has been stated in many documents, most notably the 2011 International Strategy for Cyberspace. This principle reiterates the policy the U.S. has taken in global cybersecurity forums for the past 15 years and contrasts with authoritarian countries who “view the open Internet as a political threat.”
Related to the concept of a free and open Internet is the need for “multi-stakeholder” governance. As defined by the United Nations and International Telecommunication Union (ITU), the multi-stakeholder
model of Internet governance includes governments, industry, civil society, non-governmental and other international organizations, academia and other entities, all of whom have an interest in how the Internet operates. In contrast, the “multinational” model of Internet governance and the related concept of “Internet sovereignty” are actively promoted by China, Russia and other authoritarian regimes. The fact that the strategy not only reiterates support for the multi-stakeholder model but also commits the United States to work with the international cybersecurity organizations the Internet Corporation for Assigned Names and Numbers (ICANN), the ITU, and the Internet Governance Forum (IGF) is significant since the U.S. has sometimes been in opposition to especially the ITU in Internet governance policy.
International capacity building is the second focus area of Pillar IIII and the final section of the strategy. This topic is related to the earlier discussions about working with allies and partners to promote a free and open Internet and to engage in multilateral cyber deterrence. The strategy commits the United States to continue to help countries develop and enhance their national cybersecurity programs.
The 2018 National Cyber Strategy is a major statement about U.S. challenges, policies, and initiatives in cyberspace. It supersedes the original 2003 national cybersecurity strategy, updating information about the cyber threat environment, committing the government to improved efficiencies and management of national cybersecurity, and articulating a new cyber deterrence strategy. At the same time, the new strategy maintains the basic principles of a free and open Internet to support the global exchange of information and economic development and promises to continue helping like-minded nations in the development and improvement of their cybersecurity posture and programs. It also reiterates the need to include allies and partners in the U.S. national effort. Most significantly, by placing the new strategy into the context of the 2017 National Security Strategy, cybersecurity and cyber operations have officially become important elements of U.S. national power.
Dr. Terry Thompson is a lecturer in cybersecurity at the Johns Hopkins University and University of Maryland, Baltimore County. He is a regular contributor to the NCMF blog.