The White House cyber strategy: words must be backed by action

To some fanfare, the White House announced a national cyber strategy last week. It breaks little new ground but still sends an important message that cyber continues to be a priority. Now action is needed to ensure it doesn’t become shelf-ware.

The Trump administration claimed this was the first such strategy since 2003 when President George W. Bush issued the National Strategy to Secure Cyberspace. That’s a little misleading. Though it wasn’t styled as a ‘strategy’ President Barack Obama issued a detailed cyberspace policy review within four months of taking office. He released the first international cyberspace strategy in 2011 and issued multiple cyber-focused executive orders and a cybersecurity action plan in 2016.

And my old office at the State Department, pursuant to a Congressional mandate, produced a wide ranging cyber strategy in 2015 that was far more detailed than this one. But every administration wants to claim it’s doing something new and different with little credit to what’s come before, so the branding here is hardly surprising. The new document is still very important because threats in cyberspace are increasing and it clearly defines this administration’s cyber policy. It doesn’t discard work and policy but builds on it.

The strategy comes almost two years into this administration, and a full year after a myriad of detailed reports were due from a host of federal agencies pursuant to the president’s executive order on strengthening cybersecurity last May. Those reports spanned the gamut from enhancing the cyber workforce to international engagement and deterrence in cyberspace.

Given the scope of those reports, one might assume that a strategy composed of their findings would be detailed and groundbreaking. With few exceptions however, it’s not. Instead it’s very high level, lacks detail and often restates past policies. In some areas, like articulating roles and responsibilities for federal agencies, it punts the hard issues, saying instead that these will be worked out in the future.

Hard as it is, defining roles and responsibilities, and who’s in charge of what, is central to an effective strategy. I expect that, as in the past, internecine turf wars (certainly not unique to cyber) made this too difficult. Still, if the National Security Council has a unique strength, it’s in resolving interagency battles. That’s become, I expect, a more difficult task given the abolition of the White House cyber coordinator role, and it’s disappointing that this could not be achieved with this document.

But, there’s a lot to like in this strategy even if it lacks real detail and often resorts to vague platitudes. It restates much of the US cyber canon, including the importance of internet freedom and the central role of multi stakeholder internet governance, welcome pronouncements to our allies and partners. That’s even more important now when attacks on the press and claims of ‘fake news’ often dominate the headlines and call into question our commitment to these ideals and when countries including China and Russia advance a contrary agenda of absolute internet sovereignty.

The strategy also sounds familiar themes on issues including the importance of battling cybercrime, concern about supply chain vulnerability, the need to strengthen cyber defences and the importance of public-private partnerships—all motherhood concepts of cyber doctrine. Condemnation of attempts by bad state actors to undermine our democracy is also welcome in the light of the president’s second guessing of Russia’s involvement.

Consistency with past practice shows we’re building on accomplishments and sends a strong message of continuity to our public and our partners. The very fact that the strategy’ been released sends a message that cyber continues to be a national priority. That’s especially helpful in light of the revelation in Bob Woodward’s book that the president characterised this area as ‘cyber sh*t’. Perhaps my favourite line in the strategy is ‘[c]yberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power’.

One of the critical shortcomings of past cyber policy is that senior decision-makers treat it as a bright shiny object that’s the purview of the technical rather than the policy community. I’ve long argued that integrating cyber as a core issue of national and economic security is fundamental to making real progress. Pretty words are one thing and action another. If the president doesn’t prioritise this area with resources and actions, or if he continues to undercut the messaging on Russian malign activity, all the words in the world will have little effect.

Some new points are noteworthy, but perhaps in tension. For one, the strategy includes the launch of an international cyber deterrence initiative and on the other, a relaxation of the rules governing retaliation, referenced in the strategy but largely articulated in National Security Advisor John Bolton’s ‘cyber-rattling’ comments at its launch.

I’m pleased that the strategy continues to emphasise the need for a cyber stability framework built, among other things, on voluntary norms of state behaviour, and for international engagement and capacity building. These have been staples of the US international program and leadership for many years. I was also happy to see an emphasis on deterrence, including aspiring to impose ‘swift, costly and transparent consequences when malicious adversaries harm the US or its partners’. That’s something, as I have written before, that we’re still not very good at.

While we’re getting better at naming and shaming some of those responsible for cyber events, that’s not sufficient to deter actors like Russia or North Korea. Real consequences for bad state behaviour that will affect their decision making is still desperately lacking. That creates the ‘norm’ that such bad behaviour is acceptable–or at least cost free.

The strategy seeks to address this, in part, through a new international cyber deterrence initiative that recognises that: ‘[t]he imposition of consequences will be more impactful and send a stronger message if it is carried out with a broader coalition of like-minded states.’ It seeks to build a coalition to collectively respond to shared threats by, among other things, coordinating responses, sharing intelligence, buttressing attribution, supporting each other’s responses and, most significantly, engaging in ‘joint imposition of costs against malign actors’. This emphasis on collective action and partnerships is a welcome counter to the prevailing narrative of ‘America alone’.

None of this is easy. Sharing information and coordinating action among disparate bureaucracies is difficult in the best of times but the building of this coalition was underway long before I left the State Department. This strategy gives it a welcome boost at a critical time. As the document was released, a large, multi-agency US delegation, and the delegations of numerous allies and partners, attended the Singapore International Cyber Week conference. It was a timely opportunity to progress this important initiative.

The other major development, that often overshadowed the strategy itself in media coverage, was Bolton’s statement that the rules governing the use of offensive cyber tools had been relaxed and that the White House ‘has authorised offensive cyber operations’ against US adversaries. The extent to which the rules have been relaxed and the nature of such operations remain unclear.

Like the 2011 International Strategy for Cyberspace, the new strategy says that all tools of national power, diplomatic, law enforcement, economic, cyber and military, can be used to respond to a cyber incident. Offensive cyber operations are an important part of this arsenal and their use in the right circumstances, consistent with international law, makes sense.

However, there are many unanswered questions, and some answers may have a negative impact on the international cyber deterrence initiative. Presumably this move does not mean that offensive cyber operations will be a tool of first resort. They should be reserved for when they are most effective. It’s widely accepted that the best response to a cyberattack is often not a cyber one. Cyber tools must be integrated into all our capabilities and not seen as some sort of magic button, particularly given that their use involves a fair amount of pre-planning. And despite the borderless nature of cyberspace, there’s a difference if such tools are used in adversary space or if they’re used to disrupt an adversary’s activities in neutral or friendly territory.

In an adversary’s space, the primary issue is escalation and that can be overcome with direct messaging. In third party space, unilateral cyber actions run the risk of damaging the alliances needed to take collective action against cyber and other threats, essentially making an international cyber deterrence initiative more difficult.

There may be times when the US needs to take unilateral action but in other cases it may be better to ask allies to employ their capabilities. How these diplomatic and partnership issues will be weighted and resolved in the new structure Bolton described is unclear, particularly when it’s reported that interagency consideration of these operations has been significantly curtailed. But failure to properly assess these issues risks the loss of the ability to respond collectively to incidents in the long term.

Inadvertent consequences, potential collateral damage, possible loss of control and retaliation and escalation must all be considered. Again, it’s not clear how the new structure will consider these issues. We need to develop and use these capabilities as part of an overall deterrence regime—but it’s important that they be integrated and balanced as one of many strategic responses.

The 2003 National Strategy to Secure Cyberspace was a generally good document and groundbreaking in its time. Yet, it was soon largely treated as shelf-ware, in part because folks were not ready to treat cyber as a priority and in part because there wasn’t consistent high-level implementation or emphasis. The new White House cyber strategy bears a lot of similarities to that document and, while cyber is now clearly in the mainstream, I fear it too will become little more than a collection of good words unless there’s a robust implementation plan, adequate resources and cybersecurity is made a real priority by the president himself.

While I’m heartened by innovations like the cyber deterrence initiative, actions like the slashing of funding undermines strong language in the strategy that capacity-building is vital. The cyber coordinator role in the White House has been abolished when the strategy suggests we need it most. And, 14 months after I left the State Department, it still hasn’t reestablished a high level cyber position despite the evident need for it made clear by the strategy. I want us to be effective. I want us to better deter cyber threats using all the tools at our disposal. We cannot afford to ignore this issue or be complacent and while a new strategy is an important milestone, it must be followed by concerted action and a real implementation plan.