On September 20, 2018, the White House released its new National Cyber Strategy, which details a four-pillar national cybersecurity plan. In a letter to the American people preceding the 26-page plan, President Donald Trump writes that the plan’s release was driven by the administration’s desire “to secure and preserve cyberspace for future generations.”
Why do we need a strategy? The introduction to the plan calls cyberspace “an inseparable component of America’s financial, social, government, and political life,” which is vulnerable to threats from “competitors and adversaries” who wish to exploit and attack the United States and its allies. The introduction specifically names Russia, Iran, and North Korea as examples of “adversaries” which have carried out cyber attacks that have harmed American and international businesses. With cyberspace playing such an important role in life and business in America, the plan urges the government and the people to commit to maintaining effective cybersecurity measures to ensure an “open, interoperable, reliable, and secure Internet” and safeguard against cyber attacks.
What does the strategy entail? The plan is split into four “pillars,” which are essentially goals the administration hopes to realize through its strategy. Each pillar contains specific actions the government will take in relation to the goal. Below are brief summaries of the pillars:
- Protect the American People, the Homeland, and the American Way of Life. The first pillar describes the administration’s plan to improve cybersecurity by tasking the Department of Homeland Security (DHS) with management and oversight of cybersecurity efforts, strengthening cybersecurity of third-party federal contractors, which are potential sources of leaks of protected information, securing critical infrastructure, incentivizing investments in cybersecurity measures, and working to improve incident reporting and the apprehension of cyber criminals located abroad.
- Promote American Prosperity. Focusing on the benefits that the Internet provides to the American people, the second pillar outlines a plan to incentivize the development and adoption of cybersecurity best practices, maintain strong intellectual property protections to foster innovation, protect the confidentiality of American information and ideas, and educate and develop future talent in the Federal cybersecurity workforce.
- Preserve Peace through Strength. Aimed at creating more cohesive cyberspace policies, the third pillar proposes a strategy to “enhance cyber stability through norms of responsible state behavior,” impose consequences on cyber attackers to deter future attacks, and launch an international Cyber Deterrence Initiative to help police cyber incidents.
- Advance American Influence. The final pillar is driven by the administration’s desire to remain an influential and innovative leader in fighting cyber issues. The pillar seeks to “promote an open, interoperable, reliable, and secure internet” by protecting and advocating for Internet freedom and fostering relationships with allies whose cyber capabilities can complement those of the United States.
How does the strategy affect the law? Although the report does not outline specific laws it plans to push as part of the new strategy, it states that the administration will “work with the Congress to update electronic surveillance and computer crime statutes to enhance law enforcement’s capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions, and impose appropriate consequences upon malicious cyber actors.” In other words, the administration is outlining a commitment to modernize cyber laws and their enforcement.
How is this different from the previous system? The new National Cyber Strategy, along with other efforts by the administration like a newly-released Department of Defense Cyber Strategy, authorizes a more offensive approach to cyber attacks against the United States and its allies. The main goal of the approach: deterrence. National Security Adviser John Bolton said in a September 20, 2018 statement that the strategy is the “first fully-articulated cyber strategy in fifteen years.” Bolton referenced a confidential counterpart to the Cyber Strategy, which “reinforces, in many respects, the rescinding of the Obama Administration directive on offensive cyber operations.” The directive referenced by Bolton is the Presidential Policy Directive-20, or the U.S. Cyber Operations Policy, which former President Barack Obama released in October 2012. According to the policy fact sheet, it aimed to exercise restraint when dealing with cyber threats by undertaking “the least action necessary to mitigate threats.”