There seems to be a general consensus that the new cyber strategy is a continuation of existing policy. However, the us-versus-them approach the strategy takes could pose a problem.
It has been just over weeks since the White House released its National Cyber Strategy. The general consensus seems to be that it is largely a continuation of existing policy. Former State Department Cyber Coordinator Chris Painter argues that “consistency with past practice…sends a strong message of continuity to [the U.S.] public and partners.” Former White House Cybersecurity Coordinator Michael Daniel said on Twitter that the consistency of approach demonstrates that cyber is a nonpartisan issue.
The main quibble with the document is that it lacks detail. For a long laundry list of actions the U.S. government will undertake, my colleague Rob Knake points out that the strategy says little about which organization will take the lead on what priority area, the timeframe for delivering on an objective, or any other metrics that could keep government accountable.
I’m not one to contradict those with decades of experience managing cyber issues within the U.S. government. They are far more knowledgeable about the ins-and-outs of interagency battles, the challenge of putting a comprehensive strategy together, and aligning roles and responsibilities with Congressional mandates, staffing, and funding than I am.
One thing that is striking, however, is the document’s tone and how radically it departs from Obama-era cyber strategies. The Trump administration’s approach frames cyber-based threats as posing an almost existential threat to the United States. Cybersecurity is vital to protecting “the American way of life.” There’s no doubt that cybersecurity is an important national security issue, but the consequences of getting it wrong are nowhere nearly as grave as WMD proliferation or a military exchange between Washington and another nuclear power. As it is, there’s already too much fear, uncertainty, and doubt in cyberspace that makes it hard to make good policy (for more, see this from Robert M. Lee and Thomas Rid). Having the U.S. government frame the topic in such apocalyptic terms isn’t helpful.
The foreign policy references in the strategy are also hyperbolic. Over the last four years, the United States has sought to impose consequences on actors that violate an emerging body of cyber norms. It started when the Obama administration indicted the Chinese military officials and sanctioned North Korea over Sony, and has picked up recently with denunciations of North Korea (WannaCry), Russia (e.g. NotPetya, VPNFilter, targeting critical infrastructure sectors), and Iran (2012-13 DDOS, Mabna institute). The United States’ previous effort at setting predictable rules for state activity in cyberspace is now framed as the Reagan-sounding “preserving peace through strength.” Burgeoning efforts to work with allies to jointly condemn norm-violating behaviour and impose consequences falls under the rubric of building a Cyber Deterrence Initiative. As others have pointed out, references to the importance of managing the risk of miscalculation and escalation in cyberspace from the 2015 Department of Defense cyber strategy and the 2011 International Strategy for Cyberspace are gone.
Surprisingly, the promotion of internet freedom—a staple of the Bush and Obama administrations—did not disappear. There has been a debate over the last two years on whether the internet freedom agenda, defined as promoting internet access and tools to bypass censorship, is dead. Much of this debate was fuelled by the Trump administration’s seeming lack of interest in human rights writ large, exemplified by the president’s statement last year at the UN General Assembly of not seeking “to impose our way of life on everyone” and its subsequent withdrawal from the UN Human Rights Council. Although internet freedom survived, it is now part of the strategy’s objective of advancing “American influence” in cyberspace.
If I was a policy wonk in the Russian or Chinese foreign ministries, I’d be concerned. From Moscow or Beijing’s vantage point, Washington is already the most influential player in cyberspace. Russia believes it is in an “information war” with the United States, and that it needs to resort to disinformation campaigns, RT, and its bot army to beat back U.S. influence online. Tech platforms such as Twitter, Google, and Facebook are banned because of their potential threat to the Chinese Communist Party. Apple, Microsoft, IBM, and Cisco products are seen with suspicion given the potential espionage risk, similar to U.S. concerns with Kaspersky, Huawei, or ZTE. The National Security Agency is their most competent and formidable adversary.
The hyperbole in the new strategy cranks up the volume to 11. That’s probably the administration’s objective given its stated desire to impose consequences on those that don’t follow its lead.
But this with-us or against-us approach puts rivals in a bind. Moscow and Beijing can choose to also crank up the volume to 11, making competition in cyberspace worse and contributing to the cybersecurity dilemma. Alternatively, they could take the strategy’s hyperbole with a grain of salt, viewing it as mostly bluster from a president who coined the term “truthful hyperbole.” That approach carries its own risks, not least of which is miscalculating the odds and severity of a U.S. response to a cyber operation directed at it.
The success of the Trump administration’s Anakin Skywalker strategy depends on which way other countries will break. I wouldn’t expect Russia or China to cower in compliance.