The Trump administration is planning to write a new cybersecurity strategy, White House Homeland Security Adviser Tom Bossert said Tuesday, suggesting that the slew of Obama-era cyber plans and strategies are fast outliving their usefulness.
There’s no timeframe for when the strategy will launch, Bossert told reporters, but it will follow the broad outlines of a cybersecurity executive order President Donald Trump released in May.
“As soon as we’re prepared to put forward a strategy that will be beneficial to the government and the nation, we’ll do so,” Bossert said on the sidelines of a Washington cybersecurity conference hosted by Palo Alto Networks.
Like the executive order, the cybersecurity strategy is likely to be broken into three main components, Bossert said.
Those three components are: improving the security of federal government computer networks; leveraging government resources to better secure critical infrastructure, such as hospitals, banks and financial firms; and establishing norms of good behavior in cyberspace and punishing bad behavior.
The Obama administration launched a cyberspace policy review soon after taking office in 2009 and released a slew of plans and strategies including the 2011 International Strategy for Cyberspace and a 2016 Cybersecurity National Action Plan.
Those documents served their purpose, Bossert said, but it’s the nature of cyberspace for plans to grow out of date. The early documents, for example, don’t contemplate the threat that quantum computing may one day pose to encryption or the values of blockchain technology, he said.
Bossert downplayed the idea of a grand “cyber moonshot” during an on-stage event and in his discussions with reporters, describing the White House’s goal as reducing cyber risk to a manageable level with plans that can be scrapped or adjusted every few years.
“We wouldn’t want to set a goal for ourselves to eradicate and end all neighborhood crime forever and ever,” he said as an analogy. “You’ll never meet that goal.”
Empty Chair or Empty Stunt?
During Tuesday’s discussion, Bossert pushed back against the virulent complaints from Senate Armed Services Chairman John McCain, R-Ariz., and other senators that White House Cybersecurity Adviser Rob Joyce did not testify at a Thursday hearing on cross-government cybersecurity.
McCain and other members acknowledged that non-Senate confirmed National Security Council staffers typically don’t testify before Congress but argued that the gravity of the government’s cyber crisis should have compelled the White House to allow Joyce to testify.
McCain left an empty chair at the witness table to signify Joyce’s absence, which senators of both parties frequently addressed during the hearing.
“While I have a great deal of respect for Sen. McCain and for the institution of Congress, I felt that empty chair stunt was cheap and beneath him,” Bossert told reporters.
Bossert also echoed Deputy Attorney General Rod Rosenstein’s call for a way for government to access cop-proof encryption systems but stopped short of calling for legislation.
Obama-era law enforcement officials regularly called for legislation to ensure government access to end-to-end encrypted systems, such as the iPhone used by San Bernardino shooter Syed Farook, but failed to win vocal support from the White House.
Senate Intelligence Chairman Richard Burr, R-N.C., and then-ranking member Dianne Feinstein, D-Calif., floated legislation that would have required tech firms to assist law enforcement with warrants to access the contents of encrypted devices but it never reached a committee debate.