On September 20, 2018, the Trump administration released a comprehensive National Cyber Strategy. This document builds on initiatives outlined in Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”(May 2017). (See our Legal Update.) The strategy’s stated objective is to “ensure the American people continue to reap the benefits of a secure cyberspace that reflects our principles, protects our security, and promotes our prosperity.” Specifically, the strategy is structured around four pillars:
- Defend the homeland by protecting networks, systems, functions, and data
- Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation
- Preserve peace and security by strengthening the United States’ ability—in concert with allies and partners—to deter and, if necessary, punish those who use cyber tools for malicious purposes
- Expand American influence abroad to extend the key tenets of an open, interoperable, reliable and secure Internet
According to the strategy, the US government will seek to achieve these goals in “a new era of strategic competition” in which the threat of “peacetime cyber attacks” and “cyber attacks . . . short of war” is growing.
Each of the strategy’s four pillars includes numerous “priority actions.” Below, we outline each of these pillars and identify examples of priority actions that bear particular relevance to private sector entities.
Protect the American People, the Homeland and the American Way of Life
The longest and most detailed section of the strategy addresses how to “[m]anage cybersecurity risks to increase the security and resilience of the Nation’s information and information systems.” It focuses on three topics in this area: (1) “Secur[ing] Federal Networks and Information,” (2) “Secur[ing] Critical Infrastructure” and (3) “Combat[ing] Cybercrime and Improv[ing] Incident Reporting.” Many of the recommendations under these topics apply principally to the federal government. For example, the strategy calls for further centralizing cybersecurity management responsibilities for federal civilian agencies under the Department of Homeland Security (“DHS”) and improving the federal supply chain to enhance accountability for cybersecurity risks.
Notably, many of the priority actions described have the potential to impact private sector entities as well, especially those in critical infrastructure industries. For example, the strategy provides that the government will engage with industry to improve risk management for “critical infrastructure at the greatest risk,” a phrase associated with prior executive orders, including Executive Order 13800, which directed the Secretary of Homeland Security, in coordination with multiple departments and agencies, to identify legal authorities and capabilities that could be employed to support the cybersecurity efforts of particularly high-risk critical infrastructure targets. The strategy also prioritizes “risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”
The strategy describes prospective initiatives for several specific industries as well. For example, it identifies the importance of transportation and maritime cybersecurity, stating that the government “will move quickly to clarify maritime cybersecurity roles and responsibilities; promote enhanced mechanisms for international coordination and information sharing; and accelerate the development of next-generation cyber-resilient maritime infrastructure.” With respect to information and communications technology providers, the strategy calls for improved information sharing (including classified information) and the encouragement of “industry-driven certification regimes” to augment national cybersecurity.
In addition to critical infrastructure efforts, the strategy also identifies priority actions with respect to cybercrime and cybersecurity incidents that could impact private entities across economic sectors. For example, the strategy recommits the administration to encouraging entities to report cybersecurity incidents. It also recommends modernizing computer crime and electronic surveillance laws to strengthen law enforcement capabilities to deter and disrupt criminal activity.
Promote American Prosperity
The strategy’s second pillar identifies priority actions designed to “[p]reserve United States influence in the technological ecosystem and the development of cyberspace as an open engine of economic growth, innovation, and efficiency.” It focuses on three topics in this area: (1) “Foster[ing] a Vibrant and Resilient Digital Economy,” (2) Foster[ing] and Protect[ing] United States Ingenuity” and (3) “Develop[ing] a Superior Cybersecurity Workforce.”
The priority actions highlighted to advance these goals could align with certain private sector imperatives and concerns. For example, the strategy calls on the government to “promote best practices and develop strategies to overcome market barriers to the adoption of secure technologies” and to “promote open, industry-driven standards . . . and risk-based approaches to address cybersecurity challenges.” (The strategy does not recommend regulatory enforcement or rulemaking to improve cybersecurity.) The strategy also states that the government will explore the use and potential risks of emerging technologies such as artificial intelligence and quantum computing and work with the private sector and civil society “to ensure secure practices are adopted from the outset.” In addition, the strategy commits the government to expanding federal efforts in cybersecurity education and training, including “re-skilling people” for new careers in cybersecurity.
The strategy also identifies “full-lifecycle cybersecurity” as a priority and indicates that the government will “promote regular testing and exercising of the cybersecurity and resilience of products and systems during development.” In particular, the strategy highlights coordinated vulnerability disclosure as one tool to improve cybersecurity resiliency. This has been an area of significant public and private sector activity in recent years as the role of vulnerability management in protecting networks and systems has increased with high-profile cyber attacks exploiting vulnerabilities in common technology platforms.
Preserve Peace through Strength
The strategy’s third—and perhaps most discussed—pillar identifies priority actions designed to “[i]dentify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”
In addition to renewing calls for the application of “international law and voluntary non-binding norms of responsible state behavior in cyberspace,” the strategy calls for the imposition of “swift and transparent consequences” for malicious cyber activities. It heralds a new effort to this end—an international Cyber Deterrence Initiative that would seek to build a coalition of like-minded states to collectively impose such consequences and thus augment their deterring effect. The strategy also call for efforts to “identify, counter, and prevent the use of digital platforms for malign foreign influence operations” in collaboration with foreign governments, the private sector and civil society.
This pillar is complemented by the 2018 Department of Defense (“DoD”) Cyber Strategy Summary, which was released only two days before the more comprehensive White House strategy. The DoD strategy identified its own activities to “compete and deter in cyberspace,” including to “[p]ersistently contest malicious cyber activity in day-to-day competition” by “defending forward to intercept and halt cyber threats.”1
Advance American Influence
The strategy’s final pillar identifies actions to “[p]reserve the long-term openness, interoperability, security, and reliability of the Internet, which supports and is reinforced by United States interests.” This section is devoted to explicating the American position on “Internet freedom” and its inextricable connection to national security and the advancement of American values. Specific actions identified include “actively participat[ing] in global efforts to ensure that the multi-stakeholder model of Internet governance prevails,” “improve[ing] the adoption and awareness of cybersecurity best practices worldwide” and “building partner cybersecurity capacity.”
The administration's cybersecurity strategy identifies a wide array of actions that are intended to improve the nation’s cybersecurity posture. Although it remains to be seen how the plan’s specific objectives will be implemented, the administration is already taking some initial steps to advance certain goals. For example, at the latest meeting of the United Nations General Assembly, the United States led a ministerial discussion focused on “advancing responsible state behavior and deterring malicious activity in cyberspace.” Such efforts could be important for both the public and private sectors as the United States continues to confront significant economic espionage and election interference from sophisticated criminal and nation-state actors. It will be important to follow developments closely to track how this high-level strategy will be implemented in practice.