The White House released its long-awaited National Cyber Strategy (the “Strategy”) on September 21, 2018, offering a comprehensive set of objectives such as the preservation of a free, open, and secure Internet, while also signaling tougher repercussions for nations and criminals that engage in malicious cyber activity. The Strategy is similarly ambitious in its expectations for enhanced partnerships between federal agencies and private sector entities and foreign governments. That said, this expansive list of priorities includes few specific actions or steps to implement or accomplish the stated goals, and will require concurrence from private sector businesses and foreign governments that may be reluctant to fully jump into these initiatives. In short, as with many strategic plans, it’s a thorough and thoughtful approach but lacks concrete action items and will require significant diplomacy to achieve the anticipated buy-in.
The Strategy is centered around four pillars: (1) protecting against cyber threats by strengthening U.S. government and private information networks, securing critical infrastructure, and enhancing cybercrime enforcement efforts; (2) boosting the digital economy by promoting innovation in the technology sector, guarding intellectual property, and increasing the ranks of our cybersecurity workforce; (3) combating cyber threats and preserving the United States’ superiority in safeguarding the Internet through taking aggressive actions (thus far unidentified) if necessary; and (4) promoting an open and free Internet.
The Strategy’s most expansive set of objectives is protective in nature, ranging from centralizing and increasing the resiliency of federal agency IT networks, to improving space and maritime cybersecurity, protecting election and other critical infrastructure, and aiding partner nations’ cyber enforcement capacity. To combat cybercrime, the Strategy emphasizes “[t]he prompt reporting of cyber incidents to the Federal Government,” as well as the implementation of “standards and best practices that deter and prevent current and evolving threats and hazards in all domains of the cyber ecosystem.”
To bolster national defenses against attacks, the Strategy emphasizes that federal cybersecurity efforts will hinge on support from private industry. For example, the Administration expects information technology companies and tech start-ups to work with government agencies and law enforcement “to confront challenges presented by technological barriers, such as anonymization and encryption technologies,” and to use artificial intelligence and quantum computing to deter cyber threats. The Strategy identifies seven industries with which the government will prioritize building relationships and sharing information: “national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.” Several are singled out for special attention: for example, recognizing that “[i]nformation and communications technology (ICT) underlies every sector in America,” the White House plans to work with ICT providers to improve ICT security by sharing classified threats with ICT providers who have been “cleared” for such information.
One frequent criticism of current federal cybersecurity policy is the lack of a cohesive national regulatory structure, such that myriad agencies and state regulators have enacted a hodge-podge of security standards and breach notification rules. The Strategy recognizes the increasing number of agencies regulating in this space and pledges to clarify their roles and responsibilities, as well as their “expectations on the private sector related to cybersecurity risk management and incident response.” The Strategy further recognizes the importance of reporting cyber incidents to the federal government “by all victims, especially critical infrastructure partners,” but offers no details regarding the manner in which this reporting will occur. It’s hard to guess exactly what the Administration has in mind here; certainly, the language hints at more centralized federal regulation of data security and breach notification, but it’s also telling that the document intentionally omits any specific recommendations or plans to achieve this goal.
The Strategy’s most notable and drastic shift from the policies of prior administrations comes in an explicit warning to nation-state and criminal actors alike that more aggressive responsive actions are in store for malicious cyber activity against the U.S. government, businesses, and citizens. The language is once again oblique, stating only that the United States will “develop swift and transparent consequences, which we will impose consistent with our obligations and commitments to deter future bad behavior.” Recent public statements by Administration officials have added further details, as National Security Advisor John Bolton confirmed during a press conference on Sept. 20, 2018, that the White House has intentionally “authorized offensive cyber operations... not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.” Bolton didn’t elaborate on the nature of the offensive operations, but he confirmed that the Administration has rescinded Obama-era executive orders restricting the use of retaliatory hacking.
Following such widely publicized attacks on public infrastructure as the Russian hack of the Ukrainian power grid, the Strategy recognizes the need to safeguard domestic critical cyber infrastructure. To accomplish this, the White House plans to partner with private industry to “collectively use a risk-management approach to mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure.” At the same time, the Administration will “develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks.” Key to this plan is to share the information learned with the industries identified in the Strategy: “national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”
The continued development of new technologies also will be an important contributor to both strengthening our cyber defenses and preserving the United States’ role as an influencer in global cyber policymaking. Specifically, “[t]he Administration will work across stakeholder groups, including the private sector and civil society, to promote best practices and develop strategies to overcome market barriers to the adoption of secure technologies.” Additionally, to promote an open Internet, the Administration plans to support and encourage “open, industry-led standards activities based on sound technological principles.” The objective of the White House in promoting such developments and standards is to “advance American influence” and ultimately protect the nation from further threats.
In sum, much remains to be seen in terms of proposing specific steps to accomplish the many objectives and achieve the broad platitudes in this document. One of the biggest questions moving forward will be the receptiveness of the private sector and foreign governments to the invitations to partner with the White House to solve these challenges. Would-be partners in Silicon Valley and elsewhere have expressed reservations about the government’s policies on encryption, and companies often have mixed views about fulsome sharing with the government about cyber threats and incidents. Corporations have a duty to abide by not only the privacy and security laws of the United States, but also those of other countries in which they operate. And as foreign jurisdictions are enacting increasingly strict limitations regarding the transfer of data outside their borders, many of these countries are expressing increasing reservations about U.S. data privacy laws and procedures.
Still, those attitudes may change in the coming months and years as Congress ramps up to consider its own federal legislation on data privacy. In a Senate hearing on September 26th involving some of the nation’s largest tech and communications companies, several Senators expressed readiness to pass a law similar in effect to the GDPR or the California Consumer Privacy Act. Sen. Brian Schatz (D-Hawaii) said that, although he understood the concerns of tech and communications companies, such companies should not expect Congress to “replace a progressive California law – however flawed you may think it is – with a nonprogressive federal law.” In a second hearing on this topic held on October 10th, Senators listened to the viewpoints of privacy advocates, who reinforced the need for a federal law, and stressed that this law should work alongside state laws, rather than preempting them, and that the law should be backed with enforcement authority from the Federal Trade Commission or a new federal agency. Although some legislators have expressed concerns about fashioning the law in this manner, or creating something similar to the California law or the GDPR, there appears to be some agreement that federal privacy legislation is necessary to bring coordination to 50 different state laws that vary significantly. As stated by Committee Chairman Senator John Thune (R-SD), “The question is no longer whether we need a law for consumer data privacy, the question is what shape these laws will take.”