From the president on down, leading members of the Trump administration suggest their work on cybersecurity has been a rescue mission from the Obama days. Yet President Trump’s new strategy is earning high marks — along with a few inevitable brickbats — from veterans of the previous administration.
“We inherited a cybersecurity mess … they ignored cybersecurity threats,” Vice President Mike Pence said recently.
The Obama officials, while disputing the notion that they left a “mess,” said the new National Cybersecurity Strategy represents a continuation of a policy arc based on consensus and collaboration between government and industry that began with President George W. Bush, ran through the Obama administration and is being followed today.
“I think the strategy largely continues the previous administration’s strategy, at least with respect to the Department of Homeland Security mission, and moves it forward in important ways,” said Suzanne Spaulding, who managed the cyber portfolio at DHS during the Obama years.
The Trump strategy includes an enhanced role for DHS in securing federal systems, more attention to supply-chain risks, and a commitment to global norms of behavior backed by the willingness to take offensive action in cyberspace, spearheaded by the military.
The strategy is intended to promote “communications infrastructure and Internet connectivity that is open, interoperable, reliable, and secure,” along with protecting and promoting “Internet freedom” globally. And it delves into wide-ranging issues such as protecting intellectual property, free flow of data across borders and building the cyber workforce.
National security adviser John Bolton, who unveiled the plan last month, emphasized the new flexibility military leaders will have under the strategy, which in a classified annex addresses the recent repeal of the Obama-era Presidential Policy Directive-20 oversight process for approving offensive cyber actions. Bolton said “we will respond offensively as well as defensively” to cyber attacks, adding, “Our hands are not tied like they were in the Obama administration.”
Policy veterans of the Obama administration took issue with that characterization.
“In general, I think that there is new tone in the policy but not much new policy other than the revocation of PPD-20, which had already been announced,” said Ari Schwartz, a cybersecurity director on the National Security Council under former President Barack Obama.
“In my experience it has not been deterrence policies that held back response, but the inability of agencies to execute,” Schwartz said.
It wasn’t all praise. Another former high-ranking cyber official called the new strategy a “disappointment” and said it signaled a lack of urgency within the Trump administration.
But overall, Obama veterans found plenty of positives in the strategy.
Former Obama White House cybersecurity coordinator Michael Daniel, now president and CEO of the Cyber Threat Alliance, said “release of the U.S. National Cyber Strategy builds on work over the last 12 years to improve our country’s cybersecurity. It charts a solid path forward to strengthen and protect users who rely on the Internet and the digital ecosystem. It strikes a good balance between defensive actions and seeking to impose consequences on malicious actors. Further, it’s clear that this strategy … is a reflection of a strong policy development process across administrations.
“The resulting product is an example of what a national strategy should look like on an issue that truly is nonpartisan,” Daniel concluded. “This strategy protects end-users, disrupts malicious actions, and elevates overall security for everyone. I commend the U.S. government for issuing such a strong document.”
Spaulding noted language in the strategy on sanctions, public attribution of hacks, getting vulnerable software off of federal systems, and holding agency heads accountable for cybersecurity and empowering them to achieve it.
“All of these things were done under the previous administration and it’s reassuring to see that they are being continued,” Spaulding said.
“The strategy calls out seven areas for priority: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation. This prioritization is a good step forward,” she said. “However, it will be important for DHS to ensure that they do not imply that they are leaving the rest to the private sector, particularly other critical infrastructure sectors, to fend for themselves.”
Retired Rear Adm. David Simpson, who was cybersecurity chief at the Federal Communications Commission during the Obama administration, offered a “mixed bag” assessment.
“The recent National Cyber Strategy is a big improvement” over the Trump administration’s 2017 cybersecurity executive order, he said. “It goes beyond guidance to federal agencies and articulates important strategic principles for the economy and for international engagement.”
But, Simpson added, “Unfortunately, they are late to this mark and in the first year, the administration took us backward in many of the [non-Defense Department] lines of effort articulated in the strategy. It is evident as you read the new NCS that lofty goals are well articulated; implementation, however, remains a question in many areas. Too often, there is either a hollow reference to support for improved commercial engagement or suggested action by federal agencies that either lack the authorities, the informed staff, budget or all three.”