Cybersecurity issues permeate President Trump's new National Security Strategy, advancing some of the cyber policies put in place by the Obama administration, while sharpening the emphasis on areas like fighting “botnets” — the tool used in automated attacks on computer systems — and pursuing cyber bad actors wherever they may be found across the globe.
Some on Capitol Hill, including Senate Intelligence ranking member Mark Warner, D-Va., expressed disappointment in the way the document addressed cyber, saying it didn't command enough attention in the strategy.
But cybersecurity concerns are reflected in each part of the overall strategy, which is based on “four pillars” of protecting the homeland, promoting prosperity, preserving peace through strength, and advancing U.S. influence.
Released Dec. 18, the strategy calls for defending critical infrastructure and “going after malicious cyber actors,” identifying and prioritizing cyber risk, bolstering defenses of federal networks, deterring and disrupting bad actors, and improved information sharing
But it also reflects the Trump administration's emphasis on combating threats such as distributed denial of service attacks perpetrated through use of botnets, which was a focus of Trump's May executive order on cybersecurity and will be addressed in more detail in an administration report coming in early January.
The national security strategy document specifically acknowledges Russian and Chinese challenges in cyberspace — as well as those of “transnational criminal organizations” and regional powers.
The strategy says: “Russia uses information operations as part of its offensive cyber efforts to influence public opinion across the globe. Its influence campaigns blend covert intelligence operations and false online personas with state-funded media, third-party intermediaries, and paid social media users or 'trolls.'”
It cites “destabilizing” Russian activities in cyberspace aimed at western democracies among the key challenges.
Overall, the document says, “cyberspace offers state and non-state actors the ability to wage campaigns against American political, economic, and security interests without ever physically crossing our borders. Cyberattacks offer adversaries low-cost and deniable opportunities to seriously damage or disrupt critical infrastructure, cripple American businesses, weaken our Federal networks, and attack the tools and devices that Americans use every day to communicate and conduct business.”
According to the report: “To improve the security and resilience of our critical infrastructure, we will assess risk across six key areas: national security, energy and power, banking and finance, health and safety, communications, and transportation. We will assess where cyberattacks could have catastrophic or cascading consequences and prioritize our protective efforts, capabilities, and defenses accordingly.”
The language tracks with the approach spelled out in the Trump cyber executive order.
It is also similar to provisions in a House-passed bill to elevate cybersecurity functions at the Department of Homeland Security, which calls for special steps to address critical infrastructure entities where a cyber attack could have catastrophic consequences.
That bill, by House Homeland Security Chairman Michael McCaul, R-Texas, is poised to see action in the Senate early in the new year, according to Sen. Ron Johnson, R-Wis., who chairs the upper chamber's homeland security panel.
The new Trump document also highlights cybersecurity issues related to building out the nation's digital infrastructure, as well as “encourag[ing] practices across companies and universities to defeat espionage and theft.” Even in areas such as ensuring energy independence, the document notes potential cyber vulnerabilities that must be addressed.
The Trump administration in the document emphasizes improved attribution of attacks and the promise of a robust response.
“The United States will deter, defend, and when necessary defeat malicious actors who use cyberspace capabilities against the United States,” the document states. “When faced with the opportunity to take action against malicious actors in cyberspace, the United States will be risk informed, but not risk averse, in considering our options.”
That tracks with Trump's campaign promise to take the fight to cyber adversaries. Opportunities to see how that plays out could be coming quickly, as the White House this week formally declared North Korea was behind the “WannaCry” ransomware attack that hit healthcare and other sectors last May.
Whether North Korea will pay a price for “WannaCry” remains to be seen. Obama administration officials frequently said that responses — or retaliation — for cyber attacks might never be seen by the public. The Trump administration seems likely to take a higher profile approach.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.