As the White House reviews recommendations on deterrence policy from various federal agencies, industry sources say the administration is moving slowly on its strategy and that they hope to see more outreach to the private sector as part of the effort.
“There have been efforts to pull something together but it’s in fits and starts, and it doesn’t seem imminent,” said one former high-ranking national security official now in the private sector. This source said there is a need for a playbook that allows for quick responses to cyberattacks and offers the president “tools of proportionality that will influence an aggressor country.”
An industry source added, “I’m not wedded to anything, but we want clarity on the government’s role, what they’ll take responsibility for, and what we have responsibility for.” The source called the White House process around cyber strategy and deterrence “very opaque.”
“There has been no dialogue,” the industry source said. “I’m not sure we need another strategy, but they could use some private-sector input. We need to have a fulsome dialogue on how industry can take the lead in securing its systems with government support, while the federal government uses its tools to “stop malicious activity at its source.”
The White House last week confirmed that officials were reviewing interagency input on deterrence and considering next steps before sending recommendations to President Trump, as required under his May 2017 cybersecurity executive order.
Senior administration officials have also pointed to new sanctions on Russia related to election and other hacking as a sign of the government’s deterrence policy in action.
“The government named names and imposed sanctions, and that speaks well to their strategy, even if it’s not spelled out in a doctrine,” commented an energy sector source. “They’ve demonstrated what a doctrine will look like by action. The doctrine doesn’t have to happen tomorrow. There is value in doing this thoughtfully.”
But Director of National Intelligence Dan Coats, Adm. Mike Rogers, who is the head of the National Security Agency and U.S. Cyber Command, and Lt. Gen. Paul Nakasone — nominated to replace Rogers — in recent weeks faced pointed questioning from lawmakers on the need for an articulated cyber strategy.
Coats said White House officials are engaged in putting together a whole-of-government approach but acknowledged the absence of an overall strategy, while Rogers produced headlines by saying he had received no specific instructions on protecting election systems.
And some observers said the recent shakeup at the National Security Council, with national security adviser H.R. McMaster being replaced by John Bolton, can only slow the process of writing a strategy.
Meanwhile, Senate Armed Services Cybersecurity Subcommittee Chairman Mike Rounds, R-S.D., said his panel is working on the deterrence issue through the annual National Defense Authorization Act, “mostly in a classified setting.”
“It’s very clear that for the next 10 years we won’t have the ability to protect our assets” solely through defensive means, Rounds said. “We need offensive as well as defensive capabilities” to deter adversaries.
Rounds joined a bipartisan group of 14 senators on a letter to Trump and White House Cybersecurity Coordinator Robert Joyce calling for a national deterrence strategy.
“It’s clear that in practice we’re not where we need to be,” said Phil Reitinger of the Global Cyber Alliance, a former senior cyber official at the Department of Homeland Security. “There is no effective deterrent in place to nation-state aggression.”
Reitinger said a deterrence policy should maintain flexibility and can include “some ambiguity … but right now, no one feels afraid of what we might do about political interference through cyber space, for instance.” He said the recent sanctions against Russia “are important in terms of signaling but they don’t cause a lot of pain.”
However, Michael Daniel, White House cybersecurity coordinator under former President Barack Obama, noted some of the difficulties policymakers face in writing a deterrence strategy.
“One difficulty is talking about cyber deterrence strategy as if it is separate from our overall strategy for dealing with a particular nation-state, criminal group, or activist organization, because it’s not,” Daniel said. “It does not make sense to produce a ‘cyber deterrence’ strategy in a vacuum or without reference to the other aspects of our relationships with our allies and adversaries, for example.”
Daniel said: “Therefore, the right question to ask is whether our national strategy for dealing with Russia, China, Iran, North Korea, etc. has a cyber component. We want those cyber components to inform each other, but any cyber deterrence efforts need to be aligned with the overall strategy towards that particular country or malicious actor. I do not believe it makes sense to produce a separate, stand-alone, cyber deterrence strategy.”
