Trump’s new cyber strategy eases rules on use of government cyberweapons

The Trump administration’s new cyber strategy out this week isn’t much more than a stringing together of previously considered ideas.

In the 40-page document, the government set out its plans to improve cybersecurity, incentivize change, and reform computer hacking laws. Election security gets about a quarter of a page, second only to “space cybersecurity.”

The difference was the tone. Although the document had no mention of “offensive” action against actors and states that attack the US, the imposition of “consequences” was repeated.

“Our presidential directive effectively reversed those restraints, effectively enabling offensive cyber-operations through the relevant departments,” said John Bolton, national security advisor, to reporters.

“Our hands are not tied as they were in the Obama administration,” said Bolton, throwing shade on the previous government.

The big change, beyond the rehashing of old policies and principles, was the tearing up of an Obama-era presidential directive, known as PPD-20, which put restrictions on the government’s cyberweapons. Those classified rules were removed a month ago, the Wall Street Journal reported, a move described at the time as an “offensive step forward” by an administration official briefed on the plan.

In other words, it’ll give the government greater authority to hit back at targets seen as active cyberattackers — like Russia, North Korea, and Iran — all of which have been implicated in cyberattacks against the US in the recent past.

Any rhetoric that ramps up the threat of military action or considers use of force — whether in the real world or in cyberspace — is all too often met with criticism, amid concerns of rising tensions. This time, not everyone hated it. Even ardent critics of the Trump administration like Sen. Mark Warner said the new cyber strategy contained “important and well-established cyber priorities.”

The Obama administration was long criticized for being too slow and timid after recent threats — like North Korea’s use of WannaCry and Russian disinformation campaigns. Some former officials pushed back, saying the obstacle to responding aggressively to a foreign cyberattack was not the policy, but the inability of agencies to deliver a forceful response.

Kate Charlet, a former government cyber policy chief, said that the policy’s “chest-thumping” rhetoric is forgivable so long as it doesn’t mark an escalation in tactics.

“I felt keenly the Department’s frustration over the challenges in taking even reasonable actions to defend itself and the United States in cyberspace,” she said. “I have since worried that the pendulum would swing too far in the other direction, increasing the risk of ill-considered operations, borne more of frustration than sensibility.”

Trump’s new cyber strategy is a change in tone that ratchets up the rhetoric, but it doesn’t mean the government will become trigger-happy overnight. While the government now has greater powers to strike back, it may not have to if the policy serves as the deterrent it’s meant to be.