The Trump administration’s cyber policy is moving away from the prioritization of law enforcement to an approach that balances law enforcement, persistent engagement with adversaries in cyberspace, and the pursuit of deterrence. The most significant expression of this shift is the administration’s September 2018 National Cyber Strategy, according to which the U.S. government will “Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”1
The Trump administration inherited a cyber policy based on Presidential Policy Directive 20 (PPD-20) of January 2013. An unclassified White House summary of the directive explained, “It is our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as preferred courses of action” (emphasis added).2
During President Trump’s tenure, senior U.S. officials have issued blunt assessments of the previous administration’s approach. General Joseph Votel, commander of U.S. Central Command, noted that at the operational level, the approval process can be “so cumbersome that these capabilities are narrowly irrelevant.”3 Similarly, Admiral Mike Rogers, then serving as National Security Agency director and commander of U.S. Cyber Command (CYBERCOM), testified before Congress in February 2018 that U.S. cyber capabilities were “not optimized for speed and agility.” Moreover, he stated, U.S. adversaries are “more emboldened” because they do not believe they will suffer significant consequences for their actions.4 Incoming National Security Agency and CYBERCOM head General Paul Nakasone similarly testified a few days later, “We need to impose costs on our adversaries to ensure mission success by persistent delivery of cyberspace effects.”5
The Trump administration appears to have taken these critiques and recommendations to heart. In May 2017, the president signed an executive order requiring departments to work with the private sector to support critical infrastructure security. Seven months later, in its first National Security Strategy, the administration pledged to impose “swift and costly consequences” on malicious cyber actors, and explicitly noted the danger of adversarial cyber-enabled economic warfare.6
Meanwhile, the Department of Defense’s September 2018 Defense Cyber Strategy stated the department will “deter malicious cyber activities,” “persistently contest malicious cyber activity in day-to-day competition,” and “defend forward to disrupt or halt malicious cyber activity at its source.”7 Simultaneously, the administration provided new authorities for offensive cyber operations and rescinded PPD-20.8
The shift away from the old approach has begun, but implementing the new strategy across all agencies and departments of the federal government will require a sustained effort. For now, the administration continues to rely primarily on sanctions and indictments to impose costs on malicious cyber actors. Over the past two years and coinciding with complementary Department of the Treasury sanctions, the Department of Justice has unsealed indictments against dozens of Chinese, Russian, Iranian, and North Korean intelligence operatives and hackers. In some cases, the Justice Department accused these governments of sponsoring the operations. However, since these operatives are usually beyond the physical reach of U.S. law enforcement, the indictments have rarely led to arrests.9
The Trump administration has sensibly moved to broaden U.S. cyber policy beyond its previous emphasis on law enforcement actions, which have, at best, an unclear effect on hostile nation-state decision-makers who sponsor and authorize operations. In support of a robust cyber strategy, however, sanctions and law enforcement activities do expose the extent of malicious cyber activity. According to former Assistant Attorney General John Carlin, the indictments themselves also “rais[e] the cost of an attack by promoting vigilance against a named attacker.”10
The uptick in indictments and sanctions has also corresponded with a more creative use of government authorities to punish those responsible for, or benefiting from, malicious cyber activity and to harden federal and civilian infrastructure. The Department of Homeland Security issued a Binding Operational Directive in September 2017 requiring federal agencies to remove all of Russia’s Kaspersky Lab products from their systems over concerns that Moscow uses the company to infiltrate U.S. networks.11 Congress then passed bills banning the government from using Kaspersky products and from procuring goods that use Chinese telecommunications equipment as essential components. The Department of Commerce broadened the pressure on China over intellectual property theft by banning all U.S. exports to semiconductor producer Fujian Jinhua Integrated Circuits, which was responsible for stealing trade secrets from Idaho-based Micron Technology, a producer of computer components critical to American cyber, national, and economic security.
The Committee on Foreign Investment in the United States (CFIUS) meanwhile blocked a merger between American and Singaporean companies over concerns that it would harm U.S. innovation in 5G service and allow companies with connections to the Chinese military and intelligence services to build the equipment underpinning next-generation internet technology. The Federal Communications Commission (FCC) also prohibited federal subsidies for broadband providers that use Huawei equipment. The Trump administration has wisely shared its concerns about Huawei with allies, who have begun issuing their own warnings about the company and excluding it from projects.
While it is too early to assess the effectiveness of the Trump administration’s new National Cyber Strategy, the document has received rare bipartisan praise. The new approach has the potential to be an effective, proactive strategy accompanied by new offensive authorities. Former National Security Council Cybersecurity Coordinator Rob Joyce – whose departure from the National Security Council caused lawmakers and experts to raise concerns that the White House lacked sufficient cyber expertise – called the replacement of PPD-20 “a thoughtful rewrite.”12 In October 2018, CYBERCOM reportedly launched its first operation under these new authorities, alerting Russian cyber operatives that the U.S. military was tracking their activities to deter Moscow from interfering in the midterm elections.13
The Trump administration has also been more forward-leaning in its public attribution of cyberattacks, including working with its allies to call out Russia for the 2017 NotPetya malware and North Korea for the 2017 WannaCry ransomware attacks. These public statements are important both for correcting the misconception that cyberattacks cannot be positively attributed and as a first step toward imposing consequences.
One urgent issue to address is the president’s refusal to consistently accept the U.S. intelligence community’s assessments of Russian cyber operations during the 2016 presidential election. The politicization of the investigation into Russia’s cyberattacks and cyber-enabled information operations undermines the bipartisanship necessary to implement effective responses to cyber vulnerabilities not only in U.S. election systems, but across all critical infrastructure.