The Trump administration's new cyber strategy is raising questions about the U.S. role in offensive cyberattacks.
The document itself, unveiled Thursday, largely consists of existing practices and policies dealing with defensive measures. But national security adviser John Bolton told reporters that the U.S. will now act more aggressively in cyberspace, a move that could both deter cyberattacks and expose the country to new vulnerabilities, according to some cyber experts.
Cyber experts and Obama-era officials said they agree that a fresh policy is needed, but they also have reservations about the Trump administration putting an emphasis on the offense component.
They warned against the dangers of taking this new approach too far: Federal government actions could set a precedent for what is considered to be acceptable behavior. And while the U.S. already faces cyberattacks on a daily basis, the new aggressive posture means it could end up the victim of the same kinds of attacks it ends up carrying out.
Michael Daniel, cybersecurity coordinator for the Obama White House, said in an email to The Hill that the U.S. “should consider carefully the precedents it will set when using these capabilities, because any cyber operation we conduct will either explicitly or implicitly be considered acceptable.”
“Given the nature of cyberspace and the potential for unintended consequences, the murkiness surrounding attribution, and the perception that being on offense is better than defense, the potential for unplanned escalation is a very real,” said Daniel, who is now president and CEO of the Cyber Threat Alliance.
The announcement by the White House appears to be part of a broader overhaul of U.S. cyber strategy. The Defense Department this month issued its own cyber guidance, which said the military had the authority to "defend forward" to prevent cyberattacks.
Key GOP lawmakers appeared to be largely in favor of the strategy unveiled by the White House.
Sen. James Lankford (R-Okla.), a member of the Senate Homeland Security Committee, said the policy will help the U.S. work to “effectively deter and respond to bad actors.”
Rep. John Ratcliffe (R-Texas), chairman of the Homeland Security subcommittee on cybersecurity and infrastructure protection, said the strategy shows the administration’s “strong commitment to improving the cyber posture of our nation.”
Democrats were less enthusiastic.
“I agree that our adversaries need to know that we can — and will — challenge them in cyberspace,” Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, said in a statement. “But as the country with the most innovative economy in the world, we must also acknowledge the abiding interest of the United States in encouraging stability in this domain.”
He added that there are other ways to respond to cyberattacks that “need not always include a cyber component.”
The Obama administration often responded to cyberattacks with sanctions against other countries. For example, after the U.S. intelligence community determined that Russia had interfered in the 2016 election, then-President Obama imposed sanctions against the country and expelled Russian diplomats from the U.S.
The administration’s new strategy doesn’t specify what offensive attacks are fair game; instead, it says “instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States.”
The authorized actions are apparently included in a directive signed by the president in recent weeks, the same order that rescinded the Obama-era guidance which required several federal departments and agencies to be consulted before any adversarial actions are carried out. That directive is not public.
Ari Schwartz, who was senior director for cybersecurity in the Obama White House, told The Hill that from his conversations with people familiar with the document, it appears that Trump’s approach involves soliciting feedback from federal agencies on potential cyber actions on a case-by-case basis, rather than requiring that specific agencies be involved in each decision.
Brandon Valeriano, the Donald Bren Chair of Armed Politics at the Marine Corps University, warned that the targets of U.S. cyber actions could very well retaliate, and that “could lead to escalation and arms races” in cyberspace.
“Certain things are not targeted, certain things are not done,” he said during a press call organized by the Atlantic Council, where he is a senior fellow, adding that breaking those norms could change the unwritten rules on cyber.
Jason Healey, a senior research scholar at Columbia University who was director for cyber infrastructure protection during the George W. Bush administration, said during the same call that he’s in favor of a more-aggressive strategy, with the caveat that it could result in other countries building up their own cyber arsenals to keep pace with the U.S.
“We are all standing knee-deep in tinder and gasoline with the vulnerabilities in cyberspace,” Healey said. “So when I hear someone say that we have to fight fire with fire, I think of a lot of reasons for caution on it.”
Schwartz, the Obama-era cyber official and the current managing director of cybersecurity services at the law firm Venable LLP, said that he doesn’t believe that offensive actions will serve as more or less of a deterrent than existing measures.
“It doesn't take a cyber action to get people to change, it takes an action,” he said. “And the U.S. has a very strong ability to respond in lots of different ways, and we should use all of those tools. And we have been using all of those tools to some extent.”