The White House released a new cybersecurity strategy today, with several important changes in direction meant to give government agencies and law enforcement partners a greater ability to respond to cybercrime and nation-state attacks.
The 40-page document mostly stays the course for past initiatives — like working to strengthen the organizations that make up the country’s “critical infrastructure” industries, including electrical operators and financial institutions.
But some of the changes emphasize a shift toward a more offensive cybersecurity posture, a longtime request fromm the National Security Agency and cybersecurity branches of the U.S. Armed Forces.
The document also builds on efforts by the Trump and Obama administrations to “name and shame” more cybercriminals, and the countries that back them, while acknowledging the available to federal cyber operators have been limited.
“Russia, Iran, and North Korea conducted reckless cyber attacks that harmed American and America’s prosperity and security depend on how we respond to international businesses and our allies and partners without paying costs likely to deter future cyber aggression,” the document says.
It highlights the increasingly consolidated cybersecurity powers in U.S. agencies, with the Department of Homeland Security playing a growing domestic, consultative role in cyber defense, and the Department of Defense taking a more robust offensive stance than before.
The strategy codifies the ability of agencies aligned with the Department of Defense, like the NSA and military branches, to conduct offensive actions in cyberspace.
This means these agencies will be able to go after the overseas sources of attacks more proactively. These activities can be risky, as cybercriminals may position their attacks from a neutral third party or a non-hostile country, making it more complicated for the U.S. to engage in cyber battles. These back-and-forth attacks can also cause damage to the infrastructure that supports the internet, particularly telecommunications providers.
But NSA leaders have long sought a clear green light to conduct operations meant to counter the scale of those launched by nations like Russia against voting infrastructure and financial institutions; or China, against private corporations and government contractors, targeting intellectual property.
This strategy gets the agency and law enforcement partners closer than ever to being allowed to make these offensive bids, which could include dismantling “botnets” — which are collections of compromised computers and devices used to attack corporate or government targets — underground cyber black markets, or other sources of cyberattacks.
The strategy mentions in nearly every section that federal cybersecurity efforts hinge on support from private industry.
The plan lays out seven industries that will have priority in terms of information sharing with government partners: “national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”
It also lends support for law enforcement agencies to decrypt the communications of suspected criminals: “law enforcement will work with private industry to confront challenges presented by technological barriers, such as anonymization and encryption technologies, to obtain time-sensitive evidence pursuant to appropriate legal process.”
The White House also expects tech start-ups and private industry to work with government agencies in how they develop artificial intelligence and quantum computing products that could help deter cyber threats.
This increasing focus on the role of American companies in combating cybercrime alongside government agencies can be problematic to companies that fall into any of these categories. That’s because corporations must comply with privacy and security laws in all the countries where they operate — not just the United States.
Unsurprisingly, some foreign jurisdictions don’t support sharing data about their citizens with U.S. law enforcement agencies or security agencies. Multinationals will increasingly have to engage in a delicate diplomatic effort to do their part in information-sharing with government agencies while appeasing local authorities where they operate. This is particularly in countries that are cyber rivals like Russia and China; or in privacy-minded jurisdictions like Germany and South Korea.
Not much has been said about the administration’s plan for increasing operations in space, but the new cybersecurity strategy offers some brief insights into what they might be worried about.
The U.S. will enhance efforts to protect “space assets” including instruments that deal with positioning, navigation and timing; intelligence gathering, surveillance and reconnaissance; satellite communications; and weather monitoring. ]
“We will work with industry and international partners to strengthen the cyber resilience of existing and future space systems,” according to the strategy.