White House announces federal cyber strategy, vows to go on offensive

The White House announced a new national cybersecurity strategy Thursday in an effort raise federal network defenses and more aggressively deter foreign adversaries from threatening U.S. interests.

“We’re going to do a lot of things offensively and I think our adversaries need to know that,” White House national security adviser John Bolton told reporters. Defensive measures are central to the document, but Bolton’s call with reporters emphasized offense.

“We will identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving the United States’ overmatch in and through cyberspace,” Bolton said.

The strategy is a template through which federal agencies can carry out their own cybersecurity mandates, according to Bolton.

“I’m satisfied that this allows us the comprehensive look at strategy across the entire government,” he said. “Each agency knows its lane and is pursuing it vigorously. That’s true in the unclassified world; it’s true in the classified world as well.”

In a statement, President Donald Trump said the United States “cannot ignore the costs of malicious cyber activity — economic or otherwise — directed at America’s Government, businesses, and private individuals.” The strategy, he added, will make agencies more effective in carrying out their cybersecurity missions.

The White House’s approach to cybersecurity has changed markedly since Bolton’s arrival at the National Security Council in April.

In August, Trump rescinded a key policy document that governed the approval process for cyberattacks conducted by the U.S. government, potentially opening the door to more offensive operations. NSC officials had for months been pushing to replace Presidential Policy Directive 20 in an effort to give U.S. military hackers more leeway to go after adversaries.

“Our hands are not tied as they were in the Obama administration,” Bolton said Thursday, adding that the directive that replaced PPD 20 is “very different” and “we hope will provide the necessary coordination and direction, but still enable these operations to be conducted in a timely fashion.”

Describing U.S. hacking operations as critical to deterring adversaries in cyberspace, Bolton said the new strategy includes a classified annex that “reinforces in many respects” the rescinding of PPD 20.

“We have authorized offensive cyber-operations that will be undertaken through the coordination process in the new presidential directive…not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear,” Bolton said.

The policy shift follows steady calls from Capitol Hill for a more offensive U.S. posture to counter nation-state threats. Rep. Michael McCaul, R-Texas, said recently that the United States should respond with offensive cyber operations if the Russian government tries to meddle in the 2018 U.S. midterm elections like it did in the 2016 presidential election.

Bolton: I inherited a ‘duplicative’ cyber structure

Key NSC personnel changes have also occurred under Bolton. Rob Joyce, a respected veteran of the National Security Agency, left his post as White House cybersecurity coordinator in May amid reported infighting at the NSC. Shortly after Joyce’s departure, Bolton eliminated the coordinator position in a move administration officials said would cut red tape but which former U.S. officials and Democratic lawmakers criticized as shirking leadership on the issue.

Bolton defended the decision, telling reporters: “I inherited a structure in the National Security [Council] staff that was duplicative and overlapping.”

Various federal agencies have released cybersecurity strategies in recent months. The Department of Homeland Security’s strategy, published in May, seeks closer coordination with critical infrastructure companies that are the target of advanced cyberthreats. The Defense Department’s new strategy, released this week, harps on defending against the “persistent, aggressive” cyber activity of Russia and China. During the press call, Bolton blamed China for the 2015 breach of the Office of Personnel Management which exposed the personal information of over 22 million current and former federal workers.

The new White House strategy, more than any other, will set the overall tone of how the Trump administration approaches cyberspace.  The document is meant to be a “living,” Bolton said, and therefore reviewed periodically and, if necessary, updated.

There is plenty of work ahead in that vein, Bolton indicated. “I’m doing the best I can,” he said, pointing out that he had only been on the job five months.