The Trump administration on Thursday took its most significant step yet to project a tougher stance in cyberspace.
After months of pressure from Congress, the White House unveiled its long-awaited national cyber strategy outlining efforts to harden federal cybersecurity and deter malicious actors from launching digital attacks against the United States. That included authorizing offensive cyber operations against foreign adversaries, said national security adviser John Bolton, who confirmed in a news briefing that President Trump had pared back Obama-era rules restricting such activities, as my colleague Ellen Nakashima reported.
The 40-page document contains little in the way of new proposals, drawing mostly from the work of previous administrations. But it allows the Trump administration to make a more credible case that it's serious about deterring cyberaggression from Russia and other foreign adversaries amid intense criticism from lawmakers and cybersecurity experts that it hasn't done enough.
“I’m glad to see the administration prioritize our nation’s cybersecurity and recognize the need for a strong deterrent that includes the use of offensive capabilities,” Sen. Mike Rounds (R-S.D.), chair of the Armed Services subcommittee on cybersecurity, told me in an email. “Taking a more offensive approach to cyberattacks will allow us to swiftly and preemptively address an imminent attack. I look forward to reviewing the full National Cyber Strategy in the coming days.”
The document itself doesn't mention the use of offensive cyber operations, but it emphasizes that the administration will use "all instruments of national power" to "impose consequences" on malicious cyber actors. To date, that has involved levying sanctions, issuing indictments and "naming and shaming" those linked to cyberattacks from Russia and North Korea.
But Bolton said in Thursday's news conference that the White House had "authorized offensive cyber operations... not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear." He didn't elaborate on the nature of the offensive operations, how significant they were, or what specific malign behavior they were intended to counter, as Ellen reported.
Democrats signaled they were pleased the administration had offered a formal strategy but criticized the White House for offering few specifics about how it would actually implement the strategy.
“The White House strategy document outlines a number of important and well-established cyber priorities,” Sen. Mark R. Warner (Va.), the ranking Democrat on the Intelligence Committee, said in a statement. “The Administration must now move beyond vague policy proposals and into concrete action towards achieving those goals.”
Trump’s strategy contains four broad sets of goals:
- Improving national security by protecting federal computer networks and securing the country’s critical infrastructure. This includes giving the Department of Homeland Security more oversight of civilian cybersecurity efforts and combating cybercrime by cooperating with other countries to track down cyber criminals.
- Boosting the digital economy by promoting innovation in the technology sector and building up the government’s cybersecurity workforce. The administration says it will work with tech companies to promote cybersecurity testing in new products and “improve recruitment and retention of highly qualified cybersecurity professionals.”
- Combating cyberthreats by attributing and deterring “unacceptable behavior” and promoting international norms in cyberspace. The strategy says the administration will use “all instruments of national power” to deter cyberattacks and impose “swift and transparent consequences” against malicious actors. It also calls for a “Cyber Deterrence Initiative” made up of foreign allies to support each other’s responses to major cyberattacks.
- Advocating for Internet freedom around the world and helping equip U.S. allies with cyber capabilities to address “threats that target mutual interests.”
The strategy largely builds work that has already been set in motion, such as using a “risk management” approach to addressing vulnerabilities in critical networks, as Ellen notes. Per Ellen: “Overall, the strategy almost directly mirrors the Obama administration’s national cybersecurity action plan issued in 2016, which grew from best practices developed by industry and the Commerce Department, said Ari Schwartz, a former senior cyber official in the Obama administration.”
Rep. Jim Langevin (D-R.I.) co-chair of the Congressional Cybersecurity Caucus, said that although he supported the strategy’s aims, “it does not go far enough in accelerating the reforms that need to be made.” He noted that the White House had recently eliminated the role of cyber coordinator, which he said was the best position to marshal some of the strategy’s goals. “Without strong executive leadership from the White House, I am concerned that agencies will approach their priority actions under this strategy in an ad hoc manner that does not translate into a decisive national policy,” he said.
But some former Obama administration officials gave the strategy high marks. Michael Daniel, who served as White House cybersecurity coordinator under President Barack Obama, praised the strategy on Twitter, saying it “charts a solid path forward to strengthen and protect users who rely on the Internet and the digital ecosystem.” He continued:
It strikes a good balance between defensive actions and seeking to impose consequences on malicious actors. Further, it’s clear that this strategy is a reflection of a strong policy development process across administrations.— J. Michael Daniel (@CyAlliancePrez) September 21, 2018
This document shows what a national strategy can look like on an issue that truly is nonpartisan. This strategy protects end-users, disrupts malicious actions, and elevates overall security for everyone. I commend the U.S. government for issuing a strong document.— J. Michael Daniel (@CyAlliancePrez) September 21, 2018
Christopher Painter, the State Departments former top cyber diplomat under Obama, said that making cybersecurity a core national security issue would be "easier said than done." But he, too, said he was satisfied by the Trump administration's move:
This is a good document that is largely consistent w/& builds on existing policies (that is a good thing). I applaud the emphasis on imposing costs on bad state actors & the launch of a int’l cyber deterrence initiative but we need to move from aspiration to action. https://t.co/50feFYC9Mc— Chris Painter (@C_Painter) September 21, 2018
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Four distributed denial-of-service attacks targeted the campaign website of Bryan Caforio, who unsuccessfully ran for the Democratic nomination in California's 25th Congressional District earlier this year, Rolling Stone's Andy Kroll reported Thursday. “The four apparent DDoS attacks on Caforio’s campaign happened in a five-week span from April to May 2018, according to documents obtained by Rolling Stone,” Kroll wrote. “Each time, the hosting company alerted the campaign that the website had gone down due to an unexpected spike in traffic. Like many upstart congressional campaigns, Caforio did not have a cybersecurity expert on staff or on contract. His campaign manager ended up hiring a cybersecurity consultant midway through the campaign to help strengthen its protections against future attacks.”
According to Rolling Stone, it appears to be the first time that DDoS attacks have been reported against a congressional candidate. “Emails obtained by Rolling Stone show that Caforio’s website was down for a total of 21 hours over the course of the primary,” Kroll wrote. “Even after the campaign added DDoS protection to the site, it created a lag for anyone trying to visit, which could’ve turned away more people. A source close to the campaign refused to blame Caforio’s narrow loss on the DDoS attacks but believes it made a difference in Caforio’s final vote tally.”
PATCHED: States are taking the security of their voter registration databases “seriously, though there’s still room for improvement,” according to a report issued Thursday by the nonpartisan Center for Election Innovation and Research. “The survey shows just how much progress states have made since 2016 in key areas of cybersecurity to prevent, detect, and mitigate foreign interference,” David Becker, the center's executive director, said in a statement. He added that Congress and state legislatures should provide “consistent funding” for election cybersecurity and said that “voters can feel confident their election officials have been working overtime to protect the security and integrity of voter registration data.”
The center sent a survey to all 50 states and the District of Columbia. It received completed surveys from 26 states while one state partially answered and three states refused to answer any questions for security reasons. Most of the states that responded to the survey support the use of “strong” passwords to access voter registration databases, according to the report. Additionally, half of the respondents have rolled out multi-factor authentication and at least one other state plans to implement it.
The report notes that hacking voter registration databases could undermine voters' confidence in the democratic system. “If an attack on a voter database was successful, provisional ballots could mitigate much of the risk to the actual vote-casting, but the chaos and confusion that would likely result from stressed poll workers, long lines, and frustrated voters could further damage Americans’ faith in our system,” the report said.
PWNED: An entrepreneur witnessed a demonstration of the Pegasus spyware from Israeli cyber surveillance company NSO Group, and he said it took just “five or seven minutes” for the content of his iPhone to show up on a screen, Motherboard's Lorenzo Franceschi-Bicchierai and Joseph Cox reported on Thursday. “Pegasus can infect fully up-to-date Android and iPhone devices, and siphon a target’s emails, Facebook chats, and photos; pick up their GPS location and phone calls, and much more,” Franceschi-Bicchierai and Cox wrote. “NSO provides this toolkit, and then customers — law enforcement or intelligence agencies — deploy it themselves on their targets. As the New York Times recently reported, NSO demos its products to potential clients. The company is currently facing a number of lawsuits, including allegations it participated in illegal hacking operations itself.”
Citing a source familiar with NSO Group, Motherboard reported that customers around the world have bought capabilities to target between about 350 and 500 devices. “For every potential sale, NSO has to get explicit permission — an export license — from Israel’s Ministry of Defense,” Franceschi-Bicchierai and Cox wrote. “With that green light, the company then asks a so-called business ethics committee to approve the sale.” However, some critics have expressed doubts that the company can effectively ensure that its spyware is not being used improperly by its customers.
— “The National Security Agency shut down expensive and vital operations as a result of top secret information being spirited out of its headquarters by a fired NSA computer engineer who claims he took the sensitive records home to work on bolstering his performance review, according to a report submitted to a federal court,” Politico’s Josh Gerstein reported Thursday. “Admiral Mike Rogers disclosed the far-reaching fallout in connection with the upcoming sentencing of Nghia Pho, 70, who pleaded guilty last December to taking highly classified information from the NSA from 2010 to 2015, when the FBI raided his Ellicott City, Maryland, home and hauled away a large volume of material.”
— Rep. Suzan DelBene (D-Wash.) on Thursday introduced a bill to ensure that companies' privacy policies are written in “plain English,” according to a news release from her office. The bill, which is co-sponsored by Rep. Hakeem Jeffries (D-N.Y.) and is called the Information Transparency and Personal Data Control Act, would also require companies to allow users to “opt in” for the use of their personal data. “With our nation's proud history of being the undeniable leader in tech innovation, the U.S. should be taking a lead in setting global norms in this vast arena,” DelBene said in a statement. “Under my plan, people won't have to dig through confusing policies and opt out of highly invasive settings. Privacy will be the default.”
— “Susquehanna County is the first Pennsylvania county to buy a voting system under new security standards by Gov. Tom Wolf’s administration,” the Associated Press reported. “State and county officials said Thursday the new optical scan system will be in use for the Nov. 6 general election.” Wolf has directed counties to adopt voting machines that include a paper trail, according to the AP.
— More cybersecurity news from the public sector:
— “Taiwan is bracing for an onslaught of cyber attacks from mainland China ahead of local elections in November intended to undermine a president who has defied Beijing’s efforts to bring the democratically ruled island under its control,” Bloomberg News's John Follain, Adela Lin and Samson Ellis reported Wednesday. “China, along with Russia and North Korea, may be increasingly testing out cyber hacking techniques in Taiwan before using them against the U.S. and other foreign powers, according to the Taiwanese government.”
— More cybersecurity news from abroad:
- Detect '18 conference in National Harbor, Md.
- ShellCon 2018 conference in San Pedro, Calif., through tomorrow.
- Two Senate Armed Services subcommittees hold a hearing on the Defense Department's “cyber operational readiness” on Wednesday.
- House Energy subcommittee hearing on the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response on Thursday.
Anti-doping agency votes to welcome back Russians:
Watch: Fogbow appears in Arctic Ocean
“Space Jam 2” slated to film in 2019: