He did not elaborate on the nature of the offensive operations, how significant they are, or what specific malign behavior they are intended to counter.
The Trump administration is focused on foreign governments’ attempts to target U.S. networks and interfere in November’s election. The strategy incorporates a new classified presidential directive that replaced one from the Obama administration, Bolton said. It allows the military and other agencies to undertake cyber operations intended to protect their systems and the nation’s critical networks.
Bolton’s remarks are consistent with the Trump administration’s posture toward cyber deterrence, which is considered to be more aggressive in comparison to former administrations’ positions. He cast the latest move as part of an effort to “create structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.”
In general, the president’s directive — called National Security Presidential Memorandum 13, or NSPM 13 — frees the military to engage, without a lengthy approval process, in actions that fall below the “use of force” or a level that would cause death, destruction or significant economic impacts, said individuals familiar with the policy who spoke on the condition of anonymity to discuss nonpublic information.
“As a policy matter, Bolton’s remarks likely mean the administration is willing to take more risks than previous administrations, but the proof will be in the results,” said Michael Daniel, who was cyber coordinator for the Obama Administration.
Trump’s strategy builds on those put forward by previous administrations and incorporates initiatives already underway, such as using a “risk-management” approach to addressing vulnerabilities in critical infrastructure.
Overall, the strategy almost mirrors the Obama administration’s national cybersecurity action plan issued in 2016, which grew from the best practices developed in the cybersecurity industry and the Commerce Department, said Ari Schwartz, a former senior cyber official for the Obama administration.
The strategy “does not go far enough in accelerating the reforms that need to be made,” said Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus. It’s good to clarify the roles of federal agencies in protecting critical infrastructure, he said, but “the document often fails to provide the strategic guidance regarding what trade-offs we should expect to make” between regulating and responding to the needs of those who operate critical systems.
Langevin said it is ironic that Bolton eliminated the position of White House cyber coordinator when he took office earlier this year. Langevin said cyber coordinator is “the very position best able to address these trade-offs at a national level.”
Bolton said he did so to “eliminate the duplication and overlap” on the National Security Council staff. He said other directorates — intelligence and counterproliferation, for instance — were headed by directors but did not have a coordinator above that position.
The issue of responding to cyber provocations has been hotly debated for years. The Obama administration was criticized for being too slow and too timid. Some former officials pushed back, saying the obstacle to responding aggressively to a foreign cyberattack was not the policy, but the inability of agencies to deliver a forceful response.
“When you got to the point of saying, ‘Okay, what do you have for us?’ there was not much ready to go,” said Schwartz, now managing director for cybersecurity services at the law firm Venable.
The new White House document comes on the heels of a Pentagon cyber strategy issued this week that focuses on China and Russia as the United States’ top adversaries. “This is attributed to their roles, respectively, in eroding U.S. military and economic vitality and challenging our democratic processes,” said Kate Charlet, a former senior Pentagon cyber official who is now at the Carnegie Endowment for International Peace.
The Defense Department strategy also calls for “confronting threats before they reach U.S. networks.” U.S. Cyber Command has always been tasked with defending the nation against attacks while operating outside U.S. borders. Now defensive activity will take place in the context of “day-to-day great power competition” rather than in crisis.
“The new approach derives from a growing consensus that lower-level malicious campaigns pose a major, cumulative risk and must be contested,” Charlet said. This is right, she said, but the Pentagon “must not find itself so focused on the day-to-day that it underprepares for major conflict.”
The strategy also makes more explicit the Defense Department’s role in deterring or defeating cyber operations targeting U.S. critical infrastructure that is “likely to cause a significant cyber incident.”