National Security Council delays publication of cyber strategy over inclusion of ‘offensive’ measures
A public summary of the Trump administration’s cyber-deterrence strategy has been delayed because of internal disputes over retaliatory hacking measures, two current U.S. officials familiar with the matter tell CyberScoop.
According to sources, several National Security Council staffers are seeking edits that emphasize repercussions if an adversary attacks either the U.S. government or a U.S.-based company in cyberspace. The strategy’s outline was supposed to be released last Friday alongside other government cybersecurity reports, but it was held up after an NSC member requested a postponement.
The summary, although not as comprehensive as the strategy itself, is important because it would broadly inform the public about the government’s secret plan of action and signal to adversaries what behaviors cross a red line.
Originally, the Trump administration mandated the creation of a cyber-deterrence framework through the cybersecurity executive order released in May 2017. A classified document that defines response options for when the country comes under cyberattack has already been submitted to Congress.
The sources spoke on condition of anonymity to discuss an ongoing policy debate that’s taking place at the highest levels of government.
Broadly speaking, Trump’s cyber deterrence plan leans on the government’s ability to collaborate with U.S. tech companies in order to combat emerging cyberthreats, one U.S. official said. The delayed release of the aforementioned summary and other reports, however, came as a surprise to many of these same private sector partners.
Several industry groups were planning coordinated press releases on Friday about their own private-public cybersecurity efforts to mirror the White House’s release plan. For example, telecom companies were planning to publish a tandem report about shutting down botnets, but that was called off. Some of the companies held off on releasing their own reports late last week, a move that annoyed the private sector after they had taken time to compile information supporting the Trump administration’s cybersecurity initiatives.
The U.S. Telecom Association did not respond to a request for comment prior to publication. The CSDE, a joint trade group made up of USTelecom and the Information Technology Industry Council (ITI), published an anti-botnet guide on Friday that did not mention the cybersecurity executive order or U.S. government by name.
Being able to work closely with the private sector is critical for the government as it continues to take on new cybersecurity challenges, experts say. With the recent departure of White House Cybersecurity Coordinator Rob Joyce and Homeland Security Adviser Thomas Bossert, the White House lost its two most prominent figures who were actively fostering relationships with the private sector on cybersecurity matters.
Politico reported Monday that the White House had been planning to publicize several different cybersecurity reports on Friday, but that plan was scrapped by National Security Adviser John Bolton’s deputy Mira Ricardel at the specific request of NSC staffer Joshua Steinman. The cyber-deterrence strategy summary was going to be one of these publicized documents.
The idea was to release multiple related cybersecurity reports — some even detailing the progress made by federal agencies to improve their own cybersecurity practices — for the one-year anniversary of the cybersecurity executive order.
Steinman, according to Politico, lobbied against Friday’s comprehensive rollout to “stick it to” Joyce on his last day at the White House. CyberScoop first reported that Steinman had been disparaging Joyce’s work in front of Bolton in an attempt to succeed Joyce, taking over the top cybersecurity policy job in government.
The NSC referred CyberScoop to the State Department regarding the deterrence strategy summary. The State Department did not respond to a request for comment prior to publication. The Secretary of State is one of the people who are supposed to be involved in crafting the deterrence strategy, according to the cybersecurity executive order.
In past years, the government has released limited information about classified cybersecurity policies in order to educate the public. For example, in 2014, former White House Cybersecurity Coordinator Michael Daniel wrote a blog post explaining the existence of and basis for the Vulnerabilities Equities Process (VEP), although it was secret at the time. Daniel’s blog explained how government agencies involved in offensive cyber-operations, like the NSA and CIA, were supposed to follow guidelines whenever they discovered or implemented a so-called zero-day vulnerability.
Joyce further elaborated in a November 2017 release, which brought additional transparency to the equities process.