Many cybersecurity experts and lawmakers from both sides of the aisle are applauding Trump's new national cyber strategy, which takes on a more offensive tone than previous guiding directives.
Between the lines: Many are also quick to point out it doesn't specify new details that go beyond the guidance of previous administrations.
Rep. Jim Langevin (D-R.I.), the co-chair of the Congressional Cybersecurity Caucus argues that the strategy "does not go far enough in accelerating the reforms that need to be made...Unfortunately, the strategy is largely a restatement of recommendations that have carried through the last several Administrations."
Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, explains, "[w]hile the U.S. led in introducing national cyber strategies, you could argue that now we have fallen a little behind in introducing new organizations. Israel and the UK, for example, have built specialized cyber agencies."
Tommy Ross, senior director of policy at the Software Alliance, says "offensive operations often hinge upon the ability of governments to take advantage of vulnerabilities and flaws in products that are produced by the private sector." But "as customers see those products interfered with or exploited, it can undermine their trust" in the private sector.
Brett Bruen, the Obama administration's director of global engagement, tells me "this is part of the administration's effort to relabel everything under the new administration." Bruen says more focus needs to be on the issue that "we still don’t have a functional disinformation capability within the U.S. government" to battle social media misinformation. "This is a much more serious threat than they are acknowledging."
The other side:
- Michael Daniel, Obama's cybersecurity coordinator: "It strikes a good balance between defensive actions and seeking to impose consequences on malicious actors…The resulting product is an example of what a national strategy should look like on an issue that truly is nonpartisan."
- Rep. Mike McCaul (R-Texas), chairman of the House Homeland Security Committee, emails: "This strategy will help better combat malicious cyber acts from foreign adversaries like Russia, China, Iran, and North Korea."
- Rep. John Ratcliffe (R-Texas), chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection: "I look forward to leading the cyber subcommittee’s collaboration with the administration to critically examine the key principles of the National Cyber Strategy. We must define DHS’ specific role in its implementation, so we can ensure a robust approach is utilized to most effectively address our top cyber priorities both foreign and domestic."
- Sen. James Lankford (R-Okla.): "It is good for the US to finally have a National Cyber Strategy in place to work to secure critical networks, effectively deter and respond to bad actors, and protect our economy while promoting a free and open internet...This has been a significant need for years."
- Sen. Mike Rounds (R-S.D.): "I’m glad to see the admin. prioritize our nation’s cybersecurity and recognize the need for a strong deterrent that includes the use of offensive capabilities. Taking a more offensive approach to cyber-attacks will allow us to swiftly and preemptively address an imminent attack."
The takeaway: The strategy announcement is a positive outcome, but there is still a lack of clarity on overlapping cyber responsibilities between federal agencies. There is likewise no specification about whether there's a "red line," after which, if crossed, the U.S. would respond. A "red line" could erode deterrence by allowing adversaries to move forward until that point with no repercussions.
- One new thing: The U.S. is kicking off an "international Cyber Deterrence Initiative," through which the U.S. and partners will aim to boost each other's attribution efforts, consequences, and responses on cyber incidents.