President Trump’s advisor for homeland security explained the new administration’s perspectives on cyber deterrence, maintaining norms, and information technology (IT) modernization at an event March 15.
Thomas Bossert, assistant to the President for Homeland Security and Counterterrorism, gave the keynote at a Center for Security Studies and International Security (CSIS) cybersecurity summit, using it to introduce the priorities of the administration.
He said the U.S. has not previously put together a serious deterrent strategy. The administration’s idea will “take the Cabinet, bring them together very seriously, as we negotiate with our foreign enemies and frenemies and enemies, and figure out how we’re going to share information responsibly with our allies and how we are going to deter our adversaries,” Bossert said.
He noted the administration will take this seriously as a state objective and will be looking for achievable ideas. “I think that needs to be stated out loud,” he said.
Bossert said section three of the upcoming Executive Order on cyber security, expected in the following weeks or months, will relate to deterring enemies. “We need to look at sharing with our allies, but we need to also look at deterring their intent.”
When engaging nation-state actors on cyber issues he said the government must approach the issue carefully but norms are important. “They are our statement, as a country – as the country that invented the Internet, by the way – that we have a certain expectation for how people will behave themselves on an open, interoperable platform that allows for innovation, free trade, fair trade, and other things that we think are important to our societal organization, socioeconomic organization.”
Bossert said you start by candidly telling other countries how the U.S. expects them to behave and how the U.S. promises to behave in return. If the countries accept the agreed norms but then violate them, “we have a responsibility to call them out on it and we have a responsibility to do something about it.”
This seems to mirror the Obama administration’s policy on cyber norms which included U.S. agreements with China and others to prohibit the countries’ governments from cyber-enabled theft of intellectual property.
Last September then-President Barack Obama said the U.S. seeks to start instituting norms so countries act responsibly in the cyber realm and to avoid duplicating escalation cycles from previous arms races. “What we cannot do is have a situation in which suddenly this becomes the Wild, Wild West, where countries that have significant cyber capacity start engaging in competition — unhealthy competition or conflict through these means when, I think, wisely we’ve put in place some norms when it comes to using other weapons,” Obama said at the G-20 summit in September.
Bossert said he did not want to rush to put “anyone on notice or anything worse,” but that the government has to start establishing cyber norms, “establishing evidence that they’re violating those norms if they so choose, and then taking appropriate steps to penalize and disincent the behavior.”
He also highlighted that data localization, which countries like China and Russia are doing, is misguided and is the antithesis of fundamental U.S. values along with excluding services and goods from other countries.
U.S. responses to norm violations could include sanctions if appropriate and effective. Bossert said he has no problem recommending that to the president “but that’s getting way in front of ourselves right now. I think there’s also some very positive opportunities for us to continue constructive conversations from Asia to the Middle East to our allies in Western Europe.”
Kevin Mandia, CEO of FireEye, speaking to the media also on March 15 before his company’s 4th Annual Government Forum, said cyber deterrence is very hard and there are few incentives in particular against Russia.
“I don’t have all the data points and it’s a complex equation, but if we launched all our offensive tools against Russia in the cyber domain and they launched all their tools against the United States in the cyber domain, they win no matter what … And that’s because they control their media and they have less of a dependency on the infrastructure than we have,” Mandia said.
He added that asymmetry of freedom of the press in a country like Russia hurts the U.S. in cyberspace. “So they can invade our privacy, they could ruin careers, they can do a lot of different things that we cannot. Then you put on your Russia cap. Why would you stop if you can hack us? What is the deterrent? There isn’t one.”
Mandia did, however, see two deterrent mechanisms that can work: financial penalties and sanctions and military might. However, he said there are limits to military use of cyber.
Bossert also commented on the administration’s perspective on IT modernization.
“Federal networks at this point can no longer sustain themselves. We cannot tolerate indefensible technology, antiquated technology, hardware and software. Modernization is absolutely critical.” he said.
More specific details will come in the following weeks and months but Bossert said the budget choices will not reflect “an overnight modernization of the IT.”
He estimated the full IT modernization effort will cost about $90 billion but that requires additional time and “thoughtful analysis.” Additional funds will be followed by policy guidance at the Department of Homeland Security.
Major budgetary reforms on cyber security will require departments and agencies to report their risk management activities, report known and unmitigated risks, and determine investments. Meeting unmet needs is a budget mechanisms and additional budget cost item, Bossert said.
“We do need to address unmet needs in a budgetary matter in a regular ongoing basis as we assess risk and determine insufficiencies on behalf of the federal networks.”
“So that’s not a call for more money. It’s a call for efficiency. It’s tied hand in hand with modernization. Modernization is going to have a big price tag. But in the interim, we’re going to need a way to meet unmet needs with unrealized threats and unmitigated risks,” he added.
Bossert underscored that he believes the administration can get Capitol Hill support needed for this kind of budget flexibility. “Every single person I talk to, those that understand cyber security and those that just read about it in the paper, agree that we need some reform. And that’s the start.”
He also said there will be metrics associated with cyber security reform. The administration will require federal departments and agencies to adopt and implement the NIST Cybersecurity Framework (and subsequent iterations), produce a report for the administration on observance, he said, adding that the report will go through the Secretary of Homeland Security and the Office of Management and Budget.
“The idea there is for us to collectively render determinations on the adequacy of those mitigations strategies as management tactics,” Bossert said. “But also then it’s going to have to be done in some way as a – as a scorecard, right? How do we decide whether we’ve determined adequacy or sufficiency?”
The administration will develop metrics and they will probably not be public because as part of defending the collective federal enterprise “that will inherently will be something that we don’t want to reveal to the public or our enemies,” Bossert said.
He said he will know a metric when he sees it, specifically mentioning the Office of Personnel Management hacks and the failure to secure their data properly.
“We all now know that an antiquated hardware system and an antiquated database software system holding millions and millions of important records to our national security was a bad approach. That was known and unmitigated risk, contemplated through the lens of one agency who had responsibility for their enterprise.”