The Trump administration is developing a new cyber security strategy that will build on work being done as part of an executive order the president signed in May and it will contain a vision, something the nation current lacks for cyber security, a senior White House official said on Tuesday.
The “objective” is to put out a new cyber strategy and the “executive order gives you a good blueprint, and the blueprint is to organize our efforts into three component parts,” Tom Bossert, assistant to the president of Homeland Security and Counterterrorism, said during a press gaggle after he spoke at a cyber security conference.
President Donald Trump on May 11 issued his executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The key themes of the directive are bolstering the security of federal networks, strengthening the cyber security of critical infrastructure, and developing options to deter cyber attacks and protect Americans from cyber attacks. The order calls for reports from different federal departments around each thrust in the directive.
Bossert said strengthening the security of federal networks is a “function … of practicing what we preach before we preach it to others. On the deterrence front, he said one half of the challenge is to create normal behavior among the U.S. and “likeminded allies” for operating on the Internet, “and how they want to hold their citizens to a standard of behavior.”
The other side of the deterrence equation comes down to improved defenses, Bossert said, noting that the administration has been “very clear” that this includes “increased costs to the adversary” through “better collective defenses and also better individual defenses.”
Another component to the defensive side of deterrence includes the “punitive steps” a nation reserves for its own defense, he said. In September, Bossert said that the administration will likely resort to traditional means to deter bad behavior in cyberspace, saying that punishment would likely be meted out in a “way that is real world not cyber world.”
Bossert wouldn’t put a timeline for when the new cyber strategy will be issued, saying it will be ready when the administration is “prepared to put forward a strategy that will be beneficial.” He also said that the administration is being careful not to “telegraph to the public” everything necessary to defending U.S. networks.
The administration of President George W. Bush signed off on a National Strategy to Secure Cyberspace in 2003 and followed that up in 2008 with the Comprehensive National Cybersecurity Initiative. The Obama administration adopted the Bush plans and then built on them, resulting in a Cybersecurity National Action Plan in 2016, that among other things called for modernizing the information technology networks of the federal government, increased cyber security spending by the federal government, and providing recommendations to the next administration.
Bossert, speaking at the Federal Ignite 2017 conference hosted by the cyber security company Palo Alto Networks [PANW], said “I don’t think we have a collective vision” for cyber security. “If fact, I’d like to get this room to wrap their heads around what it is that we’re trying to do because the term cyber security itself is elusive.”
Earlier in the conference, Rep. John Ratcliffe (R-Texas), chairman of the House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, told attendees that he’s ready to “lean in” to help achieve a “cyber security moonshot” that some industry and government officials have said will help solve the nation’s cyber insecurity.
Ratcliffe said he’s “trying to get other members of Congress on board as well.” He also said that his contribution will include “guiding parameters,” adding that the goals of the moonshot need more clarity and precision.
Mark McLaughlin, chairman and CEO of Palo Alto Networks, said in remarks following Ratcliffe’s that the U.S. should consider setting a 10-year goal for security the Internet.
But Bossert, in his remarks before attendees and later to the media, said of putting up a goal like securing the Internet in 10 years, “I’m not sure if it’s achievable.” If a “unified vision” for cyber security can be hammered out, “I’d be thrilled. If we come out with a way to actually achieve it in four years I’d be astonished.”
The type of terminology that Bossert believes best applies to cyber security is risk management, “the idea there being that you always have to manage risk, mitigate it, and manage it to a tolerable level, and there are going to be different people and different situations that should have the right to tolerate their own risk,” he said.
Instead of focusing just on protecting a network, Bossert said it would be better to protect the “crown jewels” that are on a network, and that’s the data.
Bossert noted that a moonshot has merit around developing the nation’s cyber workforce. He cited Department of Labor statistics that show the U.S. is short about 300,000 cyber workers.