The U.S. Administration released its new National Cyber Strategy on Thursday, covering a broad range of security-related issues that fall into four main categories, which it refers to as ‘pillars’.
The first pillar includes securing federal networks and information, securing critical infrastructure, fighting cybercrime and seeking improved incident reporting. The second pillar outlines efforts to promote a digital economy, bolster the protection of U.S. ingenuity, and build a more robust cybersecurity workforce. Pillar three focuses on efforts to encourage cyber norms and to both attribute and deter bad behavior. And the final pillar promises to work with ‘like-minded’ countries and to build international cyber capacity.
The plan follows the Pentagon’s new cyber strategy, also released last week.
The Cipher Brief tapped a number of our experts, including former senior leaders from DHS, NSA, DoD, and the NSA's UK counterpart, GCHQ, as well as private sector partners, to get their take on the 26-page document and the Administration’s plan forward.
Michael Chertoff, Former Secretary of Homeland Security
“The newly released National Cyber Security Strategy is a comprehensive and sensible roadmap that builds on the work done by the two previous Administrations. Notably, the strategy emphasizes U.S. commitments to internet freedom and the importance of promoting international law and norms. Allies will welcome the repeated calls for international collaboration in deterring bad actors and building capacity. Now to translate these words into actions!”
David Omand, Former Director, GCHQ
Former Director of GCHQ (the UK Sigint Agency)
“The strategic themes make a lot of sense in the light of serious developments in the cyber threat to the U.S. and its allies, not least Russian interference in the 2016 U.S. Presidential as with other elections elsewhere. The U.S. now appears to be following some of the same active defence strategy as the UK, as announced earlier this year in the UK cybersecurity strategy, namely, a pronounced shift from a purely defensive, passive set of defences around key networks, to a pro-active stance to build active defences and to be able to challenge those who engage in malign cyber activities, whether criminal or from hostile states. In that respect, the U.S. strategy seems much more open to the use of offensive cyber means as an accepted form of defending forward, rather than as seemed to be the case under the previous administration, an exceptional activity only to be contemplated in extraordinary circumstances. This should give potential attackers pause for thought. There are welcome references at several places in the US strategy to working with close allies and partners, not least to develop norms of good conduct for states in cyberspace.”
Stewart Baker, Former General Counsel of the National Security Agency
“The emphasis on attribution and deterrence is welcome, as is the development of those concepts into more concrete proposals on a cyber deterrence initiative and rapid retaliation. Attribution is the one defensive tool that seems to be getting better, not worse, over time, probably because attribution builds on the same human weaknesses that undermine our other defenses. As attribution gets better, we need to improve our capability for retribution. We need retaliation options that are kinetic, imaginative, and in some cases barely short of war, if we want to persuade attackers that escalation will end badly for them. That's a tall order, but one this administration has at least opened the door for.”
Admiral James 'Sandy' Winnefeld, Former Vice Chairman, Joint Chiefs of Staff
“This important document seems clearly written and fairly straightforward, though I see little that is brand new. It is not clear to me, however, what new authorities will be given to the various U.S. agencies to more actively defend the U.S. against malign actors, including states, criminals, and other disruptive persons or organizations. For example, if, through their own reconnaissance, US CYBER Command or an intelligence agency see an incipient cyber attack developing, do they now have additional authorities to take preemptive action to prevent it? If so, what kind of action, and on whose authority? How do the concepts of necessity and proportionality as well as a determination of the imminence of an attack, play out in this environment? What if the countering action must be executed through hardware located within a third nation's territory? We grappled with these questions years ago, and found that the issue was about both authorities and capabilities, each of which are problematic. It goes without saying that the specific answers to some of these questions would be classified, but the document might suggest additional authorities if they have indeed been granted.”