A Review of the Trump Administration’s National Cyber Strategy: Need for Renewal and Rethinking of the Public-Private Partnership in U.S. National Security Policy
March 31, 2021 | | Americas | Written by Wade H. Atkinson, Jr.
This article was originally published in the Summer 2020 edition of IWP’s student journal, Active Measures.
The Trump Administration’s National Cyber Strategy (NCS) was published in 2018 in a rapidly evolving threat environment due to the verification of increasingly sophisticated threats in cyber espionage, cyber physical attacks, and electoral manipulations. The NCS attempts to use a “whole of government” approach to Protect the Homeland, Promote American Prosperity, Preserve Peace Through Strength, and Advance American Influence (the “Four Pillars” of U.S. Cyber Strategy). At its core, the National Cyber Strategy seeks to use a renewal of the historic American Public-Private Partnership, which evolved from the post-World War II Defense Industrial Base to all forms of U.S. cyber security via real-time, comprehensive, and well-protected information-sharing among all critical U.S. entities about threat/defense/response actions.
From the Cold War to the Cyber Era
The post-Cold War era has seen a dramatic increase in cyber espionage, cyber attacks on physical entities, and cyber manipulation of democratic processes and elections. Those attacks have, in turn, required the progressive focus of U.S. administrations, beginning with Presidents Ronald Reagan, George H.W. Bush, Bill Clinton, George W. Bush, and Barrack Obama. In the words of one author, “in the eight years [Obama was] in the White House…cyber went from a nuisance to a mortal threat.”[1] This led to the Trump Administration’s Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (May 20, 2017) and culminated in the Trump Administration’s “National Cyber Strategy of the United States of America,” issued in September 2018.
The new “Cyber Era”[2] of fast-paced cyber offense and defense has seen various forms of intrusions, attacks, and manipulations, which can be broken down into three categories: cyber espionage intrusions (often with economic and geopolitical consequences), cyber attacks which resulted in physical and economic damage, and cyber manipulations of democratic processes and elections.
The first category of cyber espionage intrusions would include espionage-oriented cyber network intrusions with nicknames such as “Titan Rain,” “Mafia Boy,” “Epsilon,” “Morris Worm,” and the Chinese breach of the U.S. Office of Personnel Management (“OPM”). The second category of cyber attacks – attacks which resulted in physical and economic damage – include the original U.S. “logic bomb” which blew up the Soviet Siberian gas pipeline in 1982; the U.S./Israeli Stuxnet virus, which severely damaged Iranian nuclear centrifuges in 2010; the Iranian attack on Saudi ARAMCO in 2012, which resulted in severe economic and network damage to ARAMCO; the Iranian attack on the Bowman Avenue Dam in Rye, New York in 2013; the North Korean attack on Sony Pictures in 2014; and the Russian attack on the Ukrainian power grid in 2015. The third category of cyber manipulations of democratic processes and elections includes the Russian and Chinese use of social media platforms, such as Facebook, Google, and Twitter, to polarize electorates/disrupt democratic processes/manipulate elections in the U.S., U.K., and Germany from at least 2016 to the present.
Development of U.S. National Cybersecurity Policy from Presidents Reagan to Obama
Beginning with the Reagan Administration’s National Security Decision Directive Number 145 (NSDD-145) on September 17, 1984, the U.S. national security apparatus set up systems and processes (including a National Manager for Telecommunications Security and Automated Information Systems Security) to examine government telecommunications systems and automated information systems, to evaluate U.S. vulnerability to hostile interceptions and exploitation, and to use the National Bureau of Standards for Federal Information Processing Standards.[3] The George H.W. Bush Administration in National Security Directive-42 (NSD-42) of July 5, 1990, established a National Security Council/Policy Coordination Committee for National Security Telecommunications and Information Systems to provide systems security guidance for national security systems.[4] The Clinton Administration, in Presidential Decision Directive (PDD-63) of May 22, 1998, explicitly recognized the mutually reinforcing and dependent nature of the U.S. public and private sectors with the U.S. as the world’s strongest military and its largest national economy.[5] The Clinton Administration recognized the interdependence of the U.S. economy and military on “certain critical infrastructure and cyber-based information systems for the minimum operations of the economy and government in defense, telecommunications, energy, banking and finance, transportation, water systems, and emergency services.”[6] The Clinton Administration set the year 2003 as the deadline for achieving and maintaining the ability to protect the nation’s critical infrastructure from intentional attacks. NPP-63 also recognized that the elimination of potential U.S. vulnerability required “a closely coordinated public-private partnership to reduce vulnerability.”[7] NPP-63 designated for each sector of the economy vulnerable to an infrastructure attack a designated Lead Agency Senior Sector Liaison to work with the private sector and to develop a sectoral National Infrastructure Assurance Plan.
Perhaps most significantly for the development of the U.S. Cybersecurity Public-Private Partnership (“PPP”), the Clinton Administration’s NPP-63 initiated the use of Information Sharing and Analysis Centers (“ISACs”).[8] In ISACs, critical infrastructure owners and operators are brought together “to collect, analyze, and disseminate actionable threat information and provide members tools to mitigate risks and enhance resiliency.”[9] The Clinton Administration initiated the establishment of an ISAC, originally for each of the then seven designated critical infrastructure sectors, to coordinate with each other across sectors and with the government.[10] For instance, the first, the Financial Services ISAC (“FS-ISAC”) was formed in 1999 and has been operating for nearly 20 years. The Communication ISAC, also known as the DHS National Coordinating Center, is part of DHS’s National Cybersecurity and Communications Integration Center (“NCCIC”) – “the national nexus of cyber and communications integration for the Federal Government, the Intelligence Community, and Law Enforcement.”[11] More ISACs were formed and expanded during the Clinton and Bush Administrations and constitute one of the central hubs of the U.S. public-private partnership in cybersecurity. To date, ISACs have been established in 18 areas: Automotive, Aviation, Communication, Defense-Industrial Base, Downstream Natural Gas, Electricity, Emergency Management and Response, Financial Services, Health Information Technology, Multi-State (state, local, tribunal, and territorial governments), National Defense, Oil and Natural Gas, Real Estate, Research and Education Networks, Retail Businesses, Surface and Public Transportation, and Water and Wastewater.[12] Most recently, the Automotive ISAC (“Auto-ISAC”) signed a Cooperative Research and Development Agreement (“CRADA”), with DHS allowing for public-private collaboration with DHS on cyber threats to automated vehicles in order to detect and prevent vehicular cybersecurity threats. The CRADA allows Auto-ISAC members to obtain security clearances, access government facilities, and collaborate with DHS on issues relating to potential cybersecurity threats to automated vehicles.”[13]
Following 9/11 and the creation of the Department of Homeland Security (“DHS”) in 2001, the George W. Bush Administration formally addressed the issue of cybersecurity as part of the renewed interest in U.S. homeland security and simultaneously issued National Security Presidential Directive (NSPD-54) and Homeland Security Presidential Directive (HSPD-23) on January 8, 2008.[14] These documents’ goal was to provide an “enduring and comprehensive approach to cybersecurity that anticipates future cyber threats and technologies and involves applying all elements of national power and influence to secure national interests in cyberspace.”[15] NSPD-54/HSPD 23 also established the National Cyber Response Coordination Group (“NCRCG”) and the National Cybersecurity Center (“NCC”) at DHS. HSPD-23 tasked the Secretary of Homeland Security to prepare a report detailing policy and resource requirements for improving the protection of privately-owned U.S. critical infrastructure networks. In the post-9/11 environment, DHS increasingly became the centerpiece of U.S. non-defense and intelligence cybersecurity under its second Secretary, former U.S. Appellate Court Judge Michael Chertoff, who served from 2005-2009.[16]
The Obama Administration placed increased emphasis on cybersecurity and signed Executive Orders and National Security Presidential Directives (many of which are still classified) to bolster America’s response to cyber intrusions and cyber attacks. The Obama Administration also championed PPPs and the use and expansion of ISACs. Executive Order 13691 on “Promoting Private Sector Cybersecurity Information-Sharing” called on DHS “‘to develop a more efficient means for granting clearances to private sector individuals’ in Information Sharing and Analysis Organizations (‘ISAOs’) and to “identify a set of voluntary standards or guidelines” for them,” especially for sectors that, due to their unique needs, “cannot join an ISAC, but still have a need for cyber threat information and can benefit from membership in an ISAO.”[17] Executive Order 13636 on “Improving Critical Infrastructure Cybersecurity” emphasized the centrality of the PPP to the Obama Administration’s cybersecurity strategy. EO 13636 stated that: “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and… [promote innovation and efficiency] …through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”[18]
The Trump Administration National Cyber Strategy
The Trump Administration’s “National Cyber Strategy” was articulated in a rapidly evolving threat environment due to the verification of increasingly sophisticated threats in cyber espionage, cyber physical attacks, and electoral manipulations by criminal groups, state and non-state actors, and combinations of state and non-state actors. The public nature of the Sony Pictures attack, combining a devastating physical and economic attack on a U.S. commercial entity with related credible threats of domestic terrorism, and the lack of a clear response by the Obama Administration, crystallized the need for a National Cyber Strategy.[19]
The Trump National Cyber Strategy had its origins in Presidential Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (May 20, 2017), which dealt primarily with federal networks, procurement, and information infrastructure.[20] The lead agencies named in Executive Order 13800 were DHS and OMB (for all aspects of cybersecurity other than defense and intelligence) and DOD and DNI (for defense and intelligence network and infrastructure).[21]
Section 2 (a) of Executive Order 13800 stated:
It is the policy of the Executive Branch to use its authorities and capabilities to support the cybersecurity and risk management efforts of the owners and operators of the Nation’s Critical Infrastructure (as defined in Section 5195 (c) (e) of Title 42, USC) (critical infrastructure entities), as appropriate.[22]
Title 42, U.S.C. Section 5195 (c) (e), as adopted by the Patriot Act of 2001, defines critical infrastructure as:
…The term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.[23]
Executive Order 13800, Section 4 (a) also defines “appropriate stakeholders” as “any non-executive branch, person, or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and Secretary of Homeland Security under Section 2 (d) of EO 13800.”[24] (Section 2 (d) of EO 13800 refers specifically to Resilience Against Botnets and Other Automated Distributed Threats).[25]
Following on Executive Order 13800, in September 2018, the Trump Administration issued its “National Cyber Strategy of the United States of America.” This document put forth the “Four Pillars” of U.S. Cyber Strategy: Protecting the American People, the Homeland, and the American Way of Life (Pillar I); Promoting American Prosperity (Pillar II); Preserving Peace Through Strength (Pillar III); and Advancing American Influence (Pillar IV).[26]
In its Cover Letter and Introduction, the Trump Administration National Cyber Strategy issued a “call to action for all Americans and our great companies to take the necessary steps to enhance our national security”[27] in order “to reflect our principles, protect our security, and promote our prosperity based on the American values of individual liberty, free expression, free markets, and privacy.[28]
Pillar I on “Protecting the American People, the American Homeland, and the American Way of Life” focuses on Securing Federal Networks and Information, Securing Critical Infrastructure (as previously defined in 42 USC Sec. 5195 (c) (e)), and Combatting Cybercrime and Improving Incident Reporting.[29] Pillar I discusses protecting information networks, whether public or private, by both the public and private sectors as a “responsibility shared by the private sector and the federal government.”[30] This is to be done, in part, by managing supply chain risk in the nation’s infrastructure, using federal cyber standards (particularly in the defense-industrial base), and by adopting a risk management approach to mitigate vulnerabilities and raise the base level of cybersecurity across the critical infrastructure areas of national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.[31] Implementation of industry-driven certification regimes, incentivization of cybersecurity investments (presumably through the U.S. Tax Code), and creation of a National Critical Infrastructure Security Resilience Research and Development Plan to protect key infrastructure assets (such as assets for positioning, navigating, and timing (PNT assets), which are crucial to so many U.S. defense and consumer electronic devices) are the preferred means for achieving these objectives.[32] Pillar I also discusses the use of U.S. law enforcement to work with private industry to disable cybercriminal infrastructure (botnets and dark markets) and to confront challenges presented by technological barriers (such as anonymization and encryption technologies) to obtain time-sensitive evidence for appropriate legal processes.[33] In order to do this, the Trump Administration proposes to work with Congress to update electronic surveillance and computer crime statutes, use law enforcement tools to investigate and prosecute transnational crimes in cyberspace, and promote international law enforcement cooperation by use of the U.N. Convention on Transnational Organized Crime, The G-7 24/7 Network Points of Contact Program, and the expansion of the Council of Europe’s Budapest Convention on Cybercrime.[34]
Specifically, Section 3 of Pillar I, on “Securing Critical Infrastructure,” discusses the need to “Leverage Information and Communication Technology Providers as Cybersecurity Enablers.” It states:
Information and communications technology (ICT) underlies every sector in America. ICT providers are in a unique position to detect, prevent, and mitigate risk before it impacts their customers, and the Federal Government must work with these providers to provide ICT security and resilience in a targeted and efficient manner while protecting privacy and civil liberties. The United States Government will strengthen efforts to share information with ICT providers to enable them to respond and remediate known malicious cyber activity at the network level. This will include sharing classified threat and vulnerability information with cleared ICT operators and downgrading information to the unclassified level as much as possible. The U.S. will promote an adaptable, sustainable, and secure technology supply chain that supports security based on best practices and standards. The United States Government will convene stakeholders to devise cross-sector solutions to challenges at the network, device, and gateway layers, and we will encourage industry-driven certification regimes that ensure solutions can adapt in a rapidly evolving market and threat landscape.[35]
In Pillar II on “Promoting Prosperity,” the Trump Administration says that it expects the technology marketplace to support and reward the continuous development, adoption, and evolution of innovative scientific technology and processes by promoting best practices and developing strategies to overcome market barriers to adoption of secure technologies.[36] The Administration will improve awareness and transparency of cybersecurity practices to build market demand for more products and services in collaboration with international partners. This will be done by encouraging “best practices” in industry and facilitating next-generation telecommunications and information infrastructure in the U.S. using the evolution of 5-G technology, spectrum-based solutions, and emerging technologies, such as artificial intelligence (AI), quantum computing, and next-generation telecommunications infrastructure.[37] The Administration also proposes the free flow of data, digital trade, and cybersecurity innovation through “trade-related engagement, innovative tools, and best uses, in order to achieve full life-cycle cybersecurity using things such as strong default settings, upgradeable products, and best practices to differentiate products based on security features and foundational engineering practices.”[38] In order to achieve this, the U.S. will use strong intellectual property rights enforcement, the CFIUS process, and administrative enforcement agencies, such as the FCC, the FTC, and (presumably) the newly-created Cybersecurity and Infrastructure Security Agency to be created from the former DHS National Protection and Programs Directorate (“NPPD”). [39] Additionally, the Trump Administration proposes the development of a stronger U.S. cybersecurity workforce, through education, training, and the National Institute for Cybersecurity Education, which will educate and re-train secondary, post-secondary, vocational, and professional levels.[40]
In Pillar III on “Preserving Peace Through Strength,” the Trump Administration says that it will integrate the employment of cyber options across every element of U.S. national power using an integrated diplomatic, military, economic, and law enforcement approach to promote the U.S. national interest and preserve the U.S. “overmatch” in cyber technology.[41] For instance, it will encourage universal adherence to cyber norms, international law, and voluntary non-binding norms to achieve predictability and stability in cyberspace. It will also use the U.S. intelligence community and the U.S. International Cyber Deterrence Initiative to counter malign influence and information campaigns by working with “foreign government partners, the private sector, academia, and civil society.”[42]
Finally, in Pillar IV on “Advancing American Influence,” the Trump Administration promises a multi-stakeholder model of Internet governance based on a “transparent, bottom-up, consensus-driven process that enables governments, the private sector, civil society, academia, and the technical community to participate on an equal footing,” using diverse organizations, such as the Freedom Online Coalition, The Internet Governance Forum, and the U.N. Telecommunications Union, “to promote interoperable and reliable community infrastructure and Internet connectivity.”[43] Pillar IV states this can be achieved by “working with like-minded countries, industry, civil society, and stakeholders through integrated technical development, digital safety, training, policy advocacy, and research.[44] A priority will be enhancing Cyber Capacity Building Efforts “as building blocks for organizing national efforts for cybersecurity, sharing information, and threat warnings, cybersecurity coordination, and promoting analytical and technical exchanges in order to promote markets for American ingenuity overseas, including for emerging technologies, which can, in turn, lower the cost of security.”[45]
The Trump Administration has gone out of its to emphasize the PPP in its cybersecurity strategy. For instance, at the 2018 DHS National Cybersecurity Summit, Vice President Pence stated: “Cybersecurity is a shared responsibility and the President and I need you to be advocates in your industry and among your peers for greater cybersecurity collaboration.”[46] In addition to EO 13800 on “Strengthening the Cybersecurity of the Federal Networks and Critical Infrastructure” and the “National Cyber Strategy,” the recent “Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated Distributed Threats,” noted the importance of public-private partnerships and called for “collaboration to improve the ability of the ecosystem members to mitigate botnet threats.”[47]
The Evolution of the Public-Private Partnership in U.S. Cybersecurity Policy
At its heart, the Trump Administration National Cyber Strategy relies on a dramatic evolution in the nature of the Public-Private-Partnership (PPP) in U.S. national security by relying on continuous information-sharing and coordination, rather than manufacturing or production, to protect the U.S. from cyber espionage, cyber attacks, and cyber manipulation.
Historically, the U.S. private sector has always supported the U.S. national security sector enormously, and virtually unconditionally, with the building of ships, tanks, planes, and satellites, as well as large-scale, technology-driven projects, such as the Manhattan and the Apollo Projects; the integration of stealth technology and precision-guided weapons into military arsenals; and the Strategic Defense Initiative (SDI). These programs and projects enriched the private sector with government contracts and the public good with related security and technology innovations. The U.S. PPP grew out of necessity during the American Revolution and the War of 1812, continued through the U.S. Civil War, and was firmly established in the Presidential Emergency Powers granted under the Trading with the Enemy Act of 1918. President Franklin Roosevelt used the Trading with the Enemy Act to expand Presidential powers during the New Deal and for war preparation prior to the U.S. entry into World War II. Certain aspects of the PPP were expanded in the 1952 National Defense Act, which created the National Security Resources Board.[48] Generally, the PPP worked quite well through the Vietnam Era; contributed greatly to the Strategic Defense Initiative, which won the Cold War; and propelled the technology-driven integrated battle strategies, which won the two Gulf Wars in 1994 and 2003, in dramatic fashion.
However, the Trump Administration’s adaption of the PPP in its National Cyber Strategy represents a departure, by necessity, from the traditional PPP because it involves a continuous sharing and coordination of code, information, data (including trade secrets and proprietary data), and information/communication technology, not manufacturing or production, in a never-ending offensive and defensive cybersecurity effort. This multifaceted and continuous offensive and defensive use of the PPP, domestically and internationally, will present unparalleled challenges in the Cyber Era.
The Cybersecurity Imperative
The cyber threat poses unique threats to U.S. economic and national security because of its inherently global nature; the extremely rapid evolution of technology and tactics; the involvement of criminal, state, and non-state actors; and the dynamics of a partnership/consensus approach “along with some necessary elements of a regulatory approach” to the public-private nature of cyber challenges. An estimated 80% of U.S. critical infrastructure is owned and operated by the private sector, and most U.S. digital services were created by the domestic innovation base.[49] Yet, many aspects of the information and communication technology (ICT) sector are also regulated by government agencies, such as the FCC, the FTC, and the SEC. Therefore, a cooperative, but sometimes enforceable/deferential, public-private “partnership” is required across industries to better defend critical systems and functions from adversaries, while protecting the American public from predatory business practices at home.[50] For instance, the government (the public entity in the PPP) must regulate certain aspects of the private entities it is partnering with to prevent private citizens from dangers, such as corporate pricing or access abuses. At the same time, the government needs cooperation from the private sector, particularly the ICT sector, to perfect and preserve infrastructure and security standards. Put another way: “A unity of effort is required by those responsible for protecting the nation and those who own and operate the infrastructure that is critical to the mission.”[51]
Public-private partnerships do exist across federal agencies and are often championed by the National Institute of Standards and Technology (“NIST”) whose mission is: “to assist private sector initiatives to capitalize on advanced technology; to advance through cooperative efforts among industries, universities, and government laboratories, promising research and development projects, which can be optimized by the private sector for commercial and industrial applications; and to promote shared risks, accelerated development, and pooling of skills which will be necessary to strengthen America’s manufacturing industries.”[52] NIST’s cybersecurity role has evolved under the Cybersecurity Enhancement Act of 2014, which directs NIST to “facilitate and support the development of voluntary consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risk to critical infrastructure.[53] Private collaboration was crucial to NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” developed in a year-long collaborative process. NIST serves as a convener for industry, academia, and government stakeholders, while DHS coordinates much of the information-sharing between the government and the private sector using the ISACs.
DHS is also developing other information-sharing technologies. For example, Automated Indicator Sharing (“AIS”) managed by DHS U.S. Computer Emergency Readiness Teams (US-CERT) aims “to enable the exchange of threat indicators between the Federal Government and the Private Sector at machine speed.”[54] The DHS Office of Cybersecurity and Communications leads efforts to protect the federal government networks and to collaborate with the private sector to increase the security of critical networks.[55] DHS also announced the establishment of a National Risk Management Center to be the gateway for American companies to work with the federal government more closely to strengthen our shared cybersecurity.[56] Furthermore, the efforts at DHS to emphasize the collaboration have been increased by raising the profile and mission of the National Protection and Programs Directorate (NPPD) to become an independent agency: The Cybersecurity and Infrastructure Security Agency, pursuant to the Cyber Security Act of 2015.[57] Presumably, the new Cybersecurity and Infrastructure Security Agency will streamline the functions of the old NPPD. However, as envisioned, it still lacks a Division of Enforcement, similar to the Divisions of Enforcement of the SEC, CFTC, or FTC to serve as an investigatory/enforcement/international-information-sharing arm to enforce the 11 cybersecurity statutes Congress passed in 2014 and 2015. Therefore, the Cybersecurity and Infrastructure Security Agency will apparently have to rely on cooperation and information-sharing, rather than administrative enforcement, and refer civil, administrative, and criminal cases to the Department of Justice (DOJ).
Sector-specific Departments and Agencies have embraced the PPPs as well, including the Department of Energy, which has a Multiyear Plan for Energy Sector Cybersecurity; the FCC, which has a Communications Security, Reliability, and Interoperability Council (“CSRIC”); and the FDA, which is developing a Cyber Med (Expert) Analysis Board to complement existing device vulnerability coordination and response mechanisms.[58]
Similarly, Congress has developed a collaborative consensus-driven approach over a regulatory approach to the public-private partnership in cybersecurity. In 2002, Congress enacted the Protected Critical Infrastructure Information Program (PCII) “to protect private sector information voluntarily shared with the government for the purposes of homeland security.”[59] Under this program, DHS has been given procedures for receiving, validating, handling, storing, marking, and using information voluntarily shared by industry.[60] Perhaps most importantly to the PPP aspect of the PCII Programs, PCII information cannot be disclosed through a FOIA request, in civil litigation, or for additional regulatory purposes.[61]
Additionally, in 2015, Congress passed the Cybersecurity Information Sharing Act of 2015, which “created a framework to foster greater information-sharing in both directions: industry-to-government and government-to-industry. The framework envisioned in CISA is:
A voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information… [and allow] for greater cooperation and collaboration in the face of growing cybersecurity threats to national and economic security.[62]
Pursuant to CISA, the Cyber Information and Collaboration Program (“CISCP”) at DHS is the focal point for data sharing and analytical collaboration. The goal of CISCP is “to establish a community of trust between the Federal Government and entities from across the different critical infrastructure sectors and then leverage these relationships for enhanced information-sharing and collaboration.”[63] For instance, the Financial Services Sector Coordination Council welcomed CISA as “a strong vote of confidence for information sharing and its importance as a key component of cyber risk mitigation.”[64] Other commentators have stated that CISA has developed a “needed cyber security asset, and industry welcomed it to ‘help business achieve timely and actionable situational awareness to improve detection, mitigation, and response capabilities against cyber threats.’”[65]
The main strength of the CISA approach is that it embraces the public-private partnerships’ ability to empower private expertise to address evolving cyber threats by incentivizing corporations to protect their information systems, customer data, and networks; by allowing corporations (and other nongovernmental entities) who know their cyber infrastructure vulnerabilities to develop solutions to their own data security and cybersecurity challenges; and by being forward-looking to adapt to challenges or rapidly changing technology.”[66] For instance, when the Game Over Zeus botnet emerged, the DHS and FBI were able to work closely with the financial and business actors to disable a botnet which was “believed to be responsible for the theft of millions of dollars from business and consumers in the U.S. and around the world.”[67] The response to the Game Over Zeus botnet attack represents a substantial improvement to the lack of coordinated action taken by Sony and government/law enforcement following the Sony Pictures attack in 2014.
In order to bolster incentives for public-private cybersecurity partnerships, policymakers need to continue to reduce barriers to private participation. This can be done by the following: 1) providing the same level of protection for private-to-private information-sharing as private-to-government sharing; 2) expanding CISA protections from purely defensive measures to the development of all best practices cybersecurity strategies; 3) strengthening CISA’s antitrust exemptions to encourage business-to-business information-sharing; 4) expanding exemptions from Freedom of Information Act (“FOIA”) requests under CISA beyond trade secrets and proprietary information; and 5) adding additional safe harbor and immunity provisions to CISA in troublesome areas, such as tort claims, class action suits, and SEC securities disclosure actions.[68] Protecting the private sector from the apparent downsides to private sector collaboration/cooperation in the PPP will encourage broader information-sharing, development of best practices, and greater cooperation with federal and state and local governments to address cybersecurity challenges in real time, and thus, hopefully, will allow closer to real-time responses to cyber threats, such as the North Korean attack on Sony Pictures.[69]
The Trump Administration’s National Cyber Strategy represents a positive, if less than fully-detailed, advancement of the historic U.S. public-private partnership in the cybersecurity based on an improved supply-chain; use of best practices, and rapid responses to real-time threats. The Trump Cyber Strategy uses free market ideas; best practices; and coordination, cooperation, and information-sharing techniques to attempt to advance the public-private partnership in cybersecurity. It needs to address more specifically some of the potential incentives and liabilities to the private sector for participation in this partnership. The Trump Cyber Strategy, along with the use of ISACs, CISA, and the newly-independent Cybersecurity and Information Security Agency, should advance the U.S. national security interest by allowing for more rapid response to cyber espionage incursions and physical cyber attacks in real time.
However, the challenges posed by the myriad and rapidly-evolving challenges of cybersecurity are great. The issue of cyberespionage is still a troublesome one, in no small part because cyber espionage often results in greater geopolitical and economic risks, as the Chinese hacking of OMB showed. The dangers of cyber attacks resulting in physical damage to critical infrastructure in defense, intelligence, and critical infrastructure are still great and require a firm “red line” and deterrence by denial strategy, as David Sanger has advocated, particularly in the most critical areas of national security, such as the defense/industrial base, the intelligence community, and the electric grid. Other “critical” aspects of the nation’s infrastructure, such as transportation, telecommunications, and IT, will have to rely on closer real-time coordinated responses with DHS. Perhaps, most significantly, cyber manipulation of democratic processes and elections in the U.S. and abroad via the use of Facebook, Google, and Twitter requires an even deeper dive into the nature of public-private partnership on public information-sharing platforms (and greater awareness by the American public of the information and data they are consuming and the effects it is having on them) in order to re-enforce and strengthen U.S. democratic processes and institutions.
[1] Quoting David E. Sanger, The Perfect Weapon, (New York, New York: Penguin, 2018), p. 146.
[2] The “Cyber Era” refers to a new era in international relations which offers new opportunities for political cooperation, but also disrupts interstate dealings and empowers subversive actors. See, Lucas Kello, The Virtual Weapon and International Order (New Haven: Yale University Press, 2017), Chapter 3 on “Technical Revolutions and International Order, pp. 80-115.
[3] National Security Policy Directive Number 145 (Washington, D.C.: The White House, September 17, 1984). https://fas.org/irp/offdocs/nsdd145.htm, accessed October 7, 2020.
[4] National Security Directive Number 42 (Washington, D.C.: The White House, July 5, 1990). https://fas.org/irp/offdocs/nsd/nsd42.pdf, accessed October 7, 2020.
[5] Presidential Decision Directive Number 63 (Washington, D.C.: The White House, May 22, 1998) https://fas.org/irp/offdocs/pdd/pdd-63.htm, accessed October 7, 2020. See also, William J. Clinton, “A National Security Strategy for a New Century” (Washington, D.C. The White House, October 1988), p. 17. https://clintonwhitehouse4.archives.gov/media/pdf/nssr-1299.pdf, accessed October 7, 2020.
[6] Presidential Decision Directive Number 63. https://fas.org/irp/offdocs/pdd/pdd-63.htm, Accessed October 7, 2020. See also, Meagan Brown, “Cyber Imperative: Preserve and Strengthen Public-Private Partnerships” (White Paper) (Arlington, VA: George Mason Antonin Scalia School of Law, National Security Institute, 2018), pp. 1-2. https://nationalsecurity.gmu.edu/cyber-imperative-preserve-and-strengthen-public-private-partnerships/, accessed October 7, 2020.
[7] National Security Directive Number 63, p. 3. Indeed, the George W. Bush Administration National Security Council worked diligently during 2001-2009 to protect critical aspects of the national infrastructure. See generally, Michael Chertoff, Exploding Data: Reclaiming Our Cybersecurity in the Digital Age (New York, New York: Atlantic Monthly Press, 2018).
[8] See Megan Brown, “Cyber Imperative: Preserve and Strengthen Public-Private Partnerships” (White Paper) (Arlington, VA: George Mason Antonin Scalia School of Law, National Security Institute, 2018.) https://nationalsecurity.gmu.edu/cyber-imperative-preserve-and-strengthen-public-private-partnerships/, accessed October 7, 2020.
[9] National Council of Information Sharing Analysis Centers (ISAC’s), “About ISACs.” https://www.nationalisacs.org/about-isacs, accessed October 7, 2020.
[10] National Council of Information Sharing Analysis Centers (ISAC’s), “About ISACs.” https://www.nationalisacs.org/about-isacs, accessed October 7, 2020.
[11] Quoting Brown, “Cyber Imperative,” p.4.
[12] National Council of Information Sharing Analysis Centers (ISAC’s), “About ISACs.” https://www.nationalisacs.org/about-isacs, accessed October 7, 2020.
[13] Brown, “Cyber Imperative,” p.5.
[14] National Security Presidential Directive Number 54; Homeland Security Presidential Directive Number 23 (Washington, D.C.: The White House, January 8, 2008). https://fas.org/irp/offdocs/nspd/nspd-54.pdf, accessed October 7, 2020.
[15] National Security Presidential Directive Number 54. p. 1 emphasized the need for public-private information sharing in cybersecurity to be coordinated primarily by DHS, with the exception of the defense, defense-industrial, and intelligence sectors, which were to be coordinated by DOD.
[16] See, Michael Chertoff, Exploding Data: Reclaiming Our Cybersecurity in the Digital Age (New York, New York: Atlantic Monthly Press, 2018), pgs. 1-25.
[17] Brown, Cyber Imperative, pp. 4-5.
[18] Executive Order 13636 (Washington, D.C.: The White House, February 12, 2013). https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity, accessed October 7, 2020.
[19] See, Sanger, The Perfect Weapon, pgs. 124-151.
[20] Executive Order 13800 (Washington, D.C.: The White House, May 20, 2107), https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/, accessed October 7, 2020.
[21] Executive Order 13800, p.5. The Department of Defense (DOD) was named as the Sector-Specific Agency for the Defense, Defense Industrial Base (DIB), and Intelligence Sectors. DOD is “responsible for leading the collaborative coordinated effort to identify, assess, and improve the risk management of critical infrastructure across the DIB with its partners.” See, Department of Homeland Security and Department of Defense, “Defense Industrial Base Sector-Specific Plan: An Annex to the National Infrastructure Plan” (NIPP) (2010), Preface, p. iii. https://www.dhs.gov/xlibrary/assets/nipp-ssp-defense-industrial-base-2010.pdf, accessed October 7, 2020.
[22] Executive Order 13800, p.5, quoting 42 U.S.C. Sec. 5195 9 (c) (e)’s definition of “critical infrastructure.”
[23] Quoting Title 42, United States Code, Section 5195c (e) (2018). https://www.law.cornell.edu/uscode/text/42/5195c, accessed October 7, 2020.
[24] Quoting Executive Order 13800, p. 10.
[25] Executive Order 13800, p. 5. “Botnets” are a network of private computers infected with malicious software and controlled as a group that can operate without the owner’s knowledge. They can be used to perform distributed denial-of-service (DDOS) attacks, steal data, send spam, and allow the attacker to access devices and connections.
[26] “National Cyber Strategy of the United States of America” (Washington, D.C.: The White House, September 2018). https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf, accessed October 7, 2020.
[27]Quoting President Trump’s Transmittal Letter of National Cyber Strategy, p. ii. https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf, accessed October 7, 2020.
[28] National Cyber Strategy (NCS), pp i-ii advances the use of the NCS to promote national security and also benefit the U.S. economically. See, NCS, Pillar II on “Promoting American Prosperity,” pp. 8-14.
[29] The National Cyber Strategy picks up the definition of “Critical Infrastructure” from EO 13800.
[30] National Cyber Strategy, pp. 8-11. The lead agencies for protecting critical information networks are DHS and DoD (for defense, defense industrial base, and intelligence.).
[31] National Cyber Strategy, pp. 8 – 11. Ultimately 18 areas of critical infrastructure have been designated. Each industry sector will use designated experts to facilitate the exchange of information. For instance, for Defense, the Defense Industrial Base (DIB), and Intelligence, DoD has been designated.
[32] National Cyber Strategy, pp. 8-11.
[33] National Cyber Strategy, pp. 8 -11. This will be composed of law enforcement partners at the federal, state, local, and tribal levels.
[34] Id., p.11. While the Trump Administration has encouraged international law enforcement cooperation by use of the UN Convention on Transnational Organized Crime, the G-7 24/7 Network Points of Contact Program, and the expansion of the Council of Europe’s Budapest Convention on Cybercrime, it has not endorsed a Comprehensive International Cybersecurity Treaty/Code of Conduct. See, https;//www.state.gov/release-of-the-2018-national-cyber-strategy.
[35] Quoting, National Cyber Strategy, pp. 8-9.
37 National Cyber Strategy, p.14.
[37] National Cyber Strategy, p. 14-15. Pillar II proposes a more nationalistic approach to cybersecurity. For instance, the Trump Administration has opposed the sale of 5-G equipment in the U.S. by China’s Huawei on national security grounds. See, https://www.cnn.com/2019/07/04/tech/huawei-us-ban.
[38] National Cyber Strategy, pp. 14-17. This goal echoes the December 2017 National Security Strategy of the U.S. generally, and specifically with regard to cybersecurity. See, National Security Strategy of the U.S. at pp. 12-14 on “Keep America Safe in the Cyber Era”; pp.20-21 on “Lead in Research, Technology, and Innovation”; p. 29 on “Defense Industrial Base”; and p. 31-32 on “Cyberspace” and “Intelligence.”
[39] See Charlie Mitchell, “Long-Awaited Cyber Agency Nears, But Will It Change Anything Much?” in The Washington Examiner, October 23, 2018, discussing the likely passage of the Cyber Act of 2015, currently in House-Senate Conference Committee. https://www.washingtonexaminer.com/policy/technology/long-awaited-cyber-agency-nears-but-will-it-change-anything-much, accessed October 7, 2020.
[40] National Cyber Strategy, pp. 14-15.
[41] Id., pp. 20-21. This goal of “overmatch” reinforces what was previously stated in The National Security Strategy of the U.S., pp. 12-14 and pp. 31-32.
[42] Id. This threat/goal is reiterated in the January 29, 2019 Worldwide Threat Assessment of the U.S. Intelligence Community on “Cyber.” https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf, accessed October 7, 2020. See, Worldwide Threat Assessment of the U.S. Intelligence Community, (Testimony of Daniel R. Coats, Director of National Intelligence to the Senate Select Committee on Intelligence, January 29, 2019) pp.5-7. https://www.dni.gov/files/documents/Newsroom/Testimonies/2019-01-29-ATA-Opening-Statement_Final.pdf, accessed October 7, 2020.
[43] Id., pgs. 24-26. See, also, Madeline Carr, “Public-Private Partnerships in National Cybersecurity Strategies” in International Affairs 92:1 (2016).
[44] Id. However, the U.S. Department of State still opposes a Comprehensive International Cybersecurity/Code of Conduct. See https://www.state.gov/release-of-the-2018-national-cyber-strategy/, accessed October 7, 2020.
[45] National Cyber Strategy, p. 26.
[46] Remarks of Vice President of the United States Mike Pence at the DHS Cyber Summit (Washington, D.C.: The White House, July 31, 2018.) https://www.whitehouse.gov/briefings-statements/remarks-vice-president-pence-dhs-cybersecurity-summit/, accessed October 7, 2020.
[47] U.S. Department of Commerce and Department of Homeland Security, “Enhancing the Resilience of Internet Communications Ecosystem Against Botnets and Other Automated Distributed Threats” (May 22, 2018). https://csrc.nist.gov/publications/detail/white-paper/2018/05/30/enhancing-resilience-against-botnets–report-to-the-president/final, accessed October 7, 2020.
[48] See Madeline Carr, “Public-Private Partnerships in National Cyber-Security Strategies” in International Affairs 92:1 (2016). pgs. 46-49
[49] See, Cybersecurity Information Agency Release on the Defense Industrial Sector, https://www.cisa.gov/defense-industrial-base-sector, accessed October 7, 2020.
[50] See, DHS and DOD Defense Industrial Base Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan, p.3, https://www.dhs.gov/xlibrary/assets/nipp-ssp-defense-industrial-base-2010.pdf, accessed October 7, 2020.
[51] Quoting, Brown, “Cyber Imperative,” p. 10.
[52] See, 15 U.S. Code 271 defining the role of the National Institute of Standards and Technology (NIST), https://www.law.cornell.edu/uscode/text/15/271, accessed October 7, 2020.
[53] Cybersecurity Enforcement Act of 2014, Sec. 101, Pub. L. No. 113-274, 128 Stat. 2971 (2014), https://www.congress.gov/113/plaws/publ274/PLAW-113publ274.pdf, accessed October 7, 2020.
[54] United States Computer Emergency Readiness Team (“US-CERT”), “Automated Indicator Sharing,” https//www.us-cert.gov/ais, accessed October 7, 2020.
[55] DHS, Office of Cybersecurity Communications, https://www.hsdl.org/?abstract&did=440227, accessed October 7, 2020. https://www.cisa.gov/cybersecurity-division, accessed October 7, 2020.
[56] CISA, National Risk Management, https://www.cisa.gov/national-risk-management, accessed October 7, 2020.
[57] See Mitchell, “Long-Awaited Cyber Agency Nears”, pp. 14-15.
[58] See Brown, “Cyber Imperative,” pgs. 7-8.
[59] DHS, CISA Protected Critical Infrastructure Information Program (“PCII”), https://www.cisa.gov/pcii-program, accessed October 7, 2020.
[60] See Brown, “Cyber Imperative,” pp. 12-14.
[61] Brown, “Cyber Imperative.”
[62] Quoting Senate Rep. No. 114-32 (2015). https://www.congress.gov/congressional-report/114th-congress/senate-report/32/1, accessed October 7, 2020.
[63] DHS. Cyber Information Sharing and Collaboration Programs (CISCP) (June 2013), https://csrc.nist.gov/CSRC/media/Events/ISPAB-JUNE-2013-MEETING/documents/ispab_june2013_menna_ciscp_one_pager.pdf, accessed October 7, 2020.
[64] Id. Similarly, DOD has also acknowledged “a maturation of the relationship between government and private sector DIB partners.” See. Defense Industrial Base Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan, Preface, p. iii, https://www.dhs.gov/xlibrary/assets/nipp-ssp-defense-industrial-base-2010.pdf, accessed October 8, 2020.
[65] Brown, Cyber Imperative, p. 8. See also, DHS, Critical Infrastructure and Key Resources Cyber Information Sharing and Collaboration Program. https://www.us-cert.gov/sites/default/files/c3vp/CISCP_20140523.pdf, accessed October 8, 2020.
[66] Brown, “Cyber Imperative, p. 8.
FBI, Game Over Zeus Botnet Disrupted, Collaborative Effect Among International Partners (June 2, 2014, updated July 11, 2014), https://www.fbi.gov/news/stories/gameover-zeus-botnet-disrupted, accessed October 8, 2020.
[67] Brown, Cyber Imperative, pp. 12-13. See also, DHS, Strategic Principles for Securing the Internet of Things (2016), https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf, accessed October 8, 2020.
[68] Brown, Cyber Imperative.
[69] See, U.S. Department of State, Recommendation to the President on Deterring Adversaries and Better Protecting the American People from Cyber Attacks (May 31, 2018), https://www.state.gov/recommendations-to-the-president-on-deterring-adversaries-and-better-protecting-the-american-people-from-cyber-threats/, accessed October 8, 2020.