The US National Cyber Strategy

Last month, the White House released the "National Cyber Strategy of the United States of America." I generally don't have much to say about these sorts of documents. They're filled with broad generalities. Who can argue with:

Defend the homeland by protecting networks, systems, functions, and data;

Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;

Preserve peace and security by strengthening the ability of the United States in concert with allies and partners to deter and, if necessary, punish those who use cyber tools for malicious purposes; and

Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

The devil is in the details, of course. And the strategy includes no details.

In a New York Times op-ed, Josephine Wolff argues that this new strategy, together with the more-detailed Department of Defense cyber strategy and the classified National Security Presidential Memorandum 13, represents a dangerous shift of US cybersecurity posture from defensive to offensive:

...the National Cyber Strategy represents an abrupt and reckless shift in how the United States government engages with adversaries online. Instead of continuing to focus on strengthening defensive technologies and minimizing the impact of security breaches, the Trump administration plans to ramp up offensive cyberoperations. The new goal: deter adversaries through pre-emptive cyberattacks and make other nations fear our retaliatory powers.

[...]

The Trump administration's shift to an offensive approach is designed to escalate cyber conflicts, and that escalation could be dangerous. Not only will it detract resources and attention from the more pressing issues of defense and risk management, but it will also encourage the government to act recklessly in directing cyberattacks at targets before they can be certain of who those targets are and what they are doing.

[...]

There is no evidence that pre-emptive cyberattacks will serve as effective deterrents to our adversaries in cyberspace. In fact, every time a country has initiated an unprompted cyberattack, it has invariably led to more conflict and has encouraged retaliatory breaches rather than deterring them. Nearly every major publicly known online intrusion that Russia or North Korea has perpetrated against the United States has had significant and unpleasant consequences.

Wolff is right; this is reckless. In Click Here to Kill Everybody, I argue for a "defense dominant" strategy: that while offense is essential for defense, when the two are in conflict, it should take a back seat to defense. It's more complicated than that, of course, and I devote a whole chapter to its implications. But as computers and the Internet become more critical to our lives and society, keeping them secure becomes more important than using them to attack others.

Posted on October 9, 2018 at 6:01 AM • 20 Comments

Comments

Tim • October 9, 2018 6:51 AM

I read this piece "...together with the more-detailed Department of Defense cyber strategy and the classified National Security Presidential Memorandum 13,..." and immediately thought that I must be reading a script from the TV show Get Smart. But I suppose that even they wouldn't have been silly enough to have proposed pre-emptive cyber attacks!

After I got over my personal baggage, I finished the article and appreciate your point. Truth can indeed be stranger than fiction!

Clive Robinson • October 9, 2018 7:17 AM

Not Apple Pie...

Whilst the first quotes appear as "Motherhood and Apple Pie", this comment is very very different,

    Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

In short "Our way or no way" which is a reflection of the very destructive US Foreign Policy, that has given rise to many of the world's current hot spots one way or another.

Which brings us down to the other quotes. Where,

    Instead of continuing to focus on strengthening defensive technologies and minimizing the impact of security breaches, the Trump administration plans to ramp up offensive cyberoperations. The new goal: deter adversaries through pre-emptive cyberattacks and make other nations fear our retaliatory powers.

This again reflects another US Foreign Policy doctrine of every decade or so to preemptively and without good cause kinetically reduce some nation back to the stone age to enrich the "I" of the MIC with US tax dollars and more importantly serve as a threat to get all other nations to toe the US political line...

Typical bullying behaviour mixed in with blood lust not just of foreign citizens but US citizens as well...

echo • October 9, 2018 7:43 AM

@Clive

I don't have the resources or inclination but a media analysis might be useful. This is one of those "who shot first problems". I vaguely remember the Russians or analysts saying that Russia was becoming more assertive as a response to American aggression. The US says different.

Post-Snowden we know how invasive NSA-GCHQ were. It was also popular chatter on the internet that the US had sloppily placed critical infrastructure such as power stations online with extremely poor security for a decade or more. Then a couple of months ago there is a media scare story about the Russians getting a toehold in these systems. Now only the other day I am reading that the UK is threatening a Cyberwarfare "exercise" to close down Russian civil power reactors.

The UK conducted an analysis a couple of years ago and concluded that UK society would break down within three days of the power grid going offline. I'm unsure if the reason for this policy was "defensive security" or whether the UK government was panicking over more than a decade of poor public policy for power generation. At the time the UK power grid was coming very close to maximum capacity and threatening blackouts.

This kind of aggressive exceptionalism is very very worrying. We only need to point to unilaterally pulling out of the Iran nuclear deal or the childlike tantrum of threatening sanctions against Russia and India for concluding a military procurement deal, or more sanctions being threatened against China. The blunderbuss of American sanctions is now so bad that the EU has directed companies to insulate themselves via legal mechanisms to protect lawful EU economic and foreign policy interests.

4ndr34 • October 9, 2018 8:07 AM

@Clive
I couldn't agree more with you.

A bully is a bully as far as he doesn't meet a bigger bully. And I am pretty confident that thinking to be always the bigger one is a gargantuan mistake.

anon • October 9, 2018 8:36 AM

Back in 1988, Joshua S. Goldstein wrote in his book 'Long cycles: prosperity and war in the modern age' about a large scale conflict (comparable with the 20th century world wars) in the late 2020s. Seems we're right on schedule?

Little Lamb • October 9, 2018 10:58 AM

United States ... allies and partners ... deter ... punish those who use cyber tools for malicious purposes; and

Dude, you can't build a computer or do anything "cyber" with your nose that clean. I have a degree in computer science and I am a citizen of the United States, but under this policy, I just have to leave the property before I get arrested or hit on a black-budget government contract. I could go clean out stables, but the rich folks don't want me near their horses.

Expand American influence

Right. All we need to do is work out at the gym and flex our muscles in order to develop the skills to accomplish our cyber objectives.

Just move on, folks. They took all the cyber stuff back in the kitchen in Asia.

albert • October 9, 2018 12:57 PM

"...The devil is in the details, of course. And the strategy includes no details...." - as Bruce correctly points out.

Perhaps the powers that control US foreign policy aren't as smart as they think they are. Or perhaps it doesn't matter. Historical definitions of military strength may still be valid, but Cyberwar is a very different animal. It's almost a level playing field, and relatively cheap to enter. State actors who think they've got it handled are in for a rude awakening.

Regular wars, cyberwars, and coming soon: The US Space Command, under the direction of the Commander-in-Chief himself, the Honorable Donald J. Trump.

I don't think poking a hornets nest is wise. You can destroy a hornets nest easily, but you're gonna get stung.

. .. . .. --- ....

TheInformedOne • October 9, 2018 1:45 PM

Is the U.S. government so sure we'll be able to maintain cyber-offensive supremacy indefinitely? What happens to nations who promise their citizens that they can, but then fall behind? Do they fall back on conventional warfare? What if the Russians or Chinese reach the "Quantum Break" 1st? Better to speak softly and carry a big stick, don't you think?

Impossibly Stupid • October 9, 2018 2:06 PM

Who can argue with:

I can argue with those points, and it's easy to do, too, because they're self-contradictory. You can't on one hand call for "protecting networks" and "domestic innovation" while at the same time aim to be working with foreign "allies and partners" on a network that is globally "open" and "interoperable". It's also laughable to claim you'll "punish those who use cyber tools for malicious purposes" when you are doing that very same thing against not only other nation states, but your own citizens as well.

Anura • October 9, 2018 2:34 PM

Authoritarians generally believe the public is best kept in line through fear of retribution to begin with (just look at the American justice system; hell, the right-wing view of poverty for minorities is that it's punishment for bad behavior, which allows them to justify letting minorities starve to death), so it's no surprise that's the focus. Plus, offensive capabilities are more profitable than defensive capabilities in this respect; for the latter, you need to create quality development environments across the entire industry, but for the former you only need to figure out who to pay.

Grant Allen Hodges • October 9, 2018 3:33 PM

Of course, . . . the government isn't really going to tell us what they are really going to do on cyber security. If you were in charge would you detail all your plans for the defense of the nation's net defense? One only need think about it for a minute to know that you would not. So . . in this case, boilerplate is the bomb.

Sergey Babkin • October 9, 2018 7:58 PM

Um, but how do the offence and defence come into the conflict? There doesn't seem to be any such conflict in this strategy.

Also, "There is no evidence that pre-emptive cyberattacks will serve as effective deterrents to our adversaries in cyberspace" seems to be just plain wrong. Just a couple of months ago we've seen the Obama administration's claim that it didn't pursue the Russian meddling in the elections because they were afraid that the Russians would escalate their offence. Which, if we take this claim at face value, is direct evidence that the offensive measures do work as a major deterrence.

echo • October 9, 2018 8:06 PM

https://tech.slashdot.org/story/18/10/09/2237209/pentagons-new-next-gen-weapons-systems-are-laughably-easy-to-hack
https://www.zdnet.com/article/pentagon-s-new-next-gen-weapons-systems-are-laughably-easy-to-hack/
https://www.gao.gov/assets/700/694913.pdf

Many officials we met with stated that including weapon systems on the same networks with less protected systems puts those weapon systems at risk. Furthermore, the networks themselves are vulnerable. DOT&E found that some networks were not survivable in a cyber-contested environment and the DSB reported in 2013 that “the adversary is in our networks.”

Further complicating matters, weapon systems are dependent on external systems, such as positioning and navigation systems and command and control systems in order to carry out their missions and their missions can be compromised by attacks on those other systems. A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.

Oh, this is unfortunate timing.

Weather • October 9, 2018 8:48 PM

If the USA attacks with a good cyber weapon to inflict a lot of damage what's stopping the target in a month of RE to now have that weapon? Isn't it a bit like flying f35 to China land then the pilot take a commercial flight back home as a passenger?

Clive Robinson • October 10, 2018 12:09 AM

@ Weather,

isn't it a bit like flying f35 to China land then the pilot take a commercial flight back home as a passenger

No, it's worse than that.

The majority of so called "Cyber-weapons" are code. To work they need a system to run on. Usually the system the code runs on is NOT the attackers system, for obvious reasons.

If an attacker can not get the code onto someone else's system then as a weapon it's no more dangerous than a floppy disk at the bottom of a drawer, with a load of "bottom drawer junk" and dust on top of it.

This is the equivalent of sending some one the plans to make a bomb, hoping they will then be daft enough to build the bomb and have it blow up in their faces...

The other way is to sell them systems with bombs built in then trigger them... That is you send a system with a bomb built in a self destruct trigger code...

Either way you have to be able to connect to the other persons system.

Which brings us around to the only other non code cyber-weapon, which is the equivalent of a pair of wire cutters or an off switch. That is you break the Internet by stopping it performing as a communicating network.

Currently the "all roads lead to Rome" idea actually has the US be Rome. For various historic reasons the world has let the US become "the spider at the center of the web". Which gives the US many advantages, in the same way having a prison guard hold the key to cell doors does. Or having another nation control your water or energy supply, they turn the switch and you will soon be begging.

Ultimately you are vulnerable to cyber attack for two reasons.

1, Your systems are bad.
2, Your communications are bad.

Remove either issue and you are not vulnerable.

The US economy is the one most dependent on the Internet, followed closely by other first world nations. Second and third world nations are much less dependent or not dependent at all.

The US used to supply everybody's hardware and software in the early days. Now due mainly to the stupidity of "conservative politicians" it does not. The computer based around "Intel chips" is being replaced by ARM chips, which used to be British but are now Chinese. Whilst the US in theory still has a grip on software that is beginning to fade, Open Source Software Operating Systems and Applications are now more than sufficient for most people. It's one of the reasons "cloud" is being pushed so hard from the US. If they can not control the hardware or software, they will try to control people's data, but they are losing that one as well...

Thus the reality is the US is reliant on being "the spider at the center of the web" for dominance.

The question is "For how much longer?" the current underlying physical structure made sense in the early days, but makes less and less sense as time goes on.

Arguments over DNS control with the US abusing its position have caused other Nations (via ITU Doha 2014) to express their misgivings on allowing the US to maintain its center of the web position. This will only increase with time and eventually the underlying physical web model will break down and with it much of the unseen "information infrastructure" that is dependent on "the spider at the center of the web" model. The real question will then be how resilient, or if you prefer "defendable" will the replacement systems be?

But as for supplying systems with "bombs on board" the West have ceded that to the East, and if the current "Supply Chain Poisoning" reports are true then the West already has its information infrastructure go bad on it.

As the old Chinese proverb has it "May you live in Interesting times"...

Another Mouse • October 10, 2018 1:43 AM

@clive
I'm currently in India, never been so dependent on the net as anywhere else in this world. The old more informal systems seem incapable to keep pace with growth. Just one example earlier we used catching yellow taxis or 3-wheelers nowadays it's all app based... So not only 1st world depending on net to a huge extent.

Wesley Parish • October 14, 2018 2:47 AM

@Clive Robinson

That expression, according to an interesting Scientific American article I read back in the 80s on the mind and its internal indexing, is actually "As American as mother pie and applehood."

Considering that Apple Inc or Corp is now a person under US law, we may well concede it Applehood; it's just the Mother Pie sticks in my throat.

moops • October 14, 2018 9:52 AM

Part of the point of claiming a more aggressive cyber policy (then having that secret leaked) is to get all your enemies to invest more in their own defense.

Thursday • October 17, 2018 12:01 PM

1. Public policy must be interpreted with a grain of salt. The text is merely what they want us to know.

NYT and others are wrong if they're implying somehow that the US intends to weaken defenses in the name of offenses. The spectrum of prevent, detect, and respond must be balanced in any system of security and the new US direction is no testament to bastardizing this logic. Any other interpretation is misguided or a mere politicization of the actual intent.

I contend that US policy to bolster cyber offensive strategy is a welcome method of response that increases security for many nations. How the US conducts itself with its new capabilities are important details that as of now are classified and only time will reveal to us.

2. Say what you want about level playing fields, the US IC sorely lacks cyber offensive capabilities.

As a matter of policy, cyber weapons have been used for highly covert targeted purposes and when use of conventional warfare options are less favorable. Up until modern times, a relatively justified position for the West to take.

The reason the US didn't subject RU, CN, NK to retaliatory cyber attacks is not just due to escalation concerns, but because its arsenal is depleted or non-existent. There is nothing but shame and embarrassment in bringing flash, but no bang in retaliation.

When adversaries increase cyber offensives it is only natural for the US to do the same to protect its interests. One does not need to look any further than the striking DoD exploits over the last 5 years to notice that a defense-only strategy for a nation-state eventually fails to prevent exploits. What other options are left?..Perhaps offering the other cheek?..Cruise missile strikes?..Bags full of money to bribe the attackers?

The weight of future battlefields will doubtlessly feel the brunt of cyber weapons tactics and techniques whether justified or not. To be an opponent on that battlefield requires it to hone its skills. To continue a public policy of defend-only, the US will be forced to leverage conventional tactics more, not less often; eventually losing to its adversaries who are better equipped.

History shows us that cyber can save lives and settle wars by favoring the opponent with the better strategy e.g. WWII/analog cipher machines.

Dangerous?..Yes. Life is dangerous. Go ask Khashoggi.

Bill • October 18, 2018 4:44 AM

To reach the scale he's talking about, I think he's talking about subverting entire platforms. This is vastly different from pointing a weapon at somebodies.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.