The Trump administration wants to boost partnerships with the private sector to combat a barrage of hacks, but current and former government officials say the White House’s approach to cybersecurity is uncoordinated and ineffectual.
The administration outlined its strategy July 31 during a cybersecurity summit in New York City. There, the Department of Homeland Security announced a new national risk management center that would serve as a threat-sharing hub with private companies. The idea is to provide cyber risk information with private businesses like banks, utility companies and transportation systems that are essential for everyday American life.
In addition, Trump administration officials repeatedly emphasized there would be consequences for attacking the United States in cyberspace.
“Gone are the days when America allows our adversaries to cyberattack us with impunity,” said Vice President Mike Pence. He added that the administration has “already made our adversaries’ actions more costly.”
But current and former government officials fear the Trump administration’s cyber strategy is unproven at best and catastrophic at worst.
Cyberthreat sharing programs already exist and struggle. The new center announced July 31 does not have any immediate, additional funding. If firms do not join - or remain involved in the center - its future is unclear.
“The government assumes it has to be at the center of the action with cyber threat sharing when there is already a lot happening in the private sector,” said Jason Healey a former White House cybersecurity official in the George W. Bush administration.
A senior Defense Department cyber official described the current administration’s cyber policy as “a potential catastrophe”. The official explained how the White House was not coordinating important cyber issues and briefings were missed or not taking place altogether. The official added that the administration is sending the wrong message to allies and adversaries because the U.S. is not prioritizing cyber issues at the same time as cyber activity ramps up. The official spoke on the condition of anonymity because they were not authorized to speak to the media.
America’s current cyber strategy is “stalled, self-limiting, and focused on tactical outcomes,” said a June report from the Department of Defense’s Science Board. “Current policies often thwart cyber capability.”
The report said that authorities which govern U.S. action in cyberspace should be updated to allow for “continuous offensive and defensive actions.”
Cyber operations that may have “significant consequences” require presidential approval, according to a policy directive.
Administration officials acknowledge that current threat sharing programs are struggling.
Today, just six companies are sharing cyberthreats with government, Chris Krebs, head of the national protection and programs directorate at Homeland Security, told reporters during the July 31 summit.
“We have to establish a value proposition for an organization to share into the system,” said Krebs. He added that improved supply chain risk management is an incentive that would set the new center apart from previous intelligence-sharing efforts.
But critics of the administration’s approach also point to the April departure of Rob Joyce as the top cyber official inside the National Security Council. Joyce left the White House after his former boss, Homeland Security Advisor Thomas Bossert, was pushed out by John Bolton. The cyber-czar position was reportedly eliminated by Bolton.
Trump administration officials disputed that U.S. cyber policy is uncoordinated and that cyberattacks have not been deterred. A White House official told Fifth Domain that the National Security Council is in regular coordination to address foreign influence.
“Streamlining management improves efficiency, reduces bureaucracy, and increases accountability,” said Garrett Marquis, a spokesman for the National Security Council. “The action continues efforts to empower National Security Council senior directors.”
The White House also points to the closure of two Russian government compounds and expulsion of 35 diplomats due to interference in the 2016 election.
“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure,” said Treasury Secretary Steven Mnuchin March 15, after he sanctioned five entities and 19 individuals for malign Russian cyber activity.
The State Department has been working to create a voluntary framework of foreign countries that it hopes can deter foreign-backed cyber activity, Rob Strayer, the deputy assistant secretary for cyber and international communications, told Fifth Domain. The coalition of cyber allies will be able to coordinate attribution of hacks like WannaCry and NotPetya, Strayer said. The plan appears to be in the early stages and Strayer did not disclose which countries are involved in the framework.
Meanwhile, Russia’s digital attacks on the United States show no signs of slowing. The Department of Homeland Security is warning that the Russian government is trying to hack energy, nuclear, aviation and critical manufacturing sectors. The Daily Beast reported that a Russian intelligence agency tried to hack the office of Sen. Claire McCaskill, D-Missouri. America’s top intelligence official, Dan Coats, warned during a July 13 event that America’s critical infrastructure is under digital attack and “the warning lights are blinking red."
The U.S. has not deterred Russia in cyberspace, said Chris Painter, the former top cyber diplomat at the State Department during a July 20 event at the Washington Post. His position was also eliminated by former Secretary of State Rex Tillerson.
“One of the things no one has really done a good job of so far is really imposing costs on bad state actors for their activities,” Painter said. “We really haven’t done something that really hits (Putin) in the way that makes him change his mind.
He said that the U.S. actions against Russia in cyberspace are “undercut if you don’t have consistent high level and strong messaging from the top, from the President.”
Some experts told Fifth Domain that there has not been enough coordination of cyber policy into regional foreign policy strategies. Strayer rejected the criticism. Instead, he said that the State Department usually has cyber representatives embedded in teams during bilateral talks.
However, some experts are not convinced that anyone is running cyber policy at the top of government.
Katherine Charlet, a former defense department official and a director at the Carnegie Endowment for International Peace, said that U.S. government agencies have different interests in cyberspace.
“You need someone pushing for a consensus,” she said.