New National Cyber Strategy Links Cyber Security to American Economic Growth

On September 21, 2018, the White House issued a new guiding directive on cybersecurity entitled: “National Cyber Strategy of the United States of America.” It is touted as the nation’s “first fully articulated cyber strategy in 15 years.”

True to its title, the National Cyber Strategy substantially addresses the geopolitical status of the United States in the cyber world. It describes, in broad strokes, the proposed federal strategy of increased federal regulation, departmental involvement and civil and criminal enforcement designed to promote the United States’ historic dominance of the internet.

Nevertheless, the private sector, and businesses with any involvement in e-commerce in particular, should begin anticipating what will be required of them to meet Internet security standards in the future.

The new National Strategy outlines how the U.S. will benefit from a secure cyberspace by responding to its adversaries who engage in “pernicious economic espionage and malicious cyber activities.” Such threats, according to the directive, are the cause of “economic disruption and harm individual, commercial and non-commercial interests and governments across the world.”

The new cyber strategy places an emphasis on deterrence combined with certain punishment to serve its goal of securing critical networks so that a free and open internet can prosper. In its Introduction, the directive acknowledges that the United States must make policy choices that impose costs to deter malicious cyber actors and prevent further and potentially devastating disruptions. It names Russia, China, Iran and North Korea as hotbeds of the most harmful threats, accusing these countries of using “cyber tools to undermine our economy and democracy, steal our intellectual property, and sow discord in our democratic processes.” Clearly, the Administration’s aim is to go on the offensive in order to combat malicious cyber acts from foreign adversaries.

The National Strategy is organized into four “pillars” individually aimed at effectively managing cybersecurity vulnerabilities.

Pillar I: “Protecting the American People, the Homeland, and the American Way of Life”

This pillar sets forth priority actions to be undertaken in order to more effectively manage cybersecurity risks and increase the security of the nation’s information systems. It is based on three primary objectives: (1) secure Federal networks and information; (2) secure critical infrastructure; and (3) combat cybercrime and improve incident reporting. These objectives are to be achieved by centralizing authority in the Department of Homeland Security to secure Federal department and agency networks. This is to be accomplished by updating electronic surveillance and computer crime statutes to enhance law enforcement’s ability to disrupt the “criminal infrastructure.”

Pillar II: “Promote American Prosperity”

This pillar seeks to preserve U.S. influence in the technological ecosystem and to develop economic growth, innovation and efficiency in cyberspace. The objectives of this pillar: (1) foster a vibrant and resilient digital economy; (2) foster and protect United States ingenuity; and (3) develop a superior American cybersecurity workforce. It is here that private entities may be called on to have the greatest role, as the administration’s plan is to overcome “market barriers” to the adoption of secure technologies. Areas specifically identified for development include the security of the 5G network, artificial intelligence and quantum computing; promotion of full-life cycle cybersecurity; and institution of strong intellectual property protections.

Pillar III: “Preserving Peace through Strength” 

This pillar seeks to identify and eradicate behavior that is contrary to national interests in cyberspace. This objective is to be achieved: (1) through enhanced cyber stability via norms of responsible state behavior; and (2) by attributing and deterring unacceptable behavior in cyberspace. These objectives will be established using international law with security-enhancing features. Significantly, the directive calls for “consequences for irresponsible behavior that harms the United States and our partners.” Such consequences are expected to be “swift, costly, and transparent” and will be established through the new international Cyber Deterrence Initiative – a coalition that will develop tailored strategies to respond on cyber incidents and ensure adversaries understand the consequences of their malicious cyber behavior. The more aggressive approach found in this pillar is aimed at allowing the United States to swiftly and preemptively address an imminent attack.

Pillar IV: “Advance American Influence”

This pillar is aimed at preserving America’s leadership posture on the internet so as to assure that it continues to align with American values and interests. The objectives are to: (1) promote an open, interoperable, reliable and secure internet; and (2) build international cyber capacity and cooperation. Here, the directive focuses upon the threats to freedoms of expression, peaceful assembly and privacy rights. The National Strategy seeks to prevent authoritarian states from taking control of the internet and views internet freedom as “the online exercise of human rights.” The directive emphasizes that through technological development, the United States will “strive for unrestricted access to an uncensored internet and promote international markets for emerging technologies that can lower security costs.” By capacity-building, the United States seeks a greater sharing of cyber threat information to allow the U.S. and its partners to better defend critical infrastructures and global supply chains.

Clearly, there are some aspects of the National Cyber Strategy that will require further clarification and investigation in order to determine its impact on the private sector. In future articles, we explore whether the directive goes far enough in providing clarity to federal agencies and the private sector with respect to key cyber responsibilities and whether there are new challenges to the private sector that may result from its implementation.