National Cyber Strategy

This afternoon, President Trump released the National Cyber Strategy. Below, NSI experts offer their commentary.

September 20, 2018


Dmitri Alperovitch – NSI Visiting Fellow; Co-Founder/CTO, CrowdStrike

“I am very pleased to see the new National Cyber Strategy formally establish the precedent to make routine the ‘work with like-minded partners to attribute and deter malicious cyber activities’. This is a key and necessary step that has been lacking in US cyber policy for many years.”


Bryson Bort – NSI Fellow; Founder & CEO, SCYTHE

“This is the most comprehensive cybersecurity strategy document ever published—firmly stating a vision of the United States as ensuring a secure Internet by cooperation or force. It reads like a response to former NSA Director Admiral Mike Rogers’ February Congressional testimony where he acknowledged current constraints in responding to the active threat landscape the US faces.

The ambitious scope is easily reflected in just a few standout items: replacing social security numbers for identity management; addressing IOT security through the full lifecycle, although not post-deployment; a global “Cyber Deterrence Initiative” to strengthen partner law enforcement and information sharing capabilities; and the promise of “swift and transparent consequences” to deter attacks.

The message appears to be: you will see an American Flag planted on your scorched computer(s).”


Megan Brown – NSI Senior Fellow; Partner, Wiley Rein LLP

It is heartening to have a new cyber strategy committed to paper, for the private sector and the government.  There is a lot to like in here, and a lot of unanswered questions.  Big picture, this document lays out a muscular role for government as it relates to the private sector.

This strategy doubles down on the contracting community, with hints of some intrusive new requirements on the way.  This is notable because contractors have already been the “tip of the spear” on cyber regulatory obligations.

Not surprisingly, it tackles IT and telecom supply chain issues—hopefully the Administration can bring some clarity to the many overlapping federal efforts on this.

It puts DHS’ role on steroids and confirms the government’s commitment to nudging the private sector along, whether or not the industry wants help.  From trying to shape the market for “secure” products to encouraging manufacturers to test security and differentiate products based on security features, the government sends a message that it will take an active role.  Its emphasis on transparency and the rollout of secure next-generation telecom and IT infrastructure will affect technology companies and the broader economy.

The bottom line: industry needs to prepare for additional expectations and obligations, and get ready to interact with the government in a variety of settings.


Cameron Burks – NSI Visiting Fellow; Deputy Chief Security Officer, Chevron Corporation

“The Administration’s focus on protecting critical infrastructure against cyber attacks and providing risk-reduction activities across key sectors and the maritime space is a critical element of the new strategy. It reflects a clear understanding that enhanced government-to-private sector engagement is a vital imperative to the country’s national security.”

 


Jamil N. Jaffer – Founder, National Security Institute

“While the current administration’s national security apparatus may face significant challenges from within, the fact is, the President and his team got this one right: ignoring the costs of malicious cyber activity, including destructive attacks and efforts to undermine our core economic base through IP theft and extortion, is a recipe for disaster.

We must make clear to our enemies in cyberspace, including Russia, China, Iran, and North Korea, that they will no longer be free to conduct destructive or disabling attacks on U.S. soil or against American companies, our government, or our allies, whether in Central Europe, Asia, or the Middle East.  Nor must they think it is acceptable to pillage our American industry of the very technology that is at the core of our economic vitality, undermine our democratic institutions, or pre-position assets to use against us in a future conflict.

The administration’s new strategy—with its discussion of deterrence and consequences—is thus a step in the right direction.

But more must be done immediately.  The time for mere words has passed. We must respond swiftly and surely to cyber activities that threaten our national security.  To that end, the new strategy’s promise of ‘swift and transparent consequences,’ is exactly spot on, and we must now deliver on this promise when challenged in cyberspace.”

Andy Keiser – NSI Fellow; Former Senior Advisor, U.S. House Permanent Select Committee on Intelligence

“The National Cyber Strategy announced by President Trump today is an important step in not only identifying the threats to the United States in cyberspace, but the opportunities and solutions. The strategy touches on typical areas of hardening federal systems, while introducing newer concepts such as an international deterrence model in cyber.

After 15 years of multiple Administrations admiring the problem, the Trump Administration should be given credit for conducting a full interagency review grown out of the National Security Strategy process to get this critical policy in place which has a direct impact on our economy and security. Though it is surely not the end all be all for what needs to happen in cyber, the new NCS will help guide a whole-of-government response to the threats against and openings for the U.S. in cyber.”

 


Dr. Andrea Little Limbago – NSI Senior Fellow; Chief Social Scientist, Endgame

“In many ways, this strategy is the first articulation of a whole-of-nation approach to the range of digital state and non-state threats. The NCS prioritizes the integration of cyber with other elements of national power, focusing on fostering diplomatic norms, countering disinformation, deterring and disrupting malicious activity, and enabling economic prosperity. The private sector also plays a prominent role in this strategy, with everything from incentivizing robust risk management and incident response to augmenting mechanisms for greater information sharing.

The promotion of a free and open internet is at the core of the NCS, and reaffirms American leadership in shaping a democratic, multi-stakeholder model of internet governance. In contrast to the authoritarian model of censorship, data localization, and digital protectionism, the NCS reasserts American commitment to an open internet as a core feature of protecting democracy. While several other recent strategies and policies have emphasized offensive cyber capabilities, that same verbiage of continuous engagement and defending forward is surprisingly minimal. In fact, the NCS emphasizes that efforts to counter malign activities will continue to respect and preserve democratic values.”


Harold Moss – NSI Visiting Fellow; Senior Director Strategy, Akamai Technologies

“The rapid pace at which technology and cyber threats are evolving warrants the need for a combined public and private response as highlighted in the newly released cybersecurity strategy update.

The first step to a sustainable cyber strategy is enabling future cyber talent and leveraging existing public sector talent to buttress existing cybersecurity deficiencies. The acknowledgement that we must expand our cyber talent pool is significant and meaningful.  In absence of concrete and detailed steps, one has to remain cautiously optimistic.  I for one look forward to additional context related to building the necessary foundation for such an endeavor.”


Megan Stifel – NSI Visiting Fellow; Former Director for International Cyber Policy, National Security Council

“The White House strategy released importantly recognizes the opportunities of interconnected technologies as well as the risks and vulnerabilities created. The announcement today builds upon ongoing efforts to protect and defend United States information infrastructure in the new era. By bringing these ongoing efforts together into a cohesive document, today’s Strategy sends a strong signal not only that cybersecurity remains a priority to the United States, but also that it is a whole of nation effort—that the government plays an important but not independent role in sustaining the Internet ecosystem for the future.

Among the key priorities identified by the Strategy are that the government must lead by example, including through workforce training and development and supply chain risk management. Expanding from the government as an enterprise risk management organization, the Strategy prioritizes building and supporting technical and policy relationships to sustain United States economic and security interests for the future. The Strategy highlights the critical role U.S., partner, and ally information and communications technologies and networks play in maintaining secure and resilient economies and the need to continue efforts to support the development of norms, multistakeholder internet governance, and internet freedom, in particular by continuing capacity building efforts to achieve these objectives.”


Dave Weinstein – NSI Visiting Fellow; Vice President of Threat Research, Claroty, Inc.

“Until now the United States has not formally adopted an international approach to cyber deterrence.  The Cyber Deterrence Initiative, which would formally strengthen collaboration with other countries on incident response and attribution, is a promising concept. Successful implementation will depend on what countries participate and their level of commitment.  In this respect, geographical diversity is key to establishing and maintaining the credibility of such a body.  The east versus west I would expect the “Five Eyes” and other NATO member-states to be among the first recruits for the coalition, but it would be worth exploring the private sector’s role in such a construct.

It’s encouraging to see critical infrastructure risk management featured so prominently in the Strategy, but the substance is a bit lackluster.  More creativity is needed for government to maximize its contributions to what is largely a private sector problem.  Some of the best ways for government to “secure critical infrastructure” are to incentivize investment in technology, people, and training; share actionable threat intelligence; and deter activities that hold infrastructure assets (and the citizens they serve) at risk.”