The White House’s National Cyber Strategy was received by many with yawns and expressions of puzzlement, as the administration of President Trump had been pruning cyber expertise from within the ranks of those advising the National Security Council (NSC). To embrace this as ho-hum would be in error.
The strategy quietly sets the stage and signals the United States is ready for a fight within the cyber domain, especially given the adjustments with respect to Presidential Policy Directive 20 (PPD-20), which loosens even further the restrictions under which the U.S. Cyber Command may operate. There is no need for specific presidential approval for the U.S. military to retaliate against an offensive cyberattack.
For those following along, the PPD-20 is the same document Edward Snowden purloined and may have provided to the Russians and Chinese as part of his barter arrangements during his 2013 run to Moscow. It was at that time that the world learned that President Obama had authorized, “… unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” He then somewhat hogtied that statement with, “… require specific presidential approval,” meaning every operation would require the president’s sign-off.
The question remains for all: Does this signal sufficiently to the nation’s adversaries who continue to probe, compromise, infiltrate and deliberately manipulate public and private networks and data sets that their days of acting with impunity are coming to an end? Will there now be an onslaught of cyberattack-backs from the United States?
What Circumstances May Warrant a Cyberattack?
Logically, an attack against a military element engaged in hostilities would be fair game and met with immediate retaliation. Indeed, one could conjure up a multitude of scenarios in which setting the battlefield for a future escalation would require offensive acts by Cyber Command.
But questions remain about other scenarios, which are worthy of consideration:
- Is an attack on a defense contractor enough basis to launch a cyberattack on the attacking entity?
- What of those attacks on national infrastructure? Will that be sufficiently damning as to warrant a cyber response?
- What provisions are there to keep a cyber engagement from evolving into a kinetic one? How badly would the U.S. economy be damaged if a cyber- and kinetic attack were made against the global servers of key service providers, such as AWS?
- Is a cyberattack acceptable to assist an ally?
- Can the cyber domain be used to respond to hardware manipulation or compromise?
Then we have the recent exposé from Bloomberg that revealed China has compromised processor chips that are being used in the U.S. infrastructure and military components. That said, the U.S. government, Super Micro, AWS and Apple have all pushed back—and pushed back without ambiguity—regarding the claims made in the Bloomberg piece.
Let’s assume for a moment it is true. Would this not constitute China setting its plate for a future cyber or armed conflict with an adversary? Putting in place cyber back doors for later use makes good strategic sense: Make the capability ubiquitous and then turn on those you need in a specific scenario. With these “hot” chips in place, could China at a time and place of its liking turn out the lights, turn off the sensors or cause military systems to fail?
This rings the klaxon loudly as to the importance of being precise in pinning the tail on the donkey called attribution.
Has the new National Cyber Strategy, under which cyberattacks no longer require specific presidential permission, put the country at risk or made it stronger?
Is this a time for caution or a time for boldness?