Trump administration officials are working on a new national cybersecurity strategy, building on the president’s executive order earlier this year, homeland security adviser Tom Bossert said Tuesday.
“The president moved in his first months to put out an executive order to do the trench work necessary to put us in a position of putting forward a cybersecurity strategy,” he said at a Palo Alto Networks event Tuesday in Washington, D.C. “As soon as we’re prepared to issue a strategy that will be beneficial to the government and the nation, we’ll do so.”
During a conversation on stage with Palo Alto Networks CEO Mark McLaughlin, Bossert said he was surprised and disappointed that the 2008 Comprehensive National Cybersecurity Initiative he had helped craft during his time serving President George W. Bush still appeared to be the blueprint for U.S. strategy in cyberspace.
“If you had told me that ten years later, I’d come back into government and that would still be the extant strategy and wasn’t fully implemented yet I’d have thought … I mean I have to moderate my language here,” he joked.
The CNCI followed President Bush’s 2003 National Strategy to Secure Cyberspace, which established three strategic objectives for national cyberspace security: preventing cyberattacks against vital national industries; reducing national vulnerability to cyberattacks; and minimizing damage and recovery time from cyberattacks that got through.
While the CNCI was continued under President Barack Obama, there were several national cybersecurity strategy documents released while Bossert wasn’t in government service:
- The White House Cyberspace Policy Review (May 2009)
- The International Strategy for Cyberspace (May 2011)
- The Strategic Plan for Cybersecurity Research and Development (December 2011)
Two years later, in 2015, the Pentagon produced the Department of Defense Cyber Strategy. And in February last year, the White House produced the Cybersecurity National Action Plan, combining pledges to improve federal cybersecurity with plans to empower consumers to improve their online protections through measures like two-factor authentication.
Bossert was tight-lipped when asked after his presentation to outline the strategy or give more details.
“Scoping” — deciding exactly what areas of policy and which agencies should be included — “is always an important first step,” he said, adding, “But I think the [cybersecurity] executive order gives you a good blueprint, and the blueprint is to organize our efforts” into three component parts:
- Defending federal networks: “practicing what we preach before we preach it to others”
- Working with critical infrastructure owners and operators to protect vital industries
- The global dimension: developing norms of good behavior for nation states in cyberspace and raising the costs for foreign adversaries who don’t abide by them