The Trump Administration Just Threw Out America’s Rules for Cyberweapons
U.S. cyberstrategy needs updating, but this isn’t the way to do it.
Quietly, in a week dominated by other news, the Trump administration has taken the United States’ purported rules for using cyberweapons and thrown them out the window.
As reported in the Wall Street Journal, U.S. President Donald Trump signed an order on Aug. 15 reversing a set of classified guidelines “that had mapped out an elaborate interagency process that must be followed before U.S. use of cyberattacks, particularly those geared at foreign adversaries.” The change, a Trump administration official said, represents “an offensive step forward.”
At first glance, it is not clear that there is anything wrong with this shift. Having counseled senior officials responsible for both cyberdefense and cyber-offense, it’s hard not to conclude that the United States is doing a lousy job at both. The country’s adversaries are pulling well ahead, whether it is Russia launching a massive cyberspace-enabled campaign to interfere with U.S. elections, China swiping precious intellectual property, North Korea attacking the U.S. film industry, or the Islamic State mobilizing recruits.
Despite well-intentioned efforts by U.S. Presidents Barack Obama (whose activities I supported while in government) and George W. Bush to set cyberstrategy and build up cybercapacity, the United States is simply not able to counter threats in cyberspace. Its rules do need to change. But throwing them out entirely is unwise.
For one, it isn’t clear that the Trump administration has an alternative process for managing cyberspace policy. Tearing up the offense and defense rulebook follows Trump’s hollowing out of the White House team that runs cyberspace policy. This administration has also weakened U.S. cyberspace diplomacy—meant to establish global rules of the road, including initiatives to restrict bad behavior by countries like Russia and China—by eliminating its chief coordinator at the State Department.
Reasonable people can disagree over whether the abolished roles were functioning as well as they could. Personally, I believe that the White House team would have operated better had it been more closely integrated with the regional groups coordinating overall policies toward the United States’ chief adversaries. If a data breach were linked to the Russian government, for example, the White House cyberteam should have supported the Russia group’s management of the response. But the positions were necessary. Since the departure of Chris Painter, the ousted State Department coordinator of cyberspace diplomacy, there have already been signs that the United States is losing more ground to its adversaries in shaping global governance of the internet. Cyberspace policy touches everything, including commerce, law enforcement, diplomacy, international law, intelligence, and military affairs. That is why some top-down structure for managing it was necessary.
In the absence of a White House cyberteam, the United States is left with a handful of individuals to handle policy. One of them is National Security Advisor John Bolton. With regard to cyberspace, Bolton has shown a predilection for the easy button, issuing aggressive threats with little regard for the consequences. Before his appointment, for example, Bolton called for the United States to use its “muscular cyber capabilities,” to impose costs on our adversaries “so high that they will simply consign all their cyberwarfare plans to their computer memories to gather electronic dust.” Bolton’s words sound great, but they betray a simplistic understanding of the difficulty involved in unseating Russia and China from their digital perch, including what do when their infrastructure is in an unwitting third country or, worse, in the United States itself.
Another problem is Bolton’s reputation for consolidating power around himself. There is an obvious problem with allowing one person—and a rather trigger-happy one, at that—to have so much influence: He could push the United States toward war, even if Trump never intended it. Although the national security advisor has no formal operational role in war, Bolton already demonstrated that recklessness can inch the country closer to conflict when he made some ill-advised and unsanctioned comments about North Korea. He may also have a freer hand when it comes to cyberwar, thanks to some seldom-noticed provisions within the National Defense Authorization Act that appear to pre-authorize the use of certain cybertools against the United States’ main adversaries. As much as Washington may indeed need to do a better job punching back against cyberthreats, it matters who is doing the punching and how, especially if it is primarily a person with a penchant for living dangerously.
Finally, even with the most state-of-the-art cybertools, it is not clear that complete freedom to use them would deter America’s adversaries. Russia and China, and to a lesser extent North Korea and Iran, are doing everything they can to erode U.S. advantages and strengthen themselves. Russia’s influence operations and what appears to be a multiyear campaign to tap into U.S. digital critical infrastructure probably give the Kremlin a leg up that no rule rewriting will overcome. And China can always stay ahead of the game by stealing U.S. technology, perhaps by cranking up investment in U.S. startups or inviting the country’s most capable companies into their marketplace. Indeed, Apple and Google are already there. It is enough to make experts wonder whether cyberdeterrence alone is a realistic option.
Fortunately, there is a way out of this mess. One step would be smarter and more transparent investment in cybercapabilities. The United States’ defenses aren’t cutting it. The cybersecurity industry has grown at huge rates year after year, but the country may not yet be more secure. One approach to the problem could be to identify the right package of incentives to encourage firms to design with security in mind from the start. The effort could start with emerging technology industries, as a British government report recently recommended. Another would be to apply artificial intelligence not to weapons systems, but toward helping humans identify and patch vulnerabilities at scale.
It is important not to take offensive tools for granted either. When former U.S. Secretary of Defense Ash Carter expressed disappointment with the performance of U.S. Cyber Command in the fight against the Islamic State, it should have been a wake-up call. Carter attributed Cybercom’s woes to interagency infighting. But thanks to the post-9/11 Authorization for Use of Military Force, we know the military enjoys wide latitude to go after terrorists, which means that infighting could not have been the sole issue. Rather, Carter’s statement raised questions about whether senior leaders had the right tools at their disposal. In addition to better tools, the United States also need better personnel: more diplomats with digital expertise and more special agents who know computer forensics better than they do al Qaeda.
Further, beyond a cyberwar rulebook, the United States desperately needs to know what cards it is even playing with and, just as importantly, how to play them. The country’s experience with counterterrorism is instructive. Following the attacks of Sept. 11, 2001, Republicans and Democrats spent years inventorying the country’s tools—intelligence, law enforcement, diplomatic, military—and determining how best to employ them. The Obama administration even declassified its guidance for certain counterterrorism tools, colloquially known as the “playbook.” Analogous tools exist in cyberspace—investigations, sanctions, and, yes, cyberweapons—and there have also been some limited attempts at inventorying them. But Washington needs to organize them into a hierarchy and outline how each might be used independently, in sequence, or simultaneously.
Ultimately, even more than focusing on tools and rules, the United States has to acknowledge a difficult reality: For the last two decades, the country’s strategic focus and investment has concentrated disproportionately on terrorism and the wars in Iraq and Afghanistan. Everything else has been secondary, including responding to those who are threatening the country through cyberspace. No set of rules, cyberweapon, or deterrence strategy alone is likely to change the calculus of China, Russia, or any other country. In fact, the only reported instances where the United States appears to have curbed the use of malicious cybertools have been when it has built cyber concerns into broader discussions, including Obama’s agreement with Chinese President Xi Jinping in 2015, in which China agreed to certain limits on theft of U.S. intellectual property through cyberspace, and through the Iran nuclear accord. Both reportedly produced changes in each country’s pattern of digital confrontation. This suggests that mitigating the harm from rampant digital insecurity will depend less on building more capabilities or plans in cyberspace. Rather, it will depend on integrating them into grand strategies for dealing with today’s adversaries.