Cybersecurity and Deterrence

How Biden’s Cyber Strategy Echoes Trump’s

By Herb Lin
Wednesday, March 10, 2021, 10:48 AM

On March 3, the Biden administration released its Interim National Security Strategic Guidance. Regarding cybersecurity, the document stated that

 we will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace. We will elevate cybersecurity as an imperative across the government. We will work together to manage and share risk, and we will encourage collaboration between the private sector and the government at all levels in order to build a safe and secure online environment for all Americans. We will expand our investments in the infrastructure and people we need to effectively defend the nation against malicious cyber activity, providing opportunities to Americans of diverse backgrounds as we build an unmatched talent base. We will renew our commitment to international engagement on cyber issues, working alongside our allies and partners to uphold existing and shape new global norms in cyberspace. And we will hold actors accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity, and respond swiftly and proportionately to cyberattacks by imposing substantial costs through cyber and noncyber means.

The interim guidance document is, by definition, a work in progress, and one would expect a final guidance document to be roughly consistent with the interim guidance but also to contain a more substantial elaboration on the interim guidance. Nonetheless, to get a sense of relative priorities, I found it interesting to compare the interim guidance to the Trump National Cyber Strategy published in 2018. The table below contrasts the paragraph above, mostly sentence by sentence, to comparable passages in the Trump National Cyber Strategy.

| Biden Interim Guidance 2020 | Trump National Cyber Strategy 2018 |
| --- | --- |
| [W]e will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace. We will elevate cybersecurity as an imperative across the government. | Protecting America’s national security and promoting the prosperity of the American people are my top priorities. Ensuring the security of cyberspace is fundamental to both endeavors. (p. I) |
| We will work together to manage and share risk, and we will encourage collaboration between the private sector and the government at all levels in order to build a safe and secure online environment for all Americans. | The Federal Government will work with the private sector to manage risks to critical infrastructure at the greatest risk. (p. 8)<br><br>We will collaborate with the private sector and civil society to understand trends in technology advancement to maintain the United States technological edge in connected technologies and to ensure secure practices are adopted from the outset. (p. 15) |
| We will expand our investments in the infrastructure and people we need to effectively defend the nation against malicious cyber activity, providing opportunities to Americans of diverse backgrounds as we build an unmatched talent base. | The United States Government will work with private and public sector entities to promote understanding of cybersecurity risk so they make more informed risk-management decisions, invest in appropriate security measures, and realize benefits from those investments. (p. 9)<br><br>The Federal Government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure. Departments and agencies will align their investments to the priorities, which will focus on building new cybersecurity approaches that use emerging technologies, improving information-sharing and risk management related to cross-sector interdependencies, and building resilience to large-scale or long-duration disruptions. (p. 9)<br><br>The Administration will facilitate the accelerated development and rollout of next-generation telecommunications and information communications infrastructure here in the United States, while using the buying power of the Federal Government to incentivize the move towards more secure supply chains. (p. 15) |
| We will renew our commitment to international engagement on cyber issues, working alongside our allies and partners to uphold existing and shape new global norms in cyberspace. | The United States will strive to improve international cooperation in investigating malicious cyber activity, including developing solutions to potential barriers to gathering and sharing evidence. (p. 11)<br><br>The United States will promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity. (p. 20) |
| [W]e will hold actors accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity, and respond swiftly and proportionately to cyberattacks by imposing substantial costs through cyber and noncyber means. | We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy. (p. 8) |

By my reading, the Biden interim guidance document is different from the Trump National Cyber Strategy in two ways, apart from detailed phrasing. First, the Biden document emphasizes the importance of diversity in the national talent base for cyber, whereas the Trump document is silent on the matter. Second, the Biden document strongly implies government investment in cybersecurity, whereas the Trump document seeks to minimize the notion of government investment in cybersecurity and emphasizes a government role in facilitating private-sector investment in cybersecurity. 

In all other areas addressed in the Biden interim guidance, I believe the statements are substantially the same. If this is true, it suggests great continuity in cyber policy and strategy between administrations as different as Biden’s and Trump’s. Of course, the Trump National Cyber Strategy wasn’t all that different from Obama’s cyber strategy, either.

This suggests there has been more continuity than change between administrations on cyber policy over the past decade and more. Whether this is a good thing or a bad thing for the nation is left as an exercise for the reader.