Trump security plan calls for consequences for cyberattacks

President Trump's first National Security Strategy called for improving risk management and resilience, but remained vague on authorities and coordination.

President Trump released his National Security Strategy on Dec. 18.

President Donald Trump's first National Security Strategy included several sections that touched on cybersecurity, calling for improved risk management and resilience, but the document remained vague on authorities and coordination.

The strategy, required under the National Security Act of 1947, outlines cyber priorities in broad strokes in a section titled "keeping America safe in the cyber era." The text emphasizes ongoing initiatives, including information sharing, securing critical infrastructure, strengthening public-private partnerships and modernizing federal tech.

In a Dec. 18 campaign-style speech announcing the White House's National Security Strategy, Trump made scant mention of cybersecurity, but the issue is central (if somewhat vague) throughout the document. Trump is the first president to release the report with a public speech, according to the Center for a New American Security.

According to the document, the White House will invest in attribution capabilities and expand collaboration with industry to better detect and pinpoint attack sources. Additionally, the government plans to work with Congress to improve information sharing with private industry.

The strategy also prioritizes granting IT and cybersecurity personnel "necessary [acquisition] authorities, information, and capabilities to prevent attacks," and promises "swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyber activities."

The document also warns about adversaries leveraging the features of an open society to foment mistrust.

"Today, actors such as Russia are using information tools in an attempt to undermine the legitimacy of democracies," the strategy states. "Adversaries target media, political processes, financial networks, and personal data." Elsewhere, the strategy warns, "Russia uses information operations as part of its offensive cyber efforts to influence public opinion across the globe. Its influence campaigns blend covert intelligence operations and false online personas with state-funded media, third-party intermediaries, and paid social media users or 'trolls.'"

The strategy recommends improved public diplomacy and stronger local partnerships. The document also notes that "U.S. efforts to counter the exploitation of information by rivals have been tepid and fragmented," and have been "hampered by the lack of properly trained professionals."

While cyber is woven throughout the strategic document, there's a lack of detail regarding the precise U.S. protocol following a cyberattack, how the U.S. would respond, and what agencies would lead a U.S. response. A 2016 Government Accountability Office report warned about a lack of clearly defined roles and responsibilities for the military when it comes to defending domestic networks and infrastructure.

Christine Wormuth, the Atlantic Council's Center for Resilience director and a former DOD policy undersecretary, said on a press call that while the strategy "certainly doesn't give a clear indication" as to how the government will handle a cyberattack, it does "put emphasis on integrating procedures and authorities" across the government.