The White House has finally delivered its strategy on cybersecurity deterrence to Congress after enduring weeks of criticism from lawmakers for the lack of such a plan.
In the document, the government says it will take a “multidisciplinary approach” to thwarting malicious acts against the country’s public and private sector systems, relying on deterrence by stopping threats and “cost imposition,” which ranges from indictments to military force.
“Our targeted use of these instruments is intended to create uncertainty in adversaries’ minds about the effectiveness of any malicious cyber activities and to increase the costs and consequences that adversaries face as a result of their actions,” the report reads.
The strategy is specifically focused on stopping attacks that could result in “catastrophic regional or national effects on public health or safety, economic security, or national security.” The report goes on to say that it would be impractical to guard the entirety of U.S. assets in cyberspace, so the government will work with the most vulnerable spots in both the public and private sector as a means to deter malicious activity.
Congress has been pressing top administration officials for deterrence plans for months, especially in light of a number of high-profile attacks on both government systems and private companies.
“Make no mistake, we are not winning the fight in cyberspace. Our adversaries view our response to malicious cyber activity as timid and ineffectual,” Sen. John McCain, R-Ariz., said during a Senate Armed Services Committee hearing in September. “The administration has not demonstrated to our adversaries that the consequences of continued cyberattacks against us outweigh the benefit. Until this happens, the attacks will continue and our national security interests will suffer.”
The report also highlights how the U.S. has reached out to other countries to develop legal frameworks and is using computer forensics to investigate crimes. The government has encouraged other countries to use the Budapest Convention on Cybercrime as a basis for ensuring law enforcement agencies have the authorities and tools to investigate cybercrime and share that information in a timely manner.
The document, first obtained by Inside Cybersecurity, is considered to be an initial roadmap, neither “exhaustive nor static.” The administration will adapt “priorities to new threats and geopolitical developments,” it says.
“The United States government is committed to identifying and defending against cyber attacks and other malicious cyber activity and to deterring those who choose to conduct such activity,” the report reads.