White House officials and President Obama's top military adviser disagree about whether the United States has a coherent national strategy to address cyber threats.
The rift surfaced when Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, recently voiced concerns at the Atlantic Council about the nation's lack of preparedness for a cyber attack, cited strategic shortcomings and assigned blame to Congress.
"We have sectors within our nation that are more ready than others, but we don't have a coherent cyber strategy as a nation," Dempsey said. "And I understand why. . . . There are some big issues involved with achieving that kind of coherence -- issues related to privacy and cost, information sharing and all of the liabilities that come in the absence of legislation to incentivize information sharing."
Dempsey has previously defined strategy not merely as the issuance of high-profile guidance but as the process of balancing ends, ways and means.
Laura Lucas Magnuson, a spokeswoman for White House Cybersecurity Coordinator Michael Daniel, disputed Dempsey's critique.
"Current U.S. cyber strategy is coherent and consistent with U.S. values that support an open, interoperable, secure and reliable Internet," she told Inside Cybersecurity. "Given that cyberspace permeates every aspect of the economy and national security, no single document can meaningfully capture our strategic direction. Instead, our efforts are informed by specific strategy and policy documents."
She said the Obama administration has produced a series of "targeted, coordinated strategies and policies to address specific cybersecurity topics," including the International Strategy for Cybersecurity; the National Strategy for Trusted Identities in Cyberspace; the National Strategy for Information Sharing and Safeguarding; Executive Order 13286 "Assignment of National Security and Emergency Preparedness Communications Functions"; Executive Order 13587 "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information"; the Strategic Plan for the Federal Cybersecurity Research and Development Program; and the Cross Agency Priority Goal for Cybersecurity.
"Rather than developing yet another strategy on top of existing strategies, we need to remain flexible and focus on achieving measurable improvements in our cybersecurity," Magnuson said. "The administration's current approach fits the rapidly changing environment of cyberspace and the swiftly evolving government capabilities and understanding in cybersecurity."
But Dempsey is standing by his remarks and pointing the finger at Congress. He "remains extremely concerned at how vulnerable our nation's critical infrastructure is to a debilitating cyber attack," his spokesman, Air Force Col. Ed Thomas, told Inside Cybersecurity.
"To close this national vulnerability, which constitutes a grave threat to our security, he continues to urge the passage of legislation that improves information sharing, encourages companies to adopt voluntary cybersecurity best practices and standards, and supports the establishment of international norms in cyberspace," Thomas said.
The Defense Department has pushed for a more comprehensive national strategy to address cyber threats for years, said a former defense official, who concurred with Dempsey that more must be done -- particularly by lawmakers -- to address cyber threats.
In a broad sense, the source continued, Pentagon officials remain concerned that the U.S. government is in a tail chase when it comes to cyber threats, mainly due to Congress' failure to pass legislation that identifies critical infrastructure and enables information sharing. Officials have also been frustrated that the administration has taken so long to publicly address policy questions about offensive cyber operations, the source said.
Echoing the White House's emphasis on encouraging industry to voluntarily boost cybersecurity, the former official said incentives are preferable to a regulatory regime. For instance, Congress could pass legislation mandating active red-teaming of critical infrastructure, the source said, noting that private sector experts or potentially the National Security Agency could play the role of attackers during the tests and the infrastructure companies would be accountable for the results. The Nuclear Regulatory Commission could oversee such testing for nuclear power plants, the source said.
Daniel's predecessor, Howard Schmidt, said in an interview he was a bit surprised by Dempsey's remarks. Schmidt, now teamed with former Homeland Security Secretary Tom Ridge in the Ridge-Schmidt cybersecurity consultancy, said the general's comments reflect a tendency in Washington to forget accomplishments and needlessly reinvent things. Schmidt said in his opinion the 2003 National Strategy to Secure Cyberspace -- which he helped develop for former President George W. Bush -- still stands.
But the White House spokeswoman said the 2003 strategy does not represent the policy of the Obama administration. The former defense official said the 2003 strategy featured good words, but the Bush administration did too little to implement it. And Mark Weatherford, a former DHS deputy under secretary for cybersecurity, said that although the 2003 strategy was "very comprehensive," it would now need refreshing.
"I can't help but agree with Gen. Dempsey, though," said Weatherford, a principal with The Chertoff Group, a consultancy formed by former DHS Secretary Michael Chertoff. Noting that cybersecurity is a dynamic discipline, Weatherford said DHS has struggled with questions about the role of government in cybersecurity -- and how the government ought to respond when someone attacks one of the United States' 16 critical infrastructure sectors.
Weatherford also said it must be determined what role industry has in protecting itself. The federal framework of cybersecurity standards, which the White House released earlier this year in a bid to encourage industry to voluntarily improve its cybersecurity, has raised the level of conversation on the subject in an astonishingly good way, he said.
Weatherford also praised the recent indictment of five Chinese military hackers for economic espionage against U.S. companies. Industry has been waiting for the U.S. government to step up in this way, he said.
Jason Healey of the Atlantic Council said he agrees completely with Dempsey about the lack of a coherent national cyber strategy. Most of the current crop of strategy documents, he said, are either overly focused on military issues, too old, or too limited to only one area of cyber. The lack of deadlines for completing actions is also problematic, he said.
"None of these 'strategies' actually give much advice on how to balance between competing priorities, such as where additional [signals intelligence] collection might trample on American companies to the ultimate detriment of American security (such as happened with Microsoft and Flame)," he said via email. Citing the Cold War, he said, "The best strategy ever was 'containment' which summed up the entire idea in just a single word."
James Lewis of the Center for Strategic and International Studies said via email the United States has "done pretty well in assembling a set of strategies," which collectively "add up to a coherent strategy (with a lot of extraneous pieces)." But Lewis also sees room for improvement.
"If you were going to look for two areas for work, it would be in critical infrastructure protection and in responding to cyber attack -- that's why Dempsey is saying we are unprepared," he said.
Ben FitzGerald of the Center for a New American Security questioned whether a coherent strategy is attainable. "The U.S. does not and likely cannot have a singular, coherent cyber strategy," he said. "There are too many stakeholders with competing perspectives and interests to fit under one umbrella approach. The most that can be hoped for is a minimum acceptable standard of security and particular strategies for vital networks and assets."
Healey, Lewis and FitzGerald doubted the administration's upcoming National Security Strategy would say much on cybersecurity.
And Jane Holl Lute, the president and chief executive officer of the Council on Cybersecurity, urged a greater focus on promoting cybersecurity hygiene. The federal framework of cybersecurity standards is the foundation of the Obama administration's legacy on cybersecurity, she said. Lute questioned the utility of writing cybersecurity strategies.