President Biden is about to approve a policy that goes much farther than any previous effort to protect private companies from malicious hackers—and to retaliate against those hackers with our own cyberattacks.
The 35-page document, titled “National Cybersecurity Strategy,” differs from the dozen or so similar papers signed by presidents over the past quarter-century in two significant ways: First, it imposes mandatory regulations on a wide swath of American industries. Second, it authorizes U.S. defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments, in retaliation to—or preempting—their attacks on American networks.
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document states in a five-page section titled “Disrupt and Dismantle Threat Activities,” according to a draft exclusively viewed by Slate. (The document has not yet been publicly released, though it will be after Biden signs it, an event anticipated sometime this month.)
Under the new strategy, the U.S. will “disrupt and dismantle” hostile networks as part of a persistent, continuous campaign. This campaign will be coordinated by the FBI’s National Cyber Investigative Joint Task Force working in tandem with all relevant U.S. agencies—a systematic collaboration that has rarely been attempted and never before publicized. Private companies—both firms that are frequent targets of cyberattacks and firms that specialize in cybersecurity methods—will be full partners in this effort, both to alert the government task force of intrusions and to help repel them. (In the past, many of these firms, especially in Silicon Valley, have been reluctant to be seen cooperating with the government on these issues.)
The new strategy—which was in the works for much of 2022 under the supervision of senior White House officials—stems from the growing recognition of two facts, which have long been obvious to specialists.
First, mere guidelines on cybersecurity—which Washington has previously allowed private companies to follow voluntarily—have, for the most part, failed to block major intrusions by foreign governments or cybercriminals.
Second, purely defensive measures have also had limited impact, as a clever hacker will eventually find ways around them.
The United States has conducted cyber-offensive operations for many decades. Bill Clinton was the first president to acknowledge this fact publicly. In 2012, Barack Obama issued Presidential Policy Directive No. 20, which established strict controls, including that the president’s explicit permission was needed for all cyber-offensive operations. (Classified Top Secret, it was one of many documents leaked by Edward Snowden.) In 2018, President Trump signed National Security Presidential Memorandum No. 13, which loosened those controls, giving defense and intelligence agencies enormous leeway to mount offensive campaigns themselves.
Gen. Paul Nakasone, who was and still is NSA director and Cyber Command chief (the two positions are generally held by the same four-star officer), was the chief advocate of that approach. In an article he later wrote for Foreign Affairs, he described the mission, with its greater latitude, as “hunt forward” and “persistent engagement.”
At the time, many feared that the end of tight controls would unleash excess and blowback, and ultimately harm security. But, as one official who used to be among the fearful told me last week, “None of those horrible things happened.”
As a result, Biden and his team decided to push the Trump-Nakasone policy further. The strategy that Biden is set to approve covers only those offensive operations designed to disrupt hostile actors’ attempts to hack into U.S. networks. At the same time, however, the Pentagon is drafting a new cyber strategy, which applies the White House paper’s principles to cyber policies, both defensive and broadly offensive.
The other sections of the Biden paper—which includes 30 pages dealing with purely defensive measures—outline still more drastic departures from present policies to protect the nation’s “critical infrastructure.” That term, “critical infrastructure,” was coined in the mid-1990s and refers to economic sectors—such as banking, finance, electrical power, water works, transportation systems, telecommunications, and emergency management services—that are essential to modern societies and are connected to computer networks, meaning they are vulnerable to cyberattacks.
Presidents Bill Clinton, George W. Bush, and Barack Obama all signed orders and created agencies to strengthen the resiliency of these sectors. A few aides to all three presidents tried to impose mandatory cybersecurity regulations on companies in these sectors, but corporate lobbyists successfully resisted their efforts, as did some economic advisers, who warned (perhaps correctly) that regulations would curtail innovation. So enforcement of the rules has been, until now, strictly voluntary.
The new strategy stems from a recognition that voluntary measures in most of those sectors don’t work. There are exceptions—for instance, banks. Cybersecurity is central to their business; if they get hacked too often, customers will take their deposits elsewhere; banks also have the money to hire very good specialists. However, for public utilities, such as power plants, cybersecurity is very expensive. Mandatory regulations are needed to prod them into action.
At the same time, the new strategy recognizes that uniform standards for all sectors—which some aides under past presidents tried to formulate—don’t work either. As an alternative, more than a year ago, the Biden White House started analyzing each sector, in consultation with the federal agency that had authority over each sector and with the companies that would be affected by regulations.
For instance, according to one official, the TSA identified 97 oil and gas pipelines that serviced at least 25,000 Americans. The White House then held three meetings with executives of the companies that owned the pipelines. At one meeting, after being vetted for security clearances, the executives were briefed by intelligence officials on the threats their pipelines faced.
Officials have also met with state utility commissions on the threats to electric power grids and on measures to improve security. Just before Christmas, in a bill signed by Gov. Kathy Hochul, New York became the first state to issue new mandatory cybersecurity regulations. It will be assisted by a few federal experts as well as a chunk of the $1.5 billion that the White House is allotting to states that take this leap. Similarly, this month, according to one official, the EPA will issue new regulations on the cybersecurity of the nation’s waterworks.
Context is another big difference between Biden’s strategy and earlier attempts to impose regulations. As recently as a few years ago, many corporate executives perceived cyber threats as theoretical. Now they are obviously anything but. In 2020, Russia’s massive hack on SolarWinds—which affected system management tools on the computers of more than 30,000 agencies and firms involved in critical infrastructure—was a major wake-up call. In 2021, a criminal gang’s ransomware attack on Colonial Pipeline—which shut down the flow of gasoline and jet fuel to 17 states until Colonial paid 75 Bitcoins (at the time worth $4.4 million) to the hacker group—was another.
The Colonial hack couldn’t have happened had even rudimentary security measures been followed. It was a big part of what led Biden to impose mandatory regulations on pipelines. The new strategy spreads such regulations across the other critical industries.
Michael Daniel, Obama’s cyberpolicy coordinator who now heads the Cyber Threat Alliance, a nonprofit group of security providers and IT firms, told me, “There’s definitely been a shift in business thinking. It’s one thing if your spreadsheets are wrecked—quite another if it’s your pacemaker. With recognition that cyberattacks can cause physical damage, some degree of government regulation is inevitable.”
Many of these companies also do business abroad, where regulations are much more stringent. If they need to follow regulations in Europe, Australia, or Canada, they might as well follow them here, too.
Still, the new strategy won’t solve all the problems. There are several sectors—including food and agriculture, emergency services, and several manufacturing industries—where Congress would need to pass authorities to regulate. And the new Congress, at least on the House side, doesn’t seem interested in passing much of anything, much less additional regulations on business.
Even for sectors where the executive branch already has authority, the lines of authority—which agencies can write and enforce which regulations over whom—aren’t entirely clear. During the drafting of the National Cybersecurity Strategy, the two White House officials in charge—Anne Neuberger, the deputy national security adviser for cyber and emerging technologies (appointed by Biden), and Chris Inglis, the national cyber director (a position newly created by Congress just two years ago)—sometimes clashed over these matters. Compromises were made, and a consensus was reached between the two of them and among more than 20 federal agencies. Still, there are, inevitably, some lingering ambiguities, which are to be settled in a subsequent “implementation strategy.”
It was way back in October 1997 when President Clinton’s Commission on Critical Infrastructure Protection warned of “cyber attacks” that could “paralyze or panic large segments of society” and “limit the freedom of action of our national leadership”—adding, “We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.”
A quarter-century later, Biden’s new strategy goes a long distance toward coming to grips with this new geography. But in many ways, we’re still negotiating.