The U.S. State Department, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week issued a series of reports tied to an executive order President Trump released a year ago to fortify federal networks and critical infrastructure.

Trump’s May 2017 Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made it clear that the heads of executive departments and agencies will roll if they fail to blunt the cybersecurity risk to their enterprises. The subsequent agency reports conveniently appeared only a few days ahead of the June 4 election, with the November midterms an expected target of cybersecurity attackers.

The State Department’s deterrence strategy is not without its detractors. Ruchika Mishra, director of product marketing for IT security specialist Balbix, called it a “post attack reaction.” Rethinking cybersecurity and protecting IT assets “requires much more emphasis on proactively predicting and controlling your breach risk and focusing on strategies and approaches to avoid breaches as a first step, rather than focusing on developing and imposing consequences after the fact,” she said.

A second State Department report, Recommendations to the President on Protecting American Cyber Interests Through International Engagement, details a strategy to strengthen collaboration with foreign partners and allies to address shared threats in cyberspace.
'Make Them Pay' Strategy
The State Department’s Recommendations to the President on Deterring Adversaries and Better Protecting the American People From Cyber Threats said that hitting the wallet of foreign countries “responsible for significant malicious cyber activities aimed at harming U.S. national interests” is the best deterrence. The State Department’s “make them pay” strategy includes:
- Developing a range of consequences: A “menu of options for swift, costly, and transparent consequences.”
- Policy planning: Inter-agency policy planning for the time periods leading up to, during, and after laying on the consequences.
- Building partnerships: Consequences are best carried out in concert with like-minded partners.