Trump admin to revisit bedrock cyber policies as it implements new strategy
Implementation steps for the Trump administration’s forthcoming cyber strategy, set for release in January, will include reexamining policies like NSPM-13, a classified document that governs which agencies can launch cyber operations and how they are authorized; PPD-41, which governs what happens when a major cyber incident hits U.S. soil, including lead agencies and coordination structures; and NSM-22, which sets standards for protecting critical infrastructure across various sectors.
Executive orders focused on cybercrime and ransomware groups are also being arranged, two of the people said.
All sources spoke on the condition of anonymity because they were not authorized to publicly discuss the Trump administration’s intentions. They cautioned that some of the plans are fluid and may be subject to change.
Details of the cyber strategy itself were also laid out in part in an industry document obtained by Nextgov/FCW. The six-pillar strategy would focus on taking steps to preempt foreign adversaries’ hacking capabilities, reform cybersecurity regulations to reduce compliance burdens, modernize federal networks, secure critical infrastructure, encourage superiority in emerging technologies and build a business-driven cyber talent pipeline.
CyberScoop first reported on those pillars.
The strategy and associated reworking of cybersecurity policy documentation underscore the scale of the White House’s effort to recalibrate U.S. cyber policy amid sustained nation-state pressure on the nation’s digital and physical infrastructure.
The effort also comes as the White House has overseen sweeping moves to reduce the size of major cyberdefense and national intelligence offices across the government, though some of those workforce reductions are reportedly being reversed in the coming calendar year.
“We do not comment on pre-decisional policy matters,” said a spokesperson for the Office of the National Cyber Director, the White House office overseeing implementation of these plans. “The Trump administration is determined to make Americans, and our vital infrastructure, networks and information secure in cyberspace.”
The offensive pillar would focus on reshaping adversary behavior by being more proactive in cyberspace, including by resetting foreign adversaries’ risk calculus and leaning into partnerships with the private sector to aid in that work. The goal, ultimately, is “preemptive erosion” of adversaries’ hacking capacity, the industry document says.
Bloomberg News first reported details on the administration’s offensive cybersecurity plans with private industry.
How that offensive realignment takes shape is not entirely clear. Debates over the role of the private sector in national cyber operations have included proposals to grant companies authority to conduct offensive cyber activity against adversaries.
The concept has been discussed between U.S. officials and the private sector, Nextgov/FCW reported in May, though sources acknowledged that any modern framework would be more constrained than those used in past centuries.
Still, there is clear intent to “take off the kid gloves” inside government agencies that already have legal authority to offensively hack, one person familiar with the administration’s thinking said. The administration has been making these statements of intent for months.
Two other people familiar with the matter also suggested that the White House’s plans could involve more innovative and creative ways to integrate cyber threat intelligence — technical data that helps identify who is behind hacking campaigns and how they operate — more closely with spy agencies’ signals intelligence tools, which monitor foreign communications and digital activity for national security purposes.
On the defensive side of the strategy, the White House will focus on pushing agencies to adopt quantum-safe security measures, part of an effort aimed at ensuring encrypted government networks remain secure even as future quantum computers gain the ability to crack today’s encryption standards.
A related component of the blueprint involves adopting tools that promote “zero trust” — the notion that no user on a network should ever be trusted and every user should always be verified to ensure their authenticity.
There is also a procurement dimension to the strategy, which would seek to increase competition in the government contracting space by not deferring only to giant defense and technology prime contractors that have historically dominated large federal cyber contracts.
More broadly, the critical infrastructure pillar would focus heavily on moving away from Chinese technology, building on prior efforts to jettison China-linked telecom hardware from U.S. networks.
The government will also explore business incentives to spur interest in cybersecurity careers and develop the concept of a U.S. cyber academy, the workforce pillar shows. A venture capital component for funding cyber startups is also being crafted in tandem with those goals.
An executive order implementing the cyber strategy is also planned, according to the industry document, and is expected to be much shorter than its Biden-era equivalent released in 2023.