The Trump administration ushered in Year Two by signing the 2018 defense authorization bill into law. It calls for the administration to develop and report to Congress on U.S. plans to deter and respond to cyberattacks by foreign powers, plans to defend U.S. networks and critical infrastructure systems and plans to respond in cyberspace in such a way “to impose costs on any foreign power targeting the United States or United States persons with a cyberattack or malicious cyber activity.”
However, the bill also included a provision that limits funding for the White House Communications Agency (WHCA) “contingent upon the submission of a report on a national policy for cyberspace, cybersecurity, and cyberwarfare.”
The provision, section 1633 in the National Defense Authorization Act, led by Sen. John McCain (R-Ariz.), is intended to “immediately prioritize the administration’s commitment to develop a new and improved cyber deterrence strategy that emphasizes both deterrence by denial and deterrence by consequence imposition.”
Trump signed the bill into law on December 12, but in an accompanying statement he called the measure “unprecedented and dangerous” for limiting the WHCA.
And while the political rhetoric around the provision continues, what is being overlooked is the need (and opportunity) for the US to take a greater leadership role on cyber warfare globally – and there is policy already in place … but seemingly forgotten.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a US government initiative announced in 2011 to improve the privacy, security and convenience of sensitive online transactions. It is the vision for a collaborative ecosystem where individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online.
Waverley Labs believes strategic initiatives such as NSTIC need to be updated and expanded to emphasize an “authenticate-first” strategy that also includes trusted users and trusted devices. Identifying authorized users will go a long way to helping cyber warfare initiatives globally.
Forward-thinking enterprises are already doing it. It is now time for the US to take the lead in advocating it globally to create a clear delineation of standards for trusted identities across borders and geographies.
If we continue to ignore it, we will continue to be plagued by knowledge-based credential theft, data theft and identity theft similar to what we experienced with the OPM hack, the NSA hack, Equifax, Yahoo, and the list goes on.