For Immediate Release September 20, 2018
PRESS BRIEFING
ON THE NATIONAL CYBER STRATEGY
James S. Brady Press Briefing Room
3:03 P.M. EDT
MR. MARQUIS: Hello, everybody. We're here today to talk about the National Cyber Strategy. Ambassador Bolton will be providing the briefing. This is off camera; it is on record, of course. It is embargoed until 4 o'clock. If you have follow-up questions, you can email myself, of course, or Lauren. Any other questions, let us know. Otherwise, the Ambassador will make a few remarks, he'll then take Q&A, and we'll have about 20 minutes or so. Thank you.
AMBASSADOR BOLTON: Well, thanks. Thanks very much, Garrett. Thanks for everybody for coming. This is to announce the President's signature on the cyber strategy, which will be made public shortly. And so I have a few prepared remarks and then we'll do some questions.
Americans and our allies are under attack every day in cyberspace. Malicious nation-state, criminal, and terrorist actors seek to steal our intellectual property and our personal information, damage our infrastructure, and even undermine our democracy through the use of cyber tools.
In May 2017, the WannaCry ransomware infected hundreds of thousands of machines in 150 countries, grinding global business to a halt, and causing billions of dollars in damage.
The following months saw the outbreak of the NotPetya malware, which wiped data from banks, energy companies, and even an airport.
But it's not just businesses that fall victim to cyber threats. This past March, the city of Atlanta was hit, forcing mission-critical services offline for months, and causing millions of dollars in damage. Americans living there couldn’t perform basic online tasks with local government, like paying water bills and parking tickets.
America invented the Internet. It has brought prosperity and productivity to American lives and those across the world. Going forward, we must do more to ensure it is secure and remains an engine of American growth.
Today, the President signed the National Cyber Strategy, the first fully articulated cyber strategy in 15 years. I'd like to provide you with a top-level outline before it's released to the public.
Since President Trump took office, he has acted decisively to strengthen the American response to the challenges presented by cyberspace. Under his watch, the United States has sanctioned malign cyber actors, indicted cyber criminals, placed public blame on those responsible for malicious activity, released public warnings on dangerous digital tools, and improved the security of government systems.
Last year, he signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which enhanced our understanding of the strategy required to improve our nation's cybersecurity. We release that strategy today.
It recognizes that private and public entities have struggled to secure their systems as adversaries have increased the frequency and sophistication of their malicious cyber activity. The strategy acknowledges that overcoming these challenges and securing cyberspace will require technical advancements, a thriving tech sector, and improved efficiency across the public and private information technology communities.
The strategy directs the federal government to take action that ensures long-term improvements to cybersecurity for all Americans. Recognizing that cyber must be integrated into other elements of national power, the strategy is structured around the four pillars of the National Security Strategy. Each of the four pillars includes a number of focus areas with associated priority actions to secure and preserve cyberspace.
Pillar number one is "Protect the American People, the Homeland, and the American Way of Life." We will manage cybersecurity risks to increase the security and resilience of the nation's information and information systems, and we'll do this by taking specific steps to secure our federal networks and information, secure critical infrastructure, combat cyber crime, and improve incident reporting.
The second pillar is "Promoting American Prosperity." We will preserve American influence in the technological ecosystem, and the development of cyberspace as an open engine of economic growth, innovation, and efficiency.
To do this, we will foster a vibrant and resilient digital economy, foster and protect American ingenuity, and develop a superior cybersecurity workforce.
The third pillar is "Preserve Peace Through Strength." We will identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace. To achieve this, we will enhance cyber stability through norms of responsible state behavior, and attribute unacceptable behavior in cyberspace.
We intend to, through both offensive and defensive cyber actions, to create structures of deterrence that will reduce malign behavior in cyberspace. And in connection with this strategy that we announce today, we have previously, through the signature of the President, repealed what is known as PPD-20, an Obama administration presidential directive on offensive cyber operations. Our presidential directive effectively reversed those restraints, enabling offensive cyber operations through the relevant departments. This is consistent with Section 1642 of the National Defense Authorization Act, which paid particular attention to intrusive cyber operations by China, Russia, Iran, and North Korea.
The fourth pillar is "Advancing American Influence." We will preserve the long-term openness, interoperability, security, and reliability of the Internet, which supports and is reinforced by United States interests. We will take specific global efforts to promote these objectives, while supporting market growth for infrastructure and emerging technologies, and building cyber capacity internationally.
That basically concludes the unclassified strategy. There is a classified annex, which of course I can't talk about, but which reinforces, in many respects, the rescinding of the Obama administration directive on offensive cyber operations.
The strategy takes effect today. Agencies will execute their missions informed by its guidance, and National Security Council staff will coordinate its implementation.
So I'd be happy now to take a few questions. Yes, ma'am.
Q Ambassador Bolton, thank you for hosting this briefing. I wanted to ask you: Earlier this year, right around the time that you took your current position, the White House eliminated the position of Cybersecurity Coordinator at NSC. First of all, how do you think that that effectively enhances security? How is that not counterproductive?
I also wanted to ask, in regards to North Korea, you mentioned --
AMBASSADOR BOLTON: Well, why don't I answer that question first, if that's all right.
I inherited a structure in the National Security Staff that was duplicative and overlapping. It was -- one of the things that I wanted to do was eliminate the duplication and overlap. My analysis, I might say, was essentially the same as my predecessor, General McMaster. For reasons entirely beyond his control, he was unable to fix it; the opportunity fell to me, and I fixed it.
The structure of the National Security Council, for those of you who don't know, through its staff, is that, to carry out the NSC staff responsibility of coordinating the development and implementation of policy, we do it through a series of directorates, which are led by senior directors.
So there are, for example, directorates of intelligence. There's a directorate of intelligence. There's a directorate of counter-proliferation. There's a directorate for defense. There's a directorate for resilience that handles some of the things we just went through with Hurricane Florence. There's a directorate for Western Hemisphere affairs. There's a directorate for Europe and Russia. There's a directorate for international organizations. And there is a directorate for cybersecurity.
Each of these directorates is headed by one or more senior directors. In the case of cyber, two senior directors. The function of the senior directors is to coordinate the development and implementation of policy. So there's a senior director for defense. There's no coordinator for defense. There is a senior director for intelligence. There is no coordinator for intelligence. There is a senior director for Asia and the Pacific. There is no coordinator for Asia and the Pacific. And now, today, there are senior directors for cyber and no coordinator. And, you know, the whole thing works.
MR. MARQUIS: But just, real quickly, this briefing and Q&A is only on cyber. So please avoid all questions --
Q It's a question about the WannaCry.
MR. MARQUIS: So please avoid all questions that don't focus on cyber. Thank you.
Q Okay. I did want to follow up then --
AMBASSADOR BOLTON: You can try. Go ahead.
Q You mentioned the WannaCry attack. Obviously, North Korea has denied involvement in that. But looking forward, is that something that is going to come up in future conversations with North Korea -- cybersecurity?
AMBASSADOR BOLTON: Well, I'll just put it this way: For any nation that's taking cyber activity against the United States, they should expect -- and this is part of creating structures of deterrence, so that it's publicly known as well -- we will respond offensively as well as defensively. And beyond that, I'm just not going to go at this point.
Q Ambassador, is there a price tag attached to this? Do you need funding for these things? And separately but sort of related, can you describe how this policy, and also the recent cybersecurity policy from the Pentagon, envisions the military's role in protecting companies or others from cyberattacks?
AMBASSADOR BOLTON: Well, the question of budget authority is something that we do not address in any strategy that we do. This is -- the budget questions are resolved through the annual OMB process. Obviously, we are redirecting resources into the cyber area. But as that comes up in the annual budget process, that's how that's done.
The Pentagon strategy is actually the implementation of the new presidential directive that I mentioned reversing, PPD-20. And so their actions and those of other departments outside the intelligence community, which conducts its own operations under separate authority, are covered by the new presidential directive.
Q Thank you, Ambassador Bolton. The GAO report just recently came out, and had real concerns about a unified cyber strategy as it relates to the whole of federal government, particularly as it comes from the White House. There have been concerns --
AMBASSADOR BOLTON: Sorry, who was concerned about that?
Q GAO, the Government Accountability Office, as well as some on the Hill -- some members of Congress who have said, hey, this is just too piecemeal; there's too many people doing too many things.
How do you respond to that particular criticism? And what does this plan that you're rolling out today do to bring the whole-of-government response in a more unified way?
AMBASSADOR BOLTON: Right. Well, that's the purpose of a government-wide strategy. And, you know, we have to say, we wish this could have been written and put in place beforehand. I've been here five months; I'm doing the best I can.
The fact is that the cyber threat is government-wide, and so there's no doubt there are a large number of government agencies involved. And each has their responsibility. That's one reason why writing a strategy like this, which was and should be coordinated with all the agencies involved, takes some time to do.
But I'm satisfied that this allows us the comprehensive look at strategy across the entire government. Each agency knows its lane and is pursuing it vigorously. That's true in the unclassified world, and it's true in the classified world as well. It's the function of the National Security Council process and the staff to make sure, now, that this policy is implemented. And that's what we'll be doing.
Yes, sir.
Q Thank you, Ambassador. Last week, or a few days ago, when you rolled out the biosecurity strategy, there was a -- you named HHS as a coordinating role. Is there a similar coordinating agency for the cyber strategy, number one?
And then, number two, if you can -- you mentioned the rescission of PPD-20, and that the strategy takes effect today. Does that mean that the potential for offensive cyber operations -- is this a warning-shot to the world that, starting from today on, those could begin?
AMBASSADOR BOLTON: Well, the cyber strategy takes effect today. The rescission of PPD-20 took place several weeks ago. So work has begun since then.
In terms of the comparison between biodefense and this, in the realm of biodefense, because of its discrete nature, we felt that a lead agency approach made sense. In cyber, we think this is such a broad area, with so many agencies involved, that each should proceed in its particular area of expertise.
So Treasury and the financial markets area, for example. DHS has a huge role in this, in preserving and protecting information technology systems in many other areas. The military and intelligence government systems are protected in their own realms. And it was in that context that we determined there would not be one lead agency because so many are involved.
Yes, sir.
Q Sir, yeah, just to follow up --
AMBASSADOR BOLTON: Sorry, did I not answer --
Q I just had one slightly separate question, sorry. There was a report out, just minutes ago, that Google has confirmed that it has detected state-based actors attempting to hack the personal accounts of senators and lawmakers on Capitol Hill. I was hoping, given that the, sort of, breaking news, you might be able to address that. Is that something the White House is monitoring? And how does the White House plan to address situations like that?
AMBASSADOR BOLTON: Yeah, I think it's, at this point, not appropriate for me to comment. But in due course, there may be -- I'd rather confine it just to the strategy now.
Q Just to follow up on -- two questions. The first, to follow up on what Zeke asked, according to PPD-20 -- the Obama administration shied away from saying this, but I'll ask it you point-blank: Are we engaged in cyberwar with those who stand opposed to us?
AMBASSADOR BOLTON: Well, I wouldn't accept that characterization. What I have said, and what I would stress -- and I think it is important that our adversaries know it and that publics know that our adversaries know it -- is we have authorized offensive cyber operations that will be undertaken through the coordination process in the new presidential directive, and that we have determined, the President has determined it's in our national interest to do that -- not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.
Q And then, the follow-up to something that you said earlier -- experts in cyber say that the only really way to harden our systems, or the Internet, is to put certain information in silos that can't be accessed by the Internet. Are we taking those steps towards securing the Internet, or securing our cyber operations?
AMBASSADOR BOLTON: Well, I'll tell you two things. Number one, there's a lot that's going on in the classified world that I'm not going to talk about --
Q Well, I thought I might try. (Laughs.)
AMBASSADOR BOLTON: Always worth the try.
And second, nobody should be under the impression that if you take certain defensive measures, that you've solved the problem. The history of conflict like that is that for every defensive measure, an offensive countermeasure is developed, and it goes on and on.
So it's a continuous process. And in this sense, like the biodefense strategy, this cyber strategy document is intended to be living. We will be reviewing it periodically to make sure that it remains up to date. I think the fact that it's the first time in 15 years that there is a comprehensive government strategy speaks to the need for this kind of thing and why it needs to be kept up to date.
Yes, sir.
Q General Nakasone at NSA has said that his biggest fear isn’t a cyberwar but a hybrid war. Do you share that assessment? And what you're doing today, does that take that sort of view of what we may be facing?
AMBASSADOR BOLTON: Sure. I think, again, a lot of this is in the classified world, but some hostile state actors view cyber as an asymmetric way to come against the United States. And we need to have that in mind. And it's also the case that not every response to a cyberattack would be in the cyber world. It is part of the range of instruments of national power that we have, and it's part of our strategic analysis that we're going to use the means we deem appropriate to create these structures of deterrence as we try and do in so many other areas, but to create them in cyberspace as well.
Yes, sir.
Q What assurances can you give that cyberattacks won't affect or influence the midterm elections?
AMBASSADOR BOLTON: Well, I'd just refer you back to the briefing that we held here some weeks back, where you heard from Director of National Intelligence, Dan Coats, and others as to the steps we've taken at the direction of the President. I think everybody who was there -- Kirstjen Nielsen, General Nakasone, Chris Wray of the FBI -- all said that they and their departments and agencies were fully alert to all of this. That remains the case, right up to and including today.
And it's one of the reasons why our decision to reverse this PPD-20 from the Obama administration on offensive cyber actions, we think, is so important. Our hands are not tied as they were in the Obama administration.
Yes, ma'am.
Q Thank you. So you've been talking a lot about offensive action, and I realize -- I'm not asking for any specifics, but just for the public and for the people that you're talking to, what type of offensive actions could the U.S. take in the cyber realm? And also, how will these decisions be made? I know that it will be case by case. But will, say, a cyberattack on a city government or the U.S. government be treated differently than a cyberattack on a private company?
AMBASSADOR BOLTON: Well, I don’t -- I wouldn’t want to analogize myself to General Schwarzkopf entirely, but I remember, before the first Gulf War, he was asked by a reporter, "Would you tell me what the weakest point of your strategy is?" (Laughter.) And he said, "No, actually, I won't answer that." You know, we're going to do a lot of things offensively, and I think our adversaries need to know that. Some of the things we may well be in a position to talk about publicly; others we may well not be in a position to. So I wouldn’t want to prejudice that.
I just think it's important for people to understand that we're not just on defense, as we have been primarily on defense for a period of time.
Q And what about how the decisions are made? Like what -- will they be treated differently and --
AMBASSADOR BOLTON: Well, there's a process that's laid out in the presidential directive. It's very different from PPD-20. And we hope we'll provide the necessary coordination and direction, but still enable these operations to be conducted in a timely fashion.
Q Thank you, Ambassador Bolton. Does that mean we're going to see more aggressive offense from the U.S. side to potential threat from -- including like retaliation to the cyberattack?
AMBASSADOR BOLTON: Yes.
Q Yes. And secondly, there are reports about more aggressive cyberattack from China to Taiwan. And in the strategy, is there consideration of talking to the counterpart in Asia regarding this issue?
AMBASSADOR BOLTON: Well, there will be consultations -- there have been already -- with our friends and allies, because many of us are vulnerable to the same hostile actions. And I think it's very important that we work through our alliance structures, where we can do that. And I think that's part of the deterrent effect that our adversaries ought to think about, that we do have a robust structure of international alliances, and we intend to keep them strong in cyberspace.
Yes, ma'am.
Q Thank you, Ambassador Bolton. When you say the word "offensive" -- we're being more aggressive with cyberattacks and prevention -- to some Americans, that might bring up a fear that their personal privacy might be invaded upon. How can you ensure to them that that won't infringe on their own rights as Americans?
AMBASSADOR BOLTON: Because we're talking about actions versus our foreign adversaries. That's what the nature of this is about. It has absolutely nothing to do domestically. The fact is that many Americans' privacy is at risk now from the actions of hostile foreign actors.
You may recall seeing about the hacking of the Office of Personnel Management by China, where potentially millions of personnel records -- my own included, and maybe some of yours, from former government employees -- has now found a new residence in Beijing.
That's the kind of threat to privacy from hostile foreign actors that we're determined to deter. We're not looking for continued hostility. We're looking to create powerful deterrence structures that persuade the adversary not to strike in the first place.
And we'll take one more here.
Q Yes. So I have a question. Is there any protections for foreign civilians as part of this? And just following up on Emerald, is there any way to --
AMBASSADOR BOLTON: Depends on whether they're hostile-acting against us, basically.
Q So can you describe the protections for foreign civilians? Like, the private sector information, and how you would (inaudible) that are stored overseas?
AMBASSADOR BOLTON: Well, look, to the extent that the military is involved, they follow the same rules and strictures that they do in other military operations. That's the purpose of our new presidential directive, to try and put this capability into the cyber world. And we think we've done that. So the people who need to be worried about this are the people who have taken or were preparing to take hostile actions in cyberspace against us, whether it's foreign states, terrorist organizations, criminal organizations, or whatever it might be.
Okay, thank you all very much. Appreciate it.
END 3:27 P.M. EDT