President Trump on Friday called on private companies to take a more active role in U.S. cybersecurity, a major shift that raises legal and practical questions about how companies would get involved in the nation’s closely guarded cyberoperations.
The directive was part of the Trump administration’s new National Cybersecurity Strategy, which lays out the federal government’s cyber priorities and policy prescriptions.
Currently, the government can contract with private companies to develop elements of its cyberoperations. But the new strategy, which includes a signed introduction by the president, would dramatically expand the role of companies in cyberwarfare. It says that the United States will “unleash” companies to “disrupt adversary networks.”
The strategy differs from those of past administrations in other key ways, including its lack of attention to China and Russia, which in the past have targeted key U.S. infrastructure. It is also only seven pages long — 32 pages shorter than the cyber strategy the Biden administration published in 2023.
The document contains more conventional goals, such as streamlined regulations, modern government networks, more secure infrastructure and a skilled cyber work force. And it calls for using artificial intelligence to “detect, divert, and deceive threat actors.”
Every administration since President George W. Bush’s, which published a Strategy to Secure Cyberspace in 2003, has issued some kind of cyber strategy.
The Trump administration is expected to release a series of executive orders to accompany its strategy. The first such order, signed by the president on Friday, addressed online scams and other cybercrime.
Because Mr. Trump has yet to sign an order on private companies and cyber, it is unclear what role companies would take in the country’s efforts. Among the ways that companies could be deployed would be in so-called offensive attacks, when the entity conducting a cyber operation breaches and disrupts an adversary’s infrastructure.
The strategy “doesn’t rule out the possibility of industry hacking back or engaging in offensive operations,” said Lauryn Williams, a cybersecurity expert at the Center for Strategic and International Studies who held senior roles overseeing cybersecurity policy in the Biden administration. Hacking back refers to an approach that would allow companies to conduct retaliatory cyberattacks after coming under attack by foreign adversaries.
It is illegal for companies to conduct offensive campaigns online, and lawmakers have discussed changing the law to allow companies to engage in offensive cyberattacks, even as experts caution against such moves.
It is also unclear if the Trump administration has made overtures to Congress to address these legal barriers, said Ms. Williams.
The more worrisome question for private companies, she said, was how the administration would ensure that companies that engage in offensive cyberattacks in response to being hacked are not then subject to retaliatory attacks by foreign adversaries.
Mark Montgomery, a retired rear admiral and the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said he was waiting for the administration to clarify how it planned for private companies to be involved in cyberwarfare.
“We just need to be careful,” he said. “It doesn’t mean the private sector can’t be involved in responding.” But if it does take on a role in the United States’ cyberwarfare, he added, it would need direct military oversight.
.
The new cyber strategy continues the Trump administration’s unconventional approach of discussing cyberoperations, a topic that previous administrations alluded to more discreetly.
“We’ve seen unprecedented public acknowledgment of cyber operations following Venezuela, following Iran,” Ms. Williams said, referring to recent military operations Mr. Trump ordered in those countries.
In the strategy, Mr. Trump reiterates the role cyberwarfare played in the operation to capture President Nicolás Maduro of Venezuela in January, and in the U.S. strikes on Iranian nuclear facilities last summer.
“Adversaries are on notice that America’s cyber operators and tools are the best in the world, and can be swiftly and effectively deployed to defend America’s interests,” the strategy says.
Those adversaries are not identified. The Trump administration’s National Security Strategy, which was released last December, also avoids confronting China.
“This is a consistent problem in the Trump administration,” Admiral Montgomery said.
China has repeatedly targeted U.S. public and private infrastructure, most notably with the Salt Typhoon attacks, which may have stolen information from nearly every American, and the Volt Typhoon attacks, which could disrupt U.S. military operations.
China’s presence, or lack thereof, in the cyber strategy does not affect the United States’ ability to take action against the country, Admiral Montgomery said. But, he added, “you lose deterrent opportunity when you don’t name the adversary.”
Adam Sella covers breaking news for The Times in Washington.
The post Trump Calls On Private Companies to Take On a Bigger Role in Cyber appeared first on New York Times.
