U.S. To Go on Offense in Cyberspace, Bolton Says

National Security Adviser John Bolton (Andrew Harnik/AP File Photo)

The strategy comes shortly after a directive that reduced interagency checks before a U.S. cyber strike.

Nations that attack the U.S. in cyberspace should know that the U.S. will strike back, National Security Adviser John Bolton said Thursday while introducing a new national cybersecurity strategy.

At the core of that strategy, Bolton said, is a promise that the U.S. will strike back, either in cyberspace or elsewhere, when it’s attacked.

“For any nation that’s taking cyber activity against the United States, they should expect…we will respond offensively as well as defensively,” Bolton told reporters in advance of the strategy’s unveiling.

Bolton echoed warnings from the Obama administration that retaliation for cyber strikes could come in a variety of ways, such as sanctions, criminal indictments and naming and shaming on the world stage.

He suggested strongly, however, that a higher proportion of retaliatory acts will take place in cyberspace.

“It’s important for people to understand that we’re not just on defense as we have been on defense for a period of time,” Bolton said.

The release of the cyber strategy comes just a few weeks after President Donald Trump rescinded an Obama-era presidential policy directive, known as PPD-20, which mandated a lengthy interagency process before greenlighting any offensive cyberattacks.

Going forward, Bolton said, the authority to launch offensive cyber operations will reside in the agencies authorized to launch them, namely the Defense Department and intelligence agencies.

Bolton declined to say if the U.S. is preparing offensive cyber operations against any of its main cyber adversaries: Russia, China, Iran and North Korea.

He stressed that the goal of loosening restrictions on offensive cyber operations is not to bolster cyber conflict but to make adversaries think twice before launching a first strike.

The goal, Bolton said, is “to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.”

The Obama administration reportedly launched a handful of offensive cyber operations, especially aimed at disabling the development and advancement of nuclear weapons programs in Iran and North Korea. The Pentagon also acknowledged conducting offensive cyber operations aimed at disrupting recruitment and operations by the Islamic State.

Obama-era officials were hesitant to rely too much on offensive cyber operations as a deterrent out of concern the ensuing conflict would get out of hand.

The U.S. is the world’s most-connected nation and so also its most vulnerable. That means the U.S. is likely to come out behind in a tit-for-tat cyber conflict.

The U.S. may claim credit for some offensive cyber operations, but may conceal its involvement in others, Bolton said. He declined to describe what those offensive operations would look like.

The full cyber strategy had not been formally released as of 4 p.m. Thursday.

The strategy generally follows priorities of the administration’s National Security Strategy, Bolton said, and includes sections focused on protecting American innovation in cyberspace and strengthening the U.S. cyber workforce.

Separately during the call, Bolton defended his decision to eliminate the position of White House cyber coordinator, saying it was duplicative of a senior director for cybersecurity position in the National Security Council.

That move was highly controversial among cyber practitioners and former federal officials who worried it would lead the administration to be too bellicose in cyberspace and not consider possible negative consequences.