• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • Future Issues and Technology Cluster
    • [email protected] Newsletter
    • Other Research
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • International Strategy Forum-Asia (ISF-Asia)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Great Powers
    • Sustainable Security
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • Future Issues and Technology Cluster
      • [email protected] Newsletter
      • Other Research
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • International Strategy Forum-Asia (ISF-Asia)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Great Powers
      • Sustainable Security
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • IP23042 | Cyberspace and American Power – The US Cybersecurity Strategy 2023
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    IP23042 | Cyberspace and American Power – The US Cybersecurity Strategy 2023
    Kevin Chen Xian An

    26 May 2023

    download pdf

    The authors’ views are their own and do not represent the official position of the Institute of Defence and Strategic Studies of the S. Rajaratnam School of International Studies, NTU. These commentaries may be reproduced with prior permission from RSIS and due recognition to the authors and RSIS. Please email to Editor IDSS Paper at [email protected].

     


    In response to mounting concerns about cyberattacks, the Biden administration launched its National Cybersecurity Strategy on 2 March 2023. The 2023 strategy echoes numerous aspects of its predecessors but also diverges from them in significant ways. KEVIN CHEN XIAN AN traces the evolution of these strategies to give a sense of where US strategic thought on cybersecurity is heading and how Washington increasingly views cyberspace.

     

     

     

    COMMENTARY

    The United States has come under increasing threat from online actors in recent years. The Federal Bureau of Investigation reported that ransomware attacks, in which cybercriminals block access to a network until a sum of money is paid, affected at least 649 organisations across 14 of America’s 16 critical infrastructure sectors in 2021. One such attack on Colonial Pipeline in May 2021 forced the company to temporarily shut down all its pipeline operations, resulting in widespread fuel shortages.

    Given the rising threat of cyberattacks, the launch of the National Cybersecurity Strategy on 2 March 2023 by President Joe Biden was a welcome development. At first glance, the document shares numerous aspects with its predecessors, but observers should view these similarities – as well as differences – in context. From market-driven to government-regulated, and defensive to aggressive, the 2023 strategy is not old wine in a new bottle, but the next stage in US strategic thought.

    The Evolution of US Cybersecurity Strategy

    The foundation of US cybersecurity strategy is “the healthy functioning of cyberspace”, as stated in the 2003 National Strategy to Secure Cyberspace. The 2003 document cautioned that increasing digitalisation left the US economy vulnerable to cyberattacks and it sought to prevent or minimise the damage from such incidents. At the time, the Bush administration’s focus on crisis response pointed to a defensive approach to cyber incidents. Instead of an element of US national power to be applied in pursuit of national objectives, cyberspace was treated as a platform for other forms of power. Simultaneously, the strategy emphasised that the government should “lead by example”, instead of by regulation, thus allowing market forces to compel private action.

    This defensive approach was discarded in the 2018 National Cyber Strategy under President Donald Trump. His strategy still called for only a limited government role, but it accused specific challengers (Russia, China, Iran, North Korea) of undermining America’s economic and political system through cyberattacks. In doing so, the 2018 strategy explicitly highlighted the political dimension of cyberattacks.

    Public statements by then National Security Advisor John Bolton hinted that the political restraints surrounding retaliatory cyberattacks by the US Cyber Command were removed by the Trump administration, allowing them to undertake operations to create “structures of deterrence”. This marked the first time that discourse on cyber operations was couched in Cold War–era notions of deterrence. While doubts still persist about whether deterrence works in cyberspace, Washington clearly shifted towards a more aggressive stance on cybersecurity under Trump.

    IP23042
    The US Cybersecurity Strategy 2023 under the Biden administration shares several similarities with previous strategies but takes on a distinctly more aggressive and government-regulated approach compared to its predecessors. Image from Unsplash.

    The 2023 Strategy in Perspective

    The 2023 strategy at the outset reads like an updated version of its predecessors. Its first pillar reiterates the need to defend critical infrastructure through features such as zero-trust principles, which institute strict authentication requirements. Its second pillar discusses ways to “disrupt and dismantle threat actors”, ranging from “cyberspace operations” intended to deter attacks to “disruption campaigns” such as law enforcement efforts to render cybercrime unprofitable. Rather than downplaying the aggressiveness of the 2018 strategy, the Biden administration appears to echo its treatment of cyberspace as an element of US national power.

    Differences between the two strategies become apparent in the fourth pillar, principally due to Biden’s political goals. For example, both the 2018 and 2023 strategies identify supply chain risks as a concern when building new infrastructure. However, the 2023 strategy goes further to prioritise clean energy due to its importance as a key sector for US competitiveness. The 2023 strategy also makes more specific references to how cybersecurity is integrated into legislation passed under the Biden administration, including the Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act and the Inflation Reduction Act.

    Under the fifth pillar, the 2023 strategy names specific mechanisms such as the Quadrilateral Security Dialogue (Quad) and Indo-Pacific Economic Framework for Prosperity (IPEF) as partnerships where the US can advance cybersecurity cooperation. By comparison, the 2018 strategy’s equivalent pillar only called for cooperation with “like-minded partners” under the ominous title of “advancing American influence”.

    Still, the 2023 strategy stands out most in its third pillar, which eschews market forces in favour of regulatory frameworks to address cybersecurity failures. The strategy aims to reallocate the responsibility for securing cyberspace from individuals and small companies, which have limited resources, to “the biggest, most capable, and best-positioned actors” in the US digital ecosystem. Details are still emerging about how this concept of liability will be applied, but it still marks a significant departure from previous strategies.

    Implications of the 2023 Strategy

    The 2023 strategy’s call for assigning liability for cyber failures represents a fundamental reimagining of America’s cyber strategy. From defensive, market-driven beginnings, the shift towards an aggressive, regulation-driven approach to cybersecurity points to an acknowledgement that cyberspace is both an integral component of US national power and an arena that must be defended.

    Legislation on liability requirements is likely to face implementation issues, including resistance from industry actors and political opposition from the Republican-controlled Congress. Still, some observers have applauded the move as a necessary measure, comparing its significance to Grimshaw v. Ford Motor Company, a 1978 lawsuit over safety flaws in Ford Pinto automobiles. Ford lawyers argued that their client did not intend to cause injuries to their customers, but it was ruled that Ford failed to address a known flaw in the Pinto model. The same logic may prevail in cybersecurity if software standards are clearly defined.

    For international observers, a more troubling question concerns US cyber operations. It is unclear how offensive operations will be squared with US efforts to promote norms for responsible state behaviour with its partners, especially given the challenge of ensuring cyber operations do not spiral out of control. The onus will be on US partners, including Japan and ASEAN, to discuss such matters further during platforms such as the ASEAN-US Cyber Policy Dialogue.

    Kevin CHEN Xian An is an Associate Research Fellow in the US Programme at the Institute of Defence and Strategic Studies, S. Rajaratnam School of International Studies (RSIS).

    Categories: IDSS Paper / Cybersecurity, Biosecurity and Nuclear Safety / International Politics and Security / Americas

    Last updated on 26/05/2023

    The authors’ views are their own and do not represent the official position of the Institute of Defence and Strategic Studies of the S. Rajaratnam School of International Studies, NTU. These commentaries may be reproduced with prior permission from RSIS and due recognition to the authors and RSIS. Please email to Editor IDSS Paper at [email protected].

     


    In response to mounting concerns about cyberattacks, the Biden administration launched its National Cybersecurity Strategy on 2 March 2023. The 2023 strategy echoes numerous aspects of its predecessors but also diverges from them in significant ways. KEVIN CHEN XIAN AN traces the evolution of these strategies to give a sense of where US strategic thought on cybersecurity is heading and how Washington increasingly views cyberspace.

     

     

     

    COMMENTARY

    The United States has come under increasing threat from online actors in recent years. The Federal Bureau of Investigation reported that ransomware attacks, in which cybercriminals block access to a network until a sum of money is paid, affected at least 649 organisations across 14 of America’s 16 critical infrastructure sectors in 2021. One such attack on Colonial Pipeline in May 2021 forced the company to temporarily shut down all its pipeline operations, resulting in widespread fuel shortages.

    Given the rising threat of cyberattacks, the launch of the National Cybersecurity Strategy on 2 March 2023 by President Joe Biden was a welcome development. At first glance, the document shares numerous aspects with its predecessors, but observers should view these similarities – as well as differences – in context. From market-driven to government-regulated, and defensive to aggressive, the 2023 strategy is not old wine in a new bottle, but the next stage in US strategic thought.

    The Evolution of US Cybersecurity Strategy

    The foundation of US cybersecurity strategy is “the healthy functioning of cyberspace”, as stated in the 2003 National Strategy to Secure Cyberspace. The 2003 document cautioned that increasing digitalisation left the US economy vulnerable to cyberattacks and it sought to prevent or minimise the damage from such incidents. At the time, the Bush administration’s focus on crisis response pointed to a defensive approach to cyber incidents. Instead of an element of US national power to be applied in pursuit of national objectives, cyberspace was treated as a platform for other forms of power. Simultaneously, the strategy emphasised that the government should “lead by example”, instead of by regulation, thus allowing market forces to compel private action.

    This defensive approach was discarded in the 2018 National Cyber Strategy under President Donald Trump. His strategy still called for only a limited government role, but it accused specific challengers (Russia, China, Iran, North Korea) of undermining America’s economic and political system through cyberattacks. In doing so, the 2018 strategy explicitly highlighted the political dimension of cyberattacks.

    Public statements by then National Security Advisor John Bolton hinted that the political restraints surrounding retaliatory cyberattacks by the US Cyber Command were removed by the Trump administration, allowing them to undertake operations to create “structures of deterrence”. This marked the first time that discourse on cyber operations was couched in Cold War–era notions of deterrence. While doubts still persist about whether deterrence works in cyberspace, Washington clearly shifted towards a more aggressive stance on cybersecurity under Trump.

    IP23042
    The US Cybersecurity Strategy 2023 under the Biden administration shares several similarities with previous strategies but takes on a distinctly more aggressive and government-regulated approach compared to its predecessors. Image from Unsplash.

    The 2023 Strategy in Perspective

    The 2023 strategy at the outset reads like an updated version of its predecessors. Its first pillar reiterates the need to defend critical infrastructure through features such as zero-trust principles, which institute strict authentication requirements. Its second pillar discusses ways to “disrupt and dismantle threat actors”, ranging from “cyberspace operations” intended to deter attacks to “disruption campaigns” such as law enforcement efforts to render cybercrime unprofitable. Rather than downplaying the aggressiveness of the 2018 strategy, the Biden administration appears to echo its treatment of cyberspace as an element of US national power.

    Differences between the two strategies become apparent in the fourth pillar, principally due to Biden’s political goals. For example, both the 2018 and 2023 strategies identify supply chain risks as a concern when building new infrastructure. However, the 2023 strategy goes further to prioritise clean energy due to its importance as a key sector for US competitiveness. The 2023 strategy also makes more specific references to how cybersecurity is integrated into legislation passed under the Biden administration, including the Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act and the Inflation Reduction Act.

    Under the fifth pillar, the 2023 strategy names specific mechanisms such as the Quadrilateral Security Dialogue (Quad) and Indo-Pacific Economic Framework for Prosperity (IPEF) as partnerships where the US can advance cybersecurity cooperation. By comparison, the 2018 strategy’s equivalent pillar only called for cooperation with “like-minded partners” under the ominous title of “advancing American influence”.

    Still, the 2023 strategy stands out most in its third pillar, which eschews market forces in favour of regulatory frameworks to address cybersecurity failures. The strategy aims to reallocate the responsibility for securing cyberspace from individuals and small companies, which have limited resources, to “the biggest, most capable, and best-positioned actors” in the US digital ecosystem. Details are still emerging about how this concept of liability will be applied, but it still marks a significant departure from previous strategies.

    Implications of the 2023 Strategy

    The 2023 strategy’s call for assigning liability for cyber failures represents a fundamental reimagining of America’s cyber strategy. From defensive, market-driven beginnings, the shift towards an aggressive, regulation-driven approach to cybersecurity points to an acknowledgement that cyberspace is both an integral component of US national power and an arena that must be defended.

    Legislation on liability requirements is likely to face implementation issues, including resistance from industry actors and political opposition from the Republican-controlled Congress. Still, some observers have applauded the move as a necessary measure, comparing its significance to Grimshaw v. Ford Motor Company, a 1978 lawsuit over safety flaws in Ford Pinto automobiles. Ford lawyers argued that their client did not intend to cause injuries to their customers, but it was ruled that Ford failed to address a known flaw in the Pinto model. The same logic may prevail in cybersecurity if software standards are clearly defined.

    For international observers, a more troubling question concerns US cyber operations. It is unclear how offensive operations will be squared with US efforts to promote norms for responsible state behaviour with its partners, especially given the challenge of ensuring cyber operations do not spiral out of control. The onus will be on US partners, including Japan and ASEAN, to discuss such matters further during platforms such as the ASEAN-US Cyber Policy Dialogue.

    Kevin CHEN Xian An is an Associate Research Fellow in the US Programme at the Institute of Defence and Strategic Studies, S. Rajaratnam School of International Studies (RSIS).

    Categories: IDSS Paper / Cybersecurity, Biosecurity and Nuclear Safety / International Politics and Security

    Last updated on 26/05/2023

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    more info