Jacob Shively
To cite this article: Jacob Shively (2021): Cybersecurity policy and the Trump administration,
Policy Studies, DOI: 10.1080/01442872.2021.1947482
Introduction
In June 2019, headlines signalled what appeared to be a remarkable change to American
cybersecurity policy (Sanger and Perlroth 2019). US government agencies had actively
developed access to critical Russian infrastructure and could, officials claimed, threaten
the Russian power grid. That the United States held such capabilities was unsurprising.
That officials leaked the implied threat was new. Previously, US officials worried that any
such leaks would reveal sensitive sources and methods. Now, per reporting, US officials
appeared frustrated by years of reactive policies and defending against constant attacks.
They wanted to adopt a more offensive posture. They also felt pressure to confront fallout
from Moscow’s 2016 disinformation campaign. Intelligence agents and at least one
organization affiliated with the Russian government apparently had obtained private
information from Democratic officials and, in opposition to candidate Hillary Clinton,
had spread false or misleading information through data networks and social media. President
Obama, still in office, led a relatively muted response and reached for diplomatic
tools like sanctions. Later, President Donald Trump showed little personal interest in
grappling with the fallout from this episode; nevertheless, three years later, Trump
administration officials now declared that they would approach national cybersecurity
with threats of proactive deterrence. Did this “defending forward” policy represent dramatic
change or mere tinkering within existing policy frameworks?
CONTACT Jacob Shively jshively@uwf.edu 1100 University Pkwy., Building 50, Pensacola, FL 32514, USA
© 2021 Informa UK Limited, trading as Taylor & Francis Group
This article evaluates the conditions under which national cybersecurity policy
changes or remains stable. For at least two decades, national-level policy makers have
known that cyberspace posed unique security challenges. For example, they have devel-
oped powerful capabilities vested in government organizations like the National Security
Administration (NSA), Department of Homeland Security (DHS), and U.S. CYBERCOM.
In theory, therefore, observers might expect new technological capabilities to
drive strategic and policy innovations (Ruggie 1975; Brimley, FitzGerald, and Sayler
2013; Saltzman 2013). In fact, as this article finds, national-level cybersecurity strategy
has more often than not proven constrained by existing conceptual, political, and stra-
tegic commitments. The following pages evaluate policy outcomes after two major
policy decision periods. In each, rather than revise policy categories and priorities
(such as espionage, warfare or property rights), policy makers interpreted the cyber
threat within existing categories. For instance, when officials initiated a more assertive
“defending forward” approach to cybersecurity, they still focused on traditional state
threats and old standards to define public national security threats versus private
responsibility.
These findings offer two contributions to the scholarship and practice of cybersecurity.
First, the article begins the work of overviewing US cybersecurity policy and strategy
during the Trump administration. Second, it demonstrates conceptual, strategic and
other constraints on senior policy makers. Namely, it finds that punctuated equilibrium
theory (PET) is a plausible framework to explain the relative stability of cybersecurity
policy in the face of constant pressure. Senior policy makers and strategists, for the
most part, built cybersecurity policies that fit within existing frameworks and concepts
rather than policies representing a fundamentally new policy framework.
Theory
Technology change and security policy inevitably interact (Akaev and Pantin 2014;
Herrera 2006). Though many scholars have grown skeptical that technology alone
drives war decisions, competing states’ capabilities often drive threat perceptions, some-
times to the point of arms racing (Lieber 2005; Colaresi, Rasler, and Thompson 2008;
Garfinkel and Dafoe 2019; Talmadge 2019). Access to new technology like cyber net-
working may not alter the basic likelihood of conflict, but it can embolden certain
types of aggression (Valeriano and Maness 2015; Slayton 2016/2017; Schneider 2019b).
Still, questions surround how such policy changes and how quickly it changes. Cyberse-
curity practitioners, tacticians, and other professionals constantly revise and update their
practices and policies. Does that translate into constantly evolving national policies?
Stated differently, is national cybersecurity policy flexible and easily mouldable, or is it
“sticky” and inflexible?
According to the punctuated equilibrium theory (PET), policymaking tends to display
both leaps and stasis (Baumgartner, Jones, and Mortensen 2014). Under this framework,
public discourse defines salient issues and affects whether existing policies are either
reinforced or questioned. In turn, policy entrepreneurs and others setting policy
agendas will find change either inhibited or facilitated, respectively. Through that
process, public and elite images of a given policy tend to be stable. In any given situation,
policy stability is more likely than policy change. One reason for this lies in a bounded
rationality approach to change. At most, humans can only focus on a few issues at
once; thus, “collectively, a shift in the object of attention can lead to a disjointed
change in preferred alternatives, even when the alternatives are well defined” (Baumgartner,
Jones, and Mortensen 2014, 69). Policy change is more often than not constrained by
the complexity of agreeing upon alternatives, by existing beliefs and images, and by the
normal limitations of human cognition. Overall, policymaking is “a continual struggle
between the forces of balance and equilibrium, dominated by negative feedback pro-
cesses, and the forces of destabilization and contagion, governed by positive feedback
processes” (Jones and Baumgartner 2012). These insights join an extensive literature
on policy and institutional inertia (Cioffi-Revilla 1998; Levinthal 1998; Goertz 2003;
Pierson 2004).
Existing scholarship on foreign policy and on technology innovation also offers insights
into how cybersecurity may emerge and change as a national security policy. Like PET,
this work reveals a propensity for relative policy stability and occasional moments of dra-
matic change amidst constant pressure. First, at any given point in time, inertia is likely to
define the broadest levels of national security policy. Whereas a new technology like
cyber introduces pressure for adaptation, a government’s articulation of change – such
as policies, institutions, strategies, and implementation – often lags or remains basically
stable. David Welch’s (2005) study of foreign policy, for instance, finds that loss-aversion
discourages leaders from enacting major change. Jeffrey Legro’s (2005) theory of foreign
policy idea change finds that unless an existing idea is perceived to have dramatically
failed and a single alternative is available, the status quo is likely to remain in place. In
a more recent study, Patrick Porter (2018) argues that after the shocks of the 1930s
and 1940s, the US foreign policy establishment adopted a new set of norms and conven-
tional wisdoms that have been consistently replicated by the foreign policy elite. Second,
when policy and other change happens, it tends to occur in big steps rather than incre-
mentally. Of course, incremental adjustments are common, but incrementalism is often
constrained within larger parameters. Jeffrey Lantis (2016), for instance, finds that state
leaders enjoy relatively wide agency to push new international norms when new technol-
ogies challenge existing standards and practices. Actual change, though, is often con-
strained within a limited window of opportunity. Mark Zachary Taylor (2016) finds
that domestic political interests will favour policy and innovative inertia unless and
until they perceive a serious external threat. He dubs this “creative insecurity.” This dove-
tails with older work (Samuels 1994) on “technonationalism,” which describes, for
example, Meiji Japan’s willingness to abruptly adopt an ideology fusing disruptive tech-
nological innovation and military expansionism.
Such findings reveal two patterns. In each, inertia tends to dominate outcomes.
Whereas individuals, organizations, businesses, or even governments themselves may
push relentless technological innovation, the professional incentives and ideational fra-
meworks of policy makers and bureaucracies prove far more “sticky.” Changing them
even under direct pressure is difficult. Adjustments are possible and common, but
• Sustained leader attention: the executive or another decisive policy figure must
advance or support the policy change consistently over time rather than during
either a single spike in attention or intermittently/unevenly.
• Systemic technological change: an emerging technology that affects interstate
interaction capacity.
• Systemic security change: baseline interstate threat perceptions change due to an
emerging issue or crisis.
Given these variables, if PET does offer useful predictions regarding national cyberse-
curity policy, the case studies will track with one of the three following scenarios. In the
first, (1) sustained leadership attention along with systemic political, technical and secur-
ity change creates the conditions for a “punctuated equilibrium” and the administration
achieves a dramatic break with “business as usual.” In other words, systemic conditions
align with policy entrepreneurship. In the second and third scenarios, those conditions
do not exist and Trump’s administration would have either (2) modified existing cyber-
security policy or (3) attempted major change that proved abortive or limited. Here,
ongoing adjustments and evolutionary adaptations are possible within policy inertia,
but they will be constrained or limited within the preexisting framework.
Alternative explanations of strategic policy change emphasize regular adjustments and
gradualism rather than periods of step-wise change. This article cannot actively test these
alternatives; however, they set the context in which PET may be a relatively more effective
theoretical framework. One ideal type, often associated with rationalism, would hold that
officials carefully respond to threats and changing circumstances. They consult experts,
work out cost–benefit calculations and so forth and then implement the new strategy
(Head and Alford 2013). The policy’s relative success or failure then leads to ongoing
adjustments. Periods of dramatic change are possible, but between such moments,
adjustments persist and policy at point B is not necessarily constrained by policy set at
point A. Second, an incremental or evolutionary view of policy change assumes that
policy makers, policy entrepreneurs, bureaucrats, and other agents push for their pre-
ferred changes even as the issue and the surrounding conditions continue to change.
Though largely abandoned among theorists, aspects of this “muddling through” frame-
work persist in applied fields (Bendor 2015). Policy “learning” is another framework in
which incremental or continuous change occurs (Moyson, Scholten, and Weible 2017).
Over time, dramatic changes emerge from this process. In fact, PET itself is a form of
evolutionary theory developed as an alternative to this gradualist concept of change. If
the PET predictions do not hold or display only weak correlations with the cases, then
it likely holds less explanatory power than these alternatives.
programme to sabotage North Korean missile tests with cyber and other electronic
attacks (Sanger and Broad 2017). Such tactics allowed indirect physical attacks and coer-
cive threats with low costs to political capital and low fears of escalation. Ultimately,
Trump bypassed this quiet approach. He opted to ramp up diplomatic and sanctions
pressure over the next year before agreeing to a summit with North Korean leader
Kim Jong Un. At home, high profile hacks and leaks continued. WikiLeaks released thou-
sands of files showing the Central Intelligence Agency’s capacity to use familiar items like
cellphones and televisions to conduct espionage (Miller and Nakashima 2017). Weeks
later, another group, Shadow Brokers, released stolen documents showing NSA
hacking practices and tools (Farrell 2017). Despite this constant pressure, basic policies
at the NSA, DHS and elsewhere continued as normal, in part because a number of mid-
and high level positions for political appointees remained unfilled. The Department of
Justice continued its practice of treating foreign hackers as criminals – rather than exis-
tential national security threats – and charged two Russians with a data breach against the
internet firm Yahoo (Associated Press 2017). The White House itself extended an
Obama-era executive order that had declared a national emergency designed “to deal
with the unusual and extraordinary threat to the national security, foreign policy, and
economy of the United States constituted by the increasing prevalence and severity of
malicious cyber-enabled activities” posed by foreign actors (Presidential Notice 2017).
In May, the administration released an expansive executive order (138000, 2017) that
addressed cybersecurity. It set out guiding principles for bureaucratic leaders and tech-
nical practitioners across the US government. Under this framework, cybersecurity
largely was a domestic “risk management” problem that could be mitigated with techni-
cal updates. Like previous administrations, the Trump White House identified critical
infrastructure as the strategic concern exposed by cyber connectivity. Agency heads
were given 90 days to send their respective assessment and mitigation plans to DHS.
They were instructed to refer to a set of guidelines created by the National Institute of
Standards and Technology (NIST) called the Framework for Improving Critical Technology.
Under this framework, technical updates should be identified and personnel should
be trained. In particular, the order suggested that US government agencies should con-
solidate their networks and IT services, such as email and cloud computing. In turn, DHS
recommended a series of internally-focused technical and organizational changes to miti-
gate cyber risks (Department of Homeland Security 2020).
The order also set out general strategic-level approaches to cybersecurity. As in other
administrations, it affirmed that executive branch policy is “to promote an open, inter-
operable, reliable, and secure internet that fosters efficiency, innovation, communication,
and economic prosperity, while respecting privacy and guarding against disruption,
fraud, and theft.” The order also indicated that the administration would entertain
changes to the government’s existing balance between defence and deterrence. As
under Obama, though, deterrence was left as a broad agenda rather than a clearly-
defined set of policies. The state, treasury and defence departments, among other organ-
izations, were to report back on this question. Agencies that regularly worked with inter-
national partners were also assigned to articulate their priorities regarding investigation,
attribution, and capacity building.
In sum, President Trump inherited from his predecessor a diplomatic as much as a
technical policy of loosely-defined cybersecurity deterrence. That policy approach
appears to have continued throughout the administration’s first year. Trump himself
rarely addressed cybersecurity, and when his team finally released a cybersecurity execu-
tive order, it prioritized technical, internal risk management. In turn, official policy
remained hazy about how the administration would approach cybersecurity in the
context of an outward-facing national security strategy. This is notable in the immediate
aftermath of Russia’s 2016 disinformation and hacking campaign. Overall, in its first
year, the Trump administration framed cybersecurity policy as a technological
problem with domestic solutions.
to set aside those constraints. Since the cyber environment favoured diffuse, low level
attacks, the US approach to deterrence would involve proactively identifying and mena-
cing threats as they emerged.
Russia became the first – but not the only – highly-visible target. In October and
November 2018, according to media reports, CYBERCOM conducted offensive cyber
operations against Russian networks. Whereas the Obama administration in 2016
shied away from direct reactions and turned to diplomatic responses, military officials
now proactively blocked cyberattacks and disinformation that they could trace back to
the “Internet Research Agency,” located in St. Petersburg, Russia (Nakashima 2019b).
US operatives also directly messaged individual Russians to demonstrate that they had
been identified and to dissuade their disinformation campaign. One US official stated
that “grand strategic deterrence” was less a goal in this operation than “inject[ing] a
little friction, sow[ing] confusion.” As in the prior case, deterrence as an operative cat-
egory remained broadly construed.
Practiced across the entire US national security apparatus, that type of offensive
behaviour would – officials appear to have reasoned – lead to broad, strategic deterrence.
As in 2017, deterrence itself remained a vaguely-defined strategy. It would also be
difficult to sustain and remain credible. In the middle of 2019, for instance, US
officials leaked details about capabilities to access the Russian electrical grid. The previous
policy was to develop offensive capabilities but avoid publicly advertising them for fear of
exposing trade secrets or triggering a tit-for-tat spiral akin to an arms race. That approach
reflected a reactive strategy for protecting critical national infrastructure. In their early
months, Trump officials accepted that basic policy. They reframed the approach as
“risk management.” Under “defending forward,” however, strategic planners reckoned
that without clearly demonstrating and using offensive, potentially overwhelming capa-
bilities, adversaries would steadily ratchet upward their cyber attacks. In familiar terms,
they employed the maxim, “the best defence is a good offence.” In turn, defending
forward also complemented the administration’s “maximum pressure” framework,
used most prominently in the trade war approach to China and particularly in efforts
to coerce Iran regarding its nuclear programme (Joobani and Daheshvar 2020; Nuruzzaman
2020). Under maximum pressure, the US administration claimed to apply all tools
available short of initiating direct violence in order to compel or coerce favourable policy
changes in the target country.
Tensions with Iran throughout 2019 illustrate the uses and constraints of “defending
forward.” Months after the midterm election and the Russia operation, the adminis-
tration faced a crisis with Iran, which apparently attacked two civilian cargo vessels
and, as tensions flared, shot down a US unmanned aerial vehicle. Later, Iran or one of its
proxies appeared to fire a missile barrage at a Saudi oil facility. White House officials
felt pressured to respond with traditional military force, but they worried about casualties
and, in turn, escalation or a long-term military commitment. At one point, US aircraft
were actually proceeding toward Iranian targets when the president abruptly changed
his mind and called off an airstrike. Along with verbal condemnations and deploying
several thousand troops to bolster existing positions in the region, the US president
agreed to launch a set of cyberattacks that had been developed over prior weeks or
months (Nakashima 2019a). At least two major attacks occurred in June and September
(Ali and Stewart 2019; Barnes and Gibbons-Neff 2019). They focused on intelligence
capabilities, the Iranian Revolutionary Guard Corps (IRGC), as well as other military
command and control systems. Summarizing extensive research, Valeriano and Jensen
(2019) argue that this type of cyber response to physical provocations was now a
common way for governments to de-escalate security tensions. At the turn of the year,
however, tensions in the physical world did escalate. Administration officials argued
that they must respond with force after an Iranian-backed militia aggression in Iraq
and a mob attack on the US Embassy, Baghdad. Trump ordered airstrikes across Iraq
against the militias and then, after the embassy attack, a drone strike that killed one of
Iran’s senior political and military figures, Qasem Soleimani, while he was visiting
Baghdad (Crowley, Hassan, and Schmitt 2020). Reports suggest that the US also
attempted at least one or two simultaneous kinetic strikes against Iranian targets in
the region. Iran responded with a large but relatively ineffective missile barrage against
US bases in Iraq. The crisis then quickly receded, though observers suspected that the
two governments would likely return to, and possibly escalate, their cyberattacks
(Kanno-Youngs and Perlroth 2020; Schneider 2019a). In short, “defending forward”
created a framework to respond assertively to digital and physical threats, but it did
not solve – and even may have exacerbated – the basic diplomatic and security questions
at hand.
Within a year of Trump’s administration revising PPD-20 and the DOD adopting
“defending forward,” the United States had repeatedly demonstrated its commitment
to offensive cyber capabilities. Officials publicly advertised or leaked their threats
against and attacks on specific actors. Trump and his team also drew upon cyber capa-
bilities as an alternative to military responses against Iran. Cyber attacks in that case
appear to have been calibrated to avoid physical escalation. If so, they also seem to
have failed, and the administration finally reached for dramatic, escalatory strikes,
including the killing of one of Iran’s senior political and military figures.
Overall, “defending forward” fit into a larger strategic approach. Cyber capabilities
themselves were not a leading priority. Rather, officials attempted to overhaul the US
national security policy to focus on traditional state and geopolitical threats. How
threats and responses would be determined was set at the level of national strategy.
Cybersecurity priorities followed. In theory, defending forward also included a call for
international cooperation and norms building, as with prior cybersecurity agendas, but
it presented no larger framework or context in which those should be developed. In prac-
tice, defending forward appears to have proven less dramatic than advertised. Namely,
the policy, at least as publicly known, tended to be limited to specific issues, such as
threats to the midterm election. In 2019, when a physical and cyber security crisis
with Iran ballooned, the administration reached for “defending forward” but ultimately
relied upon traditional tools of coercive statecraft. As observers might expect under PET,
without a fundamental change in the threat environment, the Trump administration
achieved marginal adjustments to national cybersecurity policy rather than a major step-
wise change.
Results
This article seeks to determine the conditions in which cybersecurity policy change is
likely, and it specifically tests whether PET is a plausible account of change or nonchange.
It observes three proximate variables that affect the likelihood of change: leader attention,
systemic technological change, and systemic security change. If any one of these cat-
egories remains stable when an administration seeks to change cybersecurity policy, its
efforts are likely to be constrained within the parameters of existing policies. The case
studies above reveal that PET does offer a plausible explanation for the Trump team’s
overall approach to cybersecurity policy. As described above under Theory, scenario
one (1) never materialized. Neither sustained leadership attention nor changing systemic
conditions emerged. Instead, scenarios two (2) and three (3) unfolded: respectively,
adjusted policy and abortive major change. The administration first adopted a lightly
modified version of the Obama approach to cybersecurity policy. Then, its later
attempt to deploy a more offensive cybersecurity policy represented a modification to
existing practices rather than a wholesale transformation. Through 2017 and into
2018, Trump administration policies treated cybersecurity as a technical, risk-manage-
ment problem. Approaches centred on domestic institutional procedures and practices.
This reframed but did not fundamentally alter the existing Obama-era approach. White
House officials up to the president did not prioritize cybersecurity relative to more tra-
ditional national security policies, such as great power competition and regimes posing
nuclear proliferation threats. After policy reviews, however, the administration in 2018
adopted a “defending forward” policy. This was designed at the tactical and operational
level to respond proactively to threats. In the lead-up to the 2018 midterm election, for
example, the administration policy encouraged agencies responsible for cybersecurity to
seek out and inhibit or prevent efforts to spread disinformation or penetrate US electoral
systems. Perhaps crucially, this policy posture complemented the administration’s stra-
tegic preference for hardline rhetoric and “maximal pressure” diplomacy. Superficially,
it appeared to be a break with prior cybersecurity policy; however, “defending
forward” emerged as a modification of, rather than a dramatic break with, prior cyber-
security policy. Furthermore, the Trump administration tied this approach to a larger
attempt to focus US grand strategy on traditional state actors and peer competitors.
“Defending forward” was not a revolution for cybersecurity policy. Rather, for Trump
and his senior officials, it served a larger, nationalist vision for national security strategy.
In short, the Trump administration initially adopted an amended approach to cyber-
security that it had inherited from the Obama administration, and it later adopted a more
proactive “defending forward” policy that remained a modification of, rather than a
break with, prior cybersecurity policies. As PET predicts, ambitious policy proposals
were not sufficient to overcome both relatively low attention from the president
himself and an administration more focused on traditional security threats than cyber
infrastructure, cyber espionage, and cyber disinformation campaigns. In other words,
neither the technological nor the security environments were radically different from
prior administrations. Rather than building a new strategy with a radically new set of pol-
icies to accommodate new realities, the new realities were categorized and addressed
within the parameters of existing approaches. Even in the case of a seemingly radical
new technology which creates a new “space,” existing strategic agendas and tools
carried the day. For such outcomes, there are simple explanations that hold across
different theoretical traditions. The psychology of sunk costs, long-accepted ideological
investments, and a perceived record of success – or, at least, a record of non-failure –
Discussion
Despite its emergent status, US cybersecurity policy is inherently stable. As PET predicts,
senior officials typically respond to new, dynamic threats by building upon or modifying
old frameworks. For better and worse, cybersecurity policy is constrained by existing
strategic frameworks. Once in place, a strategic approach is operationalized as policy.
This policy tends to be stable until it catastrophically fails. As a plausibility probe, this
study finds that punctuated equilibrium theory is a viable framework to explain cyberse-
curity policy change. These are still limited findings. Donald Trump as a figure and his
general approach to national security represented a moment in which policy change
seems almost overdetermined. He directly questioned received wisdom and prior policies
of both Democratic and Republican administrations. He entered office after a high profile
attempt by a foreign government to use cyber tools to influence the 2016 election. Nom-
inally, his administration’s maximal pressure campaigns against adversaries espoused
aggressive confrontation. Under such conditions, observers might expect a profound
rethink of cybersecurity policy, yet the change achieved was much less dramatic. PET
offers a simple and viable explanation for this outcome. Even determined leaders are con-
strained by existing policy commitments, and in this administration, the president
invested little personal energy in cybersecurity policy. The systemic context, meanwhile,
was not meaningfully different from the later Obama years. Americans may have per-
ceived greater threat to their electoral systems, but neither the technologies nor the
global power structure were changing. Ceteris paribus, observers should expect stability
rather than change, and that is what this study confirms.
Future research needs to expand and systematically test these insights. Do they apply
to other US administrations? Does PET effectively explain other governments’ relation-
ships with cybersecurity policy? Such work will involve development of more precise
hypotheses and more systematic comparison with other theories of change. For
example, the effects of bureaucracy are held steady in the current study, but a major
aspect of US and other governments’ cybersecurity capacity and, in turn, policy is the
development and expansion of organizations, units, and practices devoted to cyber
defence and offence. Indeed, whereas cybersecurity is a fundamentally tactical and tech-
nical exercise that has been developing for decades, cybersecurity policy as an aspect of
national security or national priorities is relatively new. What is the precise relationship
between the functional and the strategic ends of cybersecurity policy? Do the exigencies
of day-to-day cybersecurity in fact drive the national policy agenda, rather than the other
way around? Finally, PET seems to imply that dramatic change is only possible during or
shortly after a systemic shock that undermines existing orthodoxies. As an empirical
matter, this needs to be tested on cybersecurity policy. As a matter of options available
to policy makers and others, this is concerning. If Trump’s approach to issues like cyber-
security policy did not constitute a shock to business-as-usual, what does? And what is
required to achieve fundamental change? For instance, at the end of Trump’s term, a
massive, months-long hack – dubbed SolarWinds – was revealed (Paul and Beckett
2020). “Defending forward” as well as more established practices all failed, but those
approaches remained part of the strategic landscape when Joe Biden took the oath of
office and will likely constrain his administration’s policy options. Research into the par-
ameters of cybersecurity policy change is required.
The Biden and other, future administrations will benefit from observing the Trump
experience. Several possible lessons emerge. First, leadership attention matters but will
always be constrained. Cybersecurity is a particularly challenging issue because it
spans domestic and international jurisdictions, deepens public and private linkages,
and defies management by any one agency or organization. Presidential attention is
always limited; yet, without coherent messaging and a clear, unified policy model
consistently emanating from the president, responses across the bureaucracy and the private
sector will continue to proliferate. Second, and related, even if focused leadership
exists, it is most likely to be effective in policy and threat areas where the technology
is new or experiencing persistent change. For instance, there is virtually nothing any
given president now can do about the fact that the internet was created as an openly
accessible system; however, presidents may take action on reducing the exposure of
certain networks or increasing coordination and cooperation among public and
private actors. Third, the geopolitical situation and leaders’ associated threat perceptions
set the environment for any policy change. If that environment is relatively stable,
working up radically new policies that overcome existing inertia often will be
prohibitively difficult. This is why, for instance, presidents in nearly every era of US history
have exaggerated foreign or national security threats. Relevant veto players and
stakeholders typically resist major new security policies unless they feel that geopolitical
threats are growing or imminent. In sum, presidential impacts on cybersecurity policy
are constrained by whether and how three variables converge: the leader’s attention,
systemic technological change, and perceptions of systemic threat. Ultimately, the Trump
cybersecurity policy effort partially succeeded. It created space for “defend forward;”
however, as PET predicts, Trump’s administration did not experience the kind of
ecological shift necessary for a major, stepwise change. In addition, Trump’s relatively
low engagement with cybersecurity and his relatively unfocused leadership style
ensured that fundamental change would remain limited.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes on contributor
Jacob Shively received his Ph.D. from Indiana University and is an associate professor in the
Reubin O’D. Askew Department of Government at the University of West Florida, where he
studies foreign policy and grand strategy. His 2020 book is entitled Make America First Again:
Grand Strategy Analysis and the Trump Administration.
References
Akaev, Askar, and Vladimir Pantin. 2014. “Technological Innovations and Future Shifts in
International Politics.” International Studies Quarterly 58: 867–872.
Ali, Idrees, and Phil Stewart. 2019. “Exclusive: U.S. Carried Out Secret Cyber Strike on Iran in
Wake of Saudi Oil Attack: Officials.” Reuters, October 16. https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-say-idUSKBN1WV0EK?utm_campaign=20191016&utm_source=sailthru&utm_medium=email&utm_term=MEM%20send%20list.
Associated Press. 2017. “U.S. Charges Russian Officials, Hackers in Mass Yahoo Breach.” PBS
NewsHour, March 15. https://www.pbs.org/newshour/world/watch-live-justice-department-expected-announce-charges-yahoo-hacking-reports-say.
Barnes, Julian E., and Thomas Gibbons-Neff. 2019. “U.S. Carried Out Cyberattacks on Iran.” The
New York Times, June 22. https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html.
Barrett, Brian. 2018. “White House Cuts Critical Cybersecurity Role as Threats Loom.” Wired,
May 15. https://www.wired.com/story/white-house-cybersecurity-coordinator/.
Baumgartner, Frank, Bryan D. Jones, and Peter B. Mortensen. 2014. “Chapter 3: Punctuated
Equilibrium Theory: Explaining Stability and Change in Public Policy Making.” In Theories
of the Policy Making Process, edited by Paul A. Sabatier, and Christopher M. Weible.
Boulder, CO: Westview Press.
Bendor, Jonathan. 2015. “Incrementalism: Dead yet Flourishing.” Public Administration Review 75
(2): 194–205.
Brimley, Shawn, Ben FitzGerald, and Kelley Sayler. 2013. “Game Changers: Disruptive Technology
and U.S. Defense Strategy.” Washington DC: Center for a New American Security.
Cioffi-Revilla, Claudio. 1998. “The Political Uncertainty of Interstate Rivalries: A Punctuated
Equilibrium Model.” In The Dynamics of Enduring Rivalries, edited by Paul Diehl, 64–97.
Chicago: University of Illinois Press.
Colaresi, Michael P., Karen Rasler, and William R. Thompson. 2008. Strategic Rivalries in World
Politics: Position, Space and Conflict Escalation. New York: Cambridge University Press.
Crowley, Michael, Falih Hassan, and Eric Schmitt. 2020. “U.S. Strike in Iraq Kills Qassim
Suleimani, Commander of Iranian Forces.” The New York Times, January 2. https://www.nytimes.com/2020/01/02/world/middleeast/qassem-soleimani-iraq-iran-attack.html.
Department of Defense Strategy for Operating in Cyberspace. 2011. https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf.
Department of Homeland Security. 2020. Executive Order on Strengthening the Cybersecurity of
Federal Networks and Critical Infrastructure. October 28. https://www.dhs.gov/cisa/executive-order-strengthening-cybersecurity-federal-networks-and-critical-infrastructure#.
Doran, Charles F. 1991. Systems in Crisis: New Imperatives of High Politics at Century’s End.
New York: Cambridge University Press.
Eckstein, Harry. 1975. “Case Studies and Theory in Political Science.” In Handbook of Political
Science, edited by Fred Greenstein, and Nelson Polsby, 79–137. Reading, MA: Addison-Wesley.
Executive Order 13757. 2016. “Taking Additional Steps to Address the National Emergency with
Respect to Significant Malicious Cyber-Enabled Activities.” 82 FR 1. Document no. 2016-31922.
Signed December 28, published 3 January 2017. https://fas.org/irp/offdocs/eo/eo-13757.pdf.
Executive Order 138000. 2017. “Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure.” 82 FR 22391. Document no. 2017-10004. Signed May 11, published 16 May
2017. https://www.govinfo.gov/content/pkg/FR-2017-05-16/pdf/2017-10004.pdf.
Farrell, Henry. 2017. “Hackers Have Just Dumped a Treasure Trove of NSA Data. Here’s What it
Means.” The Washington Post. Monkey Cage Blog, April 15. https://www.washingtonpost.com/news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-nsa-data-heres-what-it-means/?utm_term=.462c6e28e650&wpisrc=nl_cage&wpmm=1.
Garfinkel, Ben, and Allan Dafoe. 2019. “How Does the Offense-Defense Balance Scale?” Journal of
Strategic Studies 42 (6): 736–763.
Goertz, Gary. 2003. International Norms and Decision Making: A Punctuated Equilibrium Model.
New York: Rowman and Littlefield.
Head, Brian W., and John Alford. 2013. “Wicked Problems: Implications for Public Policy and
Management.” Administration and Society 47 (6): 711–739.
Herrera, Geoffrey L. 2006. Technology and International Transformation: The Railroad, the Atom
Bomb, and the Politics of Technological Change. Albany, NY: SUNY Press.
Holsti, Ole R., and James N. Rosenau. 1986. “Consensus Lost. Consensus Regained? Foreign Policy
Beliefs and American Leaders, 1976-1980.” International Studies Quarterly 30 (4): 375–409.
Isikoff, Michael. 2018. “Former Trump Official: No One ‘Minding the Store’ at White House on
Cyberthreats.” yahoo!news, July 25. https://www.yahoo.com/news/former-trump-official-no-one-minding-store-white-house-cyberthreats-090017630.html.
Jones, Bryan D., and Frank R. Baumgartner. 2012. “From There to Here: Punctuated Equilibrium
to the General Punctuation Thesis to a Theory of Government Information Processing.” Policy
Studies Journal 40 (1): 1–20.
Joobani, Hossein Aghaie, and Mohammadhossein Daheshvar. 2020. “Deciphering Trump’s
‘Maximum Pressure’ Policy: The Enduring Challenge of Containing Iran.” New Middle
Eastern Studies 10 (1): 2020.
Kanno-Youngs, Zolan, and Nicole Perlroth. 2020. “Iran’s Military Response May Be ‘Concluded,’
but Cyberwarfare Threat Grows.” The New York Times, January 8. https://www.nytimes.com/2020/01/08/us/politics/iran-attack-cyber.html.
Lantis, Jeffrey S. 2016. Arms and Influence: U.S. Technology Innovations and the Evolution of
International Security Norms. Stanford: Stanford University Press.
Legro, Jeffrey. 2005. Rethinking the World: Great Power Strategies and World Order. Ithaca: Cornell
University Press.
Levinthal, Daniel A. 1998. “The Slow Pace of Rapid Technological Change: Gradualism and
Punctuation in Technological Change.” Industrial and Corporate Change 7 (2): 217–247.
Levy, Jack. 2008. “Case Studies: Types, Designs, and Logics of Inference.” Conflict Management
and Peace Science 25 (1): 1–18.
Lieber, Keir Alexander. 2005. War and the Engineers: The Primacy of Politics Over Technology.
Ithaca, NY: Cornell University Press.
Mahoney, James, and Gary Goertz. 2006. “A Tale of Two Cultures: Contrasting Quantitative and
Qualitative Research.” Political Analysis 14: 227–249.
Miller, Greg, and Ellen Nakashima. 2017. “WikiLeaks Says It Has Obtained Trove of CIA Hacking
Tools.” The Washington Post, March 7. https://www.washingtonpost.com/world/national-security/wikileaks-says-it-has-obtained-trove-of-cia-hacking-tools/2017/03/07/c8c50c5c-0345-11e7-b1e9-a05d3c21f7cf_story.html?utm_term=.eef95883ec86.
Moyson, Stephane, Peter Scholten, and Christopher M. Weible. 2017. “Policy Learning and Policy
Change: Theorizing Their Relations from Different Perspectives.” Policy and Society 36 (2): 161–177.
Nakashima, Ellen. 2019a. “Trump Approved Cyber-Strikes Against Iran’s Missile Systems.” The
Washington Post, June 22. https://www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html?utm_term=.351ce9390cea.
Nakashima, Ellen. 2019b. “U.S. Cyber Command Operation Disrupted Internet Access of Russian
Troll Factory on Day of 2018 Midterms.” The Washington Post, February 27. https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?utm_term=.48553489b774.
Nuruzzaman, Mohammed. 2020. “President Trump’s ‘Maximum Pressure’ Campaign and Iran’s
Endgame.” Strategic Analysis 44 (6): 570–582.
Nye, Joseph. 2016–2017. “Deterrence and Dissuasion in Cyberspace.” International Security 41 (3):
44–71.
Paul, Kari, and Lois Beckett. 2020. “What We Know – and Still Don’t – About the Worst-ever US
Government Cyber-Attack.” The Guardian, December 19. https://www.theguardian.com/technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government.
Pierson, Paul. 2004. Politics in Time: History, Institutions, and Social Analysis. Princeton:
Princeton University Press.
Porter, Patrick. 2018. “Why America’s Grand Strategy Has Not Changed: Power, Habit, and the U.S.
Foreign Policy Establishment.” International Security 42 (4): 9–46. doi:10.1162/ISEC_a_00311.
Presidential Notice. 2017. Continuation of the National Emergency With Respect to Significant
Malicious Cyber-Enabled Activities. Executive Office of the President. 82 FR 16099.
Document no. 2017-06583. Signed March 29, filed 31 Mar 2017. https://www.govinfo.gov/content/pkg/FR-2017-03-31/pdf/2017-06583.pdf.
Report of the Select Committee on Intelligence United States Senate on Russian Active Measures
and Interference in the 2016 U.S. Election. 2020. Vol. 5: Counterintelligence Threats and
Vulnerabilities. 116th Congress 1st Session. Report 116-XX, August 18. https://www.intelligence.senate.gov/sites/default/files/documents/report_volume5.pdf
Ruggie, John Gerard. 1975. “International Responses to Technology: Concepts and Trends.”
International Organization 29 (3): 557–583.
Saltzman, Ilai. 2013. “Cyber Posturing and the Offense-Defense Balance.” Contemporary Security
Policy 34 (1): 40–63.
Samuels, Richard J. 1994. “Rich Nation, Strong Army”: National Security and the Technological
Transformation of Japan. Ithaca: Cornell University Press.
Sanger, David E. 2016. “Obama Strikes Back at Russia for Election Hacking.” The New York Times,
December 29. https://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html.
Sanger, David E., and William J. Broad. 2017. “Trump Inherits a Secret Cyberwar Against North
Korean Missiles.” The New York Times, March 4. https://www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html?_r=2.
Sanger, David E., and Nicole Perlroth. 2019. “U.S. Escalates Online Attacks on Russia’s Power
Grid.” The New York Times, June 15. https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html.
Schneider, Jackie. 2019a. “Iran Can Use Cyberattacks Against the U.S. That’s Not Nearly as Bad as
it Sounds.” The Washington Post, Monkey Cage blog, January 6. https://www.washingtonpost.com/politics/2020/01/06/iran-can-use-cyberattacks-against-us-thats-not-nearly-bad-it-sounds/.
Schneider, Jacquelyn. 2019b. “The Capability/Vulnerability Paradox and Military Revolutions:
Implications for Computing, Cyber, and the Onset of War.” Journal of Strategic Studies 42
(6): 841–863.
Slayton, Rebecca. 2016/2017. “What Is the Cyber Offense-Defense Balance? Conceptions, Causes,
and Assessment.” International Security 41 (3): 72–109.
Summary: Department of Defense Cyber Strategy. 2018. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
Talmadge, Caitlin. 2019. “Emerging Technology and Intra-war Escalation Risks: Evidence from
the Cold War, Implications for Today.” Journal of Strategic Studies 42 (6): 864–887.
Taylor, Mark Zachary. 2016. The Politics of Innovation: Why Some Countries are Better Than
Others at Science and Technology. New York: Oxford University Press.
Valeriano, Brandon, and Benjamin Jensen. 2019. “How Cyber Operations Can Help Manage Crisis
Escalation with Iran.” The Washington Post, The Monkey Cage blog. June 25. https://www.washingtonpost.com/politics/2019/06/25/how-cyber-operations-can-help-manage-crisis-escalation-with-iran/.
Valeriano, Brandon, and Ryan C. Maness. 2015. Cyber War Versus Cyber Realities: Cyber Conflict
in the International System. New York: Oxford University Press.
Volz, Dustin. 2008. “Trump, Seeking to Relax Rules on U.S. Cyberattacks, Reverses Obama
Directive.” The Wall Street Journal, August 15.
Welch, David A. 2005. Painful Choices: A Theory of Foreign Policy Change. Princeton: Princeton
University Press.
White House. 2011. International Strategy for Cyberspace: Prosperity, Security, and Openness in a
Networked World, May. https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.