Policy Studies

ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/cpos20

Cybersecurity policy and the Trump administration

Jacob Shively

To cite this article: Jacob Shively (2021): Cybersecurity policy and the Trump administration,
Policy Studies, DOI: 10.1080/01442872.2021.1947482

To link to this article: https://doi.org/10.1080/01442872.2021.1947482

Published online: 28 Jun 2021.

Submit your article to this journal

Article views: 10

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=cpos20
POLICY STUDIES
https://doi.org/10.1080/01442872.2021.1947482

Cybersecurity policy and the Trump administration

Jacob Shively
Reubin O’D. Askew Department of Government, University of West Florida, Pensacola, FL, USA

ABSTRACT ARTICLE HISTORY

This article evaluates the conditions under which national Received 22 February 2021
cybersecurity policy changes or remains stable. Consistent with Accepted 20 June 2021
theories of policy and bureaucratic inertia, particularly
KEYWORDS
punctuated equilibrium theory (PET), it finds that national-level Trump administration;
cybersecurity policy during the Trump administration was cybersecurity; punctuated
constrained by existing conceptual, political, and strategic equilibrium theory; national
commitments. It uses government and media documentation to security; defending forward;
observe two pivotal policy periods during the Trump plausibility probe; executive
administration. It finds that despite shifting from a nominally order; inertia; cyber attack
defensive to a nominally offensive posture, rather than revise
policy categories and priorities, policy makers interpreted cyber
threats within existing threat and policy categories. These
findings offer two contributions to policy scholarship. First, they
begin the process of situating the Trump administration in the
larger context of US cybersecurity policy. Second, they
demonstrate constraints on senior policy makers as well as the
utility of a punctuated equilibrium model. The Trump
administration’s “defending forward” concept represented one of
the most ambitious efforts to break with existing US cybersecurity
policy; however, even this effort was constrained in ways
consistent with punctuated equilibrium theory.

Introduction
In June 2019, headlines signalled what appeared to be a remarkable change to American
cybersecurity policy (Sanger and Perlroth 2019). US government agencies had actively
developed access to critical Russian infrastructure and could, officials claimed, threaten
the Russian power grid. That the United States held such capabilities was unsurprising.
That officials leaked the implied threat was new. Previously, US officials worried that any
such leaks would reveal sensitive sources and methods. Now, per reporting, US officials
appeared frustrated by years of reactive policies and defending against constant attacks.
They wanted to adopt a more offensive posture. They also felt pressure to confront fallout
from Moscow’s 2016 disinformation campaign. Intelligence agents and at least one
organization affiliated with the Russian government apparently had obtained private
information from Democratic officials and, in opposition to candidate Hillary Clinton,
had spread false or misleading information through data networks and social media. Pre-
sident Obama, still in office, led a relatively muted response and reached for diplomatic

CONTACT Jacob Shively jshively@uwf.edu 1100 University Pkwy., Building 50, Pensacola, FL 32514, USA
Jacob Shively @Jacob___Shively
© 2021 Informa UK Limited, trading as Taylor & Francis Group
2 J. SHIVELY

tools like sanctions. Later, President Donald Trump showed little personal interest in
grappling with the fallout from this episode; nevertheless, three years later, Trump
administration officials now declared that they would approach national cybersecurity
with threats of proactive deterrence. Did this “defending forward” policy represent dra-
matic change or mere tinkering within existing policy frameworks?
This article evaluates the conditions under which national cybersecurity policy
changes or remains stable. For at least two decades, national-level policy makers have
known that cyberspace posed unique security challenges. For example, they have devel-
oped powerful capabilities vested in government organizations like the National Security
Administration (NSA), Department of Homeland Security (DHS), and U.S. CYBER-
COM. In theory, therefore, observers might expect new technological capabilities to
drive strategic and policy innovations (Ruggie 1975; Brimley, FitzGerald, and Sayler
2013; Saltzman 2013). In fact, as this article finds, national-level cybersecurity strategy
has more often than not proven constrained by existing conceptual, political, and stra-
tegic commitments. The following pages evaluate policy outcomes after two major
policy decision periods. In each, rather than revise policy categories and priorities
(such as espionage, warfare or property rights), policy makers interpreted the cyber
threat within existing categories. For instance, when officials initiated a more assertive
“defending forward” approach to cybersecurity, they still focused on traditional state
threats and old standards to define public national security threats versus private
responsibility.
These findings offer two contributions to the scholarship and practice of cybersecurity.
First, the article begins the work of overviewing US cybersecurity policy and strategy
during the Trump administration. Second, it demonstrates conceptual, strategic and
other constraints on senior policy makers. Namely, it finds that punctuated equilibrium
theory (PET) is a plausible framework to explain the relative stability of cybersecurity
policy in the face of constant pressure. Senior policy makers and strategists, for the
most part, built cybersecurity policies that fit within existing frameworks and concepts
rather than policies representing a fundamentally new policy framework.

Theory
Technology change and security policy inevitably interact (Akaev and Pantin 2014;
Herrera 2006). Though many scholars have grown skeptical that technology alone
drives war decisions, competing states’ capabilities often drive threat perceptions, some-
times to the point of arms racing (Lieber 2005; Colaresi, Rasler, and Thompson 2008;
Garfinkel and Dafoe 2019; Talmadge 2019). Access to new technology like cyber net-
working may not alter the basic likelihood of conflict, but it can embolden certain
types of aggression (Valeriano and Maness 2015; Slayton 2016/2017; Schneider 2019b).
Still, questions surround how such policy changes and how quickly it changes. Cyberse-
curity practitioners, tacticians, and other professionals constantly revise and update their
practices and policies. Does that translate into constantly evolving national policies?
Stated differently, is national cybersecurity policy flexible and easily mouldable, or is it
“sticky” and inflexible?
According to the punctuated equilibrium theory (PET), policymaking tends to display
both leaps and stasis (Baumgartner, Jones, and Mortensen 2014). Under this framework,
 POLICY STUDIES 3

public discourse defines salient issues and affects whether existing policies are either
reinforced or questioned. In turn, policy entrepreneurs and others setting policy
agendas will find change either inhibited or facilitated, respectively. Through that
process, public and elite images of a given policy tend to be stable. In any given situation,
policy stability is more likely than policy change. One reason for this lies in a bounded
rationality approach to change. At most, humans can only focus on a few issues at
once; thus, “collectively, a shift in the object of attention can lead to a disjointed
change in preferred alternatives, even when the alternatives are well defined” (Baumgart-
ner, Jones, and Mortensen 2014, 69). Policy change is more often than not constrained by
the complexity of agreeing upon alternatives, by existing beliefs and images, and by the
normal limitations of human cognition. Overall, policymaking is “a continual struggle
between the forces of balance and equilibrium, dominated by negative feedback pro-
cesses, and the forces of destabilization and contagion, governed by positive feedback
processes” (Jones and Baumgartner 2012). These insights join an extensive literature
on policy and institutional inertia (Cioffi-Revilla 1998; Levinthal 1998; Goertz 2003;
Pierson 2004).
Existing scholarship on foreign policy and on technology innovation also offer insights
into how cybersecurity may emerge and change as a national security policy. Like PET,
this work reveals a propensity for relative policy stability and occasional moments of dra-
matic change amidst constant pressure. First, at any given point in time, inertia is likely to
define the broadest levels of national security policy. Whereas a new technology like
cyber introduces pressure for adaptation, a government’s articulation of change – such
as policies, institutions, strategies, and implementation – often lags or remains basically
stable. David Welch’s (2005) study of foreign policy, for instance, finds that loss-aversion
discourages leaders from enacting major change. Jeffrey Legro’s (2005) theory of foreign
policy idea change finds that unless an existing idea is perceived to have dramatically
failed and a single alternative is available, the status quo is likely to remain in place. In
a more recent study, Patrick Porter (2018) argues that after the shocks of the 1930s
and 1940s, the US foreign policy establishment adopted a new set of norms and conven-
tional wisdoms that have been consistently replicated by the foreign policy elite. Second,
when policy and other change happens, it tends to occur in big steps rather than incre-
mentally. Of course, incremental adjustments are common, but incrementalism is often
constrained within larger parameters. Jeffrey Lantis (2016), for instance, finds that state
leaders enjoy relatively wide agency to push new international norms when new technol-
ogies challenge existing standards and practices. Actual change, though, is often con-
strained within a limited window of opportunity. Mark Zachary Taylor (2016) finds
that domestic political interests will favour policy and innovative inertia unless and
until they perceive a serious external threat. He dubs this “creative insecurity.” This dove-
tails with older work (Samuels 1994) on “technonationalism,” which describes, for
example, Meiji Japan’s willingness to abruptly adopt an ideology fusing disruptive tech-
nological innovation and military expansionism.
Such findings reveal two patterns. In each, inertia tends to dominate outcomes.
Whereas individuals, organizations, businesses, or even governments themselves may
push relentless technological innovation, the professional incentives and ideational fra-
meworks of policy makers and bureaucracies prove far more “sticky.” Changing them
even under direct pressure is difficult. Adjustments are possible and common, but
4 J. SHIVELY

fundamental or structural change tends to occur in dramatic, stepwise corrections. Rela-

tive stability tends to dominate unless and until the environment experiences radical or
systemic transformation. If plotted on an x-y axis, technical capabilities would steadily
increase with time. By contrast, strategies and policies related to cyber – not the technol-
ogies themselves – are likely to fit a stepwise profile. They are relatively stable, and the
area between technical capabilities and actual strategy and policy grows. Then, at
occasional inflection points, policy makers revise their policies to better match current
capabilities, practices, and threats (Doran 1991). In short, as a country’s power or tech-
nical capabilities change in a continuous flow, actual strategic policies will look like a
series of steps along the arc as policy makers occasionally adjust to match reality.
Regarding cybersecurity, then, a fundamental break with prior approaches would
likely require that several factors align. Without those conditions, any given adminis-
tration is likely to be constrained to adjusting existing policy frameworks. Only by con-
verging during the same temporal window do these variables create the conditions for
major change. This article posits that these variables are

. Sustained leader attention: the executive or another decisive policy figure must
advance or support the policy change consistently over time rather than during
either a single spike in attention or intermittently/unevenly.
. Systemic technological change: an emerging technology that affects interstate inter-
action capacity.
. Systemic security change: baseline interstate threat perceptions change due to an
emerging issue or crisis.

Given these variables, if PET does offer useful predictions regarding national cyberse-
curity policy, the case studies will track with one of the three following scenarios. In the
first, (1) sustained leadership attention along with systemic political, technical and secur-
ity change creates the conditions for a “punctuated equilibrium” and the administration
achieves a dramatic break with “business as usual.” In other words, systemic conditions
align with policy entrepreneurship. In the second and third scenarios, those conditions
do not exist and Trump’s administration would have either (2) modified existing cyber-
security policy or (3) attempted major change that proved abortive or limited. Here,
ongoing adjustments and evolutionary adaptations are possible within policy inertia,
but they will be constrained or limited within the preexisting framework.
Alternative explanations of strategic policy change emphasize regular adjustments and
gradualism rather than periods of step-wise change. This article cannot actively test these
alternatives; however, they set the context in which PET may be a relatively more effective
theoretical framework. One ideal type, often associated with rationalism, would hold that
officials carefully respond to threats and changing circumstances. They consult experts,
work out cost–benefit calculations and so forth and then implement the new strategy
(Head and Alford 2013). The policy’s relative success or failure then leads to ongoing
adjustments. Periods of dramatic change are possible, but between such moments,
adjustments persist and policy at point B is not necessarily constrained by policy set at
point A. Second, an incremental or evolutionary view of policy change assumes that
policy makers, policy entrepreneurs, bureaucrats, and other agents push for their pre-
ferred changes even as the issue and the surrounding conditions continue to change.
 POLICY STUDIES 5

Though largely abandoned among theorists, aspects of this “muddling through” frame-
work persist in applied fields (Bendor 2015). Policy “learning” is another framework in
which incremental or continuous change occurs (Moyson, Scholten, and Weible 2017).
Over time, dramatic changes emerge from this process. In fact, PET itself is a form of
evolutionary theory developed as an alternative to this gradualist concept of change. If
the PET predictions do not hold or display only weak correlations with the cases, then
it likely holds less explanatory power than these alternatives.

Materials and methods

This article highlights two possible predictions for cyber as a new security challenge.
First, policy makers are likely to reach first for familiar or established frameworks
rather than a radically new approach to accommodate the new technology. Second, in
turn, that new technology is more likely to be deployed to supplement or reinforce an
existing national security strategy than it is to directly undermine or change that strategy.
Stated differently, new tactical capabilities will allow greater opportunities to pursue an
existing strategy rather than force policy makers to dump the old and build a new strat-
egy. New technology use is more likely to be constrained by existing policy and strategic
frameworks rather than drive changes in those policies and strategies. The Trump
administration generally sought to break with presidential conventions and policy
norms. Under such conditions, observers might expect to see incremental or even
radical policy solutions to cybersecurity threats. By contrast, PET and related theories
of policy change anticipate either cascading and dramatic change or, more likely, new
technological capabilities and updated threat perceptions being integrated into the exist-
ing policy framework.
This article evaluates two periods of cybersecurity policy formulation. It compares the
Trump administration’s major policy positions on cyber security with the theoretical pre-
dictions above. If PET is correct, cybersecurity change is more likely to be constrained by
existing strategic and policy frameworks than feature fundamental or radical change.
Trump officials will create a policy expanding upon existing precedents rather than
forging a fundamentally new policy.
This study defines cybersecurity and deterrence in broad terms. Cybersecurity refers to
efforts to secure and protect digital networks, information systems, and electronically-
linked devises and infrastructure. Example threats for national security policy range
from espionage against US government databases to direct attacks on military or civilian
infrastructure to theft of private intellectual property to influence operations on social
media. As an analytical category, this approach is potentially unwieldy; however, as an
emergent technological and policy category, national level “cybersecurity” typically
includes all those threat categories, as the strategy documents below illustrate. In particu-
lar, this study seeks to evaluate how the Trump administration used the term. For
instance, in its 2017 executive order (13800), the administration focused on “information
technology” and defined it (with reference to 40 US Code §11101(6)) as the hardware,
software, and networked infrastructure surrounding data or information used by US gov-
ernment agencies. In turn, deterrence is an extensively studied and theorized concept, but
for this study, it is used not as a formal concept but, rather, as policy makers applied it to
articulate their strategic and policy agenda. Typically, these official documents and policy
6 J. SHIVELY

statements use “deterrence” to refer to shifting the cost–benefit calculation made by

foreign government agencies, criminal actors and others seeking to breach or manipulate
US digital systems. The cyber environment affords low risk and high rewards for these
hackers and spy agencies. Consequently, in the cases below, policy makers are seeking
methods to increase costs to putative attackers to the point that they determine the
costs outweigh the benefits. This is, in short, deterrence: convincing an actor to forego
an action due to the risk of high costs. Deterrence methods may differ. Joseph Nye
(2017), for instance, identifies four: punishment, denial, entanglement, and norms. For
the cases below, deterrence varies along as simple axis, ranging from, on one end, a
focus on denial and, on the other end, reaction to attack and prevention.
Rather than a fully developed theoretical test, this case study approach is best under-
stood as a “plausibility probe.” It seeks to determine if the theoretical claims fit the
empirical reality. Such work is a stepping stone to greater theoretical and empirical devel-
opment and more formal structured, focused case comparison. A plausibility probe is
appropriate, here, for several reasons. As Levy (2008) argues, this approach is designed
to “sharpen a hypothesis or theory” as well as provide a “feel” for a theoretical argument.
A relatively new case of presidential policy, the Trump administration is ripe for theory
development and refinement. Similarly, the PET approach to cybersecurity policy is new.
Levy admits that plausibility probes are often pressed into service as an all-purpose case
study approach; nevertheless, they are a valuable intermediary step between identifying a
possible theoretical pattern and intensive testing or case comparison (Eckstein 1975). In
addition, isolating specific causal relationships, such as in a process tracing approach, will
be difficult with a vast number of possible inputs, some or many of which may still be
classified. In addition, there are a relatively limited number of possible observations, par-
ticularly regarding this new technology. Overall, as Mahoney and Goertz (2006) argue,
along with others (Holsti and Rosenau 1986), such qualitative approaches are appropriate
where “the research goal is the explanation of particular outcomes.”
Case selection for this plausibility probe is simple. Though not part of a fully devel-
oped case comparison, each case is one of the administration’s two major periods of sus-
tained attention to cybersecurity policy. Each appears designed to signal or implement
the administration’s core cybersecurity agenda. Presidential administrations tend to
focus attention on an issue either early during their terms – in order to set the policy
agenda – or in response to crises and similar developments. In other words, each case
studied here represents a period of concentrated attention. Each involves a formal pre-
sidential action (an executive order and a presidential policy directive, respectively)
that was designed to set the overall US government approach on cybersecurity. The
cases hold a number of variables constant because they are part of a single administration
and occur within a single term. Still, they do vary across two basic dimensions. The first is
timeframe: early presidential term versus middle term. The second is relative aggressive-
ness: more reactive versus more proactive policy solutions for cybersecurity. Such vari-
ation between otherwise similar cases offers the observer analytical leverage to observe
across a limited set of variables whether and to what degree the theoretical framework
– PET, in this study – correlates with the historical record. In turn, the basic parameters
of each case are compared with predictions made by the general theory stated above. PET
predicts that most cybersecurity strategy and policy changes will occur within a preexist-
ing framework. Is that, in fact, what happened? By addressing this question, the article
 POLICY STUDIES 7

seeks to determine whether PET is a plausible theoretical account of national cybersecur-

ity policy change.

2017: From Obama’s framework to Trump’s cybersecurity executive order

A self-proclaimed nationalist, Donald Trump elevated “sovereignty” during this first year
as any government’s supreme national security interest. In turn, concerns like immigra-
tion and trade, along with a handful of adversarial states like Iran and North Korea,
dominated his policy priorities. In theory, under this nationalist framework, cyber
threats could also pose a serious challenge to sovereignty. In practice, throughout his
first year in office, they largely remained on a separate, more technical track from this
strategic agenda. Politically, Trump also faced uncomfortable associations with cyberse-
curity: US intelligence agencies uniformly agreed that Russian operatives used social
media and hacked emails to indirectly support his 2016 campaign (“Report … ” 2016).
When the administration released its first major cybersecurity statement in May 2017,
a presidential executive order, the policy retread familiar ground with a set of domesti-
cally- and technically-focused approaches.
The Obama administration attempted to hand off a policy of diplomatic – rather than
tactical or technical – deterrence against foreign government cybersecurity threats. In
practice, this included an uncertain or muted response to Russia’s disinformation cam-
paign during the 2016 general election. Obama’s 2011 policy of developing more
offensive cyber capabilities and international norms remained in place (Department of
Defense 2011; White House 2011). It emphasized building “norms of responsible behav-
ior” and diplomatic cooperation. Deterrence remained the basic strategic goal; however,
deterrence remained broadly defined. US officials “reserve[d] the right to use all necessary
means – diplomatic, informational, military, and economic – as appropriate and consist-
ent with applicable international law.” They wanted the costs of attacking US networks to
“vastly outweigh the potential benefits.” Still, in 2016, Obama and his team struggled with
how to respond to a foreign government using old techniques in the cyber environment.
US intelligence agencies realized that Russian agents and/or their proxies were pushing a
disinformation campaign. These foreign actors used social media networks, hacked
emails and other basic intelligence methods to undermine the credibility of candidate
Hillary Clinton and support Donald Trump (as well as, to a lesser extent during the pri-
maries, Democrat Bernie Sanders). Obama officials worried that a tit-for-tat response
might escalate with unknown consequences. Publicizing the attack too loudly, they
also feared, might lead to charges that Obama was misusing his power to help
Clinton. Initially, the administration pressured the Russian government through diplo-
matic channels. After the election, the Obama administration expelled 35 Russian
officials, shut down two properties allegedly used by Russian operatives, and imposed
sanctions on two Russian intelligence agencies (Sanger 2016). Obama also signed an
executive order (13757, 2016) allowing the Treasury Department to respond to future
cyber attacks with similar actions.
In response, president-elect Trump said that the government should “move on.” Once
in office, slowed by early personnel turnover and unfilled appointments, administration
officials spent several months building a review of cybersecurity. In the meantime, fam-
iliar threats and policies continued. President Trump was briefed on an Obama-era
8 J. SHIVELY

programme to sabotage North Korean missile tests with cyber and other electronic
attacks (Sanger and Broad 2017). Such tactics allowed indirect physical attacks and coer-
cive threats with low costs to political capital and low fears of escalation. Ultimately,
Trump bypassed this quiet approach. He opted to ramp up diplomatic and sanctions
pressure over the next year before agreeing to a summit with North Korean leader
Kim Jong Un. At home, high profile hacks and leaks continued. WikiLeaks released thou-
sands of files showing the Central Intelligence Agency’s capacity to use familiar items like
cellphones and televisions to conduct espionage (Miller and Nakashima 2017). Weeks
later, another group, Shadow Brokers, released stolen documents showing NSA
hacking practices and tools (Farrell 2017). Despite this constant pressure, basic policies
at the NSA, DHS and elsewhere continued as normal, in part because a number of mid-
and high level positions for political appointees remained unfilled. The Department of
Justice continued its practice of treating foreign hackers as criminals – rather than exis-
tential national security threats – and charged two Russians with a data breach against the
internet firm Yahoo (Associated Press 2017). The White House itself extended an
Obama-era executive order that had declared a national emergency designed “to deal
with the unusual and extraordinary threat to the national security, foreign policy, and
economy of the United States constituted by the increasing prevalence and severity of
malicious cyber-enabled activities” posed by foreign actors (Presidential Notice 2017).
In May, the administration released an expansive executive order (138000, 2017) that
addressed cybersecurity. It set out guiding principles for bureaucratic leaders and tech-
nical practitioners across the US government. Under this framework, cybersecurity
largely was a domestic “risk management” problem that could be mitigated with techni-
cal updates. Like previous administrations, the Trump White House identified critical
infrastructure as the strategic concern exposed by cyber connectivity. Agency heads
were given 90 days to send their respective assessment and mitigation plans to DHS.
They were instructed to refer to a set of guidelines created by the National Institute of
Standards and Technology (NIST) called the Framework for Improving Critical Technol-
ogy. Under this framework, technical updates should be identified and personnel should
be trained. In particular, the order suggested that US government agencies should con-
solidate their networks and IT services, such as email and cloud computing. In turn, DHS
recommended a series of internally-focused technical and organizational changes to miti-
gate cyber risks (Department of Homeland Security 2020).
The order also set out general strategic-level approaches to cybersecurity. As in other
administrations, it affirmed that executive branch policy is “to promote an open, inter-
operable, reliable, and secure internet that fosters efficiency, innovation, communication,
and economic prosperity, while respecting privacy and guarding against disruption,
fraud, and theft.” The order also indicated that the administration would entertain
changes to the government’s existing balance between defence and deterrence. As
under Obama, though, deterrence was left as a broad agenda rather than a clearly-
defined set of policies. The state, treasury and defence departments, among other organ-
izations, were to report back on this question. Agencies that regularly worked with inter-
national partners were also assigned to articulate their priorities regarding investigation,
attribution, and capacity building.
In sum, President Trump inherited from his predecessor a diplomatic as much as a
technical policy of loosely-defined cybersecurity deterrence. That policy approach
 POLICY STUDIES 9

appears to have continued throughout the administration’s first year. Trump himself
rarely addressed cybersecurity, and when his team finally released a cybersecurity execu-
tive order, it prioritized technical, internal risk management. In turn, official policy
remained hazy about how the administration would approach cybersecurity in the
context of an outward-facing national security strategy. This is notable in the immediate
aftermath of Russia’s 2016 disinformation and hacking campaign. Overall, in its first
year, the Trump administration framed cybersecurity policy as a technological
problem with domestic solutions.

2018–2019: Defending forward

By the end of Trump’s second year, the administration had adopted a relatively more
aggressive cybersecurity policy: “defending forward.” The change emerged from
specific concerns articulated by policy professionals. The content of the change,
however, reflected Trump’s generally nationalist national security approach. For White
House officials, cybersecurity was a secondary or tertiary issue. Traditional threats like
trade and nuclear proliferation remained their top national security concerns. Trump
himself addressed cybersecurity in vague terms, and the topic rarely figured either in
major policy statements or in his off-the-cuff comments and tweets. In April 2018,
John Bolton replaced H.R. McMaster as National Security Advisor in April 2018. He
brought a preference for traditional military power and consolidating decisions to
himself. Over the following month, both the White House “cybersecurity czar” and
cybersecurity coordinator resigned and the Oval Office handed those responsibilities
to National Security Council senior directors (Barrett 2018). Months later, the ousted
cybersecurity czar, Tom Bossart, worried that “on cyber, there is no clear person or
clear driver, and there is no clear muscle memory” (Isikoff 2018).
Despite cyber’s relatively low priority status, President Trump signed a more aggres-
sive version of President Obama’s PPD-20. Under this framework, preemption against
emerging cyber threats was the new standard. It would be a tactical and operational strat-
egy to meet tactical and operational threats. One official called the move in August 2018
an “offensive step forward” (Volz 2008). Obama’s version required approval from mul-
tiple agencies before any one agency engaged in offensive cyber operations. By contrast,
several publicly-known policies and operations suggest that Trump’s version allowed
more latitude for agencies to launch or maintain offensive cyber capabilities. For
instance, a month after the new PPD-20 was signed, the Department of Defense
(DOD) released an unclassified summary of its updated cybersecurity strategy. “We
will,” it stated, “defend forward to disrupt or halt malicious cyber activity at its source,
including activity that falls below the level of armed conflict” (“Summary,” 2018).
(Emphasis in original statement.) Defending forward would use two approaches to con-
front peer and near-peer state competitors: (1) proactively collecting intelligence and (2)
developing “military cyber capabilities” to confront those competitors. In an armed
conflict, cyber capabilities would be deployed alongside traditional force capabilities.
Crucially, at home, the policy stated that the DOD would “preempt, defeat, or deter mal-
icious cyber activity targeting U.S. critical infrastructure that could cause a significant
cyber incident.” The Obama administration sought to constrain offensive capabilities
within existing ethical and policy processes. By contrast, the Trump approach appeared
10 J. SHIVELY

to set aside those constraints. Since the cyber environment favoured diffuse, low level
attacks, the US approach to deterrence would involve proactively identifying and mena-
cing threats as they emerged.
Russia became the first – but not the only – highly-visible target. In October and
November 2018, according to media reports, CYBERCOM conducted offensive cyber
operations against Russian networks. Whereas the Obama administration in 2016
shied away from direct reactions and turned to diplomatic responses, military officials
now proactively blocked cyberattacks and disinformation that they could trace back to
the “Internet Research Agency,” located in St. Petersburg, Russia (Nakashima 2019b).
US operatives also directly messaged individual Russians to demonstrate that they had
been identified and to dissuade their disinformation campaign. One US official stated
that “grand strategic deterrence” was less a goal in this operation than “inject[ing] a
little friction, sow[ing] confusion.” As in the prior case, deterrence as an operative cat-
egory remained broadly construed.
Practiced across the entire US national security apparatus, that type of offensive
behaviour would – officials appear to have reasoned – lead to broad, strategic deterrence.
As in 2017, deterrence itself remained a vaguely-defined strategy. It would also be
difficult to sustain and remain credible. In the middle of 2019, for instance, US
officials leaked details about capabilities to access the Russian electrical grid. The previous
policy was to develop offensive capabilities but avoid publicly advertising them for fear of
exposing trade secrets or triggering a tit-for-tat spiral akin to an arms race. That approach
reflected a reactive strategy for protecting critical national infrastructure. In their early
months, Trump officials accepted that basic policy. They reframed the approach as
“risk management.” Under “defending forward,” however, strategic planners reckoned
that without clearly demonstrating and using offensive, potentially overwhelming capa-
bilities, adversaries would steadily ratchet upward their cyber attacks. In familiar terms,
they employed the maxim, “the best defence is a good offence.” In turn, defending
forward also complemented the administration’s “maximum pressure” framework,
used most prominently in the trade war approach to China and particularly in efforts
to coerce Iran regarding its nuclear programme (Joobani and Daheshvar 2020; Nuruzza-
man 2020). Under maximum pressure, the US administration claimed to apply all tools
available short of initiating direct violence in order to compel or coerce favourable policy
changes in the target country.
Tensions with Iran throughout 2019 illustrate the uses and constraints of “defending
forward.” Months after the midterm election and the Russia operation, the adminis-
tration faced a crisis with Iran, which apparently attacked two civilian cargo vessels
and, as tensions flared, shot down a US unmanned aerial vehicle. Later, Iran or one its
proxies appeared to fire a missile barrage at a Saudi oil facility. White House officials
felt pressured to respond with traditional military force, but they worried about casualties
and, in turn, escalation or a long-term military commitment. At one point, US aircraft
were actually proceeding toward Iranian targets when the president abruptly changed
his mind and called off an airstrike. Along with verbal condemnations and deploying
several thousand troops to bolster existing positions in the region, the US president
agreed to launch a set of cyberattacks that had been developed over prior weeks or
months (Nakashima 2019a). At least two major attacks occurred in June and September
(Ali and Stewart 2019; Barnes and Gibbons-Neff 2019). They focused on intelligence
 POLICY STUDIES 11

capabilities, the Iranian Revolutionary Guard Corps (IRGC), as well as other military
command and control systems. Summarizing extensive research, Valeriano and Jensen
(2019) argue that this type of cyber response to physical provocations was now a
common way for governments to de-escalate security tensions. At the turn of the year,
however, tensions in the physical world did escalate. Administration officials argued
that they must respond with force after an Iranian-backed militia aggression in Iraq
and a mob attack on the US Embassy, Baghdad. Trump ordered airstrikes across Iraq
against the militias and then, after the embassy attack, a drone strike that killed one of
Iran’s senior political and military figures, Qasem Soleimani, while he was visiting
Baghdad (Crowley, Hassan, and Schmitt 2020). Reports suggest that the US also
attempted at least one or two simultaneous kinetic strikes against Iranian targets in
the region. Iran responded with a large but relatively ineffective missile barrage against
US bases in Iraq. The crisis then quickly receded, though observers suspected that the
two governments would likely return to, and possibly escalate, their cyberattacks
(Kanno-Youngs and Perlroth 2020; Schneider 2019a). In short, “defending forward”
created a framework to respond assertively to digital and physical threats, but it did
not solve – and even may have exacerbated – the basic diplomatic and security questions
at hand.
Within a year of Trump’s administration revising PPD-20 and the DOD adopting
“defending forward,” the United States had repeatedly demonstrated its commitment
to offensive cyber capabilities. Officials publicly advertised or leaked their threats
against and attacks on specific actors. Trump and his team also drew upon cyber capa-
bilities as an alternative to military responses against Iran. Cyber attacks in that case
appear to have been calibrated to avoid physical escalation. If so, they also seem to
have failed, and the administration finally reached for dramatic, escalatory strikes,
including the killing of one of Iran’s senior political and military figures.
Overall, “defending forward” fit into a larger strategic approach. Cyber capabilities
themselves were not a leading priority. Rather, officials attempted to overhaul the US
national security policy to focus on traditional state and geopolitical threats. How
threats and responses would be determined was set at the level of national strategy.
Cybersecurity priorities followed. In theory, defending forward also included a call for
international cooperation and norms building, as with prior cybersecurity agendas, but
it presented no larger framework or context in which those should be developed. In prac-
tice, defending forward appears to have proven less dramatic than advertised. Namely,
the policy, at least as publicly known, tended to be limited to specific issues, such as
threats to the midterm election. In 2019, when a physical and cyber security crisis
with Iran ballooned, the administration reached for “defending forward” but ultimately
relied upon traditional tools of coercive statecraft. As observers might expect under PET,
without a fundamental change in the threat environment, the Trump administration
achieved marginal adjustments to national cybersecurity policy rather than a major step-
wise change.

Results
This article seeks to determine the conditions in which cybersecurity policy change is
likely, and it specifically tests whether PET is a plausible account of change or nonchange.
12 J. SHIVELY

It observes three proximate variables that affect the likelihood of change: leader attention,
systemic technological change, and systemic security change. If any one of these cat-
egories remains stable when an administration seeks to change cybersecurity policy, its
efforts are likely to be constrained within the parameters of existing policies. The case
studies above reveal that PET does offer a plausible explanation for the Trump team’s
overall approach to cybersecurity policy. As described above under Theory, scenario
one (1) never materialized. Neither sustained leadership attention nor changing systemic
conditions emerged. Instead, scenarios two (2) and three (3) unfolded: respectively,
adjusted policy and abortive major change. The administration first adopted a lightly
modified version of the Obama approach to cybersecurity policy. Then, its later
attempt to deploy a more offensive cybersecurity policy represented a modification to
existing practices rather than a wholesale transformation. Through 2017 and into
2018, Trump administration policies treated cybersecurity as a technical, risk-manage-
ment problem. Approaches centred on domestic institutional procedures and practices.
This reframed but did not fundamentally alter the existing Obama-era approach. White
House officials up to the president did not prioritize cybersecurity relative to more tra-
ditional national security policies, such as great power competition and regimes posing
nuclear proliferation threats. After policy reviews, however, the administration in 2018
adopted a “defending forward” policy. This was designed at the tactical and operational
level to respond proactively to threats. In the lead-up to the 2018 midterm election, for
example, the administration policy encouraged agencies responsible for cybersecurity to
seek out and inhibit or prevent efforts to spread disinformation or penetrate US electoral
systems. Perhaps crucially, this policy posture complemented the administration’s stra-
tegic preference for hardline rhetoric and “maximal pressure” diplomacy. Superficially,
it appeared to be a break with prior cybersecurity policy; however, “defending
forward” emerged as a modification of, rather than a dramatic break with, prior cyber-
security policy. Furthermore, the Trump administration tied this approach to a larger
attempt to focus US grand strategy on traditional state actors and peer competitors.
“Defending forward” was not a revolution for cybersecurity policy. Rather, for Trump
and his senior officials, it served a larger, nationalist vision for national security strategy.
In short, the Trump administration initially adopted an amended approach to cyber-
security that it had inherited from the Obama administration, and it later adopted a more
proactive “defending forward” policy that remained a modification of, rather than a
break with, prior cybersecurity policies. As PET predicts, ambitious policy proposals
were not sufficient to overcome both relatively low attention from the president
himself and an administration more focused on traditional security threats than cyber
infrastructure, cyber espionage, and cyber disinformation campaigns. In other words,
neither the technological nor the security environments were radically different from
prior administrations. Rather than building a new strategy with a radically new set of pol-
icies to accommodate new realities, the new realities were categorized and addressed
within the parameters of existing approaches. Even in the case of a seemingly radical
new technology which creates a new “space,” existing strategic agendas and tools
carried the day. For such outcomes, there are simple explanations that hold across
different theoretical traditions. The psychology of sunk costs, long-accepted ideological
investments, and a perceived record of success – or, at least, a record of non-failure –
 POLICY STUDIES 13

discourage radical reinvention. “Defending forward” superficially offered to break out of

this overarching inertia, but the approach was largely confined to existing categories.

Discussion
Despite its emergent status, US cybersecurity policy is inherently stable. As PET predicts,
senior officials typically respond to new, dynamic threats by building upon or modifying
old frameworks. For better and worse, cybersecurity policy is constrained by existing
strategic frameworks. Once in place, a strategic approach is operationalized as policy.
This policy tends to be stable until it catastrophically fails. As a plausibility probe, this
study finds that punctuated equilibrium theory is a viable framework to explain cyberse-
curity policy change. These are still limited findings. Donald Trump as a figure and his
general approach to national security represented a moment in which policy change is
seems almost overdetermined. He directly questioned received wisdom and prior policies
of both Democratic and Republican administrations. He entered office after a high profile
attempt by a foreign government to use cyber tools to influence the 2016 election. Nom-
inally, his administration’s maximal pressure campaigns against adversaries espoused
aggressive confrontation. Under such conditions, observers might expect a profound
rethink of cybersecurity policy, yet the change achieved was much less dramatic. PET
offers a simple and viable explanation for this outcome. Even determined leaders are con-
strained by existing policy commitments, and in this administration, the president
invested little personal energy in cybersecurity policy. The systemic context, meanwhile,
was not meaningfully different from the later Obama years. Americans may have per-
ceived greater threat to their electoral systems, but neither the technologies nor the
global power structure were changing. Certeris paribus, observers should expect stability
rather than change, and that is what this study confirms.
Future research needs to expand and systematically test these insights. Do they apply
to other US administrations? Does PET effectively explain other governments’ relation-
ships with cybersecurity policy? Such work will involve development of more precise
hypotheses and more systematic comparison with other theories of change. For
example, the effects of bureaucracy are held steady in the current study, but a major
aspect of US and other governments’ cybersecurity capacity and, in turn, policy is the
development and expansion of organizations, units, and practices devoted to cyber
defence and offence. Indeed, whereas cybersecurity is a fundamentally tactical and tech-
nical exercise that has been developing for decades, cybersecurity policy as an aspect of
national security or national priorities is relatively new. What is the precise relationship
between the functional and the strategic ends of cybersecurity policy? Do the exigencies
of day-to-day cybersecurity in fact drive the national policy agenda, rather than the other
way around? Finally, PET seems to imply that dramatic change is only possible during or
shortly after a systemic shock that undermines existing orthodoxies. As an empirical
matter, this needs to be tested on cybersecurity policy. As a matter of options available
to policy makers and others, this is concerning. If Trump’s approach to issues like cyber-
security policy did not constitute a shock to business-as-usual, what does? And what is
required to achieve fundamental change? For instance, at the end of Trump’s term, a
massive, months-long hack – dubbed SolarWinds – was revealed (Paul and Beckett
2020). “Defending forward” as well as more established practices all failed, but those
14 J. SHIVELY

approaches remained part of the strategic landscape when Joe Biden took the oath of
office and will likely constrain his administration’s policy options. Research into the par-
ameters of cybersecurity policy change is required.
The Biden and other, future administrations will benefit from observing the Trump
experience. Several possible lessons emerge. First, leadership attention matters but will
always be constrained. Cybersecurity is a particularly challenging issue because it
spans domestic and international jurisdictions, deepens public and private linkages,
and defies management by any one agency or organization. Presidential attention is
always limited; yet, without coherent messaging and a clear, unified policy model consist-
ently emanating from the president, responses across the bureaucracy and the private
sector will continue to proliferate. Second, and related, even if focused leadership
exists, it is most likely to be effective in policy and threat areas where the technology
is new or experiencing persistent change. For instance, there is virtually nothing any
given president now can do about the fact that the internet was created as an openly
accessible system; however, presidents may take action on reducing the exposure of
certain networks or increasing coordination and cooperation among public and
private actors. Third, the geopolitical situation and leaders’ associated threat perceptions
set the environment for any policy change. If that environment is relatively stable,
working up radically new policies that overcome existing inertia often will be prohibi-
tively difficult. This is why, for instance, presidents in nearly every era of US history
have exaggerated foreign or national security threats. Relevant veto players and stake-
holders typically resist major new security policies unless they feel that geopolitical
threats are growing or imminent. In sum, presidential impacts on cybersecurity policy
are constrained by whether and how three variables converge: the leader’s attention, sys-
temic technological change, and perceptions of systemic threat. Ultimately, the Trump
cybersecurity policy effort partially succeeded. It created space for “defend forward;”
however, as PET predicts, Trump’s administration did not experience the kind of eco-
logical shift necessary for a major, stepwise change. In addition, Trump’s relatively
low engagement with cybersecurity and his relatively unfocused leadership style
ensured that fundamental change would remain limited.

Disclosure statement
No potential conflict of interest was reported by the authors.

Notes on contributor
Jacob Shively received his Ph.D. from Indiana University and is an associate professor in the
Reubin O’D. Askew Department of Government at the University of West Florida, where he
studies foreign policy and grand strategy. His 2020 book is entitled Make America First Again:
Grand Strategy Analysis and the Trump Administration.

References
Akaev, Askar, and Vladimir Pantin. 2014. “Technological Innovations and Future Shifts in
International Politics.” International Studies Quarterly 58: 867–872.
 POLICY STUDIES 15

Ali, Idrees, and Phil Stewart. 2019. “Exclusive: U.S. Carried Out Secret Cyber Strike on Iran in
Wake of Saudi Oil Attack: Officials.” Reuters, October 16. https://www.reuters.com/article/us-
usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-
wake-of-saudi-oil-attack-officials-say-idUSKBN1WV0EK?utm_campaign=20191016&utm_
source=sailthru&utm_medium=email&utm_term=MEM%20send%20list.
Associated Press. 2017. “U.S. Charges Russian Officials, Hackers in Mass Yahoo Breach.” PBS
NewsHour, March 15. https://www.pbs.org/newshour/world/watch-live-justice-department-
expected-announce-charges-yahoo-hacking-reports-say.
Barnes, Julian E., and Thomas Gibbons-Neff. 2019. “U.S. Carried Out Cyberattacks on Iran.” The
New York Times, June 22. https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-
attacks.html.
Barrett, Brian. 2018. “White House Cuts Critical Cybersecurity Role as Threats Loom.” Wired,
May 15. https://www.wired.com/story/white-house-cybersecurity-coordinator/.
Baumgartner, Frank, Bryan D. Jones, and Peter B. Mortensen. 2014. “Chapter 3: Punctuated
Equilibrium Theory: Explaining Stability and Change in Public Policy Making.” In Theories
of the Policy Making Process, edited by Paul A. Sabatier, and Christopher M. Weible.
Boulder, CO: Westview Press.
Bendor, Jonathan. 2015. “Incrementalism: Dead yet Flourishing.” Public Administration Review 75
(2): 194–205.
Brimley, Shawn, Ben FitzGerald, and Kelley Sayler. 2013. “Game Changers: Disruptive Technology
and U.S. Defense Strategy.” Washington DC: Center for a New American Security.
Cioffi-Revilla, Claudio. 1998. “The Political Uncertainty of Interstate Rivalries: A Punctuated
Equilibrium Model.” In The Dynamics of Enduring Rivalries, edited by Paul Diehl, 64–97.
Chicago: University of Illinois Press.
Colaresi, Michael P., Karen Rasler, and William R. Thompson. 2008. Strategic Rivalries in World
Politics: Position, Space and Conflict Escalation. New York: Cambridge University Press.
Crowley, Michael, Falih Hassan, and Eric Schmitt. 2020. “U.S. Strike in Iraq Kills Qassim
Suleimani, Commander of Iranian Forces.” The New York Times, January 2. https://www.
nytimes.com/2020/01/02/world/middleeast/qassem-soleimani-iraq-iran-attack.html.
Department of Defense Strategy for Operating in Cyberspace. 2011. https://csrc.nist.gov/CSRC/
media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf.
Department of Homeland Security. 2020. Executive Order on Strengthening the Cybersecurity of
Federal Networks and Critical Infrastructure. October 28. https://www.dhs.gov/cisa/executive-
order-strengthening-cybersecurity-federal-networks-and-critical-infrastructure#.
Doran, Charles F. 1991. Systems in Crisis: New Imperatives of High Politics at Century’s End.
New York: Cambridge University Press.
Eckstein, Harry. 1975. “Case Studies and Theory in Political Science.” In Handbook of Political
Science, edited by Fred Greenstein, and Nelson Polsby, 79–137. Reading, MA: Addison-Wesley.
Executive Order 13757. 2016. “Taking Additional Steps to Address the National Emergency with
Respect to Significant Malicious Cyber- Enabled Activities.” 82 FR 1. Document no. 2016-
31922. Signed December 28, published 3 January 2017. https://fas.org/irp/offdocs/eo/eo-
13757.pdf.
Executive Order 138000. 2017. “Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure.” 82 FR 22391. Document no. 2017- 10004. Signed May 11, published 16 May
2017. https://www.govinfo.gov/content/pkg/FR-2017-05-16/pdf/2017-10004.pdf.
Farrell, Henry. 2017. “Hackers Have Just Dumped a Treasure Trove of NSA Data. Here’s What it
Means.” The Washington Post. Monkey Cage Blog, April 15. https://www.washingtonpost.com/
news/monkey-cage/wp/2017/04/15/shadowy-hackers-have-just-dumped-a-treasure-trove-of-
nsa-data-heres-what-it-means/?utm_term=.462c6e28e650&wpisrc=nl_cage&wpmm=1.
Garfinkel, Ben, and Allan Dafoe. 2019. “How Does the Offense-Defense Balance Scale?” Journal of
Strategic Studies 42 (6): 736–763.
Goertz, Gary. 2003. International Norms and Decision Making: A Punctuated Equilibrium Model.
New York: Rowman and Littlefield.
16 J. SHIVELY

Head, Brian W., and John Alford. 2013. “Wicked Problems: Implications for Public Policy and
Management.” Administration and Society 47 (6): 711–739.
Herrera, Geoffrey L. 2006. Technology and International Transformation: The Railroad, the Atom
Bomb, and the Politics of Technological Change. Albany, NY: SUNY Press.
Holsti, Ole R., and James N. Rosenau. 1986. “Consensus Lost. Consensus Regained? Foreign Policy
Beliefs and American Leaders, 1976-1980.” International Studies Quarterly 30 (4): 375–409.
Isikoff, Michael. 2018. “Former Trump Official: No One ‘Minding the Store’ at White House on
Cyberthreats.” yahoo!news, July 25. https://www.yahoo.com/news/former-trump-official-no-
one-minding-store-white-house-cyberthreats-090017630.html.
Jones, Bryan D., and Frank R. Baumgartner. 2012. “From There to Here: Punctuated Equilibrium
to the General Punctuation Thesis to a Theory of Government Information Processing.” Policy
Studies Journal 40 (1): 1–20.
Joobani, Hossein Aghaie, and Mohammadhossein Daheshvar. 2020. “Deciphering Trump’s
‘Maximum Pressure’ Policy: The Enduring Challenge of Containing Iran.” New Middle
Eastern Studies 10 (1): 2020.
Kanno-Youngs, Zolan, and Nicole Perlroth. 2020. “Iran’s Military Response May Be ‘Concluded,’
but Cyberwarfare Threat Grows.” The New York Times, January 8. https://www.nytimes.com/
2020/01/08/us/politics/iran-attack-cyber.html.
Lantis, Jeffrey S. 2016. Arms and Influence: U.S. Technology Innovations and the Evolution of
International Security Norms. Stanford: Stanford University Press.
Legro, Jeffrey. 2005. Rethinking the World: Great Power Strategies and World Order. Ithaca: Cornell
University Press.
Levinthal, Daniel A. 1998. “The Slow Pace of Rapid Technological Change: Gradualism and
Punctuation in Technological Change.” Industrial and Corporate Change 7 (2): 217–247.
Levy, Jack. 2008. “Case Studies: Types, Designs, and Logics of Inference.” Conflict Management
and Peace Science 25 (1): 1–18.
Lieber, Keir Alexander. 2005. War and the Engineers: The Primacy of Politics Over Technology.
Ithaca, NY: Cornell University Press.
Mahoney, James, and Gary Goertz. 2006. “A Tale of Two Cultures: Contrasting Quantitative and
Qualitative Research.” Political Analysis 14: 227–249.
Miller, Greg, and Ellen Nakashima. 2017. “WikiLeaks Says It Has Obtained Trove of CIA Hacking
Tools.” The Washington Post, March 7. https://www.washingtonpost.com/world/national-
security/wikileaks-says-it-has-obtained-trove-of-cia-hacking-tools/2017/03/07/c8c50c5c-0345-
11e7-b1e9-a05d3c21f7cf_story.html?utm_term=.eef95883ec86.
Moyson, Stephane, Peter Scholten, and Christopher M. Weible. 2017. “Policy Learning and Policy
Change: Theorizing Their Relations from Different Perspectives.” Policy and Society 36 (2): 161–
177.
Nakashima, Ellen. 2019a. “Trump Approved Cyber-Strikes Against Iran’s Missile Systems.” The
Washington Post, June 22. https://www.washingtonpost.com/world/national-security/with-
trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-
11e9-b570-6416efdc0803_story.html?utm_term=.351ce9390cea.
Nakashima, Ellen. 2019b. “U.S. Cyber Command Operation Disrupted Internet Access of Russian
Troll Factory on Day of 2018 Midterms.” The Washington Post, February 27. https://www.
washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-
internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-
11e9-af5b-b51b7ff322e9_story.html?utm_term=.48553489b774.
Nuruzzaman, Mohammed. 2020. “President Trump’s ‘Maximum Pressure’ Campaign and Iran’s
Endgame.” Strategic Analysis 44 (6): 570–582.
Nye, Joseph. 2016–2017. “Deterrence and Dissuasion in Cyberspace.” International Security 41 (3):
44–71.
Paul, Kari, and Lois Beckett. 2020. “What We Know – and Still Don’t – About the Worst-ever US
Government Cyber-Attack.” The Guardian, December 19. https://www.theguardian.com/
technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government.
 POLICY STUDIES 17

Pierson, Paul. 2004. Politics in Time: History, Institutions, and Social Analysis. Princeton:
Princeton University Press.
Porter, Patrick. 2018. “Why America’s Grand Strategy Has Not Changed: Power, Habit, and the U.S.
Foreign Policy Establishment.” International Security 42 (4): 9–46. doi:10.1162/ISEC_a_00311.
Presidential Notice. 2017. Continuation of the National Emergency With Respect to Significant
Malicious Cyber-Enabled Activities. Executive Office of the President. 82 FR 16099.
Document no. 2017-06583. Signed March 29, filed 31 Mar 2017. https://www.govinfo.gov/
content/pkg/FR-2017-03-31/pdf/2017-06583.pdf.
Report of the Select Committee on Intelligence United States Senate on Russian Active Measures
and Interference in the 2016 U.S. Election. 2020. Vol. 5: Counterintelligence Threats and
Vulnerabilities. 116th Congress 1st Session. Report 116-XX, August 18. https://www.
intelligence.senate.gov/sites/default/files/documents/report_volume5.pdf
Ruggie, John Gerard. 1975. “International Responses to Technology: Concepts and Trends.”
International Organization 29 (3): 557–583.
Saltzman, Ilai. 2013. “Cyber Posturing and the Offense-Defense Balance.” Contemporary Security
Policy 34 (1): 40–63.
Samuels, Richard J. 1994. “Rich Nation, Strong Army”: National Security and the Technological
Transformation of Japan. Ithaca: Cornell University Press.
Sanger, David E. 2016. “Obama Strikes Back at Russia for Election Hacking.” The New York Times,
December 29. https://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-
sanctions.html.
Sanger, David E., and William J. Broad. 2017. “Trump Inherits a Secret Cyberwar Against North
Korean Missiles.” The New York Times, March 4. https://www.nytimes.com/2017/03/04/world/
asia/north-korea-missile-program-sabotage.html?_r=2.
Sanger, David E., and Nicole Perlroth. 2019. “U.S. Escalates Online Attacks on Russia’s Power
Grid.” The New York Times, June 15. https://www.nytimes.com/2019/06/15/us/politics/
trump-cyber-russia-grid.html.
Schneider, Jackie. 2019a. “Iran Can Use Cyberattacks Against the U.S. That’s Not Nearly as Bad as
it Sounds.” The Washington Post, Monkey Cage blog, January 6. https://www.washingtonpost.
com/politics/2020/01/06/iran-can-use-cyberattacks-against-us-thats-not-nearly-bad-it-sounds/.
Schneider, Jacquelyn. 2019b. “The Capability/Vulnerability Paradox and Military Revolutions:
Implications for Computing, Cyber, and the Onset of War.” Journal of Strategic Studies 42
(6): 841–863.
Slayton, Rebeca. 2016/2017. “What Is the Cyber Offense-Defense Balance? Conceptions, Causes,
and Assessment” International Security 41 (3): 72–109.
Summary: Department of Defense Cyber Strategy. 2018. https://media.defense.gov/2018/Sep/18/
2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
Talmadge, Caitlin. 2019. “Emerging Technology and Intra-war Escalation Risks: Evidence from
the Cold War, Implications for Today.” Journal of Strategic Studies 42 (6): 864–887.
Taylor, Mark Zachary. 2016. The Politics of Innovation: Why Some Countries are Better Than
Others at Science and Technology. New York: Oxford University Press.
Valeriano, Brandon, and Benjamin Jensen. 2019. “How Cyber Operations Can Help Manage Crisis
Escalation with Iran.” The Washington Post, The Monkey Cage blog. June 25. https://www.
washingtonpost.com/politics/2019/06/25/how-cyber-operations-can-help-manage-crisis-
escalation-with-iran/.
Valeriano, Brandon, and Ryan C. Maness. 2015. Cyber War Versus Cyber Realities: Cyber Conflict
in the International System. New York: Oxford University Press.
Volz, Dustin. 2008. “Trump, Seeking to Relax Rules on U.S. Cyberattacks, Reverses Obama
Directive.” The Wall Street Journal, August 15.
Welch, David A. 2005. Painful Choices: A Theory of Foreign Policy Change. Princeton: Princeton
University Press.
White House. 2011. International Strategy for Cyberspace: Prosperity, Security, and Openness in a
Networked World, May. https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/
international_strategy_for_cyberspace.pdf.