The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already sufered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.Meanwhile, here is the executive summary...
The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future.
The Nation is at a crossroads. The globally-interconnected digital information and communications infrastructure known as “cyberspace”underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and eiciency than of security. Consequently, a growing array of state and non-state actors are compromising, stealing, changing, or destroying information and could cause critical disruptions to U.S. systems. At the same time, traditional telecommunications and Internet networks continue to converge, and other infrastructure sectors are adopting the Internet as a primary means of interconnectivity. The United States faces the dual challenge of maintaining an environment that promotes eiciency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.
The status quo is no longer acceptable. The United States must signal to the world that it is serious about addressing this challenge with strong leadership and vision. Leadership should be elevated and strongly anchored within the White House to provide direction, coordinate action, and achieve results. In addition, federal leadership and accountability for cybersecurity should be strengthened. This approach requires clarifying the cybersecurity-related roles and responsibilities of federal departments and agencies while providing the policy, legal structures, and necessary coordination to empower them to perform their missions. While eforts over the past two years started key programs and made great strides by bridging previously disparate agency missions, they provide an incomplete solution. Moreover, this issue transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective or authority to match the sweep of the problem.
The national dialogue on cybersecurity must begin today. The government, working with industry, should explain this challenge and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action. People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns. Further, similar to the period after the launch of the Sputnik satellite in October, 1957, the United States is in a global race that depends on mathematics and science skills. While we continue to boast the most positive environment for information technology firms in the world, the Nation should develop a workforce of U.S. citizens necessary to compete on a global level and sustain that position of leadership.
The United States cannot succeed in securing cyberspace if it works in isolation. The Federal government should enhance its partnership with the private sector. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure. There are many ways in which the Federal government can work with the private sector, and these alternatives should be explored. The public-private partnership for cybersecurity must evolve to deine clearly the nature of the relationship, including the roles and responsibilities of each of the partners. The Federal government should examine existing public-private partnerships to optimize their capacity to identify priorities and enable eicient execution of concrete actions.
The Nation also needs a strategy for cybersecurity designed to shape the international environment and bring like-minded nations together on a host of issues, such as technical standards and acceptable legal norms regarding territorial jurisdiction, sovereign responsibility, and use of force. International norms are critical to establishing a secure and thriving digital infrastructure. In addition, differing national and regional laws and practices—such as laws concerning the investigation and prosecution of cybercrime; data preservation, protection, and privacy; and approaches for network defense and response to cyber attacks—present serious challenges to achieving a safe, secure, and resilient digital environment. Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full beneits of the digital age.
The Federal government cannot entirely delegate or abrogate its role in securing the Nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and wellbeing of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that support government and private users alike. The United States needs a comprehensive framework to ensure a coordinated response by the Federal, State, local, and tribal governments, the private sector, and international allies to signiicant incidents. Implementation of this framework will require developing reporting thresholds, adaptable response and recovery plans, and the necessary coordination, information sharing, and incident reporting mechanisms needed for those plans to succeed. The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and the private sector and serves as the basis for informed and prioritized vulnerability mitigation eforts and incident response decisions.
Working with the private sector, performance and security objectives must be defined for the next-generation infrastructure. The United States should harness the full beneits of technology to address national economic needs and national security requirements. Federal policy should address requirements for national security, protection of intellectual property, and the availability and continuity of infrastructure, even when it is under attack by sophisticated adversaries. The Federal government through partnerships with the private sector and academia needs to articulate coordinated national information and communications infrastructure objectives. The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemniication, tax incentives, and new regulatory requirements and compliance mechanisms.
The White House must lead the way forward. The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously. This requires White House leadership that draws upon the strength, advice, and ideas of the entire Nation.