Disclaimer: The following is a paper I wrote many years ago as an inexperienced and (somewhat) young person interested in security. I’ve decided to share it here based on the policy discussions raised during the recent Senate Intelligence Committee hearing on the SolarWinds incident.
tl;dr My main thesis was that the overall security posture of the United States can be strengthened by a centralized federal authority that possesses both regulatory enforcement powers and the capability to facilitate Private Public Partnerships. At the time, I recommended DHS as the best option for this role. Note: this was before CISA even existed, so the reader can draw their own conclusions.
Abstract
Cyber threats are constantly growing in number and level of sophistication. The protection of United States critical infrastructure and privacy data relies on the implementation of effective cybersecurity initiatives and national policy objectives to increase awareness, protect critical infrastructure, and improve our capabilities for incident response. Congress has failed to enact significant legislation to mitigate the weaknesses in our cybersecurity mission, which has demanded a response by the executive branch to take the primary leadership role for U.S. cybersecurity policy efforts. Consistent and widespread application of executive authority presents challenges due to legitimate questions of constitutionality, and also critical difficulties with enforcement capacities. This results in a situation where there is an abundance of voluntary guidance in cybersecurity matters, but a significant lack of mandatory regulation. Exacerbating matters, cybersecurity leadership is ineffective due to redundant application of resources and decentralized authority structures. The national cybersecurity initiative could be better implemented with a clear leader tasked with overall coordination of cyber activities, development of specific policy frameworks, and the enforcement of regulation. The Department of Homeland Security is well positioned to assume this leadership role due to its historical role as an interagency coordinator, its previously established responsibilities for critical infrastructure, and its widespread ability to interface with enterprise and develop effective public-private partnerships.
Table of Contents
- List of Abbreviations and Acronyms
- Introduction
- Literature Review
- United States Cybersecurity Policy Evolution and Review
- Prominent Executive Guidance and Legislation
- Conclusions and Recommendations
- References
List of Abbreviations and Acronyms
- APT Advanced Persistent Threat
- CI Critical Infrastructure
- CNCI Comprehensive National Cyber Security Initiative
- CTIIC Cyber Threat Intelligence Integration Center
- DOD Department of Defense
- DHS Department of Homeland Security
- DOJ Department of Justice
- DNI Director of National Intelligence
- EO Executive Order
- FBI Federal Bureau of Investigation
- HSPD Homeland Security Presidential Directive
- IC Intelligence Community
- NCIJTF National Cyber Investigative Joint Task Force
- NCCIC National Cybersecurity Communications Integration Center
- NSA National Security Agency
- NSD National Security Directive
- NSPD National Security Presidential Directive
- OEC Office of Emergency Communications
- PDD Presidential Decision Directive
- PPD Presidential Policy Directive
- PPP Public-Private Partnerships
- SECDEF Secretary of Defense
- USCYBERCOM United States Cyber Command
- USSS United States Secret Service
Introduction
Problem Context and Significance
Cyberattacks in the United States are steadily increasing in their frequency and level of complexity, posing a serious threat to our national security in terms of social, economic, and infrastructure stability. The rapid evolution of technology and its increasing level of interconnectedness has contributed to the challenge of securing the foundation of critical services upon which many features of modern American life are maintained. The United States has become dependent on the uninterrupted operations of information systems and networks to provide critical services in the domains of commerce, defense, energy, transportation, and law enforcement.
President Barack Obama identified cybersecurity as one of the most serious challenges we face as a nation and described our national policy objective as “to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security” (Secretary, 2016).
Despite cybersecurity representing one of the most critical challenges the nation faces, our cybersecurity policy strategy remains inadequate for effectively addressing these threats to our national security. Several factors contribute to the challenges we face with the United States’ cybersecurity mission: an overall lack of authority and coordination of policy efforts across levels of government and between the private sector, systematic lack of cybersecurity education, an insufficient legislative agenda, and the need for the development of advanced technological solutions.
Legislation and executive guidance promote the United States cyberpolicy initiative, which is implemented through a confusing patchwork of government agencies with overlapping responsibilities regarding policy oversight, threat prevention, incident response, and investigation. Multiple agencies contain divisions with cybersecurity responsibilities, which can lead to poor coordination and misallocation of critical resources. The Department of Homeland Security (DHS), the Department of Defense (DOD), the United States Secret Service (USSS), the National Security Agency (NSA), the Director of National Intelligence (DNI), the Federal Bureau of Investigation (FBI), and every individual military branch all possess their own missions and operational units and deploy their own solutions for cybersecurity response and investigation. This breadth of cybersecurity responsibility represents the core problem of national cyberpolicy initiatives. Overlapping responsibility leads to redundancy, unnecessary costs, interdepartmental politics, a lack of clear direction, and ultimately, critical mission failure. Compounding the lack of coordinated authority across branches of government, the U.S. still lacks significant legislation that addresses cybersecurity by providing proper funding, enforcing regulation, and promoting collaboration between government and the private sector.
Research Question
Recognition of cybersecurity as a critical component of national security is becoming ubiquitous. Elected officials, bureaucrats, and cybersecurity and intelligence professionals have recognized the significance of cyberthreats and the escalation of state-actor level incidents as an indication that the national cybersecurity effort must be examined, strengthened, and comprehensively developed to safeguard the nation’s strategic interests while still ensuring the privacy rights and civil liberties guaranteed by the Constitution of the United States. The primary research question and goal of this project will be to determine the most effective allocation of cybersecurity resources and delegation of responsibilities to achieve the nation’s cyberpolicy objectives.
Methods
Research Design. A thorough Literature Review will be conducted to establish the context of the national cybersecurity situation and evaluate the scholarly assessment of the effectiveness of national cybersecurity initiatives. This project will have three major objectives: 1) Provide an overview of the current cybersecurity threat environment for the United States; 2) Apply a historical analysis of U.S. cybersecurity policy within the context of executive guidance and legislative initiatives to determine the status and effectiveness of the current national cybersecurity policy effort; and 3) Determine the appropriate leadership roles and authority structure in the U.S. cybersecurity framework and offer policy recommendations to enhance the efficiency of the allocation of critical resources.
Ultimately, the paper’s discussion will culminate with the further development of objective #3 into specific cybersecurity strategies and policy recommendations for the most reasonable and effective implementation of coordinated efforts across many domains (civilian government, military, private enterprise, IT, law enforcement) and through local, state, and national levels to address the “policy gaps” that exist within our current framework (Kshetri & Murugesan, 2013).
This project presents two complementary arguments. The first is that the Department of Homeland Security should assume leadership responsibility and act as the primary source of authority for security deployments, policy recommendations, regulatory enforcement, and the coordination of national cybersecurity implementations across government agencies and between public institutions and private enterprise. The second thesis posits that Congress should enact comprehensive legislation that not only ensures the national policy efforts headed by the DHS are properly funded but also confers the appropriate regulatory authority on DHS to enforce policy compliance as opposed to simply offering guidance documentation.
Literature Review
The Threat Environment
As the digital age continues to boom, the technological advancements in cyberspace and networking capabilities offer enormous opportunities to enhance our economy and people’s daily lives. However, these opportunities also present new risks to the security of our personal information and economic systems. Criminals, terrorists, and state-level actors have developed a potent arsenal that constantly threatens our identities, critical infrastructure, intellectual property, and sensitive financial data (Secretary, 2016).
Increased attention is now being given to the issues of cybersecurity for two primary reasons. The first is the sharp increase in scope, complexity, and persistence of cyberthreats (Ziring, 2015). This change in activity indicates a transition from simple script kiddies and petty criminals employing widely available exploit kits to the emergence of state-level actors acting as Advanced Persistent Threats (APT) against our national interests. The second reason for cybersecurity focus is the inherent risk that comes with the amount of information that is now stored in online and digital formats; as Ziring notes, “greater reliance leads to greater risk” (Ziring, 2015). The United States has become dependent on the uninterrupted operations of information systems and networks to provide critical services in the domains of commerce, defense, energy, transportation, and law enforcement (Ziring, 2015).
The increase in cybercrime is directly related to the explosive growth of online users, which number nearly 2.7 billion on a daily basis (Goutam, 2015). The vulnerabilities inherent in digital information systems are related to the very nature of the online environment itself. Cyberspace is a totally virtual environment that is essentially borderless and expandable without any regard to physical or political boundaries (Goutam, 2015). The expanding virtual environment offers malicious users a wide range of attack vectors and inflates the attack surface beyond the control of some organizations. Individuals, small and medium-sized businesses, and some government organizations simply lack the necessary resources and/or expertise to effectively deploy security controls to protect the data they hold.
The mounting evidence clearly suggests that cyberthreats are real and growing. Former DHS Secretary Janet Napolitano has warned that a “cyber 9/11” may be imminent and supported the enactment of legislation to increase national cybersecurity efforts (Information Management, 2013). The supporting evidence suggests the escalation of hacking activities beyond intellectual property theft with a new focus on targeting critical infrastructure (CI). The American security firm Mandiant has investigated a Chinese hacking group called “Comment Crew,” and its reports suggest that the group is shifting its focus from hacking companies such as Coca-Cola to companies involved with supporting and managing CI such as water, gas, and electrical lines (Information Management, 2013).
Thus far, there have been no major incidents of cyberattacks on US critical infrastructure, such as a “Cyber 9/11”, as many analysts have warned (Rid & Arquilla, 2012). However, mounting evidence suggests that the threat environment in cyberspace is quickly developing into a national security matter, with critical aspects suggesting cyber warfare with state-level and terrorist actors as opposed to mere criminal activity (Rid & Arquilla, 2012). China has launched numerous cyberattack campaigns against US interests that have primarily focused on the exfiltration of intelligence information and intellectual property in the realms of energy, aerospace, and military technologies, and as we have seen, they have refocused their initiatives on CI targets (Wechsler, 2016). Russia, while also actively stealing US intellectual property, has targeted CI, and is launching attacks against the very social framework of the US by creating social strife, inciting dissent, and attempting to undermine our democratic order (Intelligence Community Assessment, 2017).
The escalation of cyberwarfare activities is surely cause for great concern. However, an opposing viewpoint presented by Thomas Rid suggests that cyberwar is not actually occurring and that the current state of cyber-attacks should be categorized as sabotage and espionage and may ultimately reduce the amount of political violence (Rid T., 2013). Rid’s argument hinges on a literal interpretation of the definition of war by the military theorist Carl von Clausewitz, suggesting that to qualify as an act of war, any aggressive activity must satisfy three criteria: the act is violent, or potentially violent; the act is instrumental in the use of force as a means to compel another to cede to the actor’s will; and the attack has some political goal or intent (Rid T., 2013). Rid argues that no cyber-attack has fulfilled these criteria. Further, he states that cyber-attacks may ultimately be good, because sabotage and espionage activity offer States an opportunity to act against their rivals and promote their interests without actually engaging in physical violence (Rid T., 2013). In this way, cyber-attacks may represent a sort of political pressure valve that allows tension to be periodically relieved through acts of sabotage and not war; it is much easier and safer to launch a cyber-attack than to launch a missile.
Establishing parameters for cyber-attacks and distinguishing between those that constitute acts of war or merely sabotage and espionage is critical because these classifications directly affect the United States’ ability to respond with defensive and offensive operations in support of its overall national cybersecurity objectives (Lin, Allhoff, & Rowe, 2012). Generally speaking, the United States Congress retains legal authority over acts of war and war powers. However, the President does have historical precedent for implementing operations in the interest of national security. The new conflicts in cyberspace challenge the existing regulatory regime because there is no significant legislation that supports objectives related to cybersecurity and policy objectives. With specific regard to issues of cybersecurity, the executive branch has assumed the primary role with guidance efforts, although it lacks the formal, legal authority to enforce regulation (Abebe, 2016). It is in this regard that the executive branch is constrained internally due to the lack of regulatory powers, but also constrained externally due to international law and the principles of just cause for warfare operations (Abebe, 2016).
The Government Response: Policy and Organization
The evidence of escalating cyber-attacks and the failure of Congress to pass any meaningful legislation to address national cybersecurity policy illustrate how the current national cybersecurity defense initiative does not appropriately address the threat environment. The executive branch has tried to fill the void by providing policy leadership, and while significant progress has been made to secure critical infrastructure and enhance public-private partnerships, cybersecurity authority remains decentralized and ineffective at achieving national policy goals.
Several attempts have been made with executive action by the Clinton, Bush, and Obama administrations to address weaknesses with national cybersecurity policy and establish guidelines for policy implementations. However, significant policy gaps remain due to lack of political will, issues with coordination and control of policy objectives, complications with inter-departmental enforcement, and ambiguous or disinterested congressional oversight (Newmeyer, 2012).
Several factors contribute to the lack of effectiveness of current policy, but the most critical issue is the need for strong, centralized leadership with budgetary control and regulatory authority that can implement and enforce policy throughout the federal government and amongst public-private partnerships (Newmeyer, 2012). Current cybersecurity policy is incomplete, because it is primarily based on executive action that cannot compel compliance (Kshetri & Murugesan, 2013). In the absence of legal requirements to comply with national standards, the government cannot penalize departments or private organizations who fail to implement the necessary security controls.
There is also a severe lack of leadership and accountability within private enterprise. With a lack of government enforcement capabilities, other market forces could possibly fill the void (Hathaway, 2012). This would essentially represent shareholders and customers acting as the agents to spur the implementation of security controls to address cyber risks. Still, this would represent reactive leadership, and the current cybersecurity threat environment demands leadership that is proactive in addressing and implementing policies to support cybersecurity initiatives (Hathaway, 2012).
The bottom line is that any significant progress in the advancement of national security objectives must entail collaboration and communication between government agencies and private business organizations. This can most effectively be handled through the establishment of Public-Private Partnerships (PPP) according to methodology supported by research literature. The qualitative model for successful PPPs is a four-tier model that must be built from the ground up, beginning with Trust, and continuing through Clear Legal Guidance, Structural Approaches, and finally Community Involvement (Manley, 2015). These four essential elements are critical ingredients for establishing a lasting partnership between the government and businesses. The United States is headed in an encouraging direction regarding PPPs, but trust levels still need to be supported to ensure real cooperation; private enterprise remains wary of government overreach if the government can access too much private financial and consumer data (Manley, 2015).
The role of government authority and the extent of its legal application of cyber power can be examined within the context of cybersecurity as a public good (Asllani, Ettkin, & White, 2013). Asllani et al. make the argument that cybersecurity can be compared to concepts such as public safety in that the government should be mandated by legislation to ensure and enhance the safety of the American public. This view of a national cybersecurity doctrine provides the legal framework for the financing of cybersecurity through taxes and justifies legal compliance through regulation. Further, viewing cybersecurity as a public good not only justifies governmental responsibility for cybersecurity, but it also demands that government provide comprehensive frameworks to protect citizens from cybercrime, cyberterrorism, and acts of cyberwar (Asllani, Ettkin, & White, 2013).
Mark D. Young continues criticisms of current leadership strategies and argues that it is not merely the misallocation of resources hampering cybersecurity efforts, but the lack of a formal doctrine to assess and ensure national cybersecurity objectives. He suggests that U.S. Cyber Command (USCYBERCOM) was established with too broad a mission and without specific directives for ensuring inter-agency cooperation (Young, 2010). A national cybersecurity doctrine would encourage better integration between business, government, academic, and civil sectors and not only contribute to better decision-making processes but also help identify skills gaps and encourage reassessment of education programs to address current security deficiencies (Young, 2010).
We have seen several arguments that a national cybersecurity effort can only be successful through effective communication and interagency cooperation. Further, successful policy objectives can only be achieved with the appropriate authority conferred through enforceable legislation with compliance requirements. Most sources agree that cybersecurity is everyone’s responsibility, from the individual citizen to private enterprise to government agency. Very few of the sources agree on who, specifically, should hold the ultimate responsibility for the United States cybersecurity efforts. The lack of consensus through interdepartmental politics and the absence of legal authority delays policy implementations and weakens the overall cybersecurity initiative.
There are several departments that could potentially serve as viable candidates for the primary role of responsibility for cybersecurity, and many authors have presented models for U.S. cyberpolicy leadership. Kevin Newmeyer argues that there are three primary options for an effective cyberpolicy leadership model: 1) the creation of a White House-level “Czar” position in the Executive Office of the President, 2) designation of a current cabinet-level department, and 3) creation of a national Director of Cybersecurity (DCYBER) similar to the creation of the Director of National Intelligence (DNI) in the aftermath of the 9/11 attacks (Newmeyer, 2012). Each option has both positives and negatives, which will be discussed in further detail later in the paper within the context of specific policy implementations.
United States Cybersecurity Policy Evolution and Review
The following policy review presents a chronological analysis regarding the evolution and historical development of U.S. national cybersecurity policy. The analysis will cover certain landmark legislative measures; however, the bulk of cyber policy initiatives are a direct result of executive authority through Executive Orders (EO), Presidential Decision Directives (PDD), National Security Directives (NSD) and Presidential Policy Directives (PPD). Unfortunately, executive action is necessary for the development of any policy directives due to the inadequate Congressional response to cybersecurity challenges. The executive actions taken by President Clinton, President G.W. Bush, and President Obama have certainly helped to establish policy frameworks, improve interagency cooperation, and encourage collaboration between the public and private sectors, but lacking the legal authority to enforce compliance introduces critical gaps in our defensive capabilities. Guidance is not as powerful as regulation, and it is for this reason that cyber policy must be supported by legislation that not only incentivizes but compels policy adoption and adherence. Establishing the following historical context is critical to illustrate the overlapping redundancy in resource allocation and to identify gaps in the implementation.
Prominent Executive Guidance and Legislation
Computer Security Act of 1987. Established computer security at the federal level as a national priority. This was the first major legislation that specifically addressed computer security and established minimum standards for the implementation of security controls. This law is notable for two primary reasons: requiring the development of security policies for government computer systems and the designation of the National Institute of Standards and Technology (NIST) as the primary organization with responsibilities to develop the security framework. This act was subsequently superseded with the passing of FISMA in 2002 (Computer Security Act of 1987, 1998).
National Security Directive 42 (NSD-42) (1990). The National Policy for the Security of National Security Telecommunications and Information Systems, or NSD-42 was a classified EO that established the Committee on National Security Systems (CNSS), a specialized council that provides advice and guidance to the president on security matters. The mission of the CNSS is to provide a forum for the discussion of critical security objectives, development of national policy by providing direction, operational procedures, and guidance for the security of information systems that are vital to national security. The CNSS is an interagency collective that is chaired by the Department of Defense, but includes members from the NSA, CIA, FBI, DOJ, and all branches of the U.S. military. This is the first example of interagency cooperation on a large scale with a specific cyber policy focus (White House, 1990).
Creation of the Office of Homeland Security (2001). The terrorist attacks of September 11, 2001 led to the establishment of this executive office. The original purpose of the office was to administer and coordinate “a comprehensive national strategy to safeguard the country against terrorism and respond to any future attacks” (DHS, 2014). The office was created eleven days after the attacks as an urgent action to immediately secure the homeland within the domains of aviation, border security, and information sharing. Its initial mission was more closely aligned with counterterrorism and emergency response and did not explicitly concern national cyber operations.
USA PATRIOT Act (2001). A further response to the 9/11 attacks was the enactment of legislation called “The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.” Being a specific response to 9/11, this law is clearly focused on counterterrorism activities; however, it does have broad implications concerning cybersecurity, particularly with respect to the domains of individual privacy, law enforcement, and forensic investigation. The PATRIOT Act increased interdepartmental cooperation and information sharing capacities, which does have a direct effect on cybersecurity coordination and response (USA PATRIOT Act, 2001).
Homeland Security Act of 2002. Officially reorganized the Office of Homeland Security into the Department of Homeland Security (DHS). The elevation of the office to a cabinet-level department caused DHS to become a new, stand-alone government agency with corresponding cabinet-level authority and congressional oversight. The creation of a new cabinet department was the most significant structural change to the U.S. government in over 50 years and included a widespread reorganization of a confusing patchwork of activities into a singular department with a unified authority (DHS, 2002). The primary mission of DHS remained the prevention of and response to terrorist attacks, but the new legislation also significantly broadened the department’s authority to dictate the sharing of information between government agencies (NSA, FBI, CIA, DEA, DOT, USSS) and to facilitate the development of public-private partnerships within the enterprise sector. The Act directed DHS to place a high priority on cyber terrorist attacks and granted it the broad authority to unify cyber activities between a wide range of government units including the Critical Infrastructure Assurance Office (Department of Commerce), the National Infrastructure Protection Center (within the FBI), the Federal Computer Incident Response Center (General Services Administration), and the National Communications System (Department of Defense) (DHS, 2002). This Act arguably represents the most significant example of legislative action with respect to cyber policy, as it set the precedent for DHS to legally consolidate and assume authorities of other governmental agencies, and because of the broad discretion DHS was given to interface with the public sector. Future executive action would build on this legislation with the incremental expansion of DHS authority and capabilities.
Executive Order 13286 (President Bush, 2003). “Amendment of Executive Orders, and Other Actions, in Connection with the Transfer of Certain Functions to the Secretary of Homeland Security.” In EO 13286, the DHS begins taking a major role in cybersecurity operations, particularly in the context of protection of critical infrastructure. It gave the Secretary of Homeland Security executive authority over the National Communication System Committee of Principals, which are the collective agencies and private organizations that own or lease telecommunication assets. The EO also brought the National Infrastructure Advisory Council (NIAC) under the authority of the DHS Secretary. The NIAC is a multidisciplinary advisory council that is made of members from across governmental agencies, enterprise, academia, and non-profit sectors. This EO further consolidated cyber authority under the DHS and broadened its ability to facilitate public-private partnerships (White House, 2003).
Homeland Security Presidential Directive 7 (HSPD 7) (2003). “Directive on Critical Infrastructure Identification, Prioritization, and Protection.” HSPD 7 ordered the DHS to become the “focal point” of cybersecurity operations and facilitated cooperation between governmental agencies and the private sector. The DHS’s role is expanded to include essentially anything related to national security, including cybersecurity operations (White House, 2003).
National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 (NSPD 54 / HSPD 23) (President Bush, 2008). Simply titled “Cybersecurity Policy,” this dual executive order served as the first major policy document to comprehensively address the United States cybersecurity mission by establishing the policy, strategy, guidelines, and implementation actions to secure the cyber domain. Its further goals were to clarify federal authority roles and integrate technical capabilities across governmental agencies to better address the growing sophistication of cyber threats. There were two major policy developments because of NSPD 54/HSPD 23: the creation of the National Cybersecurity Center (NCSC) and the establishment of the Comprehensive National Cyber Security Initiative (CNCI). The NCSC was a newly formed office under the DHS to serve as the focal point for the sharing of information to protect federal information system networks. The NCSC is composed of representatives from the NSA, FBI, CIA, and the DoD. The director of the NCSC is appointed by and directly reports to the Secretary of the DHS, although the Secretary of Defense, Attorney General, and the DNI must concur on the appointment. While the creation of the NCSC appears to be a further consolidation of power within DHS, the order explicitly states that the Director has coordinative authority, “however, this authority does not allow the Director to compel agreement or exercise command; rather, it creates a consultative structure” (White House, 2008). Although this order represents a fundamental improvement in interagency cooperation, limitations on overall cybersecurity policy objectives remain due to the lack of enforceable centralized authority. Individual agencies consult and coordinate but are free to carry out their individual and de-centralized policy implementations. Coordination is certainly advantageous, but it does not equal control.
The second major aspect of NSPD 54/HSPD 23 was the establishment of the Comprehensive National Cyber Security Initiative (CNCI), a forward looking and dynamic policy strategy with a broad scope and multiple objectives. Its main goals were to enhance cybersecurity situational awareness between the private sector, academia, federal, state, and local governments; enhance cybersecurity counterintelligence capabilities and incident response; and to the strengthen the future of cybersecurity research, education, and skills training (White House, 2008).
Executive Order 13587 (President Obama, 2011). “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.” The goal of EO 13587 was to establish policy regarding how to share and safeguard classified information while protecting privacy and civil liberties. This EO mainly had personal privacy implications, however from an operational standpoint, it introduced new guidelines and approaches on how the government should address insider threats and to mitigate the potential damage to national security in the event of sensitive data leaks (White House, 2011).
Executive Order 13618 (President Obama, 2012). “Assignment of National Security and Emergency Preparedness Communications Functions.” This EO streamlined government’s ability to communicate during a crisis or emergency situation by establishing operational guidelines. These guidelines included the requirement to dissolve the National Communications System, an office that had been formerly transferred to the DHS from the DoD. The critical functions of the NCS were absorbed into the Office for Emergency Communications (OEC), under the supervision of the Secretary of Homeland Security (White House, 2012).
PPD 21 (President Obama, 2013). “Critical Infrastructure Security and Resilience.” This order’s primary goal is to “provide strategic guidance, promote a national unity of effort, and coordinate the overall Federal effort to promote the security and resilience of the Nation’s critical infrastructure (White House, 2013).” PPD 21 reinforces the U.S. approach to cybersecurity efforts in strengthening the protection of critical infrastructure objectives. The order also formally requires the Secretary of DHS to “provide strategic guidance, promote a national unity of effort, and coordinate the overall federal effort to promote the security and resilience of the Nation’s critical infrastructure (White House, 2013).” PPD 21 clarifies the role of DHS as the primary agency responsible for the protection of CI and as the focal point for the communication and interfacing of public-private partnerships. PPD 21 extends the definition of CI to potentially include new industries by using broad language that defines CI as, “any organization and associated systems where a cyberattack could pose a threat to U.S. national security, public safety and health or economic interests (White House, 2013).”
Executive Order 13636 (President Obama, 2013). “Improving Critical Infrastructure Cybersecurity.” EO 13636 offers further policy guidance for the protection of critical infrastructure by improving information sharing between the public and private sectors. The order builds upon previous designations of NIST as the primary agency for the development of cybersecurity policies and for the implementation of best practices. It builds upon previous orders by directing NIST to develop a cybersecurity framework that is technology neutral and broadly applicable in a variety of scenarios. The order also promotes and incentivizes the adoption of these cybersecurity best practices in the private sector. However, the order explicitly states that implementation of suggested best practices is purely voluntary and does not assume any regulatory authority beyond that already established under existing and applicable laws (White House, 2013).
Executive Order 13691 (President Obama, 2015). “Promoting Private Sector Cybersecurity Information Sharing.” Enhances public-private sharing of classified information by building upon the previous directives PPD 21 and EO 13636. This order specifically directs that the ultimate goal of cybersecurity information sharing between government agencies, non-profit organizations, and the private sector must possess the capability to coordinate in “near real-time” in the event of a cybersecurity incident. The EO directs the Secretary of Homeland Security to “strongly encourage” the development and formation of Information Sharing and Analysis Organizations (ISAOs). The DHS is ordered to oversee and coordinate communication between ISAOs through the office of the National Cybersecurity and Communications Integration Center (NCCIC). The Secretary of DHS is given broad collaborative and consultative authority and “shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order (White House, 2015).”
Presidential Memo: Establishment of the Cyber Threat Intelligence Integration Center (CTIIC) (President Obama, 2015). The CTIIC was created under the authority of the Director of National Intelligence and its mission is to facilitate and support the intelligence sharing and improve the national coordination of incident response, network defense, and cyber threat investigation initiatives underway at other federal agencies. The CTIIC is a non-operational center and is not intended to replace functions of other operational cyber facilities, but to support the missions of the NCCIC at the DHS, the NCIJTF at the DOJ, and the USCYBERCOM at the DoD (White House, 2015).
Cybersecurity Information Sharing Act of 2015 (CISA). Signed into law on December 8, 2015. CISA stands as the first major piece of cybersecurity legislation to be enacted in over a decade since the creation of the Department of Homeland Security in 2003. The primary objective of CISA builds upon previous executive action and aims to improve and encourage information sharing between the private sector and governmental agencies. The key provisions of CISA allow private organizations to share or receive information regarding cyber threat indicators and defensive measures for a cybersecurity purpose. While this legislation does not legally compel information sharing, it does encourage better communication by protecting private organizations from potential liability from litigation for privacy violations, anti-trust activities, and FOIA waivers of privilege (Cybersecurity Information Sharing Act of 2015, 2015).
Cybersecurity National Action Plan (CNAP) (President Obama, 2016). The CNAP was the culmination of national cybersecurity policy throughout the Obama administration. The approach of CNAP was to serve as a capstone to the incremental improvements and to build upon the lessons learned throughout the President’s eight years in office. The plan contained four major policy areas: 1) Establish the Commission on Enhancing Cybersecurity 2) Invest heavily in the modernization of government’s technology infrastructure 3) Raise public awareness of cybersecurity issues and empower people to better implement security controls 4) Significantly increase general cybersecurity funding across several domains (White House, 2016).
The Commission on Enhancing Cybersecurity was a bi-partisan, multi-disciplinary committee comprised of top strategic members from business, academic, and governmental sectors tasked with developing policy recommendations to further enhance national policy efforts over the coming decade. Policy goals included the strengthening of private and public cybersecurity partnerships, enhancing and protecting privacy rights of individual citizens, and developing new technological solutions for future challenges (White House, 2016).
The second major proposal of CNAP was the establishment of a 3.1-billion-dollar technology modernization fund to assess, re-configure, consolidate, and update the federal government’s aging technological infrastructure. This comprehensive overhaul of the federal infrastructure is critical to install better, more secure equipment and to adopt new and emerging technologies to protect national security (White House, 2016).
The third proposal of CNAP was a widespread public education program whose primary goals would be to raise public awareness of critical cybersecurity issues and to invest and expand national efforts in cybersecurity education and job training. Awareness campaigns would be conducted in conjunction with leading technology firms such as Google, Facebook, and Microsoft to empower citizens to become engaged with and take actions to secure their own accounts with a focus on secure password implementations and multi-factor authentication. The federal government will further work with the Small Business Administration to provide cybersecurity training to 1.4 million small businesses and their workers (White House, 2016).
The final major provision of President Obama’s CNAP was the investment of over 19 billion dollars (a 35% increase) worth of funding to enable agencies to raise their level of cybersecurity, help private sector organizations and individuals better protect themselves, disrupt and deter adversary activity, and respond more effectively to cybersecurity incidents (White House, 2016).
Executive Order: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (President Trump, 2017, Proposed Draft). A possible Trump EO draft was widely circulated but signing of the order was delayed due to confusion over possible conflicts with FISMA. If legitimate, the proposed EO seems to suggest that a Trump administration would continue focusing on cybersecurity goals by enhancing public-private partnerships, strengthening protections for CI, and increasing funding for cybersecurity objectives, particularly within the DoD. Signing of the proposed order was delayed/canceled and its current status is unknown (Rosenzweig, 2017).
Policy Roles and Leadership Models
Cybersecurity is one of the most critical economic and national security issues the nation faces (Executive Office of the President of The United States, 2010). Indeed, the “cyber threat is the most pervasive and pernicious threat” challenging the U.S. today (Sharp, 2010). The problem of national cybersecurity is certainly complex and multi-faceted; but it is one that is not insurmountable. It can be addressed with a thorough review and refocusing of federal efforts to reform the U.S. information and communications infrastructure and with the development of a comprehensive approach that focuses on leadership, accountability, and efficient deployment of cyber resources. Despite the universal understanding that national cybersecurity policy is a critical issue, national efforts fall short of our objectives due to a lack of political will and a lack of consensus on the appropriate deployment and configuration of leadership models. We have seen several recurring themes that represent the primary contributing factors that serve as limitations to successfully implementing our national cybersecurity objectives. These basic issues are: 1) The reliance on executive action in the absence of effective legislation 2) Ineffective, voluntary Guidance instead of legally mandated Regulatory Compliance 3) Redundant cyber operations and overlapping resource allocation 4) A lack of centralized authority with budgetary control and regulatory power.
Clearly, with such a complicated and dynamic problem, there is no neat solution that can be implemented to immediately fix all problems. However, there are several actions the government should take to more successfully address the current threat environment of cyber-attacks and better prepare all levels of society to respond to incidents and emergency situations. At its core, the root cause of our cyberpolicy failure is ineffective leadership. The U.S. has sufficient resources and capabilities to address cybersecurity; it simply needs to improve its communication infrastructure and leadership models. Unfortunately, resolving this problem is far from simple when the problem is considered within the context of the federal government, complete with its complex power relationships, budgetary battles, and turf wars over authoritative and operational domains.
Numerous studies and reports have been conducted with the intended objective of offering policy recommendations to guide the future of national cyberpolicy, but often these efforts become overly complicated and bogged down in the same type of detailed administrative minutiae they are intended to address and combat. While these reports hold tremendous value, an in-depth focus on agendas and action-items may only serve to proverbially “put the cart before the horse” in terms of policy. Concrete action-items mean little when there remains a leadership vacuum devoid of the authority to implement them. This report will instead attempt to focus on broad recommendations for a general direction and focus of U.S. cyberpolicy efforts in terms of its organization of leadership models. The effort should result in an acceptable answer to the question: “who should be in charge of cybersecurity?”
The general recommendations of the paper include: 1) Implementing a bold legislative agenda that eliminates redundant operational assets and resources and enacting new regulations for the adoption of cybersecurity best practices; by 2) Consolidating federal cyber power in a specific department with centralized authority and the capacity to enforce regulation and facilitate cooperation with public-private partnerships.
There are a variety of basic options for the implementation of a national cybersecurity policy leadership framework. This includes three primary models that could be implemented to satisfy the role of a national cybersecurity coordinator: 1) a Czar-type position within the White House’s Executive Office of the President 2) the designation of a cabinet-level department (with the Department of Homeland Security and the Department of Defense as the strongest candidates), or 3) the creation of an entirely new cabinet-level position: the Director of Cybersecurity (DCYBER) similar to the role of the DNI but focused specifically on cyberpolicy.
Cybersecurity Czar or Executive Cyber-Coordinator
The first model, or leadership option, is represented by a powerful national coordinator in the White House Executive Office of the President. This is similar to the current configuration and closely represents the federal government’s current status quo approach. However, even within this specific area, there are overlapping roles and redundant structures of responsibilities. There is a formal position of Chief Information Security Officer (CISO) within the Office of Management and Budget, but it has also been customary for Presidents to appoint an informal policy advisor, or “cyber czar,” to act as a special coordinator from within the White House. The Commission on Enhancing National Cybersecurity’s report, which was the direct product of President Obama’s 2016 CNAP, recommends clarifying these roles by empowering the President’s cybersecurity advisor to “lead national cybersecurity policy and coordinate programs” while clarifying the OMB’s role of CISO to take the lead in risk management, assessment, and assurance programs (Donilon & Palmisano, 2016).
The centralization of power within the White House has several attractive benefits for the direction of effective cyberpolicy. A White House czar has direct access to the President and has the potential to utilize the increase in visibility and media attention with what is, essentially, a bully pulpit to increase national awareness for cybersecurity issues that may normally go unreported (Newmeyer, 2012). A cyber czar also has the ability to use the President’s authority to diffusely apply political pressure from the White House across the rest of the executive branch to influence policy decisions and encourage cooperation. A national coordinator in the White House with a direct line to the President could also contribute operational agility during emergency response scenarios. The primary benefit of a national cyber coordinator role is the strategic focus that could provide a single point of authority specifically for cybersecurity issues, and cut through the overlapping missions, redundant resources, and poor coordination currently in evidence across the federal government (Sharp, 2010). Despite the attractiveness of cyber leadership roles being consolidated within the White House, there are serious issues with such an implementation. The first issue would be a National Cyber Coordinator’s lack of budgetary control and authority. A White House office would lack the ability to dictate and control resource allocation to DHS and DOD. Money talks in Washington, and without oversight of tangible resources, a coordinating role would lack the power to significantly implement policy. A coordinating role is simply that; a coordinator would have no operational authority to direct and control either offensive or defensive cyber operations. Finally, a White House czar would have no legal authority to impose regulation and lacks congressional oversight.
Accountability to Congress is critical for the establishment of budgetary control and the authority to enforce regulatory compliance. However, subjecting a National Coordinator to the authority of Congress introduces its own complications in the midst of a bitter political climate. If legislation were enacted to establish a cyber coordinator, potentially undesired circumstances such as compulsory testimony and challenging confirmation procedures could work to offset the advantages the position has gained (Newmeyer, 2012).
Creation of a new Cybersecurity Directorate
An alternative option would be the creation of a new “director level” position in a similar vein as the DNI, but with a specific cybersecurity focus. This could also be considered a variation of the White House cyber czar model, but with a critical and distinct modification. Instead of purely relying on executive authority, this new DCYBER would require legislative efforts to establish Senate confirmation with congressional oversight and budgetary powers to control lines of authority across previously autonomous departments. This would eliminate concerns over executive overreach while simultaneously imbuing the director with legitimate legal authority based on constitutional processes. Similar to the DNI model, the new Director of Cybersecurity (DCYBER) would coordinate the cyber activities across all levels of the federal government and direct the communication and sharing of information with the private sector. Just as the DNI serves as the head of the intelligence community, the DCYBER would act as the focal point of authority for all cyber activities and would need to be intimately experienced with interagency cooperation and executing budgetary priorities across departments with competing missions and objectives.
An additional advantage to a DCYBER would be their very specific focus on cybersecurity issues. The DHS has a very diverse range of responsibilities and missions from border security, disaster relief, emergency response, and combating domestic terrorism. Similarly, the DOD is heavily engaged with foreign intelligence and warfighting activities that demand considerable attention and resources. The relative simplicity and narrow focus of DCYBER’s mission would be advantageous to identify priorities and set the national policy agenda and provide the clear leadership that is so desperately needed (Nielsen, 2012).
The challenges with a DCYBER position are primarily related to its reliance on new legislation. Enacting legislation is difficult in our current political climate, and whenever the new law contains dramatic reorganizations of the federal government, there would be significant obstacles to overcome. Typically, a congressional action of this kind of significance would require a dramatic cultural event such as a cyber 9/11 or other devastating event, similar to 9/11, which spurred the creation of DHS for terrorism. Without such an instigating event, it is doubtful that the political will to achieve such a visionary legislative action would exist.
Even upon the successful passing of laws creating a new DCYBER position, the effectiveness of the director would rely on how the legislation was written and what level of authority was given to the position. A successful DCYBER would require capabilities with operational authority, directive control of network infrastructure, responsibilities for establishment of best practices, and authority to direct the research and development of new cybersecurity technologies (Sharp, 2010). If the resultant legislation were to fail to provide these powers, the position would become merely a coordinator without directive capabilities. A DCYBER with only coordinating capacities would only represent a rearranging of the deck chairs and result in essentially the same leadership dilemma the country currently finds itself in.
Current Cabinet Level Department
Placing a cabinet-level department in the leadership role for cybersecurity has many attractive advantages, and directly addresses the major limitations of a role that is contained within the White House. Cabinet departments are subject to congressional oversight with budgetary and confirmation processes built into the legislative control mechanisms. This gives cabinet departments direct control of resource allocation, operational capabilities, and empowers departments to enforce regulatory authority across government agencies and within the private sector. This statutory authority can be stipulated by law, giving these agencies broader power contexts, and simultaneously alleviating concerns about executive overreach and the potential for bypassing constitutional checks and balances of a position that only answers directly to the President.
Additionally, addressing national problems through the implements of federal departments is the traditional response of the government. This is the way of operating that the government is comfortable with and experienced in, providing a solid foundation for implementing more visionary changes. Tradition and familiarity should not be discounted when considering the operations of a vast bureaucracy such as the federal government. Of course, simply affirming cabinet-level authority as the most capable role for cybersecurity leadership is insufficient. The obvious follow-up question is which department is best suited to successfully performing as the leader in national cybersecurity policy. There are really only two viable contenders: The Department of Homeland Security and the Department of Defense. Both of these departments have intriguing capabilities and potential factors to limit their effectiveness.
Department of Homeland Security. The DHS is a logical choice to provide centralized leadership for a variety of reasons. The DHS has assumed a broad range of authorities through both executive action and legislation that gives it a powerful combination of authority and capability. It is a cabinet-level department which gives it broad budgetary authority, existing regulatory capacity, and it already assumes a great deal of responsibility for protecting the nation against non-cyber incidents (Coldebella & White, 2010). DHS also currently serves as the leading cyber coordinator for interagency cooperation, interfacing with the private sector, and protection of national critical infrastructure.
The DHS is unique among federal agencies in its breadth and depth of responsibilities. It is a great candidate as a national cyber coordinator because the department was devised and constructed to perform in such a role. It was built to coordinate activities across government agencies and within the private sector (Coldebella & White, 2010). A series of legislative and executive actions has only strengthened the case for DHS cyber leadership as more responsibility in cybersecurity-specific issues and critical infrastructure has been delegated to DHS. The department already has all of the tools and legal authorities to serve as the cybersecurity leader. The Homeland Security Act of 2002 serves as the basis for DHS information sharing and coordination activities (DHS, 2002). Executive Order 13286 extended DHS authority to establishing public-private partnerships and interfacing with enterprise and academic sectors to increase national cyber situational awareness (White House, 2003). The joint directive, NSPD 54 / HSPD 23, created the NCSC under the authority of the DHS and formally established the lines of communication between law enforcement, intelligence, and defense communities with DHS as the focal point and coordinator (White House, 2008). Executive Order 13618 transferred more emergency preparedness and incident response capabilities from DOD to DHS (White House, 2012). In 2013, President Obama further strengthened the DHS role as the primary department for the protection of critical infrastructure with PPD 21 (White House, 2013). With Executive Order 13691, the DHS gained oversight over the NCCIC and Information Sharing and Analysis Organizations (ISAOs), further expanding its communicative and coordinative authorities with the goals of increasing the critical situational awareness that cybersecurity demands (White House, 2015). Clearly, the DHS could flourish in a coordinating role as this was its primary purpose at its inception.
With the added authorities in cybersecurity specific issues and critical infrastructures added to DHS over the years, it makes a lot of sense for DHS to assume the lead role in cybersecurity and implement the necessary policies to achieve our national objectives.
Despite all of the clear advantages of DHS assuming the primary leadership role, there are some challenges inherent with this model and valid criticisms of its application as the leading strategy of U.S. national cyberpolicy. First is the obvious and inescapable evidence of systemic failures of the current cybersecurity regime, which is coordinated by none other than the DHS. This begs the seemingly logical question that if they are unable to currently address the challenges of cyber-threats, what advantages will develop by expanding their authority in the cybersecurity arena? This is a reasonable question but should be tempered by the knowledge that DHS is a relatively young department and is still experiencing growing pains as an organization while trying to figure out extremely complex problems with ever increasing responsibilities, aging infrastructure, and tight budgets.
Further challenges for DHS are the recruitment and retainment of top cybersecurity talent. This is an issue that is an almost emergency scenario where DHS cannot meet the demands that it requires in terms of both quality and quantity of personnel necessary to fulfill cybersecurity objectives and fulfill its missions. This problem is exacerbated with stagnating or frozen government salaries while demand and compensation in the private sector is constantly growing (Newmeyer, 2012). The 19.1-billion-dollar investment proposed by President Obama’s CNAP could drastically and effectively address this particular issue, but it remains unclear whether this strategy is sustainable in the long term, due to the necessary demands to continuously fund such a program (White House, 2016).
The final, and perhaps most potent criticism of the DHS assuming the national cybersecurity policy leadership role is the general concept of cybersecurity as an essential national security issue, and one that is outside the scope of the DHS’s capabilities. Essentially, this criticism states that cyber-threats have grown beyond simply defending the homeland and critical infrastructure, and grown to include involvement with foreign intelligence agencies, militaries, diplomatic issues, and a broad potential for clandestine activities that DHS is simply not prepared for and does not possess the appropriate capabilities to address (CSIS, 2008).
Department of Defense. The DOD’s cyber-mission is the support and defense of all “.mil” federal domains, both military and intelligence infrastructure, developing offensive cyber capabilities, and preparing for cyber warfare engagements (CSIS, 2011). Of all the potential candidates for a centralized cybersecurity authority, the DOD has by far the most extensive technological capabilities and human resource talent (Roesener, Bottolfson, & Fernandez, 2014). Due to ample budgets, they have the capacity for high levels of innovation and can operate competitively with the private sector regarding salaries. They possess considerable experience with network defense by providing the network infrastructure and defense monitoring capabilities for all non-civilian government networks. The DOD also has extensive capacity for offensive cyber operations and foreign intelligence activities. They certainly possess a broader, international scope when compared with the DHS. The DOD also does have some limited experience with establishing public-private partnerships with their relationships with private defense contractors in the military industrial complex (Roesener, Bottolfson, & Fernandez, 2014). Ultimately, however, it is the combination of manpower and technical capabilities that make the DOD an attractive choice for a national leadership role.
Despite these advantages, the concept of the DOD as a national coordinator has crippling limitations. The DOD is not authorized to legally act in a wide range of domestic roles and scenarios due to legal restrictions within the Posse Comitatus Act (Newmeyer, 2012). The purpose of the law was to limit the powers of the federal government in using federal military personnel to enforce domestic policies within the United States. Changing these laws would require significant legislative effort that is both unlikely and perhaps unwise. There is a general level of suspicion with the U.S. citizenry after the fallout from the global surveillance disclosures concerning the NSA collection of big data. Regardless of public sentiment, however, granting domestic enforcement powers to the military could potentially create dangerous precedents for the infringement upon civil liberties. The legal and social difficulties with attempting to establish these domestic powers for DOD would likely cause significant public unrest and would not be politically viable.
Conclusions and Recommendations
Cybersecurity has become one of the most critical national security challenges currently facing the United States. The government’s response to these threats has so far been insufficient, and the leadership model for our national cybersecurity efforts needs to be reassessed. Devising the most effective policy is daunting, as none of the proposed options for cybersecurity leadership and authority are perfect, but the issue is so critical that we cannot afford to wait for a perfect option. In the absence of visionary action, the best option appears to be to maintain and strengthen the current role of the DHS, which already has extensive cyber policy authority and capabilities with coordinating functions across government agencies and establishing public partnerships. Most of the failures of current leadership models are a result of a lack of centralized authority to establish standards and mandate regulatory compliance. While the DHS has been given broad consultative and coordinative powers by executive actions, the department still lacks the formal authority to direct and control compliance across the federal government. Effective legislation should be enacted to transition the DHS’s authority from a guidance role into one with more directive capacity. As long as their authority remains suggestive and voluntary without a coercive element, the leadership model will continue to fail. Further, the DHS needs to be enhanced with its technical capabilities by updating aging infrastructure and expanding its qualified workforce for the future. In order to properly address growing cyber threats and achieve national cybersecurity objectives, the following recommendations should be implemented by the federal government:
➢ Clarify the Department of Homeland Security’s role as the primary leader for national cyberpolicy efforts and implementations by enacting significant legislation granting DHS legal authority to direct actions of other government agencies and enforce regulatory compliance.
➢ Congress should enact legislation that makes the Secretary of DHS a permanent member of the National Security Council, allowing DHS more fluid communication with the White House, giving DHS the ability to call NSC meetings, and allowing for the direct presentation of policy initiatives to the President and National Security Advisor.
➢ Continue initiatives for increasing public education of cybersecurity issues, improving cyber education, and developing the capacity to attract, train, and deploy talented cyber personnel throughout all levels of the federal government.
➢ Enact legislation that codifies and supports the partnership between DHS and DOD for the sharing of personnel, resources, and facilities while each department maintains its distinct mission, allowing DHS to focus on defensive domestic operations of CI and the establishment of PPPs, while DOD focuses on foreign intelligence, offensive cyber capabilities, and warfighting.
The President and Congress must show decisive political leadership for cyberpolicy objectives in order for our national security efforts to be successful moving forward. Most of the necessary leadership capacity is already in place at DHS, but significant improvements can be made to transition coordinating roles into directive capabilities. By adhering to standards, continuing technological innovation, and developing talented cybersecurity professionals, the government will be able to address the challenges of the cyber threat environment.
References
Abebe, D. (2016, Winter). Cyberwar, International Politics, and Institutional Design. The University of Chicago Law Review, 83(1), 1-22.
Asllani, A., Ettkin, L., & White, C. (2013). Viewing Cybersecurity as a Public Good: The Role of Governments, Business, and Individuals. Journal of Legal, Ethical, and Regulatory Issues, 16(1), 7-14.
Choo, K.-K. (2014). A Conceptual Interdisciplinary Plug-and-Play Cyber Security Framework. In ICTs and the Millennium Development Goals – A United Nations Perspective (pp. 81-99). New York: Springer.
Coldebella, G., & White, B. (2010). Foundational Questions Regarding the Federal Role in Cybersecurity. Journal of National Security Law & Policy, 4(1), 233-245.
Computer Security Act of 1987. (1998). Pub. L. No. 100-235.
CSIS. (2008). Securing Cyberspace for the 44th Presidency. Washington, DC: Center for Strategic and International Studies.
CSIS. (2011). A Report of the CSIS Commission on Cybersecurity for the 44th Presidency: Cybersecurity Two Years Later. Washington, DC: Center for Strategic and International Studies.
Cybersecurity Information Sharing Act of 2015. (2015). Pub. L. No. 114-113. Washington, DC.
DHS. (2002). The Department of Homeland Security. Washington, DC. Retrieved from https://www.dhs.gov/sites/default/files/publications/book_0.pdf
DHS. (2014). Creation of the Department of Homeland Security. Retrieved from dhs.gov: https://www.dhs.gov/creation-department-homeland-security
Donilon, T., & Palmisano, S. (2016). Commission on Enhancing National Cybersecurity: Report on Growing and Securing the Digital Economy. Washington, DC.
Executive Office of the President of The United States. (2010). The Comprehensive National Cybersecurity Initiative. Retrieved from The White House Web Site: https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative
Franke, U., & Brynielsson, J. (2014). Cyber Situational Awareness — A Systematic Review of the Literature. Computers & Security, 46(10), 18-31.
Goutam, R. (2015). Importance of Cyber Security. International Journal of Computer Applications, 111(7), 14-17.
Hathaway, M. (2012). Leadership and Responsibility for Cybersecurity. Georgetown Journal of International Affairs, Special Issue, 71-80.
Information Management. (2013, May/June). Preventing 9/11 in the Cyber World. Information Management, p. 18.
Intelligence Community Assessment. (2017). Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution. Washington, D.C.: Office of the Director of National Intelligence.
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing. National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-150
Kshetri, N., & Murugesan, S. (2013, October). EU and US Cybersecurity Strategies and Their Impact on Businesses and Consumers. Computer, 46(10), pp. 84-88.
Lin, P., Allhoff, F., & Rowe, N. (2012, March). War 2.0: Cyberweapons and Ethics. Communications of the ACM, 55(3), 24-27.
Manley, M. (2015). Cyberspace’s Dynamic Duo: Forging a Cybersecurity Public-Private Partnership. Journal of Strategic Security, 8(5), 85-98.
Newmeyer, K. (2012). Who Should Lead U.S. Cybersecurity Efforts? Prism: A Journal of the Center for Complex Operations, 3(2), 115-126.
Nielsen, S. (2012, Summer). Pursuing Security in Cyberspace: Strategic and Organizational Challenges. Orbis, 56(3), 336-356.
Pernik, P., Wojtkowiak, J., & Verschoor-Kirss, A. (2016). National Cyber Security Organisation: United States. NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.
Rid, T. (2013, November/December). Cyberwar and Peace: Hacking Can Reduce Real World Violence. Foreign Affairs, 92(6), 77-87.
Rid, T., & Arquilla, J. (2012, March/April). Think Again: Cyberwar. Foreign Policy, 192, 80-84.
Roesener, A., Bottolfson, C., & Fernandez, G. (2014, November-December). Policy for US Cybersecurity. Air & Space Power Journal, 38-54.
Rosenzweig, P. (2017, February 9). Revised Draft Trump EO on Cybersecurity. Retrieved from lawfareblog.com: https://www.lawfareblog.com/revised-draft-trump-eo-cybersecurity
Secretary, O. o. (2016, February 09). Fact Sheet: Cybersecurity National Action Plan. Retrieved from White House Web Site: https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan
Sharp, W. (2010). The Past, Present, and Future of Cybersecurity. Journal of National Security Law & Policy, 4(13), 13-26.
USA PATRIOT Act. (2001). Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. Pub. L. No. 107-56, 115 Statute 272.
Wechsler, P. (2016, February 1). China’s Unit 61398 Pulled from the Shadows. Retrieved from SAGE Business Researcher Web Site: businessresearcher.sagepub.com/sbr-1775-981462715481/20160201/chinas-unit-61398-pulled-from-the-shadows
White House. (1990). National Policy for the Security of National Security Telecommunications and Information Systems. National Security Directive 42, Washington, DC. Retrieved from https://fas.org/irp/offdocs/nsd/nsd42.pdf
White House. (2003). Executive Order No. 13286 Amendment of Executive Orders, and Other Actions, in Connection with the Transfer of Certain Functions to the Secretary of Homeland Security. Retrieved from https://fas.org/irp/offdocs/eo/eo13286.htm
White House. (2003). Homeland Security Presidential Directive No. 7, Critical Infrastructure Identification, Prioritization, and Protection. Washington, DC. Retrieved from http://csrc.nist.gov/drivers/documents/HSPD-7-Attach-A2.pdf
White House. (2008). National Security Presidential Directive 54 / Homeland Security Presidential Directive 23. Washington, DC. Retrieved from
White House. (2011). Executive Order 13587 – Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
White House. (2012). Executive Order 13618 — Assignment of National Security and Emergency Preparedness Communications Functions. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2012/07/06/executive-order-assignment-national-security-and-emergency-preparedness
White House. (2013). Executive Order 13636 — Improving Critical Infrastructure Cybersecurity. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
White House. (2013). Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
White House. (2015). Executive Order 13691 — Promoting Private Sector Cybersecurity Information Sharing. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing.
White House. (2015). Presidential Memorandum — Establishment of the Cyber Threat Intelligence Integration Center. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2015/02/25/presidential-memorandum-establishment-cyber-threat-intelligence-integratation.
White House. (2016). FACT SHEET: Cybersecurity National Action Plan. Washington, DC. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan
Young, M. (2010). National Cyber Doctrine: The Missing Link in the Application of American Cyber Power. Journal of National Security Law & Policy, 4(173), 173-196.
Ziring, N. (2015). The Future of Cyber Operations and Defense. Journal of Information Warfare, 14(2), 1-7.