1

Securing Cyberspace:
National Security Strategy and Implications

JR Reagan

May 31, 2014











2

Securing Cyberspace:
National Security Strategy and Implications

Background
The threat to the information and communications infrastructure of the United
States has become a National Security issue
1
and one of the most pressing concerns of
the new Obama administration
2
. The cyberspace infrastructure on which our nation
depends has generated concerns of potential digital Pearl Harbor scenarios including
cyber attacks on critical infrastructure, cyber-espionage and theft, state-sponsored
attacks against US government assets and threats to the Defense Industrial Base. In
May of 2009, President Obama declared
3
:
This new approach starts at the top, with this commitment from me: From now
on, our digital infrastructure -- the networks and computers we depend on every day --
will be treated as they should be: as a strategic national asset. Protecting this
infrastructure will be a national security priority. We will ensure that these networks are
secure, trustworthy and resilient. We will deter, prevent, detect, and defend against
attacks and recover quickly from any disruptions or damage.
Not until recently has the issue of protecting cyberspace been viewed in terms of
national economic impact and its influence on the future success of the United States.

1
Obama, Barack The National Security Strategy of the United States of America. 27 May, 2010,
http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf
2
The White House, Cyberspace Policy Review, May 29, 2009, http://www.whitehouse.gov/assets/documents/
Cyberspace_Policy_Review_final.pdf.
3
White House Office of the Press Secretary, Remarks by the President on Securing our Nations Cyber
Infrastructure, press release, May 29, 2009, http://www.whitehouse.gov/the_press_office/Remarks-by-the-Presidenton-
Securing-Our-Nations-Cyber-Infrastructure/.

3
This was highlighted by President Obama last year when he said "America's economic
prosperity in the 21st century will depend on cybersecurity."
4

Cyberspace as a National Priority
A successful cyber attack to any of the financial, military, political and social
infrastructure today could potentially do as much damage or more to the United States
as any conventional terrorist attack. Cyberattacks, historically, have existed as long
as computers were interconnected, but the current dependency to computer systems
and technology makes the potential threat or interference of vital systems (such as
electrical, military, financial) extremely dangerous and costly.
As an example of this, the Federal Communications Commission unveiled in May
2010 a wide-ranging National Broadband Plan
5
that promises to provide millions of
Americans with fast Internet accessibility. The plan acknowledges, however, that
increased broadband will also increase security vulnerabilities and specifies that the
country "needs a clear strategy for securing the vital communications networks upon
which critical infrastructure and public safety communications rely." The impact of
identity theft in 2009 alone has cost Americans more than $54 billion
6
. Other initiatives
such as utility smart grids", and electronic health records, next-generation air-traffic
control, and other national initiatives underscore that the economic security of the
United States now requires more reliance on a national coordinated strategy for
Cybersecurity.

4
White House Office of the Press Secretary, Remarks by the President on Securing our Nations Cyber
Infrastructure, press release, May 29, 2009, http://www.whitehouse.gov/the_press_office/Remarks-by-the-Presidenton-
Securing-Our-Nations-Cyber-Infrastructure/.
5
FCC, Connecting America: The National Broadband Plan (2010), available at http://www.broadband.gov/download-plan/
6
Javelin Strategy & Research, Javelin Study Finds Identity Fraud Reached New High in 2009, but Consumers are Fighting Back,
Feb. 10, 2010, Press Release,
https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-
are-Fighting-Back/d,pressRoomDetail.
4
U.S. Views and Efforts
More than two decades of legislative oversight as well as executive branch and
National Research Council reports attest to government attention to the overall
Cybersecurity issue. A brief summary of recent major policy initiatives highlights the
importance that Cybersecurity has played in National Security since 1998:
Commission on Cybersecurity for the 44th Presidency
A Cybersecurity Commission
7
organized by the Center for Strategic and
International Studies (CSIS) was formed in 2008 to provide advice to the new
Administration on the creation and maintenance of a comprehensive cybersecurity
strategy. In a December 2008 report, the Commission provided findings and
recommendations to secure cyberspace during the 44th presidency and to help inform
policymaking. The following actions were proposed in the report as areas requiring
priority attention:
create a comprehensive national cybersecurity strategy;
lead from the White House;
reinvent public-private partnership;
regulate cyberspace;
authenticate digital identities;
modernize legal authorities;
use acquisitions to improve security;
build capabilities through research training and education.
The Comprehensive National Cybersecurity Initiative (CNCI) - 2008

7
CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, December
2008, http://www.csis.org/tech/cyber/.
5
In January 2008, the Bush Administration initiated the Comprehensive National
Cybersecurity Initiative (CNCI)
8
in an effort to make the United States more secure
against cyber threats. Although Homeland Security Presidential Directive (HSPD) 23
9

and National Security Presidential Directive (NSPD) 54
10
establishing the CNCI are
classified, details of the initiative were recently made public. President Obama
determined that the CNCI and its associated activities should evolve to become key
elements of a broader, updated national U.S. cybersecurity strategy.
The CNCI consists of a number of mutually reinforcing initiatives with the
following major goals designed to help secure the United States in cyberspace:
To establish a front line of defense against todays immediate threats by
creating or enhancing shared situational awareness of network vulnerabilities,
threats, and events within the Federal Governmentand ultimately with state,
local, and tribal governments and private sector partnersand the ability to
act quickly to reduce our current vulnerabilities and prevent intrusions.
To defend against the full spectrum of threats by enhancing U.S.
counterintelligence capabilities and increasing the security of the supply chain
for key information technologies.
To strengthen the future cybersecurity environment by expanding cyber
education; coordinating and redirecting research and development efforts

8
The White House, Comprehensive National Cybersecurity Initiative (CNCI), March 2, 2010,
http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf
9
Department of Homeland Security, Protecting Our Federal Networks Against Cyber Attacks,
www.dhs.gov/files/programs/gc_1234200709381.shtm.
10
Department of Homeland Security, Fact Sheet: Protecting Our Federal Network Against Cyber Attacks, Apr. 8, 2008,
available at http://www.dhs.gov/xnews/releases/pr_12076 84277498.shtm.
6
across the Federal Government; and working to define and develop strategies
to deter hostile or malicious activity in cyberspace.
The CNCI establishes the policy, strategy, and guidelines to secure federal
systems. The CNCI also delineates an approach that anticipates future cyber threats
and technologies, and requires the federal government to integrate many of its technical
and organizational capabilities to better address sophisticated threats and
vulnerabilities. Rather than serving as an overarching national strategy document with
specific instructions for federal agency implementation activities, the CNCI is seen as a
plan of action for programs and initiatives to be addressed at the operational and
tactical level. However, these CNCI initiatives play a key role in supporting the
achievement of many of the key recommendations of President Obamas Cyberspace
Policy Review. The 12 objectives supporting the CNCI goal of addressing U.S. cyber
security concerns include:
1. Move toward managing a single federal enterprise network (an integrated
communications system architecture for the federal government with
common security standards across the network).
2. Deploy intrinsic detection systems.
3. Develop and deploy intrusion prevention tools.
4. Review and potentially redirect research and funding.
5. Connect current government cyber operations centers.
6. Develop a government-wide cyber intelligence plan.
7. Increase the security of classified networks.
8. Expand cyber education.
7
9. Define enduring leap-ahead technologies (investing in high-risk, high-
reward research and development to ensure transformational change).
10. Define enduring deterrent technologies and programs.
11. Develop multi-pronged approaches to supply chain risk management
(potential tampering within the production line and the risk associated with
computer products and parts made outside the United States).
12. Define the role of cybersecurity in private sector domains.
Obama Administration 60-Day Cyberspace Policy Review
With this in mind, the President tasked the National Security Council (NSC) and
Homeland Security Council to conduct a 60-day review
11
of the Cyberspace plans,
programs, and activities across the Federal government. This review would develop
recommendations in order to develop a strategic framework and coordinate initiatives
across the U.S. government. The Cyberspace Policy Review was designed as a clean-
slate, inclusive program involving a far ranging base of public-private stakeholders.
This included over 40 meetings with industry, academia, State governments, civil liberty
groups, unions, international governments, the Legislative Branch, Executive Branch
and others. This process to promote unprecedented transparency and engagement
12

as previous policy setting initiatives regarding Cybersecurity in the U.S. government had
come under heavy criticism for excessive secrecy
13
. The goals for this expanded
inclusion of multiple constituencies included identifying key requirements, illuminating

11
Ibid
12
Hathaway, M. E. (2009, April 22). Remarks by Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National
Security and Homeland Security Councils : RSA Conference 2009, April 22, 2009, San Francisco, California. Paper presented at
the RSA Conference 2009, San Francisco, California.
13
U.S. Congress, 110th Congress, 2d session, House of Representatives, Permanent Select Committee on
Intelligence, Intelligence Authorization Act for Fiscal Year 2009, H.Rept. 110-665, May 21, 2008
8
policy gaps, suggesting areas for improved collaboration, and framing the decision
space for cyberspace policy.
On May 29, 2009, President Obama issued the results of the Administrations 60-
Day Cyberspace Policy Review
14
. Following the issuance of the CNCI, the reviews
goal was to assess U.S. policies and organizational structures for cybersecurity. The
activities under way to implement the recommendations of the Cyberspace Policy
Review built on the Comprehensive National Cybersecurity Initiative (CNCI) launched
by President George W. Bush and the National Security Presidential Directive 54
15

(NSPD-54) / Homeland Security Presidential Directive 23
16
(HSPD-23) in January 2008.
In order to develop a strategic framework to ensure that the U.S. governments
initiatives are appropriately integrated, resourced, and coordinated, the following near-
term action plan steps were noted in the 60-day review:
o Appoint a cybersecurity official to coordinate interagency strategy and policy.
o Prepare and update national strategy to secure the information and
communications infrastructure.
o Designate cybersecurity as one of the Presidents key management priorities and
establish performance metrics.
o Designate a privacy and civil liberties official in the NSC cybersecurity directorate.
o Convene appropriate interagency mechanisms to conduct legal analysis of priority
cybersecurity issues.
o Initiate a national cybersecurity public awareness and education campaign.

14
Ibid
15
Ibid
16
Ibid
9
o Develop U.S. government positions for an international cybersecurity policy
framework.
o Prepare a cybersecurity incident response plan.
o Develop a framework for research and development strategies that focus on game-
changing technologies that enhance security.
o Build a cybersecurity-based identity management vision and strategy that addresses
privacy and civil liberties interests.
Implications on National Security Strategy
The principles of the law of armed conflict (LOAC) and the charter of the United
Nations - including both law governing the legality of going to war (jus ad bellum) and
law governing behavior during war (jus in bello) - do apply to cyber attack, although new
analytical work may be needed to understand how these principles do or should apply
to cyberweapons. That is, some types of cyberattack are difficult to analyze within the
traditional LOAC structure.
Cyber defense and cyber war are unconventional in nature. Among the more
problematic cases are the presumption of nation-to-nation conflict between national
military forces and the exception for espionage. In comparison to Kinetic weapons,
there are many forms of cyberattack weaponry. Cyber attacks are easy to use with high
degrees of anonymity and with plausible deniability, making them well suited for covert
operations and for instigating conflict between other parties. Cyber attacks are more
uncertain in the outcomes they produce, making it difficult to estimate deliberate any
collateral damage. Cyber attacks involve a much larger range of options and possible
outcomes, and may operate on time scales ranging from tenths of a second to years,
10
and at spatial scales anywhere from concentrated in a facility next door to globally
dispersed.
The 2006 National Military Strategy for Cyberspace Operations indicates that the
department of defense will use the full range of military operations and may conduct
cyberspace operations across national boundaries. During the cold war, deterrence
was based on a few key elements: attribution (understanding who attacked us), location
(knowing where a strike came from), response (being able to respond, even if attacked
first) and transparency (the enemys knowledge of our capability and intent to counter
with massive force). These four elements do not provide a clear picture today with
Cyberspace and Computer Network Attacks (CNAs) which not only blurs attribution and
location of the attacker(s) but adds to the complexity with possible open ended
scenarios such as: who is the enemy? What really is an attack?
We can look to the international regulatory systems for some, but not all,
answers. NATO provides in Article 5, operations and collective defense, some insights
into combating threats on a united front stating that if a NATO ally is the victim of an
armed attack, each and every other member of the Alliance will consider this act of
violence as an armed attack against all members and will take the actions it deems
necessary to assist the Ally attacked (NATO 2) however, it is still unclear as to the total
outreach this goes regarding our NATO allies and unconventional attacks. However,
NATO has formed a Cyber Defense Management Authority which will have most of its
capabilities established by 2012.


11
National Security Council
The National Security Council, who advises the president on all security issues,
currently would have significant decision making authority necessary for a Cyber
threat/attack. The National Security Advisor would coordinate with their paralleled
counter parts at the international level: NATO, UN, IGO/NGO, Accords to bring together
a foreign coalition and effort; as well as a formal 3rd party investigation of the cyber
threat/attack. The National Security Advisor would also be in direct communication with
the Director of the Department of Defense, who is on the Council, who oversees the
cyber operations. Each department reporting into the Director of Department of
Defense would work in a collaborative effort and manner that is conducive to swift,
effective action. The National Security Council as a whole would be responsible for any
decision resulting in the use of force. Any attempt for full declaration of Cyber War
would need to follow the Constitution and be approved through Congress legislators.
Cyber Security Coordinator
In May of 2009, a new White House Office of the Cybersecurity Coordinator was
created including a White House Cybersecurity Coordinator that is a member of the
National Security Staff as well as the National Economic Council. This position was
created in response to the weakness cited by critics that no single official oversees
cybersecurity policy across the federal government, and no single agency has the
responsibility or authority to match the scope and scale of the challenge. The White
House Office of the Cybersecurity Coordinator is charged with orchestrating and
integrating all cybersecurity policies for the government; working closely with the Office
of Management and Budget to ensure agency budgets reflect those priorities; and, in
12
the event of major cyber incident or attack, coordinating U.S. response. In December of
2009, the White House Cybersecurity Coordinator was finally appointed (Howard
Schmidt)
17
.
When it comes to cybersecurity, however, the Cybersecurity Coordinator will be
challenged in helping several federal agencies that have overlapping Cyber missions.
First of these is the Department of Homeland Security (DHS), which leads cybersecurity
coordination for nonmilitary departments and agencies across the federal government.
DHS also is home to the National Cyber Security Center, whose is responsible for
coordinating information from all federal agencies to help improve situational
awareness, foster collaboration and secure cyber networks. Within DHS the National
Cyber Security Directorate (NCSD) has the task of working with private on cyber
initiatives including information sharing and coordination.
US Cyber Command
The Department of Defense (DOD) announced the creation in 2009 of a new
Cyber control entity across all services, designated as U.S. Cyber Command
(CYBERCOM), as a sub-unified command under the U.S. Strategic Command
(STRATCOM). This new command (CYBERCOM) is tasked with coordinating a unified
approach to securing and defending military cyber networks. USCYBERCOM will
centralize the command of cyberspace operations to provide the United States with a
unified front to fight cyberwarfare. The USCYBERCOMs mission is to direct the
operations and defense of specified Department of Defense information networks and;
prepare to, and when directed, conduct full-spectrum military cyberspace operations in

17
The White House, Introducing the New Cybersecurity Coordinator, December 22, 2009,
http://www.whitehouse.gov/blog/2009/12/22/introducing-new-cybersecurity-coordinator
13
order to enable actions in all domains, ensure US/Allied freedom of action in
cyberspace and deny the same to our adversaries.
In May of 2010 General Keith Alexander (Director, National Security Agency)
was appointed Commander of U.S. Cyber Command (CYBERCOM). The Deputy
Secretary of the DoD has stated that the mission of CYBERCOM would be to protect
and defend our defense and military networks and that the responsibility for protecting
federal civilian networks would remain with DHS.
18
He also stated that the effectiveness
of U.S. cybersecurity will depend on how the US develops responses to key issues such
as how to develop an effective deterrence strategy, organize government to respond to
the Cyber threat, partner with the private sector, develop international cooperation and
define the procedures for future DoD for cyberspace operations
19
.
Just recently on July 14, 2011 the Pentagon released its new Strategy for
Operating in Cyberspace
20
, the third such formal strategy issued from the government
under the Obama administration. The document is the first of its kind from the Defense
Department (DOD), released amid growing concerns over persistent, sophisticated
cyberattacks targeting the nation's classified networks. The strategy calls for the U.S.
military to treat cyber-space as an operational domain, similar to land, sea or air, and
promises new "operating concepts" to protect defense networks and computers. Other
parts of the initiative include partnering with other government departments, agencies
and the private sector to develop a comprehensive strategy and building robust
relationships with international allies and partners.

18
Remarks of William J. Lynn III, Deputy Secretary of Defense, Protecting the Domain: Cybersecurity as a Defense Priority,
before the Center for Strategic and International Studies, June 15, 2009, available at http://www.defense.gov/Transcripts/
Transcript.aspx?TranscriptID=4433.
19
Ibid
20
Department of Defense Strategy for Operating in Cyberspace, http://www.defense.gov/news/d20110714cyber.pdf
14
The DOD strategy carefully avoids calling Cyberspace a warfighting domain or
global common to ensure that the U.S. is not seen as militarizing the Internet. With
respect to defense, the DOD strategy calls Cyberspace an operational domain to
organize, train, & equip so that the DOD can take full advantage of its potential. The
strategy emphasizes correctly the unique characteristics of cyberspace and places a
premium on active sophisticated defenses of network systems as its primary objective.
This emphasis is an important fundamental shift in strategic orientation for a military that
in the cold war emphasized deterring attacks with the threat of nuclear retaliation. The
Pentagon's cyber strategy recognizes that a focus on active defense and prudent
offensive capabilities, rather than deterrence will likely bring about greater security or at
least mitigate the damage of constant outside attacks.
Conclusion

The national dialogue on cybersecurity has advanced significantly in recent years
but more issues remain, particularly as we view it in a new context of National Security.
The cybersecurity threat to U.S. national security and economic security is far more
difficult in its implications and solutions than kinetic threats we have faced as a nation.
The need to explain the challenges and discuss what the Nation can do to solve
problems collectively is designed to foster a process where the American people can
appreciate the need for action. A key finding of the Cyber Policy Review highlighted the
premise that the United States cannot succeed in securing cyberspace if the
government works in isolation. In the spirit of the new administration, it is seen as a
15
unique opportunity for the United States to work with countries around the world to
collaborate in making Cyber networks safe and drive innovation
21
.
As one of the findings of the Cyber Policy review is that the public and private
sectors interests are intertwined and government and industry leaders both nationally
and internationally need to develop holistic solutions. Recommendations include
improving government efficiency, private sector engagement, public-private
partnerships and information sharing. This may be accomplished through government
alignment of resources; evaluating barriers to partnerships; integrating approach to
policy formulation; and coordinating / expanding international partnerships.
While the Department of Defenses recent five-pronged approach to combating
cyber threats signaled an important first step in the development of a national
cyberwarfare strategy, it also raised many unanswered questions, including policy
issues such as how the U.S. could use the Internet to respond to a cyber threat. The
central tension in this strategy is the contrast between the announced scaling up of U.S.
military activities in cyberspace with repeated reassurances that these increased and
intensified activities do not portend the militarization of cyberspace. The openness and
interconnectedness of the Internet suggest that containing rapidly expanding military
interest, initiatives, and influence in cyberspace will be a very difficult policy challenge --
especially if cybersecurity failures continue in civilian contexts. Stronger moves by the
U.S. military in cyberspace will prompt similar moves by other countries, producing a
collective militarization creep in cyberspace that might threaten, ultimately, the Internet
freedom agenda the Obama administration is championing.

21
Ibid