THE NATIONAL STRATEGY TO SECURE CYBERSPACE

FEBRUARY 2003

Page 1: National Strategy to Secure Cyberspace › sites › prod › files › National Strategy... · 2012-02-28 · future private solutions. Federal actions to secure cyberspace are warranted

My Fellow Americans:

The way business is transacted, government operates, and national defense is conducted have changed. These activities now rely on an interdependent network of information technology infrastructures called cyberspace. The National Strategy to Secure Cyberspace provides a framework for protecting this infrastructure that is essential to our economy, security, and way of life.

In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.

Securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people. To engage Americans in securing cyberspace, a draft version of this strategy was released for public comment, and ten town hall meetings were held around the Nation to gather input on the development of a national strategy. Thousands of people and numerous organizations participated in these town hall meetings and responded with comments. I thank them all for their continuing participation.

The cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership. The federal government invites the creation of, and participation in, public-private partnerships to implement this strategy. Only by acting together can we build a more secure future in cyberspace.

THE WHITE HOUSE
WASHINGTON

TABLE OF CONTENTS

Executive Summary

Introduction

Cyberspace Threats and Vulnerabilities: A Case for Action

National Policy and Guiding Principles

National Cyberspace Security Priorities

Priority I: A National Cyberspace Security Response System

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

Priority III: A National Cyberspace Security Awareness and Training Program

Priority IV: Securing Governments’ Cyberspace

Priority V: National Security and International Cyberspace Security Cooperation

Conclusion: The Way Forward

Appendix: Actions and Recommendations (A/R) Summary

EXECUTIVE SUMMARY

Our Nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system—the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work. Thus, the healthy functioning of cyberspace is essential to our economy and our national security.

This National Strategy to Secure Cyberspace is part of our overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people.

The National Strategy to Secure Cyberspace outlines an initial framework for both organizing and prioritizing efforts. It provides direction to the federal government departments and agencies that have roles in cyberspace security. It also identifies steps that state and local governments, private companies and organizations, and individual Americans can take to improve our collective cybersecurity. The Strategy highlights the role of public-private engagement. The document provides a framework for the contributions that we all can make to secure our parts of cyberspace. The dynamics of cyberspace will require adjustments and amendments to the Strategy over time.

The speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all. Therefore, the National Strategy to Secure Cyberspace helps reduce our Nation’s vulnerability to debilitating attacks against our critical information infrastructures or the physical assets that support them.

Strategic Objectives

Consistent with the National Strategy for Homeland Security, the strategic objectives of this National Strategy to Secure Cyberspace are to:

• Prevent cyber attacks against America’s critical infrastructures;

• Reduce national vulnerability to cyber attacks; and

• Minimize damage and recovery time from cyber attacks that do occur.

Threat and Vulnerability

Our economy and national security are fully dependent upon information technology and the information infrastructure. At the core of the information infrastructure upon which we depend is the Internet, a system originally designed to share unclassified research among scientists who were assumed to be uninterested in abusing the network. It is that same Internet that today connects millions of other computer networks making most of the nation’s essential services and infrastructures work. These computer networks also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, radars, and stock markets, all of which exist beyond cyberspace.

A spectrum of malicious actors can and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security. The required technical sophistication to carry out such an attack is high—and partially explains the lack of a debilitating attack to date. We should not, however, be too sanguine. There have been instances where organized attackers have exploited vulnerabilities that may be indicative of more destructive capabilities.

Uncertainties exist as to the intent and full technical capabilities of several observed attacks. Enhanced cyber threat analysis is needed to address long-term trends related to threats and vulnerabilities. What is known is that the attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving.

In peacetime America’s enemies may conduct espionage on our Government, university research centers, and private companies. They may also seek to prepare for cyber strikes during a confrontation by mapping U.S. information systems, identifying key targets, and lacing our infrastructure with back doors and other means of access. In wartime or crisis, adversaries may seek to intimidate the Nation’s political leaders by attacking critical infrastructures and key economic functions or eroding public confidence in information systems.

Cyber attacks on United States information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Countering such attacks requires the development of robust capabilities where they do not exist today if we are to reduce vulnerabilities and deter those with the capabilities and intent to harm our critical infrastructures.

The Government Role in Securing Cyberspace

In general, the private sector is best equipped and structured to respond to an evolving cyber threat. There are specific instances, however, where federal government response is most appropriate and justified. Looking inward, providing continuity of government requires ensuring the safety of its own cyber infrastructure and those assets required for supporting its essential missions and services. Externally, a government role in cybersecurity is warranted in cases where high transaction costs or legal barriers lead to significant coordination problems; cases in which governments operate in the absence of private sector forces; resolution of incentive problems that lead to under provisioning of critical shared resources; and raising awareness.

Public-private engagement is a key component of our Strategy to secure cyberspace. This is true for several reasons. Public-private partnerships can usefully confront coordination problems. They can significantly enhance information exchange and cooperation. Public-private engagement will take a variety of forms and will address awareness, training, technological improvements, vulnerability remediation, and recovery operations.

A federal role in these and other cases is only justified when the benefits of intervention outweigh the associated costs. This standard is especially important in cases where there are viable private sector solutions for addressing any potential threat or vulnerability. For each case, consideration should be given to the broad-based costs and impacts of a given government action, versus other alternative actions, versus non-action, taking into account any existing or future private solutions.

Federal actions to secure cyberspace are warranted for purposes including: forensics and attack attribution, protection of networks and systems critical to national security, indications and warnings, and protection against organized attacks capable of inflicting debilitating damage to the economy. Federal activities should also support research and technology development that will enable the private sector to better secure privately-owned portions of the Nation’s critical infrastructure.

Department of Homeland Security and Cyberspace Security

On November 25, 2002, President Bush signed legislation creating the Department of Homeland Security (DHS). This new cabinet-level department will unite 22 federal entities for the common purpose of improving our homeland security. The Secretary of DHS will have important responsibilities in cyberspace security. These responsibilities include:

• Developing a comprehensive national plan for securing the key resources and critical infrastructure of the United States;

• Providing crisis management in response to attacks on critical information systems;

• Providing technical assistance to the private sector and other government entities with respect to emergency recovery plans for failures of critical information systems;

• Coordinating with other agencies of the federal government to provide specific warning information and advice about appropriate protective measures and countermeasures to state, local, and nongovernmental organizations including the private sector, academia, and the public; and

• Performing and funding research and development along with other agencies that will lead to new scientific understanding and technologies in support of homeland security.

Consistent with these responsibilities, DHS will become a federal center of excellence for cybersecurity and provide a focal point for federal outreach to state, local, and nongovernmental organizations including the private sector, academia, and the public.

Critical Priorities for Cyberspace Security

The National Strategy to Secure Cyberspace articulates five national priorities including:

I. A National Cyberspace Security Response System;

II. A National Cyberspace Security Threat and Vulnerability Reduction Program;

III. A National Cyberspace Security Awareness and Training Program;

IV. Securing Governments’ Cyberspace; and

V. National Security and International Cyberspace Security Cooperation.

The first priority focuses on improving our response to cyber incidents and reducing the potential damage from such events. The second, third, and fourth priorities aim to reduce threats from, and our vulnerabilities to, cyber attacks. The fifth priority is to prevent cyber attacks that could impact national security assets and to improve the international management of and response to such attacks.

Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to be effective at a national level, the United States needs a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process. Because no cybersecurity plan can be impervious to concerted and intelligent attack, information systems must be able to operate while under attack and have the resilience to restore full operations quickly.

The National Strategy to Secure Cyberspace identifies eight major actions and initiatives for cyberspace security response:

1. Establish a public-private architecture for responding to national-level cyber incidents;

2. Provide for the development of tactical and strategic analysis of cyber attacks and vulnerability assessments;

3. Encourage the development of a private sector capability to share a synoptic view of the health of cyberspace;

4. Expand the Cyber Warning and Information Network to support the role of DHS in coordinating crisis management for cyberspace security;

5. Improve national incident management;

6. Coordinate processes for voluntary participation in the development of national public-private continuity and contingency plans;

7. Exercise cybersecurity continuity plans for federal systems; and

8. Improve and enhance public-private information sharing involving cyber attacks, threats, and vulnerabilities.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our Nation’s critical infrastructures. The vulnerabilities that most threaten cyberspace occur in the information assets of critical infrastructure enterprises themselves and their external supporting structures, such as the mechanisms of the Internet. Lesser-secured sites on the interconnected network of networks also present potentially significant exposures to cyber attacks. Vulnerabilities result from weaknesses in technology and because of improper implementation and oversight of technological products.

The National Strategy to Secure Cyberspace identifies eight major actions and initiatives to reduce threats and related vulnerabilities:

1. Enhance law enforcement’s capabilities for preventing and prosecuting cyberspace attacks;

2. Create a process for national vulnerability assessments to better understand the potential consequences of threats and vulnerabilities;

3. Secure the mechanisms of the Internet by improving protocols and routing;

4. Foster the use of trusted digital control systems/supervisory control and data acquisition systems;

5. Reduce and remediate software vulnerabilities;

6. Understand infrastructure interdependencies and improve the physical security of cyber systems and telecommunications;

7. Prioritize federal cybersecurity research and development agendas; and

8. Assess and secure emerging systems.

Priority III: A National Cyberspace Security Awareness and Training Program

Many cyber vulnerabilities exist because of a lack of cybersecurity awareness on the part of computer users, systems administrators, technology developers, procurement officials, auditors, chief information officers (CIOs), chief executive officers, and corporate boards. Such awareness-based vulnerabilities present serious risks to critical infrastructures regardless of whether they exist within the infrastructure itself. A lack of trained personnel and the absence of widely accepted, multi-level certification programs for cybersecurity professionals complicate the task of addressing cyber vulnerabilities.

The National Strategy to Secure Cyberspace identifies four major actions and initiatives for awareness, education, and training:

1. Promote a comprehensive national awareness program to empower all Americans—businesses, the general workforce, and the general population—to secure their own parts of cyberspace;

2. Foster adequate training and education programs to support the Nation’s cybersecurity needs;

3. Increase the efficiency of existing federal cybersecurity training programs; and

4. Promote private-sector support for well-coordinated, widely recognized professional cybersecurity certifications.

Priority IV: Securing Governments’ Cyberspace

Although governments administer only a minority of the Nation’s critical infrastructure computer systems, governments at all levels perform essential services in the agriculture, food, water, public health, emergency services, defense, social welfare, information and telecommunications, energy, transportation, banking and finance, chemicals, and postal and shipping sectors that depend upon cyberspace for their delivery. Governments can lead by example in cyberspace security, including fostering a marketplace for more secure technologies through their procurement.

The National Strategy to Secure Cyberspace identifies five major actions and initiatives for the securing of governments’ cyberspace:

1. Continuously assess threats and vulnerabilities to federal cyber systems;

2. Authenticate and maintain authorized users of federal cyber systems;

3. Secure federal wireless local area networks;

4. Improve security in government outsourcing and procurement; and

5. Encourage state and local governments to consider establishing information technology security programs and participate in information sharing and analysis centers with similar governments.

Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace links the United States to the rest of the world. A network of networks spans the planet, allowing malicious actors on one continent to act on systems thousands of miles away. Cyber attacks cross borders at light speed, and discerning the source of malicious activity is difficult. America must be capable of safeguarding and defending its critical systems and networks. Enabling our ability to do so requires a system of international cooperation to facilitate information sharing, reduce vulnerabilities, and deter malicious actors.

The National Strategy to Secure Cyberspace identifies six major actions and initiatives to strengthen U.S. national security and international cooperation:

1. Strengthen cyber-related counterintelligence efforts;

2. Improve capabilities for attack attribution and response;

3. Improve coordination for responding to cyber attacks within the U.S. national security community;

4. Work with industry and through international organizations to facilitate dialogue and partnerships among international public and private sectors focused on protecting information infrastructures and promoting a global “culture of security;”


5. Foster the establishment of national and international watch-and-warning networks to detect and prevent cyber attacks as they emerge; and

6. Encourage other nations to accede to the Council of Europe Convention on Cybercrime, or to ensure that their laws and procedures are at least as comprehensive.

A National Effort

Protecting the widely distributed assets of cyberspace requires the efforts of many Americans. The federal government alone cannot sufficiently defend America’s cyberspace. Our traditions of federalism and limited government require that organizations outside the federal government take the lead in many of these efforts. Every American who can contribute to securing part of cyberspace is encouraged to do so. The federal government invites the creation of, and participation in, public-private partnerships to raise cybersecurity awareness, train personnel, stimulate market forces, improve technology, identify and remediate vulnerabilities, exchange information, and plan recovery operations.

People and organizations across the United States have already taken steps to improve cyberspace security. On September 18, 2002, many private-sector entities released plans and strategies for securing their respective infrastructures. The Partnership for Critical Infrastructure Security has played a unique role in facilitating private-sector contributions to this Strategy. Inputs from the critical sectors themselves can be found at http://www.pcis.org. (These documents were not subject to government approval.)

These comprehensive infrastructure plans describe the strategic initiatives of various sectors, including:

• Banking and Finance;

• Insurance;

• Chemical;

• Oil and Gas;

• Electric;

• Law Enforcement;

• Higher Education;

• Transportation (Rail);

• Information Technology and Telecommunications; and

• Water.

As each of the critical infrastructure sectors implements these initiatives, threats and vulnerabilities to our infrastructures will be reduced.

For the foreseeable future two things will be true: America will rely upon cyberspace and the federal government will seek a continuing broad partnership with the private sector to develop, implement, and refine a National Strategy to Secure Cyberspace.


Introduction

A Nation in Cyberspace

Our Nation’s critical infrastructures consist of the physical and cyber assets of public and private institutions in several sectors: agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is the nervous system of these infrastructures—the control system of our country. Cyberspace comprises hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that make our critical infrastructures work. Thus, the healthy functioning of cyberspace is essential to our economy and our national security. Unfortunately, recent events have highlighted the existence of cyberspace vulnerabilities and the fact that malicious actors seek to exploit them. (See, Cyberspace Threats and Vulnerabilities.)

This National Strategy to Secure Cyberspace is part of an overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, or control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people.

A Unique Problem, a Unique Process

Most critical infrastructures, and the cyberspace on which they rely, are privately owned and operated. The technologies that create and support cyberspace evolve rapidly from private-sector and academic innovation. Government alone cannot sufficiently secure cyberspace. Thus, President Bush has called for voluntary partnerships among government, industry, academia, and nongovernmental groups to secure and defend cyberspace. (See, National Policy and Guiding Principles.)

In recognition of this need for partnership, the process to develop the National Strategy to Secure Cyberspace included soliciting views from both the public and private sectors. To do so, the White House sponsored town hall meetings on cyberspace security in ten metropolitan areas. Consequently, individual sectors (e.g., higher education, state and local government, banking and finance) formed workgroups to create initial sector-specific cyberspace security strategies. Additionally, the White House created a Presidential advisory panel, the National Infrastructure Advisory Council, consisting of leaders from the key sectors of the economy, government, and academia. The President’s National Security Telecommunications Advisory Committee reviewed and commented on the Strategy.

In September 2002, the President’s Critical Infrastructure Protection Board sought comments from individuals and institutions nationwide by placing a draft version of the Strategy online for review. Thousands participated in the town hall meetings and provided comments online. Their comments contributed to shaping the Strategy by narrowing its focus and sharpening its priorities.

This process recognizes that we can only secure cyberspace successfully through an inclusive national effort that engages major institutions throughout the country. The federal government designed the Strategy development process to raise the Nation’s level of awareness of the importance of cybersecurity. Its intent was to produce a Strategy that many Americans could feel they had a direct role in developing, and to which they would be committed.

Although the redrafting process reflects many of the comments provided, not everyone will agree with each component of the National Strategy to Secure Cyberspace. Many issues could not be addressed in detail, and others are not yet ripe for national policy. The Strategy is not immutable; actions will evolve as technologies advance, as threats and vulnerabilities change, and as our understanding of the cybersecurity issues improves and clarifies. A national dialogue on cyberspace security must therefore continue.

In the weeks following the release of the draft Strategy, Congress approved the creation of the Department of Homeland Security (DHS), assigned to it many agencies that are active in cybersecurity, and directed it to perform new cybersecurity missions. This Strategy reflects those changes. Congress passed and the President signed the Cyber Security Research and Development Act (Public Law 107-305), authorizing a multi-year effort to create more secure cyber technologies, to expand cybersecurity research and development, and to improve the cybersecurity workforce.

Five National Cyberspace Security Priorities

The National Strategy to Secure Cyberspace is a call for national awareness and action by individuals and institutions throughout the United States, to increase the level of cybersecurity nationwide and to implement continuous processes for identifying and remedying cyber vulnerabilities. Its framework is an agenda of five broad priorities that require widespread voluntary participation. Each individual program consists of several components, many of which were drawn from the draft Strategy’s recommendations and related public comments.

Addressing these priorities requires the leadership of DHS as well as several other key federal departments and agencies. As part of the Office of Management and Budget (OMB)-led budget process, and with the support of Congress, these departments and agencies now have the task of translating the Strategy’s recommendations into actions.

Corporations, universities, state and local governments, and other partners are also encouraged to take actions consistent with these five national cyberspace security priorities, both independently and in partnership with the federal government. Each private-sector organization must make its own decisions based on cost effectiveness analysis and risk-management and mitigation strategies.

The National Strategy to Secure Cyberspace articulates five national priorities. The first priority focuses on improving our ability to respond to cyber incidents and reduce the potential damage from such events. The second, third, and fourth priorities aim to reduce the numbers of cyber threats and our overall vulnerability to cyber attacks. The fifth priority focuses on preventing cyber attacks with the potential to impact national security assets and improving international management of and response to such attacks.

Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to take place effectively at a national level, the United States requires a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process. Because no cybersecurity plan can be impervious to concerted and intelligent attacks, information systems must be able to operate while under attack and also have the resilience to restore full operations in their wake. To prepare for the possibility of major cyber attacks, America needs a national cyber disaster recovery plan. The National Cyberspace Security Response System will involve public and private institutions and cyber centers to perform analysis, conduct watch and warning activities, enable information exchange, and facilitate restoration efforts.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber systems, an organized cyber attack may endanger the security of our Nation’s critical infrastructures. Cyberspace vulnerabilities occur in the critical infrastructure enterprises and government departments themselves, in their external supporting structures (such as the mechanisms of the Internet), and in unsecured sites across the interconnected network of networks. Vulnerabilities exist for several reasons including technological weaknesses, poor security-control implementation, and absences of effective oversight.

A National Cyberspace Security Threat and Vulnerability reduction program will include coordinated national efforts conducted by governments and the private sector to identify and remediate the most serious cyber vulnerabilities through collaborative activities, such as sharing best practices and evaluating and implementing new technologies. Additional program components will include raising cybersecurity awareness, increasing criminal justice activities, and developing national security programs to deter future cyber threats.


Priority III: A National Cyberspace Security Awareness and Training Program

Many information-system vulnerabilities exist because of a lack of cyberspace security awareness on the part of computer users, systems administrators, technology developers, procurement officials, auditors, chief information officers, chief executive officers, and corporate boards. These vulnerabilities can present serious risks to the infrastructures even if they are not actually part of the infrastructure itself. A lack of trained personnel and the absence of widely accepted, multi-level certifications for personnel further complicate the task of reducing vulnerabilities.

The National Cyberspace Security Awareness and Training Program will raise cybersecurity awareness in companies, government agencies, universities, and among the Nation’s computer users. It will further address shortfalls in the numbers of trained and certified cybersecurity personnel.

Priority IV: Securing Governments’ Cyberspace

Although governments administer only a minority of the Nation’s critical infrastructure computer systems, governments at all levels perform essential services that rely on each of the critical infrastructure sectors, which are agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. With respect to investment in cyberspace security, government can lead by example by fostering a marketplace for more secure technologies through large procurements of advanced information assurance technologies. A program to implement such products will help to ensure that federal computer systems and networks are secure. The federal government will also assist state and local governments with cybersecurity awareness, training, and information exchange.

Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace links the United States to the rest of the world. A network of networks spans the planet, allowing malicious actors on one continent to act on systems thousands of miles away. Cyber attacks cross borders at light speed, and discerning the source of malicious activity is difficult. America must be capable of safeguarding and defending its critical systems and networks—regardless of where an attack originates. Facilitating our ability to do so requires a system of international cooperation to enable the information sharing, reduce vulnerabilities, and deter malicious actors.

Actions and Recommendations

The Strategy highlights actions that the federal government will take and makes recommendations to our partners in nongovernmental organizations. The actions and recommendations (A/R) are italicized throughout the Strategy and numbered according to the associated priority. For example A/R 1-1 is the first action or recommendation in Priority I. Appendix A provides a summary of all of the A/Rs proposed.


Cyberspace Threats and Vulnerabilities

A Case for Action

The terrorist attacks against the United States that took place on September 11, 2001, had a profound impact on our Nation. The federal government and society as a whole have been forced to reexamine conceptions of security on our home soil, with many understanding only for the first time the lengths to which self-designated enemies of our country are willing to go to inflict debilitating damage.

We must move forward with the understanding that there are enemies who seek to inflict damage on our way of life. They are ready to attack us on our own soil, and they have shown a willingness to use unconventional means to execute those attacks. While the attacks of September 11 were physical attacks, we are facing increasing threats from hostile adversaries in the realm of cyberspace as well.

A Nation Now Fully Dependent on Cyberspace

For the United States, the information technology revolution quietly changed the way business and government operate. Without a great deal of thought about security, the Nation shifted the control of essential processes in manufacturing, utilities, banking, and communications to networked computers. As a result, the cost of doing business dropped and productivity skyrocketed. The trend toward greater use of networked systems continues.


[Figure: A Mapping of Code Red Penetration on a Portion of the Internet. Image courtesy UCSD/CAIDA (www.caida.org) © 2002 The Regents of the University of California.]


By 2003, our economy and national security became fully dependent upon information technology and the information infrastructure. A network of networks directly supports the operation of all sectors of our economy—energy (electric power, oil and gas), transportation (rail, air, merchant marine), finance and banking, information and telecommunications, public health, emergency services, water, chemical, defense industrial base, food, agriculture, and postal and shipping. The reach of these computer networks exceeds the bounds of cyberspace. They also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, and radars.

Threats in Cyberspace

A spectrum of malicious actors can and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security. The required technical sophistication to carry out such an attack is high—and partially explains the lack of a debilitating attack to date. We should not, however, be too sanguine. There have been instances where attackers have exploited vulnerabilities that may be indicative of more destructive capabilities.

Uncertainties exist as to the intent and full technical capabilities of several observed attacks. Enhanced cyber threat analysis is needed to address long-term trends related to threats and vulnerabilities. What is known is that the attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving.

As an example, consider the “NIMDA” (“ADMIN” spelled backwards) attack. Despite the fact that NIMDA did not create a catastrophic disruption to the critical infrastructure, it is a good example of the increased technical sophistication showing up in cyber attacks. It demonstrated that the arsenal of weapons available to organized attackers now contains the capability to learn and adapt to its local environment. NIMDA was an automated cyber attack, a blend of a computer worm and a computer virus. It propagated across the Nation with enormous speed and tried several different ways to infect computer systems it invaded until it gained access and destroyed files. It went from nonexistent to nationwide in an hour, lasted for days, and attacked 86,000 computers.

Speed is also increasing. Consider that two months before NIMDA, a cyber attack called Code Red infected 150,000 computer systems in 14 hours.

Because of the increasing sophistication of computer attack tools, an increasing number of actors are capable of launching nationally significant assaults against our infrastructures and cyberspace. In peacetime America’s enemies may conduct espionage on our Government, university research centers, and private companies. They may also seek to prepare for cyber strikes during a confrontation by mapping U.S. information systems, identifying key targets, lacing our infrastructure with backdoors and other means of access. In wartime or crisis, adversaries may seek to intimidate the nation’s political leaders by attacking critical infrastructures and key economic functions or eroding public confidence in information systems.

Cyber attacks on U.S. information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Countering such attacks requires the development of robust capabilities where they do not exist today if we are to reduce vulnerabilities and deter those with the capabilities and intent to harm our critical infrastructures.

Cyberspace provides a means for organized attack on our infrastructure from a distance. These attacks require only commodity technology, and enable attackers to obfuscate their identities, locations, and paths of entry. Not only does cyberspace provide the ability to exploit weaknesses in our critical infrastructures, but it also provides a fulcrum for leveraging physical attacks by allowing the possibility of disrupting communications, hindering U.S. defensive or offensive response, or delaying emergency responders who would be essential following a physical attack.

In the last century, geographic isolation helped protect the United States from a direct physical invasion. In cyberspace national boundaries have little meaning. Information flows continuously and seamlessly across political, ethnic, and religious divides. Even the infrastructure that makes up cyberspace—software and hardware—is global in its design and development. Because of the global nature of cyberspace, the vulnerabilities that exist are open to the world and available to anyone, anywhere, with sufficient capability to exploit them.

Reduce Vulnerabilities in the Absence of Known Threats

While the Nation’s critical infrastructures must, of course, deal with specific threats as they arise, waiting to learn of an imminent attack before addressing important critical infrastructure vulnerabilities is a risky and unacceptable strategy. Cyber attacks can burst onto the Nation’s networks with little or no warning and spread so fast that many victims never have a chance to hear the alarms. Even with forewarning, they likely would not have had the time, knowledge, or tools needed to protect themselves. In some cases creating defenses against these attacks would have taken days.

A key lesson derived from these and other such cyber attacks is that organizations that rely on networked computer systems must take proactive steps to identify and remedy their vulnerabilities, rather than waiting for an attacker to be stopped or until alerted of an impending attack. Vulnerability assessment and remediation activities must be ongoing. An information technology security audit conducted by trained professionals to identify infrastructure vulnerabilities can take months. Subsequently, the process of creating a multi-layered defense and a resilient network to remedy the most serious vulnerabilities could take several additional months. The process must then be regularly repeated.

Threat and Vulnerability: A Five-Level Problem

Managing threat and reducing vulnerability in cyberspace is a particularly complex challenge because of the number and range of different types of users. Cyberspace security requires action on multiple levels and by a diverse group of actors because literally hundreds of millions of devices are interconnected by a network of networks. The problem of cyberspace security can be best addressed on five levels.

Level 1, the Home User/Small Business

Though not a part of a critical infrastructure the computers of home users can become part of networks of remotely controlled machines that are then used to attack critical infrastructures. Undefended home and small business computers, particularly those using digital subscriber line (DSL) or cable connections, are vulnerable to attackers who can employ the use of those machines without the owner’s knowledge. Groups of such “zombie” machines can then be used by third-party actors to launch denial-of-service (DoS) attacks on key Internet nodes and other important enterprises or critical infrastructures.

Level 2, Large Enterprises

Large-scale enterprises (corporations, government agencies, and universities) are common targets for cyber attacks. Many such enterprises are part of critical infrastructures. Enterprises require clearly articulated, active information security policies and programs to audit compliance with cybersecurity best practices. According to the U.S. intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess.

Level 3, Critical Sectors/Infrastructures

When organizations in sectors of the economy, government, or academia unite to address common cybersecurity problems, they can often reduce the burden on individual enterprises. Such collaboration often produces shared institutions and mechanisms, which, in turn, could have cyber vulnerabilities whose exploitation could directly affect the operations of member enterprises and the sector as a whole. Enterprises can also reduce cyber risks by participating in groups that develop best practices, evaluate technological offerings, certify products and services, and share information.

Several sectors have formed Information Sharing and Analysis Centers (ISACs) to monitor for cyber attacks directed against their respective infrastructures. ISACs are also a vehicle for sharing information about attack trends, vulnerabilities, and best practices.

Level 4, National Issues and Vulnerabilities

Some cybersecurity problems have national implications and cannot be solved by individual enterprises or infrastructure sectors alone. All sectors share the Internet. Accordingly, they are all at risk if its mechanisms (e.g., protocols and routers) are not secure. Weaknesses in widely used software and hardware products can also create problems at the national level, requiring coordinated activities for the research and development of improved technologies. Additionally, the lack of trained and certified cybersecurity professionals also merits national-level concern.

Level 5, Global

The worldwide web is a planetary information grid of systems. Internationally shared standards enable interoperability among the world’s computer systems. This interconnectedness, however, also means that problems on one continent have the potential to affect computers on another. We therefore rely on international cooperation to share information related to cyber issues and, further, to prosecute cyber criminals. Without such cooperation, our collective ability to detect, deter, and minimize the effects of cyber-based attacks would be greatly diminished.

New Vulnerabilities Requiring Continuous Response

New vulnerabilities are created or discovered regularly. The process of securing networks and systems, therefore, must also be continuous. The Computer Emergency Response Team/Coordination Center (CERT/CC) notes that not only are the numbers of cyber incidents and attacks increasing at an alarming rate, so too are the numbers of vulnerabilities that an attacker could exploit. Identified computer security vulnerabilities—faults in software and hardware that could permit unauthorized network access or allow an attacker to cause network damage—increased significantly from 2000 to 2002, with the number of vulnerabilities going from 1,090 to 4,129.

The mere installation of a network security device is not a substitute for maintaining and updating a network’s defenses. Ninety percent of the participants in a recent Computer Security Institute survey reported using antivirus software on their network systems, yet 85 percent of their systems had been damaged by computer viruses. In the same survey, 89 percent of the respondents had installed computer firewalls, and 60 percent had intrusion detection systems. Nevertheless, 90 percent reported that security breaches had taken place, and 40 percent of their systems had been penetrated from outside their network.

The majority of security vulnerabilities can be mitigated through good security practices. As these survey numbers indicate, however, practicing good security includes more than simply installing those devices. It also requires operating them correctly and keeping them current through regular patching and virus updates.

Cybersecurity and Opportunity Cost

For individual companies and the national economy as a whole, improving computer security requires investing attention, time, and money. For fiscal year 2003, President Bush requested that Congress increase funds to secure federal computers by 64 percent. President Bush’s investment in securing federal computer networks now will eventually reduce overall expenditures through cost-saving E-Government solutions, modern enterprise management, and by reducing the number of opportunities for waste and fraud.

For the national economy—particularly its information technology industry component—the dearth of trusted, reliable, secure information systems presents a barrier to future growth. Much of the potential for economic growth made possible by the information technology revolution has yet to be realized—deterred in part by cyberspace security risks. Cyberspace vulnerabilities place more than transactions at risk; they jeopardize intellectual property, business operations, infrastructure services, and consumer trust.

Conversely, cybersecurity investments result in more than costly overhead expenditures. They produce a return on investment. Surveys repeatedly show that:

• Although the likelihood of suffering a severe cyber attack is difficult to estimate, the costs associated with a successful one are likely to be greater than the investment in a cybersecurity program to prevent it; and

• Designing strong security protocols into the information systems architecture of an enterprise can reduce its overall operational costs by enabling cost-saving processes, such as remote access and customer or supply-chain interactions, which could not occur in networks lacking appropriate security.

These results suggest that, with greater awareness of the issues, companies can benefit from increasing their levels of cybersecurity. Greater awareness and voluntary efforts are critical components of the National Strategy to Secure Cyberspace.

Roles and Responsibilities in Securing Cyberspace

Priority 1: National Cyberspace Security Response System

Priority 2: National Cyberspace Security Threat and Vulnerability Reduction System

Priority 3: National Cyberspace Security Awareness and Training Program

Priority 4: Securing Governments’ Cyberspace

Priority 5: National Security and International Cyberspace Security Cooperation

Home User/Small Business ✗ ✗

Large Enterprises ✗ ✗ ✗ ✗ ✗

Critical Sectors/Infrastructures ✗ ✗ ✗ ✗ ✗

National Issues and Vulnerabilities ✗ ✗ ✗ ✗

Global ✗

Individual and National Risk Management

Until recently overseas terrorist networks had caused limited damage in the United States. On September 11, 2001, that quickly changed. One estimate places the increase in cost to our economy from attacks to U.S. information systems at 400 percent over four years. While those losses remain relatively limited, that too could change abruptly.

Every day in the United States individual companies, and home computer users, suffer damage from cyber attacks that, to the victims, represent significant losses. Conditions likewise exist for relative measures of damage to occur on a national level, affecting the networks and systems on which the Nation depends:

• Potential adversaries have the intent;

• Tools that support malicious activities are broadly available; and,

• Vulnerabilities of the Nation’s systems are many and well known.

No single strategy can completely eliminate cyberspace vulnerabilities and their associated threats. Nevertheless, the Nation must act to manage risk responsibly and to enhance its ability to minimize the damage that results from attacks that do occur. Through this statement, we reveal nothing to potential foes that they and others do not already know. In 1997 a Presidential Commission identified the risks in a seminal public report. In 2000 the first national plan to address the problem was published. Citing these risks, President Bush issued an Executive Order in 2001, making cybersecurity a priority, and accordingly, increasing funds to secure federal networks. In 2002 the President moved to consolidate and strengthen federal cybersecurity agencies as part of the proposed Department of Homeland Security.

[Figure: two charts plotted by year, one axis starting at 1995 and one at 1988. Source: CERT/CC]

Government Alone Cannot Secure Cyberspace

Despite increased awareness around the importance of cybersecurity and the measures taken thus far to improve our capabilities, cyber risks continue to underlie our national information networks and the critical systems they manage. Reducing that risk requires an unprecedented, active partnership among diverse components of our country and our global partners.

The federal government could not—and, indeed, should not—secure the computer networks of privately owned banks, energy companies, transportation firms, and other parts of the private sector. The federal government should likewise not intrude into homes and small businesses, into universities, or state and local agencies and departments to create secure computer networks. Each American who depends on cyberspace, the network of information networks, must secure the part that they own or for which they are responsible.


National Policy and Guiding Principles

National Policy, Principles, and Organization

This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework of principles within which it was developed. It also outlines the roles and missions of federal agencies.

National Policy

The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. These three functions now depend on an interdependent network of critical information infrastructures that we refer to as “cyberspace.”

It is the policy of the United States to prevent or minimize disruptions to critical information infrastructures and thereby protect the people, the economy, the essential human and government services, and the national security of the United States. Disruptions that do occur should be infrequent, of minimal duration and manageable and cause the least damage possible. The policy requires a continuous effort to secure information systems for critical infrastructure and includes voluntary public-private partnerships involving corporate and nongovernmental organizations.

Consistent with the objectives of the National Strategy for Homeland Security, the objectives of the National Strategy to Secure Cyberspace are to:

• Prevent cyber attacks against our critical infrastructures;

• Reduce our national vulnerabilities to cyber attack; and,

• Minimize the damage and recovery time from cyber attacks that do occur.

Guiding Principles

In January 2001, the Administration began to review the role of information systems and cybersecurity. In October 2001, President Bush issued Executive Order 13231, authorizing a protection program that consists of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. The Federal Information Security Management Act (FISMA) and Executive Order 13231, together with other relevant Presidential directives and statutory authorities, provide the framework for executive branch cyberspace security activities.

The protection of these cyber systems is essential to every sector of the economy. The development and implementation of this program directive has been guided by the following organizing principles:

1. A National Effort: Protecting the widely distributed assets of cyberspace requires the efforts of many Americans. The federal government alone cannot defend America’s cyberspace. Our traditions of federalism and limited government require that organizations outside the federal government take the lead in many of these efforts. The government’s role in securing cyberspace includes promoting better security in privately owned infrastructures when there is a need to:

• Convene and facilitate discussions between and with nongovernmental entities;

• Identify instances where the “tragedy of the commons” can affect homeland, national, and economic security; and

• Share information about cyber threats and vulnerabilities so nongovernmental entities can adjust their risk management strategies and plans, as appropriate.

In every case, the scope for government involvement is limited to those cases when the benefits of intervention outweigh the direct and indirect costs.

Every American who can contribute to securing part of cyberspace is encouraged to do so. The federal government promotes the creation of, and participation in, public-private partnerships to raise awareness, train personnel, stimulate market forces, improve technology, identify and remediate vulnerabilities, exchange information, and plan recovery operations. Many sectors have undertaken the important step of developing ISACs, which facilitate communication, the development of best practices, and the dissemination of security-related information. In addition, various sectors have developed plans to secure their parts of cyberspace, which complement this Strategy, and the government intends for this productive and collaborative partnership to continue.

2. Protect Privacy and Civil Liberties: The abuse of cyberspace infringes on our privacy and our liberty. It is incumbent on the federal government to avoid such abuse and infringement. Cybersecurity and personal privacy need not be opposing goals. Cyberspace security programs must strengthen, not weaken, such protections. Accordingly, care must be taken to respect privacy interests and other civil liberties. Consumers and operators must have confidence their voluntarily shared, nonpublic information will be handled accurately, confidentially, and reliably. The federal government will lead by example in implementing strong privacy policies and practices in the agencies. As part of this process, the federal government will consult regularly with privacy advocates and experts.

3. Regulation and Market Forces: Federal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common-denominator approach to cybersecurity, which evolving technology would quickly marginalize. Even worse, such an approach could result in less secure and more homogeneous security architectures than we have now. By law, some federal regulatory agencies already include cybersecurity considerations in their oversight activity. However, the market itself is expected to provide the major impetus to improve cybersecurity.

4. Accountability and Responsibility: The National Strategy to Secure Cyberspace is focused on producing a more resilient and reliable information infrastructure. When possible, it designates lead executive branch departments or agencies for federal cyberspace security initiatives. On November 25, 2002, the President signed the Homeland Security Act of 2002 establishing the Department of Homeland Security (DHS). DHS will be responsible for many of the initiatives outlined in the National Strategy to Secure Cyberspace. The Strategy also recommends actions federal, state and local governments, the private sector, and the American people can take to help secure cyberspace.

5. Ensure Flexibility: Cyber threats change rapidly. Accordingly, the National Strategy to Secure Cyberspace emphasizes flexibility in our ability to respond to cyber attacks and manage vulnerability reduction. The rapid development of attack tools provides potential attackers with a strategic advantage to adapt their offensive tactics quickly to target perceived weaknesses in networked information systems and organizations’ abilities to respond. Flexible planning allows organizations to reassess priorities and realign resources as the cyber threat evolves.

6. Multi-Year Planning: Securing cyberspace is an ongoing process, as new technologies appear and new vulnerabilities are identified. The National Strategy to Secure Cyberspace provides an initial framework for achieving cyberspace security objectives. Departments and agencies should adopt multi-year cybersecurity plans for sustaining their respective roles. Other public- and private-sector organizations are also encouraged to consider multi-year plans.

Department of Homeland Security and Cyberspace Security

DHS unites 22 federal entities for the common purpose of improving homeland security. The Department also creates a focal point for managing cyberspace incidents that could impact the federal government or even the national information infrastructures. The Secretary of Homeland Security will have important responsibilities in cyberspace security, including:

• Developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States, including information technology and telecommunications systems (including satellites) and the physical and technological assets that support such systems;

• Providing crisis management support in response to threats to, or attacks on, critical information systems;

• Providing technical assistance to the private sector and other governmental entities with respect to emergency recovery plans that respond to major failures of critical information systems;

• Coordinating with other federal agencies to provide specific warning information and advice about appropriate protective measures and countermeasures to state and local government agencies and authorities, the private sector, other entities, and the public; and

• Performing and funding research and development along with other agencies that will lead to new scientific understanding and technologies in support of homeland security.

CRITICAL INFRASTRUCTURE LEAD AGENCIES

LEAD AGENCY: SECTORS

Department of Homeland Security:
• Information and Telecommunications
• Transportation (aviation, rail, mass transit, waterborne commerce, pipelines, and highways (including trucking and intelligent transportation systems))
• Postal and Shipping
• Emergency Services
• Continuity of Government

Department of the Treasury:
• Banking and Finance

Department of Health and Human Services:
• Public Health (including prevention, surveillance, laboratory services, and personal health services)
• Food (all except for meat and poultry)

Department of Energy:
• Energy (electric power, oil and gas production, and storage)

Environmental Protection Agency:
• Water
• Chemical Industry and Hazardous Materials

Department of Agriculture:
• Agriculture
• Food (meat and poultry)

Department of Defense:
• Defense Industrial Base

Designation of Coordinating Agencies

A productive partnership between the federal government and the private sector depends on effective coordination and communication. To facilitate and enhance this collaborative structure, the government has designated a “Lead Agency” for each of the major sectors of the economy vulnerable to infrastructure attack. In addition, the Office of Science and Technology Policy (OSTP) coordinates research and development to support critical infrastructure protection. The Office of Management and Budget (OMB) oversees the implementation of governmentwide policies, principles, standards, and guidelines for federal government computer security programs. The Department of State coordinates international outreach on cybersecurity. The Director of Central Intelligence is responsible for assessing the foreign threat to U.S. networks and information systems. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead the national effort to investigate and prosecute cybercrime.

The government will continue to support the development of public-private partnerships. Working together, sector representatives and federal lead agencies assess their respective sectors’ vulnerabilities to cyber or physical attacks and, accordingly, recommend plans or measures to eliminate significant exposures. Both technology and the threat environment can change rapidly. Therefore, sectors and lead agencies should frequently assess the reliability, vulnerability, and threat environments of the Nation’s infrastructures and employ appropriate protective measures and responses to safeguard them.

The government’s full authority, capabilities, and resources must be available to support critical infrastructure protection efforts. These include, as appropriate, crisis management, law enforcement, regulation, foreign intelligence, and defense preparedness.


Priority I: A National Cyberspace Security Response System

In the 1950s and 1960s, our Nation became vulnerable to attacks from aircraft and missiles for the first time. The federal government responded by creating a national system to: monitor our airspace with radar to detect unusual activity, analyze and warn of possible attacks, coordinate our fighter aircraft defenses during an attack, and restore our Nation after an attack through civil defense programs.

Today, the Nation’s critical assets could be attacked through cyberspace. The United States now requires a different kind of national response system in order to detect potentially damaging activity in cyberspace, to analyze exploits and warn potential victims, to coordinate incident responses, and to restore essential services that have been damaged.

The fact that the vast majority of cyberspace is neither owned nor operated by any single group—public or private—presents a challenge for creating a National Cyberspace Security Response System. There is no synoptic or holistic view of cyberspace. Therefore, there is no panoramic vantage point from which we can see attacks coming or spreading. Information that indicates an attack has occurred (worms, viruses, denial-of-service attacks) accumulates through many different organizations. However, there is no organized mechanism for reviewing these indicators and determining their implications.

To mitigate the impact of cyber attacks, information about them must disseminate widely and quickly. Analytical and incident response capabilities that exist in numerous organizations could be coordinated to determine how to best defend against an attack, mitigate effects, and restore service.

Establishing a proper administrative mechanism for the National Cyberspace Security Response System presents another challenge. Unlike the U.S. airspace-monitoring program during the Cold War, individuals who operate the systems that enable and protect cyberspace usually are not federal employees. Thus, the National Cyberspace Security Response System must operate from a less formal, collaborative network of governmental and nongovernmental organizations.

DHS is responsible for developing the national cyberspace security response system, which includes:

• Providing crisis management support in response to threats to, or attacks on, critical information systems; and

• Coordinating with other agencies of the federal government to provide specific warning information, and advice about appropriate protective measures and countermeasures, to state and local government agencies and authorities, the private sector, other entities, and the public.

DHS will lead and synchronize efforts for the National Cyberspace Security Response System as part of its overall information sharing and crisis coordination mandate; however, the system itself will consist of many organizations from both government and private sectors. The authorizing legislation for the Department of Homeland Security also created the position of a privacy officer to ensure that any mechanisms associated with the National Cyberspace Security Response System appropriately balance its mission with civil liberty and privacy concerns. This officer will consult regularly with privacy advocates, industry experts, and the public at large to ensure broad input and consideration of privacy issues so that we achieve solutions that protect privacy while enhancing security.

Among the system components outlined below are existing federal programs and new federal initiatives pending budget-review consideration, as well as initiatives recommended for our partners.

A. ESTABLISH PUBLIC-PRIVATE ARCHITECTURE FOR RESPONDING TO NATIONAL-LEVEL CYBER INCIDENTS

Establishing the National Cyberspace Security Response System will not require an expensive or bureaucratic federal program. In many cases the system will augment the capabilities of several important federal entities with existing cyberspace security responsibilities, which are now part of DHS. The synergy that results from integrating the resources of the National Communications System, the National Infrastructure Protection Center’s analysis and warning functions, the Federal Computer Incident Response Center, the Office of Energy Assurance, and the Critical Infrastructure Assurance Office under the purview of the Under Secretary for Information Analysis and Infrastructure Protection will help build the necessary foundation for the National Cyberspace Security Response System.

The National Cyberspace Security Response System

The National Cyberspace Security Response System is a public-private architecture, coordinated by the Department of Homeland Security, for analyzing and warning; managing incidents of national significance; promoting continuity in government systems and private sector infrastructures; and increasing information sharing across and between organizations to improve cyberspace security. The National Cyberspace Security Response System will include governmental entities and nongovernmental entities, such as private sector information sharing and analysis centers (ISACs).

The Nation’s private-sector networks are increasingly targeted, and they will therefore likely be the first organizations to detect attacks with potential national significance. Thus, ISACs will play an increasingly important role in the National Cyberspace Security Response System and the overall missions of homeland security. ISACs possess unique operational insight into their industries’ core functions and will help provide the necessary analysis to support national efforts.

Typically, an ISAC is an industry-led mechanism for gathering, analyzing, sanitizing, and disseminating sector-specific security information and articulating and promulgating best practices. ISACs are designed by the various sectors to meet their respective needs and financed through their memberships. DHS will work closely with ISACs as appropriate to ensure that they receive timely and actionable threat and vulnerability data and to coordinate voluntary contingency planning efforts. The federal government encourages the private sector to continue to establish ISACs and, further, to enhance the analytical capabilities of existing ISACs.

National Cyberspace Security Response System: Components/Capabilities

Analysis: DHS Analysis Center
• Strategic group
• Tactical group
• Vulnerability assessments

Warning: DHS Incident Operations Center
• Cyber Warning and Information Network
• ISACs

Incident Management: DHS Incident Management Structure
• Federal coordination
• Private, state and local coordination

Response/Recovery: National Response Contingency Plans
• Federal plans
• Private plan coordination

1. Analysis

a. Provide for the Development of Tactical and Strategic Analysis of Cyber Attacks and Vulnerability Assessments

Analysis is the first step toward gaining important insight about a cyber incident, including the nature of attack, the information it compromised, and the extent of damage it caused. Analysis can also provide an indication of the intruder’s possible intentions, the potential tools he used, and the vulnerabilities he exploited. There are three closely related, but discrete, categories of analysis related to cyberspace:

(i) Tactical analysis examines factors associated with incidents under investigation or specific, identified vulnerabilities to generate indications and warnings. Examples of tactical analysis include: examining the delivery mechanism of a computer virus to develop and issue immediate guidance on ways to prevent or mitigate damage; and studying a specific computer intrusion, or set of intrusions, to determine the perpetrator, his motive, and his method of attack.

(ii) Strategic analysis looks beyond specific incidents to consider broader sets of incidents or implications that may indicate threats of potential national importance. For example, strategic analyses may identify long-term trends related to threat and vulnerability that could be used to provide advanced warnings of increasing risks, such as emerging attack methods. Strategic analysis also provides policymakers with information they can use to anticipate and prepare for attacks, thereby diminishing the damage they cause. Strategic analysis also provides a foundation to identify patterns that can support indications and warnings.

(iii) Vulnerability assessments are detailed reviews of cyber systems and their physical components to identify and study their weaknesses. Vulnerability assessments are an integral part of the intelligence cycle for cyberspace security. These assessments enable planners to predict the consequences of possible cyber attacks against specific facilities or sectors of the economy or government. These projections then allow infrastructure owners and operators to strengthen their defenses against various types of threat. (This will be discussed in the Cyberspace Security Threat and Vulnerability Reduction Program.)

DHS will foster the development of strong analytic capabilities in each of these areas. It should seek partnership and assistance from the private sector, including the ISACs, in developing these capabilities.

2. Warning

a. Encourage the Development of a Private Sector Capability to Share a Synoptic View of the Health of Cyberspace

The lack of a synoptic view of the Internet frustrates efforts to develop Internet threat analysis and indication and warning capabilities. The effects of a cyber attack on one sector have the potential to cascade across several other sectors, thereby producing significant consequences that could rapidly overwhelm the capabilities of many private companies and state and local governments. DHS’s integration of several key federal cybersecurity operations centers creates a focal point for the federal government to manage cybersecurity emergencies in its own systems, and, if requested, facilitate crisis management in non-federal critical infrastructure systems.

Separately, industry is encouraged to develop a mechanism—whether virtual or physical—that could enable the sharing of aggregated information on Internet health to improve analysis, warning, response, and recovery. To the extent permitted by law, this voluntary coordination of activities among nongovernmental entities could enable different network operators and Internet backbone providers to analyze and exchange data about attacks. Such coordination could prevent exploits from escalating and causing damage or disruption of vital systems.

DHS will create a single point-of-contact for the federal government’s interaction with industry and other partners for 24 x 7 functions, including cyberspace analysis, warning, information sharing, major incident response, and national-level recovery efforts. Private sector organizations, which have major contributions for those functions, are encouraged to coordinate activities, as permitted by law, in order to provide a synoptic view of the health of cyberspace on a 24 x 7 basis. (A/R 1-1)


b. Expand the Cyber Warning and Information Network to Support DHS’s Role in Coordinating Crisis Management for Cyberspace

Hours and minutes can make a difference between a major disruption and a manageable incident. Improving national capabilities for warning requires a secure infrastructure to provide assured communications between critical asset owners and operators and their service providers. The Cyber Warning and Information Network (CWIN) will provide an out-of-band private and secure communications network for government and industry, with the purpose of sharing cyber alert and warning information. The network will include voice conferencing and data collaboration.

While the first phase was implemented between the federal government cyber watch centers, CWIN participants will ultimately include other critical government and industry partners, such as ISACs that deal with cyber threats on a daily basis. As other entities expand in this area, membership will increase as well. Key to CWIN membership is the ability to share sensitive cyber threat information in a secure, protected, and trusted environment.

As outlined in the 2003 budget, the federal government will complete the installation of CWIN to key government cybersecurity-related network operation centers, to disseminate analysis and warning information and perform crisis coordination. The federal government will also explore linking the ISACs to CWIN. (A/R 1-2)

3. National Incident Management

Enhancing analytical capabilities within DHS, the private sector ISACs, and expanding CWIN will contribute to the improvement of national cyber incident management. However, incident management within the federal government will still require coordination with organizations other than those being transferred to DHS. For example, the Departments of Justice, Defense, and Commerce all have roles to perform in response to incidents in cyberspace. Within the White House a number of offices have responsibilities, including the Office of Science and Technology Policy, which is responsible for executing emergency telecommunications authorities, the National Security Council, which coordinates all matters related to national security and international cooperation, and the Office of Management and Budget.

In addition, national incident management capabilities will also integrate state chief information officers as well as international entities, as appropriate. (See, Priorities IV and V.)

4. Response and Recovery

a. Create Processes to Coordinate the Voluntary Development of National Public-Private Continuity and Contingency Plans

Among the lessons learned from security reviews following the events of September 11, 2001, was that federal agencies had vastly inconsistent, and in most cases incomplete, contingency capabilities for their communications and other systems. Contingency planning is a key element of cybersecurity. Without adequate contingency planning and training, agencies may not be able to effectively handle disruptions in service and ensure business continuity. OMB, through the Federal Information Security Management Act requirements and with assistance from the inspectors general, is holding agencies accountable for developing continuity plans.

b. Exercise Cybersecurity Continuity Plans in Federal Cyber Systems

DHS has the responsibility for providing crisis management support in response to threats to, or attacks on, critical information systems for other government agencies, state and local governments and, upon request, the private sector. In order to establish a baseline understanding of federal readiness, DHS will explore exercises for the civilian agencies similar to the Defense Department “Eligible Receiver” exercises that test cybersecurity preparedness.

To test civilian agencies’ security preparedness and contingency planning, DHS will use exercises to evaluate the impact of cyber attacks on governmentwide processes. Weaknesses discovered will be included in agency corrective action plans and submitted to OMB. DHS also will explore such exercises as a way to test the coordination of public and private incident management, response and recovery capabilities. (A/R 1-3)

(i) Encourage increased cyber risk management and business continuity. There are a number of measures that nongovernmental entities can employ to manage the risk posed by cyberspace and plan for business continuity. Risk management is a discipline that involves risk assessment, risk prevention, risk mitigation, risk transfer, and risk retention.

There is no special technology that can make an enterprise completely secure. No matter how much money companies spend on cybersecurity, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber risk insurance programs as a means of transferring risk and providing for business continuity.

An important way to reduce an organization’s exposure to cyber-related losses, as well as to help protect companies from operational and financial impairment, is to ensure that adequate contingency plans are developed and tested.

Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk. (A/R 1-4)

(ii) Promote public-private contingency planning for cybersecurity. It may not be possible to prevent a wide range of cyber attacks. For those attacks that do occur, the Nation needs an integrated public-private plan for responding to significant outages or disruptions in cyberspace. Some organizations have plans for how they will recover their cyber network and capabilities in the event of a major outage or catastrophe. However, there is no mechanism for coordinating such plans across an entire infrastructure or at a national level.

The legislation establishing DHS also provides a trusted mechanism for private industry to develop contingency planning by using the voluntary preparedness planning provisions that were established in the Defense Production Act of 1950, as amended.

Infrastructure sectors are encouraged to establish mutual assistance programs for cybersecurity emergencies. DoJ and the Federal Trade Commission should work with the sectors to address barriers to such cooperation, as appropriate. In addition, DHS’s Information Analysis and Infrastructure Protection Directorate will coordinate the development and regular update of voluntary, joint government-industry cybersecurity contingency plans, including a plan for recovering Internet functions. (A/R 1-5)

B. INFORMATION SHARING

1. Improve and Enhance Public-Private Information Sharing about Cyber Attacks, Threats, and Vulnerabilities

Successfully developing capabilities for analysis, indications, and warnings requires a voluntary public-private information sharing effort. The voluntary sharing of information about such incidents or attacks is vital to cybersecurity. Real or perceived legal obstacles make some organizations hesitant to share information about cyber incidents with the government or with each other. First, some fear that shared data that is confidential, proprietary, or potentially embarrassing could become subject to public examination when shared with the government. Second, concerns about competitive advantage may impede information sharing between companies within an industry. Finally, in some cases, the mechanisms are simply not yet in place to allow efficient sharing of information.

The legislation establishing DHS provides several specific mechanisms intended to improve two-way information sharing. First, the legislation encourages industry to share information with DHS by ensuring that such voluntarily provided data about threats and vulnerabilities will not be disclosed in a manner that could damage the submitter. Second, the legislation requires that the federal government share information and analysis with the private sector as appropriate and consistent with the need to protect classified and other sensitive national security information.

As required by law, DHS, in consultation with appropriate federal agencies, will establish uniform procedures for the receipt, care, and storage by federal agencies of critical infrastructure information that is voluntarily submitted to the government.

The procedures will address how the Department will:

• Acknowledge the receipt of voluntarily submitted critical infrastructure information;

• Maintain the information as voluntarily submitted critical infrastructure information;

• Establish protocols for the care and storage of such information; and

• Create methods for protecting the confidentiality of the submitting entity while still allowing the information to be used in the issuance of notices and warnings for protection of the critical infrastructure.

DHS will raise awareness about the removal of impediments to information sharing about cybersecurity and infrastructure vulnerabilities between the public and private sectors. The Department will also establish an infrastructure protection program office to manage the information flow, including the development of protocols for how to care for “voluntarily submitted critical infrastructure information.” (A/R 1-6)

2. Encourage Broader Information Sharing on Cybersecurity

Nongovernmental organizations with significant computing resources are encouraged to take active roles in information sharing organizations. Corporations, colleges, and universities can play important roles in detecting and reporting cyber attacks, exploits, or vulnerabilities. In particular, both corporations and institutions of higher learning can gain from increased sharing on cyberspace security issues. Programs such as ISACs, FBI Infragard, or the United States Secret Service electronic crimes task forces can also benefit the respective participants. Because institutions of higher learning have vast computer resources that can be used as launch pads for attacks, colleges and universities are encouraged to consider establishing an on-call point-of-contact to Internet service providers (ISPs) and law enforcement officials.

Corporations are encouraged to consider active involvement in industrywide programs to share information on IT security, including the potential benefits of joining an appropriate ISAC. Colleges and universities are encouraged to consider establishing: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; and, (2) an on-call point-of-contact, to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks. (A/R 1-7)


Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

Malicious actors in cyberspace can take many forms including individuals, criminal cartels, terrorists, or nation states. While attackers take many forms, they all seek to exploit vulnerabilities created by the design or implementation of software, hardware, networks, and protocols to achieve a wide range of political or economic effects. As our reliance on cyberspace increases so too does the scope of damage that malicious actors can impose.

Waiting to act until we learn that a malicious actor is about to exploit a particular vulnerability is risky. Such warning information may not always be available. Even when warning data is available, remediation of some vulnerabilities may take days, weeks, or even years. As a result, vulnerabilities must be identified and corrected in critical networks before threats surface. The most dangerous vulnerabilities must be prioritized and reduced in a systematic fashion.

As technology evolves and new systems are introduced, new vulnerabilities emerge. Our strategy cannot be to eliminate all vulnerabilities, or to deter all threats. Rather, we will pursue a three-part effort to:

(1) Reduce threats and deter malicious actors through effective programs to identify and punish them;

(2) Identify and remediate those existing vulnerabilities that could create the most damage to critical systems, if exploited; and

(3) Develop new systems with less vulnerability and assess emerging technologies for vulnerabilities.

The federal government cannot accomplish these goals acting alone. It can only do so in partnership with state and local governments and the private sector. Many federal agencies must play a part in this effort, which will be led and coordinated by DHS as part of its overall vulnerability reduction mandate.

The components of this program are discussed in this section. They include federal programs (both existing programs and initiatives that will be considered as part of the budget decision making process) and activities that the federal government recommends to its partners. Many activities that can be taken by individuals, companies, and other private organizations to reduce vulnerabilities will be stimulated and accelerated through awareness and are discussed as part of the awareness initiative described in Priority III.

A. REDUCE THREAT AND DETER MALICIOUS ACTORS

1. Enhance Law Enforcement’s Capabilities for Preventing and Prosecuting

The National Strategy to Secure Cyberspace is especially concerned with those threats that could cause significant damage to our economy or security through actions taken using or against our cyber infrastructure. By identifying threats that would cause us significant harm, we can reduce the threats to homeland security, national security, and the economy. Law enforcement and the national security community play a critical role in preventing attacks in cyberspace. Law enforcement plays the central role in attributing an attack through the exercise of criminal justice authorities.

Many cyber-based attacks are crimes. As a result the Justice Department’s Computer Crime and Intellectual Property Section, the FBI’s Cyber Division, and the U.S. Secret Service all play a central role in apprehending and swiftly bringing to justice the responsible individuals. When incidents do occur, a rapid response can stem the tide of an ongoing attack and lessen the harm that is ultimately caused. The Nation currently has laws and mechanisms to ensure quick responses to large incidents. Ideally, an investigation, arrest, and prosecution of the perpetrators, or a diplomatic or military response in the case of a state-sponsored action, will follow such an incident.

Threat reduction, however, involves more than prosecution. Analyzing and disseminating practical information gathered by law enforcement can help promote national infrastructure security. For example, through various initiatives such as the FBI Infragard program and the U.S. Secret Service electronic crimes task forces, law enforcement can share lessons learned from attacks with private sector organizations. The information gleaned from investigations can provide the federal government and private industry a framework for examining the robustness of their cybersecurity skill sets, and assist in prioritizing their limited resources to manage the unique risk of their enterprise.

Justice and the FBI will need to work closely with DHS to ensure that the information gleaned from investigations is appropriately analyzed and shared with ISACs and other nongovernmental entities to promote improved risk management in critical infrastructure sectors.


The Nation will seek to prevent, deter, and significantly reduce cyber attacks by ensuring the identification of actual or attempted perpetrators followed by an appropriate government response. In the case of cybercrime this would include swift apprehension, and appropriately severe punishment.

DOJ and other appropriate agencies will develop and implement efforts to reduce cyber attacks and cyber threats through the following means: (1) identifying ways to improve information sharing and investigative coordination within the federal, state, and local law enforcement community working on critical infrastructure and cyberspace security matters, and with other agencies and the private sector; (2) exploring means to provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of critical infrastructure incidents; and, (3) developing better data about victims of cybercrime and intrusions in order to understand the scope of the problem and be able to track changes over time. (A/R 2-1)

2. Create a Process for National Vulnerability Assessments to Better Understand the Potential Consequences of Threats and Vulnerabilities

a. Assess the Potential Impact of Strategic Cyber Attacks

To better understand how to further detect and prevent attacks, the Nation must know the threat it is facing. To date, no comprehensive assessment of the impact of a strategic cyber attack against the United States has been conducted. Because nation states and terrorists are developing capabilities for cyber-based attacks, it is important to understand the potential impact of such an attack and possible ways to mitigate the effects. DHS, in coordination with appropriate agencies and the private sector, will lead in the development and conduct of a national threat assessment including red teaming, blue teaming, and other methods to identify the impact of possible attacks on a variety of targets. (A/R 2-2)

B. IDENTIFY AND REMEDIATE EXISTING VULNERABILITIES

Reducing vulnerabilities can be resource intensive. Accordingly, our national efforts to identify and remediate vulnerabilities must be focused to reduce vulnerabilities in a cost effective and systematic manner. The United States must reduce vulnerabilities in four major components of cyberspace, including: (1) the mechanisms of the Internet; (2) digital control systems/supervisory control and data acquisition systems; (3) software and hardware vulnerability remediation; and, (4) physical infrastructure and interdependency. These four areas have broad implications for the majority of the Nation’s critical infrastructures. Initiating efforts to eliminate vulnerabilities in these important areas will reduce the vulnerability of critical infrastructure services to attack or compromise.

How the Internet Works

Data sent from one computer to another across the Internet is broken into small packets of information containing addressing information as well as a portion of the total message. The packets travel across the Internet separately and are reassembled at the receiving computer. There are two primary protocols that enable these packets of data to traverse the complex networks and arrive in an understandable format. These protocols are: (1) the Transmission Control Protocol (TCP) which decomposes data into packets and ensures that they are reassembled properly at the destination; and (2) the Internet Protocol (IP), which guides or routes the packets of data through the Internet. Together they are referred to as TCP/IP.

IP is essential to almost all Internet activities including sending data such as e-mail. Data is transmitted based on IP addresses, which are a series of numbers. The Domain Name System (DNS) was developed to simplify the management of IP addresses. The DNS maps IP numbers to recognizable sets of letters, words or numbers. The DNS does this by establishing domains and a structured hierarchical addressing scheme.

1. Secure the Mechanisms of the Internet

The development and implementation of the mechanisms for securing the Internet are responsibilities shared by its owners, operators, and users. Private industry is leading the effort to ensure that the core functions of the Internet develop in a secure manner. As appropriate, the federal government will continue to support these efforts. The goal is the development of secure and robust mechanisms that will enable the Internet to support the Nation’s needs now and in the future. This will include securing the protocols on which the Internet is based, ensuring the security of the routers that direct the flow of data, and implementing effective management practices.

a. Improve the Security and Resilience of Key Internet Protocols

Essential to the security of the Internet infrastructure is ensuring the reliability and secure use of three key protocols: the Internet Protocol (IP), the Domain Name System (DNS), and the Border Gateway Protocol (BGP).

(i) Internet Protocol. The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol.

The United States must understand the merits of, and obstacles to, moving to IPv6 and, based on that understanding, identify a process for moving to an IPv6 based infrastructure. The federal government can lead in developing this understanding by employing IPv6 on some of its own networks and by coordinating its activities with those in the private sector. The Department of Commerce will form a task force to examine the issues related to IPv6, including the appropriate role of government, international interoperability, security in transition, and costs and benefits. The task force will solicit input from potentially impacted industry segments. (A/R 2-3).

(ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective.

(iii) Border Gateway Protocol. Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols.


Propagation of false routing information in the Internet can deny service to small or large portions of the Internet. For example, false routes can create “black holes” that absorb traffic destined for a particular block of address space. They can also lead to cascade failures that have occurred in other types of large routing/switching systems in the past, where the failure of one switch or mechanism results in the failure of those connected to it, resulting in additional waves of failures expanding outward from the initial fault.

More secure forms of BGP and DNS will benefit all owners, operators and users of the Internet. To address this issue, the Internet Engineering Task Force, a voluntary private body consisting of users, owners, and operators of the Internet, has established working groups for securing BGP and DNS. These groups have made progress, but have been limited by technical obstacles and the need for coordination.

The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.
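The false-route "black hole" described above can be shown from the receiving network's side. The following is an added example, not part of the strategy document: it checks route announcements against a table of authorized origins before they reach the routing table. The strategy names no specific mechanism, so the authorization table, the prefixes (documentation ranges) and the AS numbers (private-use range) are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """Who may originate a prefix, and how specific an announcement may be."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int


# Constructed table: documentation prefixes, private-use AS numbers.
AUTHORIZED = [
    Authorization(ipaddress.ip_network("198.51.100.0/24"), 64500, 24),
    Authorization(ipaddress.ip_network("203.0.113.0/24"), 64501, 24),
]

# Constructed announcements as (prefix, origin AS) pairs.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # legitimate holder
    ("198.51.100.128/25", 64511),  # false route for part of the same block
    ("203.0.113.0/24", 64501),     # legitimate holder
    ("192.0.2.0/24", 64502),       # no authorization on record
]


def validate(prefix, origin_as, table=AUTHORIZED):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [a for a in table if net.subnet_of(a.prefix)]
    if not covering:
        return "unknown"  # nothing on record covers this address space
    for auth in covering:
        if auth.origin_as == origin_as and net.prefixlen <= auth.max_length:
            return "valid"
    return "invalid"      # covered space, wrong origin or too specific


def best_route(rib, dest):
    """Longest-prefix match: the most specific covering route is used."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rib if addr in ipaddress.ip_network(r[0])]
    return max(matches,
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def filtered_rib(announcements):
    """Keep everything except announcements that fail validation."""
    return [a for a in announcements if validate(*a) != "invalid"]


if __name__ == "__main__":
    dest = "198.51.100.200"
    print("unfiltered:", best_route(ANNOUNCEMENTS, dest))
    print("filtered:  ", best_route(filtered_rib(ANNOUNCEMENTS), dest))
```

Without the check, traffic for 198.51.100.200 follows the false route; with it, the same lookup returns the legitimate holder's route.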

b. Promote Improved Internet Routing

Routers on the Internet share a number of design characteristics that make them relatively easy to disable, especially through denial-of-service (DoS) attacks that overwhelm a router’s processing capability. Internet routing can be substantially improved by promoting increased use of address verification and “out-of-band” management.

(i) Address Verification. Today there are few effective solutions available, even commercially, to mitigate the effect of DoS attacks, as the scale and lack of address verification and accountability makes filtering and contacting the sources of an attack impossible. One of the largest weaknesses in our current Internet infrastructure is the lack of source address verification. Establishing an Internet infrastructure that provides forged source address filtering is a critical step towards defeating these types of attacks.

(ii) Out-of-Band Management. DoS attacks are difficult to mitigate because they prevent control data from reaching the router. Separate control networks, commonly called “out-of-band” management links, are one technique that can be used to counter DoS attacks.

DHS will examine the need for increased research to improve router security through new technology or approaches to routing information. In particular, DHS will assess progress on out-of-band management and address filtering and recommend steps that can be taken by government or the private sector to improve their effectiveness and use. In addition, DHS will work with the private sector to understand the most efficient path and obstacles to increasing router security using current techniques and technology.
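The forged source address filtering called for under (i) Address Verification can be sketched at a provider's customer-facing edge. This is an added example, not part of the strategy document: each interface accepts only packets whose source address lies inside the prefixes assigned to that customer. The interface names, prefixes (documentation ranges) and packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes the provider has assigned to each customer interface.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.128/25"),
               ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed packets as (arrival interface, source, destination).
PACKETS = [
    ("cust-a", "198.51.100.10", "192.0.2.80"),  # genuine
    ("cust-a", "203.0.113.7", "192.0.2.80"),    # forged: cust-b's space
    ("cust-a", "10.1.2.3", "192.0.2.80"),       # forged: never assigned
    ("cust-b", "203.0.113.7", "192.0.2.80"),    # genuine
    ("cust-b", "127.0.0.1", "192.0.2.80"),      # forged: loopback
    ("cust-b", "198.51.100.10", "192.0.2.80"),  # forged: cust-a's space
]


def check_source(interface, src):
    """Return (accept, reason) for one packet's source address."""
    addr = ipaddress.ip_address(src)
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return False, "address can never be a legitimate remote sender"
    prefixes = ASSIGNED.get(interface)
    if prefixes is None:
        return False, "no prefixes on record for this interface"
    if any(addr in p for p in prefixes):
        return True, "source within prefixes assigned to this interface"
    return False, "source outside prefixes assigned to this interface"


def ingress_filter(packets):
    """Forward verified packets; count drops per arrival interface.

    The per-interface drop count is what restores accountability: it
    points at the customer link the forged traffic entered through.
    """
    forwarded, dropped = [], Counter()
    for interface, src, dst in packets:
        accept, _reason = check_source(interface, src)
        if accept:
            forwarded.append((interface, src, dst))
        else:
            dropped[interface] += 1
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = ingress_filter(PACKETS)
    print("forwarded:", fwd)
    print("dropped per interface:", dict(drp))
```

Every packet that survives the filter carries a source address that maps back to the link it arrived on, so a flood's origin can be filtered or its operator contacted.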

c. Improve Management

Much improvement can be made in the security of the Internet infrastructure if best practices for managing the Internet, including the data that flows through it and the equipment that supports it, are widely employed. DHS will work with organizations that own and operate the Internet to develop and promote the adoption of best practices. In particular, DHS will work with Internet service providers to help develop a widely accepted “code of conduct” for network management. This work will include a review of existing documented best practices such as those published by Network Reliability and Interoperability Council (NRIC) of the Federal Communications Commission (FCC).


DHS, in coordination with the Commerce Department and appropriate agencies, will coordinate public-private partnerships to encourage: (1) the adoption of improved security protocols; (2) the development of more secure router technology; and, (3) the adoption by ISPs of a “code of good conduct,” including cybersecurity practices and security related cooperation. DHS will support these efforts as required for their success, subject to other budget considerations. (A/R 2-4)

2. Foster Trusted Digital Control Systems / Supervisory Control and Data Acquisition Systems

Many industries in America have radically transformed the way they control and monitor equipment over the last 20 years by employing digital control systems (DCS) and supervisory control and data acquisition systems (SCADA). DCS/SCADA are computer-based systems that are used by many infrastructures and industries to remotely control sensitive processes and physical functions that once had to be controlled manually. DCS and SCADA are present in almost every sector of the economy including water, transportation, chemicals, energy, and manufacturing, among others. Increasingly DCS/SCADA systems use the Internet to transmit data rather than the closed networks used in the past.

Securing DCS/SCADA is a national priority. Disruption of these systems can have significant consequences for public health and safety. However, securing these systems is complicated by various factors. First, adding security requires investment in systems and in research and development that companies cannot afford or justify on their own. Such research may require the involvement of multiple infrastructure operators or industries. Second, current technological limitations could impede the implementation of security measures. For example, DCS/SCADA systems are typically small and self-contained units with limited power supplies. Security features are not easily adapted to the space or power requirements. In addition, these systems operate in real time and security measures could reduce performance or impact the synchronization of larger processes.

Both the private and public sectors have a role in securing SCADA systems. DHS, in coordination with the Department of Energy and other concerned agencies, will work in partnership with private industry to ensure that there is broad awareness among industry vendors and users, both regulated and unregulated, of the vulnerabilities in DCS/SCADA systems, and the consequences of exploitation of those vulnerabilities. For operators of DCS/SCADA systems, these efforts should include developing and deploying training and certification of DCS/SCADA-oriented software and hardware security. In addition, DHS will work with the private sector to promote voluntary standards efforts, and security policy creation.

The development of adequate test bed environments and the development of technology in the areas of extremely low latency link encryptors/authenticators, key management, and network status/state-of-health monitoring will aid in the effort to secure DCS/SCADA. DHS, in coordination with DOE and other concerned agencies and in partnership with industry, will develop best practices and new technology to increase security of DCS/SCADA, to determine the most critical DCS/SCADA-related sites, and to develop a prioritized plan for short-term cybersecurity improvements in those sites. (A/R 2-5)

3. Reduce and Remediate SoftwareVulnerabilities

A third critical area of national exposure is the many flaws that exist in critical infrastructure due to software vulnerabilities. New vulnerabilities emerge daily as use of software reveals flaws that malicious actors can exploit. Currently, approximately 3,500 vulnerabilities are reported annually. Corrections are usually completed by the manufacturer in the form of a patch and made available for distribution to fix the flaws.

Many known flaws, for which solutions are available, remain uncorrected for long periods of time. For example, the top ten known vulnerabilities account for the majority of reported incidents of cyber attacks. This happens for multiple reasons. Many system administrators may lack adequate training or may not have time to examine every new patch to determine whether it applies to their system. The software to be patched may affect a complex set of interconnected systems that take a long time to test before a patch can be installed with confidence. If the systems are critical, it could be difficult to shut them down to install the patch.

Unpatched software in critical infrastructures makes those infrastructures vulnerable to penetration and exploitation. Software flaws are exploited to propagate “worms” that can result in denial of service, disruption, or other serious damage. Such flaws can be used to gain access to and control over physical infrastructure. Improving the speed, coverage, and effectiveness of remediation of these vulnerabilities is important for both the public and private sector.

Several steps will help. First, the Nation needs a better-defined approach to the disclosure of vulnerabilities. The issue is complex because exposing vulnerabilities both helps speed the development of solutions and also creates opportunities for would-be attackers. In addition, the clearinghouse for such disclosures must be a neutral body between vendors, security companies, and the public at large. Today the government partially funds such organizations. However, the appropriate level and form for this funding need to be reviewed. DHS will work with the National Infrastructure Advisory Council and private sector organizations to develop an optimal approach and mechanism for vulnerability disclosure. (A/R 2-6)

A second step that will speed the distribution of patches in software systems is the creation of common test-beds. Such test-beds running applications that are common among government agencies or companies can speed patch implementation by testing one time, for many users, the impact that a patch will have on a variety of applications. GSA will work with DHS on an improved approach to implementing a patch clearinghouse for the federal government. DHS will also share lessons learned with the private sector and encourage the development of a voluntary, industry-led, national effort to develop a similar clearinghouse for other sectors including large enterprises. (A/R 2-7)

Finally, best practices in vulnerability remediation should be established and shared in areas such as training requirements for system administrators, the use of automated tools, and management processes for patch implementation. DHS will work with public and private entities on the development and dissemination of such practices. More secure initial configurations for shipped cyber products would facilitate more secure use by making the default set-up secure rather than insecure. The software industry is encouraged to consider promoting more secure “out-of-the-box” installation and implementation of their products, including increasing: (1) user awareness of the security features in products; (2) ease-of-use for security functions; and, (3) where feasible, promotion of industry guidelines and best practices that support such efforts. (A/R 2-8)

4. Understand Infrastructure Interdependency and Improve Physical Security of Cyber Systems and Telecommunications

Reducing the vulnerability of the cyber infrastructure includes mitigating the potentially devastating attacks on cyberspace that can occur when key physical linkages are destroyed. The impact of such attacks can be amplified by cascading impacts through a variety of dependent infrastructures affecting both the economy and the health and welfare of citizens: a train derailed in a Baltimore tunnel and the Internet slowed in Chicago; a campfire in New Mexico damaged a gas pipeline and IT-related production halted in Silicon Valley; a satellite spun out of control hundreds of miles above the Earth and affected bank customers could not use their ATMs.

Cyberspace has physical manifestations: the buildings and conduits that support telecommunications and Internet networks. These physical elements have been designed and built to create redundancy and avoid single points of failure. Nonetheless, the carriers and service providers are encouraged to independently and collectively continue to analyze their networks to strengthen reliability and intentional redundancy. The FCC, through its Network Reliability and Interoperability Council, and the National Security Telecommunications Advisory Committee, can contribute to such efforts and should identify any governmental impediments to strengthening the national networks.

DHS will work actively to reduce interdependencies and physical vulnerability. DHS will establish and lead a public-private partnership to identify cross-sectoral interdependencies, both cyber and physical. The partnership will develop plans to reduce related vulnerabilities in conjunction with programs proposed in the National Strategy for Homeland Security. The National Infrastructure Simulation and Analysis Center in DHS will support these efforts by developing models to identify the impact of cyber and physical interdependencies. (A/R 2-9)

DHS also will support, when requested and as appropriate, voluntary efforts by owners and operators of information system networks and network data centers to develop remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks, and to develop appropriate procedures for limiting access to critical facilities. (A/R 2-10)

C. DEVELOP SYSTEMS WITH FEWER VULNERABILITIES AND ASSESS EMERGING TECHNOLOGIES FOR VULNERABILITIES

As the Nation takes steps to improve the security of current systems, it must also ensure that future cyber systems and infrastructure are built to be secure. This will become increasingly important as more and more of our daily economic and physical lives come to depend on cyber infrastructure. Future security requires research in cyberspace security topics and a commitment to the development of more secure products.

1. Prioritize the Federal Research and Development Agenda

Federal investment in research for the next generation of technologies to maintain and secure cyberspace must keep pace with an increasing number of vulnerabilities. Flexibility and nimbleness are important in ensuring that the research and development process accommodates the dynamic technology environment in the years ahead.

The Nation will prioritize and provide resources as necessary to advance the research to secure cyberspace. A new generation of enabling technologies will serve to “modernize” the Internet for rapidly growing traffic volumes, expanded e-commerce, and the advanced applications that will be possible only when next-generation networks are widely available. As a result, national research efforts must be prioritized to support the transition of cyberspace into a secure, high-speed knowledge and communications infrastructure for this century. Vital research is required for this effort. The Nation must prioritize its cyberspace security research efforts across all sectors and funding sources.

To meet these needs, the Director of OSTP will coordinate the development, and update on an annual basis, a federal government research and development agenda that includes near-term (1-3 years), mid-term (3-5 years), and later (5 years out and longer) IT security research for Fiscal Year 2004 and beyond. Existing priorities include, among others, intrusion detection, Internet infrastructure security (including protocols such as BGP and DNS), application security, DoS, communications security (including SCADA system encryption and authentication), high-assurance systems, and secure system composition. (A/R 2-11)

To optimize research efforts relative to those of the private sector, DHS will ensure that adequate mechanisms exist for coordination of research and development among academia, industry, and government, and will develop new mechanisms where needed. (A/R 2-12)

An important goal of cybersecurity research will be the development of highly secure, trustworthy, and resilient computing systems. In the future, working with a computer, the Internet, or any other cyber system may become as dependable as turning on the lights or the water.

The Nation must seek to ensure that future components of the cyber infrastructure are built to be inherently secure and dependable for their users. Development of highly secure and reliable systems will be pursued, subject to budgeting constraints, through the national cyberspace security research agenda.

The private sector is encouraged to consider including in near-term research and development priorities, programs for highly secure and trustworthy operating systems. If such systems are developed and successfully evaluated, the federal government will, subject to budget considerations, accelerate procurement of such systems. (A/R 2-13)

In addition, DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development. (A/R 2-14)

2. Assess and Secure Emerging Systems

As new technologies are developed they introduce the potential for new security vulnerabilities. Some new technologies introduce security weaknesses that are only corrected over time, with great difficulty, or sometimes not at all. A person driving in a car around a city, for example, can access many wireless local area networks without the knowledge of their owners unless strong security measures are added to those systems.

As telephones and personal digital assistants, and many other mobile devices, incorporate more sophisticated operating systems and connectivity they may require security features to prevent their exploitation for distributed attacks on mobile networks and even the Internet.

Emerging areas of research also can produce unforeseen consequences for security. The emergence of optical computing and intelligent agents, as well as in the longer term, developments in areas such as nanotechnology and quantum computing, among others, will likely reshape cyberspace and its security. The Nation must be at the leading edge in understanding these technologies and their implications for security.

DHS, in coordination with OSTP and other agencies, as appropriate, will facilitate communication between the public and private research and the security communities, to ensure that emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council, in the context of possible homeland and cyberspace security implications, and relevance to the federal research agenda. (A/R 2-15)


Priority III: A National Cyberspace Security Awareness and Training Program

Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

To do that, users need to know the simple things that they can do to help to prevent intrusions, cyber attacks, or other security breaches. All users of cyberspace have some responsibility, not just for their own security, but also for the overall security and health of cyberspace.

In addition to the vulnerabilities in existing information technology systems, there are at least two other major barriers to users and managers acting to improve cybersecurity: (1) a lack of familiarity, knowledge, and understanding of the issues; and (2) an inability to find sufficient numbers of adequately trained and/or appropriately certified personnel to create and manage secure systems.

Among the components of this priority are the following:

• Promote a comprehensive national awareness program to empower all Americans—businesses, the general workforce, and the general population—to secure their own parts of cyberspace;

• Foster adequate training and education programs to support the Nation’s cybersecurity needs;

• Increase the efficiency of existing federal cybersecurity training programs; and

• Promote private sector support for well-coordinated, widely recognized professional cybersecurity certification.

Key to any successful national effort to enhance cybersecurity must be a national effort to raise awareness (of users and managers at all levels) and maintain an adequate pool of well trained and certified IT security specialists. The federal government cannot by itself create or manage all aspects of such an effort. It can only do so in partnership with industry, other governments, and nongovernmental actors.

Many federal agencies must play a part in this effort, which will be led and coordinated by DHS. The components of this program will include the following federal programs (both existing programs and initiatives which will be considered as part of the budget decision making process) and activities, which we recommend to our partners.

A. AWARENESS

1. Promote a Comprehensive National Awareness Program to Empower All Americans—Businesses, the General Workforce, and the General Population—to Secure their Own Parts of Cyberspace

In many cases solutions to cybersecurity issues exist, but the people who need them do not know they exist or do not know how or where to find them. In other cases people may not even be aware of the need to make a network element secure. A small business, for example, may not realize that the configuration of its web server uses a default password that allows anyone to gain control of the system. Education and outreach play an important role in making users and operators of cyberspace sensitive to security needs. These activities are an important part of the solution for almost all of the issues discussed in the National Strategy to Secure Cyberspace, from securing digital control systems in industry, to securing broadband Internet access at home.

DHS, working in coordination with appropriate federal, state, and local entities and private sector organizations, will facilitate a comprehensive awareness campaign including audience-specific awareness materials, expansion of the StaySafeOnline campaign, and development of awards programs for those in industry making significant contributions to security. (A/R 3-1)

Increasing awareness and education prepares private sectors, organizations, and individuals to secure their parts of cyberspace. Actions taken by one entity on a network can immediately and substantially affect one or many others. Because the insecurity of one participant in cyberspace can have a major impact on the others, the actions they take to secure their own networks contribute to the security of the whole. For example, a few subverted servers recently enabled an attack on some of the Internet Domain Name System root servers and threatened to disrupt service for many users. Through improved awareness the Nation can stimulate actions to secure cyberspace by creating an understanding at all audience levels of both cybersecurity issues and solutions. DHS will lead an effort to increase cybersecurity awareness for key audiences:

a. Home Users and Small Business

Home users and small business are not part of the critical infrastructures. However, their systems are being increasingly subverted by malicious actors to attack critical systems. Therefore, increasing the awareness about cybersecurity among these users contributes to greater infrastructure security. Home users and small business owners of cyber systems often start with the greatest knowledge gap about cybersecurity.

DHS, in coordination with other agencies and private organizations, will work to educate the general public of home users, students, children, and small businesses on basic cyberspace safety and security issues. As part of these efforts, DHS will partner with the Department of Education and state and local governments to elevate the exposure of cybersecurity issues in primary and secondary schools. In addition, the Federal Trade Commission will continue to provide information on cybersecurity for consumers and small businesses through http://www.ftc.gov/infosecurity.

DHS, in coordination with the Department of Education, will encourage and support, where appropriate subject to budget considerations, state, local, and private organizations in the development of programs and guidelines for primary and secondary school students in cybersecurity. (A/R 3-2)

In recent years, with the spread of “always on” connections for systems, such as cable modems, digital subscriber lines (DSL), and wireless and satellite systems, the security of home user and small business systems has become more important not only to the users themselves, but to others to which they are connected through the Internet. For example, these connections generally mean that larger amounts of data can be sent and done so in a continuous stream. These two factors can be exploited and used to attack other systems, possibly even resulting in nationally significant damage. The Internet service providers, antivirus software companies, and operating system/application software developers that provide services or products to home users and small businesses can help raise their awareness of cybersecurity issues.

Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. To facilitate such actions, DHS will create a public-private task force of private companies, organizations, and consumer users groups to identify ways that providers of information technology products and services, and other organizations can make it easier for home users and small businesses to secure their systems. (A/R 3-3)

b. Large Enterprises

The security of large enterprises is important not only to individual businesses, but to the Nation as a whole. Large enterprises own major cyber networks and computing systems that, if not secure, can be exploited for attacks on other businesses in an increasingly interconnected economy, and could, in the case of a massive attack, have major economic consequences. The cybersecurity of large enterprises can be improved through strong management to ensure that best practices and efficient technology are being employed, especially in the areas of configuration management, authentication, training, incident response, and network management. DHS will continue the work of sensitizing the owners of these networks to their vulnerabilities and what can be done to mitigate them. DHS, working with other government agencies and private sector organizations, will build upon and expand existing efforts to direct the attention of key corporate decision makers (e.g., CEOs and members of boards of directors) to the business case for securing their companies’ information systems.

Decision makers can take a variety of steps to improve the security of their enterprise networks and to ensure that their networks cannot be maliciously exploited. Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructures. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and, (3) participating in industrywide information sharing and best practice dissemination. (A/R 3-4)


(i) Insider Threats. Many cyber attacks on enterprise systems are perpetrated by trusted “insiders.” Insiders are people trusted with legitimate access rights to enterprise information systems and networks. Such trusted individuals can pose a significant threat to the enterprise and beyond. The insider threat poses a key risk because it provides a potential avenue for individuals who seek to harm the Nation to gain access to systems that could support their malicious objectives. Effectively mitigating the insider threat requires policies, practices, and continued training. Three common policy areas which can reduce insider threat include: (1) access controls, (2) segregation of duties, and, (3) effective policy enforcement.

• Poor access controls enable an individual or group to inappropriately modify, destroy, or disclose sensitive data or computer programs for purposes such as personal gain or sabotage.

• Segregation of duties is important in assuring the integrity of an enterprise’s information system. No one person should have complete control of any system.

• Effective enforcement of an enterprise security policy can be challenging and requires regular auditing. New automated software is beginning to emerge which can facilitate efficient enforcement of enterprise security. These programs allow the input of policy in human terms, translation to machine code, and then monitoring at the packet level of all data transactions within, and outbound from, the network. Such software can detect and stop inappropriate use of networks and cyber-based resources.

c. Institutions of Higher Education (IHEs)

Awareness plays an especially important role in increasing the cybersecurity of IHEs. As recent experience has shown, organized attackers have collectively exploited many insecure computer systems traceable to the campus networks of higher education as a platform from which to launch denial-of-service attacks and other threats to unrelated systems on the Internet. Such attacks harm not only the targeted systems, but also the owners of those systems and those who desire to use their services. IHEs are subject to exploitation for two reasons: (1) they possess vast amounts of computing power; and (2) they allow relatively open access to those resources. The computing power owned by IHEs is extensive, covering over 3,000 schools, many with research and significant central computing facilities.

The higher education community, collectively, has been actively engaged in efforts to organize its members and coordinate action to raise awareness and enhance cybersecurity on America’s campuses. Most notably, through EDUCAUSE, the community has raised the issue of the Strategy’s development with top leaders of higher education, including the American Council on Education and the Higher Education IT Alliance. Significantly, through this effort, top university presidents have adopted a 5-point Framework for Action that commits them to giving IT security high priority and to adopting the policies and measures necessary to realize greater system security:

(1) Make IT security a priority in higher education;

(2) Revise institutional security policy and improve the use of existing security tools;

(3) Improve security for future research and education networks;

(4) Improve collaboration between higher education, industry, and government; and

(5) Integrate work in higher education with the national effort to strengthen critical infrastructure.


Colleges and universities are encouraged to secure their cyber systems by establishing some or all of the following as appropriate: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; (2) model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; (3) one or more sets of best practices for IT security; and, (4) model user awareness programs and materials. (A/R 3-5)

d. Private Sectors

DHS will work with private sectors on general awareness as well as on specific issues impacting particular sectors. Private sectors own and operate the vast majority of the Nation’s cyberspace. As long time partners in the effort to secure cyberspace, many sectors have developed plans in parallel with the National Strategy to Secure Cyberspace to help secure their critical infrastructures. The sectors can serve a vital role in the reduction of vulnerabilities by creating sector-wide awareness of issues that affect multiple members. Members can develop and share best practices and work together toward common security solutions. For example, SCADA systems are a widespread security issue in the energy sector. Solutions are being coordinated with the Department of Energy and across the sector. The sectors also play a role in the identification of research needs. DHS will closely coordinate with private sectors on plans and initiatives to secure cyberspace.

A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity. (A/R 3-6)

e. State and Local Governments

DHS will implement plans to focus key decision makers in state and local governments—such as governors, state legislatures, mayors, city managers, and county commissioners/boards of supervisors—to support investment in information systems security measures and adopt enforceable management policies and practices.

B. TRAINING

In addition to raising general awareness, the Nation must focus resources on training a talented and innovative pool of citizens that can specialize in securing the infrastructure. While the need for this pool has grown quickly with the expansion of the Internet and the pervasiveness of computers, networks, and other cyber devices, the investment in training has not kept pace. Universities are turning out fewer engineering graduates, and much of their resources are dedicated to other subjects, such as biology and life sciences. This trend must be reversed if the United States is to lead the world with its cyber economy.

1. Foster Adequate Training and Education Programs to Support the Nation’s Cybersecurity Needs

Improvements in cybersecurity training will be accomplished primarily through the work of private training organizations, institutions of learning, and the Nation’s school systems.

DHS will also encourage private efforts to ensure that adequate opportunities exist for continuing education and advanced training in the workplace to maintain high skills standards and the capacity to innovate.

The federal government can play a direct role in several ways. First, DHS will implement and encourage the establishment of programs to advance the training of cybersecurity professionals in the United States, including coordination with NSF, OPM, and NSA, to identify ways to leverage the existing Cyber Corps Scholarship for Service program as well as the various graduate, postdoctoral, senior researcher, and faculty development fellowship and traineeship programs created by the Cyber Security Research and Development Act, to address these important training and education workforce issues. (A/R 3-7)

2. Increase the Efficiency of Existing Federal Cybersecurity Training Programs

Second, DHS will explore the benefits of a center for the development of cybersecurity training practices that would draw together expertise and be consistent with the federal “build once, use many” approach. DHS, in coordination with other agencies with cybersecurity training expertise, will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs. (A/R 3-8)

C. CERTIFICATION

1. Promote Private Sector Support for Well-coordinated Widely Recognized Professional Cybersecurity Certifications

Related to education and training is the need for certification of qualified persons. Certification can provide employers and consumers with greater information about the capabilities of potential employees or security consultants. Currently, some certifications for cybersecurity workers exist; however, they vary greatly in the requirements they impose. For example, some programs emphasize broad knowledge verified by an extensive multiple-choice exam, while others verify in-depth practical knowledge on a particular cyber component. No one certification offers a level of assurance about a person’s practical and academic qualifications, similar to those offered by the medical and legal professions.

To address this issue, a number of industry stakeholders including representatives of both consumers and providers of IT security certifications are beginning to explore approaches to developing nationally recognized certifications and guidelines for certification.

Aspects that warrant consideration by these organizations include levels of education and experience, peer recognition, continuing education requirements, testing guidance, as applicable for various levels of certification that may be established, and models for administering a certification for IT security professionals similar to those successfully employed in other professions. DHS and other federal agencies, as downstream consumers (prospective employers of certified personnel), can aid these efforts by effectively articulating the needs of the federal IT security community.

DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community. (A/R 3-9)


Priority IV: Securing Governments’ Cyberspace

Although most critical infrastructures are in the private sector, governments at various levels perform many key functions. Among those key functions are national defense, homeland security, emergency response, taxation, payments to citizens, central bank activities, criminal justice, and public health. All of those functions and others now depend upon information networks and systems. Thus, it is the duty of governments to secure their information systems in order to provide essential services. At the federal level it is also required by law.

The foundation for the federal government’s cybersecurity requires assigning clear and unambiguous authority and responsibility for security, holding officials accountable for fulfilling those responsibilities, and integrating security requirements into budget and capital planning processes.

The federal government will lead by example, giving cybersecurity appropriate attention and care, and encouraging others to do so. The federal government’s procurement practices will be used to help promote cybersecurity. For example, federal agencies should become early adopters of new, more secure systems and protocols where appropriate.

State and local governments can have a similar effect on cybersecurity. The federal government is ready to partner with both state and local governments to promote cybersecurity.

Within the federal government the Director of OMB is responsible for ensuring that department and agency heads carry out their legal responsibilities to secure IT systems, with the exception of classified systems of national security departments and agencies that are the responsibility of the Secretary of Defense and the Director of Central Intelligence.

A. THE FEDERAL GOVERNMENT

Beginning with the Budget Blueprint in February 2001, continuing in the fiscal year 2002 and 2003 budgets, and the Management Reform Agenda, this administration has set a clear agenda for government reform. These reforms include unifying federal government security and critical infrastructure protection initiatives, and making strong security a condition of funding for all federal investments in information-technology systems.

The National Strategy to Secure Cyberspace supports these efforts by working to ensure that the federal government can identify vulnerabilities, anticipate threats, mitigate attacks when possible, and provide for continuity of operations.

To overcome deficiencies in cybersecurity, OMB established a governmentwide IT security program, as required by law, to set IT security policies and perform oversight of federal agency compliance with security requirements. This program is based on a cost-effective, risk-based approach. Agencies must ensure that security is integrated within every IT investment. This approach is designed to enable federal government business operations, not to unnecessarily impede those functions.

1. Continuously Assess Threats and Vulnerabilities to Federal Cyber Systems

A key step to ensuring the security of federal information technology is to understand the current state of the effectiveness of security and privacy controls in individual systems. Once identified, it is equally important to maintain that understanding through a continuing cycle of risk assessment. This approach is reflected in OMB security policies, and is featured in FISMA.

OMB’s first report to Congress on government information security reform in February 2002 identified six common governmentwide security performance gaps.

These weaknesses included:

(1) Lack of senior management attention;

(2) Lack of performance measurement;

(3) Poor security education and awareness;

(4) Failure to fully fund and integrate security into capital planning and investment control;

(5) Failure to ensure that contractor services are adequately secure; and

(6) Failure to detect, report, and share information on vulnerabilities.

These gaps are not new or surprising. OMB, along with the General Accounting Office and agency inspectors general, has found them to be problems for at least 6 years. The evaluation and reporting requirements established by law have given OMB and federal agencies an opportunity to develop a comprehensive, cross-government baseline of agency IT security performance that had not been previously available. More importantly, through the development and use of corrective action plans, the federal government has a uniform process to track progress in fixing those weaknesses.


Before OMB approves funding for a system an agency must demonstrate that it has resolved outstanding security issues related to the system. Additionally, agencies must ensure that security has been incorporated and security costs reported for every IT investment through the federal capital planning process. OMB policy stipulates that specific lifecycle security costs be identified, built into, and funded as part of each system investment. Failure to do so results in disapproval of funding for the entire system.

2. Agency-Specific Processes

The federal government must have a comprehensive and crosscutting approach to improving cybersecurity. Three processes central to improving and maintaining federal cybersecurity in the agencies are: identifying and documenting enterprise architectures; continuously assessing threats and vulnerabilities, and understanding the risks they pose to agency operations and assets; and implementing security controls and remediation efforts to reduce and manage those risks. Each agency will be expected to create and implement this formal three-step process to achieve greater security.

a. Identify and Document Enterprise Architectures

OMB policy requires each agency to identify and document their enterprise architecture, including an authoritative inventory of all operations and assets, all agency IT systems, critical business processes, and their inter-relationships with other organizations. This process yields a governmentwide view of critical security needs.

Through the budget process, the federal government will drive agency investments in commercially available tools to improve their architectures and system configuration. Configuration management and control has incidental and important benefits to security. For example, controlling system configuration permits agencies to more effectively and efficiently enforce policies and permissions and more easily install antivirus definitions and other software updates and patches across an entire system or network.

b. Continuously Assess Threats and Vulnerabilities

Commercially available automated auditing and reporting mechanisms should be used to validate the effectiveness of the security controls across a system and are essential to continuously understand risks to those systems. These tools can help in analyzing data, providing forward-looking assessments, and alerting agencies of unacceptable risks to their operations.

Federal agencies will continue to expand the use of automated, enterprise-wide security assessment and security policy enforcement tools and actively deploy threat management tools to deter attacks. The federal government will determine whether specific actions are necessary (e.g., through the policy or budget processes) to promote the greater use of these tools. (A/R 4-1)

c. Implement Security Controls and Remediation Efforts

The implementation of security controls that maintain risk at an acceptable level can often be accomplished in a relatively brief amount of time. However, the remediation of vulnerabilities is a much more complex challenge. Software is constantly changing and each new upgrade can introduce new vulnerabilities. As a result, vulnerabilities must be assessed continuously. Remediation often involves “patching” or installing pieces of software or code that are used to update the main program. The remediation of federal systems must be planned in a consistent fashion.


B. ADDITIONAL GOVERNMENTWIDE CHALLENGES

In addition, there are four specific governmentwide security challenges that need to be addressed. Each agency, as appropriate, should work with OMB to resolve these challenges.

1. Authenticate and Maintain Authorization for Users of Federal Systems

Identifying and authenticating each system user is the first link in the system security chain, and it must take place whenever system access is initiated. To establish and maintain secure system operations, organizations must ensure that the people on the system are who they say they are and are doing only what they are authorized to do. Many authentication procedures used today are inadequate. Passwords are not being changed from the system default, are often incorrectly configured, and are rarely updated.

The federal government will continue to promote a continuing chain of security for all federal employees and processes, including the use, where appropriate, of biometric smart cards for access to buildings and computers, and authentication from the moment of computer log on. The benefits of such an approach are clear. By promoting multi-layered identification and authentication—the use of strong passwords, smart tokens, and biometrics - the federal government will eliminate many significant security problems that it has today.

Through the ongoing E-Authentication initiative, the federal government will review the need for stronger access control and authentication; explore the extent to which all departments can employ the same physical and logical access control tools and authentication mechanisms; and consequently, further promote consistency and interoperability. (A/R 4-2)

2. Secure Federal Wireless Local Area Networks

When using wireless technology, the federal government will carefully evaluate the risks associated with using such technology for critical functions. The National Institute of Standards and Technology (NIST) notes that wireless communications can be intercepted and that wireless networks can also experience denial-of-service attacks. Federal agencies should use the NIST findings and recommendations on wireless systems as a guide to the operation of wireless networks.

Federal agencies should consider installing systems that continuously check for unauthorized connections to their networks. Agency policy and procedures should reflect careful consideration of additional risk reduction measures, including the use of strong encryption, bi-directional authentication, shielding standards and other technical security considerations, configuration management, intrusion detection, incident handling, and computer security awareness and training programs. (A/R 4-3)

The National Information Assurance Partnership (NIAP)

NIAP is a U.S. Government initiative to meet testing, evaluation, and assessment needs of both information technology (IT) producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987.

The partnership, originated in 1997, combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and assessment programs. NIAP continues to build important relationships with government agencies and industry in a variety of areas to help meet current and future IT security challenges affecting the Nation’s critical information infrastructure. More information on the partnership can be found at http://www.niap.nist.gov.

3. Improve Security in Government Outsourcing and Procurement

Through a joint effort of OMB’s Office of Federal Procurement Policy, the Federal Acquisition Regulations Council, and the Executive Branch Information Systems Security Committee, the federal government is identifying ways to improve security in agency contracts and evaluating the overall federal procurement process as it relates to security. Agencies’ maintenance of security for outsourced operations was cited as one of the key weaknesses identified in OMB’s February 2002 security report to Congress.

Additionally, the federal government will be conducting a comprehensive review of the National Information Assurance Partnership (NIAP), to determine the extent to which it is adequately addressing the continuing problem of security flaws in commercial software products. This review will include lessons learned from implementation of the Defense Department’s July 2002 policy requiring the acquisition of products reviewed under the NIAP or similar evaluation processes. (A/R 4-4)

Department of Defense (DOD) policy stipulates that if an evaluated product of the type being sought is available for use, then the DOD component must procure the evaluated product. If no evaluated product is currently available, the component must require prospective vendors to submit their product for evaluation to be further considered.

Following this program review, the government will evaluate the cost effectiveness of expanding the program to cover all federal agencies. If this proves workable, it could both improve government security and leverage the government’s significant purchasing power to influence the market and begin to improve the security of all consumer information technology products.

4. Develop Specific Criteria for Independent Security Reviews and Reviewers and Certification

With the growing emphasis on security comes the corresponding need for expert independent verification and validation of agency security programs and practices. FISMA and OMB’s implementing guidance require that agencies’ program officials and CIOs review at least annually the status of their programs. Few agencies have available personnel resources to conduct such reviews, and thus they frequently contract for such services. Agencies and OMB have found that contractor security expertise varies widely from the truly expert to less than acceptable. Moreover, many independent verification and validation contractors are also in the business of providing security program implementation services; thus, their program reviews may be biased toward their preferred way of implementing security.

The federal government will explore whether private sector security service providers to the federal government should be certified as meeting certain minimum capabilities, including the extent to which they are adequately independent. (A/R 4-5)

C. STATE AND LOCAL GOVERNMENTS

American democracy is rooted in the precepts of federalism—a system of government in which power is allocated between federal and state governments. This structure of overlapping federal, state, and local governance has more than 87,000 different jurisdictions and provides unique opportunity and challenges for cyberspace security efforts. State and local governments, like the federal government, operate large, interconnected information systems upon which critical government services depend.

States provide services that make up the “public safety net” for millions of Americans and their families. Services include essential social support activities as well as critical public safety functions, such as law enforcement and emergency response services. States also own and operate critical infrastructure systems, such as electric power and transmission, transportation, and water systems. They play a catalytic role in bringing together the different stakeholders that deliver critical services within their state to prepare for, respond to, manage, and recover from a crisis. Delivering critical services unique to their roles and responsibilities within our federalist system makes state government a critical infrastructure sector in its own right.

Many of these critical functions carried out by states are inexorably tied to IT—including making payments to welfare recipients, supporting law enforcement with electronic access to criminal records, and operating state-owned utility and transportation services. Preventing cyber attacks and responding quickly when they do occur ensures that these 24/7 systems remain available and in place to provide important services that the public needs and expects. Information technology systems have the potential for bringing unprecedented efficiency and responsiveness from state governments for their residents. Citizen confidence in the integrity of these systems and the data collected and maintained by them is essential for expanded use and capture of these potential benefits.

With an increasing dependence on integrated systems, state, local, and federal agencies have to collectively combat cyber attacks. Sharing information to protect systems is an important foundation for ensuring government continuity. States have adopted several mechanisms to facilitate the sharing of information on cyber attacks and in reporting incidents.

These mechanisms are continually modified and improved as new policy emerges and as technological solutions become available. In addition, states are exploring options for improving information sharing both internally and externally. These options include enacting legislation that provides additional funding and training for cybersecurity and forming partnerships across state, local, and federal governments to manage cyber threats.

1. DHS will Work with State and Local Governments and Encourage them to Consider Establishing IT Security Programs and to Participate in ISACs with Similar Governments

State and local governments are encouraged to establish IT security programs for their departments and agencies, including awareness, audits, and standards; and to participate in the established ISACs with similar governments. (A/R 4-6)


Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace is linked to that of the rest of the world. Attacks cross borders at light speed. Distinguishing between malicious activity originating from criminals, nation state actors, and terrorists in real time is difficult. This requires America to be prepared to defend critical networks and respond to attacks in each case. Systems supporting this country’s critical national defense and the intelligence community must be secure, reliable, and resilient—able to withstand attack regardless of the origin of attack. America must also be prepared to respond as appropriate to attacks against its critical infrastructure. At the same time, America must be ready to lead global efforts, working with governments and industry alike, to secure cyberspace that is vital to the operation of the world’s economy and markets. Global efforts require raising awareness, promoting stronger security standards, and aggressively investigating and prosecuting cybercrime.

A. ENSURING AMERICA’S NATIONAL SECURITY

We face adversaries, including nation states and terrorists, who could launch cyber attacks or seek to exploit our systems. In peacetime America’s enemies will conduct espionage against our government, university research centers, and private companies. Activities would likely include mapping U.S. information systems, identifying key targets, lacing our infrastructure with “back doors” and other means of access. In wartime or crisis, adversaries may seek to intimidate by attacking critical infrastructures and key economic functions or eroding public confidence in information systems. They may also attempt to slow the U.S. military response by disrupting systems of the Department of Defense (DoD), the Intelligence Community, and other government organizations as well as critical infrastructures.

America has already experienced significant national cybersecurity events. In 1998, attackers carried out a sophisticated, tightly orchestrated series of cyber intrusions into the computers of DoD, NASA, and government research labs. The intrusions were targeted against those organizations that conduct advanced technical research on national security, including atmospheric and oceanographic topics as well as aircraft and cockpit design.

The United States must have the capability to secure and defend systems and infrastructures that are deemed national security assets, and develop the capability to quickly identify the origin of malicious activity. We must improve our national security posture in cyberspace to limit the ability of adversaries to conduct espionage or pressure the United States.

1. Strengthen Counterintelligence Efforts in Cyberspace

The FBI and intelligence community should ensure a strong counterintelligence posture to counter cyber-based intelligence collection against the United States government, and commercial and educational organizations. This effort must include a deeper understanding of the capability and intent of our adversaries to use cyberspace as a means for espionage. (A/R 5-1)

2. Improve Attack Attribution and Prevention Capabilities

The intelligence community, DoD, and the law enforcement agencies must improve the Nation’s ability to quickly attribute the source of threatening attacks or actions to enable timely and effective response. Consistent with the National Security Strategy, these efforts will also seek to develop capabilities to prevent attacks from reaching critical systems and infrastructures. (A/R 5-2)

3. Improve Coordination for Responding to Cyber Attacks within the United States National Security Community

The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage, ensuring that criminal matters are referred, as appropriate, among those agencies. The National Security Council and the Office of Homeland Security will lead a study to ensure that appropriate mechanisms are in place. (A/R 5-3)

4. Reserve the Right to Respond in an Appropriate Manner

When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner. The United States will be prepared for such contingencies. (A/R 5-4)

B. INTERNATIONAL COOPERATION

The Department of State will lead federal efforts to enhance international cyberspace security cooperation. Key initiatives include:

1. Work through International Organizations and with Industry to Facilitate and to Promote a Global “Culture of Security”

America’s interest in promoting global cybersecurity extends beyond our borders. Our information infrastructure is directly linked with Canada, Mexico, Europe, Asia, and South America. The United States and world economy increasingly depend upon global markets and multinational corporations connected via information networks. The vast majority of cyber attacks originates or passes through systems abroad, crosses several borders, and requires international investigative cooperation to be stopped.

Global networks supporting critical economic and security operations must be secure and reliable. Securing global cyberspace will require international cooperation to raise awareness, increase information sharing, promote security standards, and investigate and prosecute those who engage in cybercrime. The United States is committed to working with nations to ensure the integrity of the global information networks that support critical economic and security infrastructure. We are also ready to utilize government-sponsored organizations such as the Organization of Economic Cooperation and Development (OECD), G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS), and other relevant organizations to facilitate global coordination on cybersecurity. In order to facilitate coordination with the private sector, we will also utilize such organizations as the Transatlantic Business Dialogue.

2. Develop Secure Networks

The United States will engage in cooperative efforts to solve technical, scientific, and policy-related problems to assure the integrity of information networks. We will encourage the development and adoption of international technical standards and facilitate collaboration and research among the world’s best scientists and researchers. We will promote such efforts as the OECD’s Guidelines for the Security of Information Systems and Networks, which strive to inculcate a “culture of security” across all participants in the new information society.

Because most nations’ key information infrastructures reside in private hands, the United States will seek the participation of United States industry to engage foreign counterparts in a peer-to-peer dialogue, with the twin objectives of making an effective business case for cybersecurity, and explaining successful means for partnering with government on cybersecurity.

The United States will work through appropriate international organizations and in partnership with industry to facilitate dialogue between foreign public and private sectors on information infrastructure protection and promote a global “culture of security.” (A/R 5-5)

3. Promote North American Cyberspace Security

The United States will work with Canada and Mexico to make North America a “Safe Cyber Zone.” We will expand programs to identify and secure critical common networks that underpin telecommunications, energy, transportation, banking and finance systems, emergency services, food, public health, and water systems. (A/R 5-6)

4. Foster the Establishment of National and International Watch-and-Warning Networks to Detect and Prevent Cyber Attacks as they Emerge

The United States will urge each nation to build on the common Y2K experience and appoint a centralized point-of-contact who can act as a liaison between domestic and global cybersecurity efforts. Establishing points of contact can greatly enhance the international coordination and resolution of cyberspace security issues. We will also encourage each nation to develop its own watch-and-warning network capable of informing government agencies, the public, and other countries about impending attacks or viruses. (A/R 5-7)

To facilitate real-time sharing of the threat information as it comes to light, the United States will foster the establishment of an international network capable of receiving, assessing, and disseminating this information globally. Such a network can build on the capabilities of nongovernmental institutions such as the Forum of Incident Response and Security Teams. (A/R 5-8)

The United States will encourage regional organizations, such as the APEC, EU, and OAS, to each form or designate a committee responsible for cybersecurity. Such committees would also benefit from establishing parallel working groups with representatives from the private sector. The United States will also encourage regional organizations—such as the APEC, EU, and OAS—to establish a joint committee on cybersecurity with representatives from government and the private sector. (A/R 5-9)

5. Encourage Other Nations to Accede to the Council of Europe Convention on Cybercrime, or to Ensure that their Laws and Procedures are at Least as Comprehensive

The United States will actively foster international cooperation in investigating and prosecuting cybercrime. The United States has signed and supports the recently concluded Council of Europe Convention on Cybercrime, which requires countries to make cyber attacks a substantive criminal offense and to adopt procedural and mutual assistance measures to better combat cybercrime across international borders.

The United States will encourage other nations to accede to the Council of Europe Convention on Cybercrime or to ensure that their laws and procedures are at least as comprehensive. (A/R 5-10)

Ongoing multilateral efforts, such as those in the G-8, APEC, and OECD are also important. The United States will work to implement agreed-upon recommendations and action plans that are developed in these forums. Among these initiatives, the United States in particular will urge countries to join the 24-hour, high-tech crime contact network begun within the G-8, and now expanded to the Council of Europe membership, as well as other countries.


T H E N A T I O N A L S T R A T E G Y T O S E C U R E C Y B E R S P A C E 53

C O N C L U S I O N : T H E W A Y F O R W A R D

Our reliance on cyberspace will only continue to grow in the years ahead. Cyberspace and the networks that connect to it now support our economy and provide for our national and homeland defense. This national dependency must be managed with continuous efforts to secure the cyber systems that control our infrastructures.

Securing cyberspace is a complex and evolving challenge. The National Strategy to Secure Cyberspace was developed in close collaboration with key sectors of the economy that rely on cyberspace, state and local governments, colleges and universities, and concerned organizations. Town hall meetings were held around the country, and fifty-three clusters of key questions were published to spark public debate.

In addition, a draft version of the National Strategy to Secure Cyberspace was shared with the Nation for public comment. The response has been overwhelming.

The public-private partnerships that formed in response to the President’s call have developed their own strategies to protect the parts of cyberspace on which they rely. This unique partnership and process was and will continue to be necessary because the majority of the country’s cyber resources are controlled by entities outside of government. For the National Strategy to Secure Cyberspace to work it must be a plan in which a broad cross section of the country is both invested and committed. Accordingly, the dialogue about how we secure cyberspace will continue.


The National Strategy to Secure Cyberspace identifies five national priorities that will help us achieve this ambitious goal. These are: (1) a national cyberspace security response system; (2) a national cyberspace security threat and vulnerability reduction program; (3) a national cyberspace security awareness and training program; (4) securing governments’ cyberspace; and, (5) national security and international cyberspace security cooperation. These five priorities will serve to prevent, deter, and protect against attacks. In addition, they also create a process for minimizing the damage and recovering from attacks that do occur.

The National Strategy to Secure Cyberspace is, however, only a first step in a long-term effort to secure our information infrastructures. The federal executive branch will use a variety of tools to implement this Strategy. The Administration will work with Congress to craft future federal security budgets based on the Strategy, providing every department and agency involved in cybersecurity with resources to execute its responsibilities. Each lead department and agency will plan and program to execute the initiatives assigned by the National Strategy to Secure Cyberspace.

Within the federal government DHS will play a central role in implementing the National Strategy to Secure Cyberspace. In addition to executing its assigned initiatives, the Department would also serve as the primary federal point-of-contact for state and local governments, the private sector, and the American people on issues related to cyberspace security. Working with the White House, the Department therefore would coordinate and support implementation of non-federal tasks recommended in the National Strategy to Secure Cyberspace.

Each department and agency will also be accountable for its performance on cybersecurity efforts. The federal government will employ performance measures—and encourage the same for state and local governments—to evaluate the effectiveness of the cybersecurity programs outlined in this Strategy. These performance measures will allow agencies to measure their progress, make resource allocation decisions, and adjust priorities accordingly.

Federal, state, and local governments, as well as organizations and people all across the United States will continue to work to improve cyberspace security. As these strategies and plans are implemented, we will begin to incrementally reduce threats and vulnerabilities.

Cybersecurity and personal privacy need not be opposing goals. Cyberspace security programs must strengthen, not weaken, such protections. The federal government will continue to regularly meet with privacy advocates to discuss cybersecurity and the implementation of this Strategy.

For the foreseeable future, two things will be true: America will rely upon cyberspace and the federal government will seek a continuing broad partnership to develop, implement, and refine the National Strategy to Secure Cyberspace.


Appendix

Priority I: A National Cyberspace Security Response System

A/R 1-1: DHS will create a single point-of-contact for the federal government’s interaction with industry and other partners for 24 x 7 functions, including cyberspace analysis, warning, information sharing, major incident response, and national-level recovery efforts. Private sector organizations, which have major contributions for those functions, are encouraged to coordinate activities, as permitted by law, in order to provide a synoptic view of the health of cyberspace on a 24 x 7 basis.

A/R 1-2: As outlined in the 2003 budget, the federal government will complete the installation of CWIN to key government cybersecurity-related network operation centers, to disseminate analysis and warning information and perform crisis coordination. The federal government will also explore linking the ISACs to CWIN.

A/R 1-3: To test civilian agencies’ security preparedness and contingency planning, DHS will use exercises to evaluate the impact of cyber attacks on governmentwide processes. Weaknesses discovered will be included in agency corrective action plans and submitted to the OMB. DHS also will explore such exercises as a way to test the coordination of public and private incident management, response and recovery capabilities.

A/R 1-4: Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk.

A/R 1-5: Infrastructure sectors are encouraged to establish mutual assistance programs for cybersecurity emergencies. DoJ and the Federal Trade Commission should work with the sectors to address barriers to such cooperation, as appropriate. In addition, DHS’s Information Analysis and Infrastructure Protection Directorate will coordinate the development and regular update of voluntary joint government-industry cybersecurity contingency plans, including a plan for recovering Internet functions.

A/R 1-6: DHS will raise awareness about the removal of impediments to information sharing about cybersecurity and infrastructure vulnerabilities between the public and private sectors. The Department will also establish an infrastructure protection program office to manage the information flow, including the development of protocols for how to care for “voluntarily submitted critical infrastructure information.”

A/R 1-7: Corporations are encouraged to consider active involvement in industrywide programs to share information on IT security, including the potential benefits of joining an appropriate ISAC. Colleges and universities are encouraged to consider establishing: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; and, (2) an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks.

Actions and Recommendations (A/R) Summary


Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

A/R 2-1: DoJ and other appropriate agencies will develop and implement efforts to reduce cyber attacks and cyber threats through the following means: (1) identifying ways to improve information sharing and investigative coordination within the federal, state, and local law enforcement community working on critical infrastructure and cyberspace security matters, and with other agencies and the private sector; (2) exploring means to provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of critical infrastructure incidents; and, (3) developing better data about victims of cybercrime and intrusions in order to understand the scope of the problem and be able to track changes over time.

A/R 2-2: DHS, in coordination with appropriate agencies and the private sector, will lead in the development and conduct of a national threat assessment including red teaming, blue teaming, and other methods to identify the impact of possible attacks on a variety of targets.

A/R 2-3: The Department of Commerce will form a task force to examine the issues related to IPv6, including the appropriate role of government, international interoperability, security in transition, and costs and benefits. The task force will solicit input from potentially impacted industry segments.

A/R 2-4: DHS, in coordination with the Commerce Department and appropriate agencies, will coordinate public-private partnerships to encourage: (1) the adoption of improved security protocols; (2) the development of more secure router technology; and, (3) the adoption by ISPs of a “code of good conduct,” including cybersecurity practices and security related cooperation. DHS will support these efforts as required for their success, subject to other budget considerations.

A/R 2-5: DHS, in coordination with DOE and other concerned agencies and in partnership with industry, will develop best practices and new technology to increase security of DCS/SCADA, to determine the most critical DCS/SCADA-related sites, and to develop a prioritized plan for short-term cybersecurity improvements in those sites.

A/R 2-6: DHS will work with the National Infrastructure Advisory Council and private sector organizations to develop an optimal approach and mechanism for vulnerability disclosure.

A/R 2-7: GSA will work with DHS on an improved approach to implementing a patch clearinghouse for the federal government. DHS will also share lessons learned with the private sector and encourage the development of a voluntary, industry-led, national effort to develop a similar clearinghouse for other sectors including large enterprises.

A/R 2-8: The software industry is encouraged to consider promoting more secure “out-of-the-box” installation and implementation of their products, including increasing: (1) user awareness of the security features in products; (2) ease-of-use for security functions; and, (3) where feasible, promotion of industry guidelines and best practices that support such efforts.

A/R 2-9: DHS will establish and lead a public-private partnership to identify cross-sectoral interdependencies both cyber and physical. The partnership will develop plans to reduce related vulnerabilities in conjunction with programs proposed in the National Strategy for Homeland Security. The National Infrastructure Simulation and Analysis Center in DHS will support these efforts by developing models to identify the impact of cyber and physical interdependencies.


A/R 2-10: DHS also will support, when requested and as appropriate, voluntary efforts by owners and operators of information system networks and network data centers to develop remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks, and to develop appropriate procedures for limiting access to critical facilities.

A/R 2-11: To meet these needs, the Director of OSTP will coordinate the development, and update on an annual basis a federal government research and development agenda that includes near-term (1-3 years), mid-term (3-5 years), and later (5 years out and longer) IT security research for Fiscal Year 2004 and beyond. Existing priorities include, among others, intrusion detection, Internet infrastructure security (including protocols such as BGP and DNS), application security, DoS, communications security (including SCADA system encryption and authentication), high-assurance systems, and secure system composition.

A/R 2-12: To optimize research efforts relative to those of the private sector, DHS will ensure that adequate mechanisms exist for coordination of research and development among academia, industry and government, and will develop new mechanisms where needed.

A/R 2-13: The private sector is encouraged to consider including in near-term research and development priorities, programs for highly secure and trustworthy operating systems. If such systems are developed and successfully evaluated, the federal government will, subject to budget considerations, accelerate procurement of such systems.

A/R 2-14: DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.

A/R 2-15: DHS, in coordination with OSTP and other agencies, as appropriate, will facilitate communication between the public and private research and the security communities, to ensure that emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council, in the context of possible homeland and cyberspace security implications, and relevance to the federal research agenda.

Priority III: A National Cyberspace Security Awareness and Training Program

A/R 3-1: DHS, working in coordination with appropriate federal, state, and local entities and private sector organizations, will facilitate a comprehensive awareness campaign including audience-specific awareness materials, expansion of the StaySafeOnline campaign, and development of awards programs for those in industry making significant contributions to security.

A/R 3-2: DHS, in coordination with the Department of Education, will encourage and support, where appropriate subject to budget considerations, state, local, and private organizations in the development of programs and guidelines for primary and secondary school students in cybersecurity.

A/R 3-3: Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. To facilitate such actions, DHS will create a public-private task force of private companies, organizations, and consumer users groups to identify ways that providers of information technology products and services, and other organizations can make it easier for home users and small businesses to secure their systems.

A/R 3-4: Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructures. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and, (3) participating in industrywide information sharing and best practices dissemination.

A/R 3-5: Colleges and universities are encouraged to secure their cyber systems by establishing some or all of the following as appropriate: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; (2) model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; (3) one or more sets of best practices for IT security; and, (4) model user awareness programs and materials.

A/R 3-6: A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity.

A/R 3-7: DHS will implement and encourage the establishment of programs to advance the training of cybersecurity professionals in the United States, including coordination with NSF, OPM, and NSA, to identify ways to leverage the existing Cyber Corps Scholarship for Service program as well as the various graduate, postdoctoral, senior researcher, and faculty development fellowship and traineeship programs created by the Cyber Security Research and Development Act, to address these important training and education workforce issues.

A/R 3-8: DHS, in coordination with other agencies with cybersecurity training expertise, will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs.

A/R 3-9: DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the Federal IT security community.

Priority IV: Securing Governments’ Cyberspace

A/R 4-1: Federal agencies will continue to expand the use of automated, enterprise-wide security assessment and security policy enforcement tools and actively deploy threat management tools to deter attacks. The federal government will determine whether specific actions are necessary (e.g., through the policy or budget processes) to promote the greater use of these tools.

A/R 4-2: Through the ongoing E-Authentication initiative, the federal government will review the need for stronger access control and authentication; explore the extent to which all departments can employ the same physical and logical access control tools and authentication mechanisms; and, consequently, further promote consistency and interoperability.

A/R 4-3: Federal agencies should consider installing systems that continuously check for unauthorized connections to their networks. Agency policy and procedures should reflect careful consideration of additional risk reduction measures, including the use of strong encryption, bi-directional authentication, shielding standards and other technical security considerations, configuration management, intrusion detection, incident handling, and computer security awareness and training programs.

A/R 4-4: Additionally, the federal government will be conducting a comprehensive review of the National Information Assurance Partnership (NIAP), to determine the extent to which it is adequately addressing the continuing problem of security flaws in commercial software products. This review will include lessons-learned from implementation of the Defense Department’s July 2002 policy requiring the acquisition of products reviewed under the NIAP or similar evaluation processes.

A/R 4-5: The federal government will explore whether private sector security service providers to the federal government should be certified as meeting certain minimum capabilities, including the extent to which they are adequately independent.

A/R 4-6: State and local governments are encouraged to establish IT security programs for their departments and agencies, including awareness, audits, and standards; and to participate in the established ISACs with similar governments.

Priority V: National Security and International Cyberspace Security Cooperation

A/R 5-1: The FBI and intelligence community should ensure a strong counterintelligence posture to counter cyber-based intelligence collection against the U.S. Government, and commercial and educational organizations. This effort must include a deeper understanding of the capability and intent of our adversaries to use cyberspace as a means for espionage.

A/R 5-2: The intelligence community, DoD, and the law enforcement agencies must improve the Nation’s ability to quickly attribute the source of threatening attacks or actions to enable timely and effective response. Consistent with the National Security Strategy, these efforts will also seek to develop capabilities to prevent attacks from reaching critical systems and infrastructures.

A/R 5-3: The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage, ensuring that criminal matters are referred, as appropriate, among those agencies. The National Security Council and the Office of Homeland Security will lead a study to ensure that appropriate mechanisms are in place.

A/R 5-4: When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner. The United States will be prepared for such contingencies.

A/R 5-5: The United States will work through appropriate international organizations and in partnership with industry to facilitate dialogue between foreign public and private sectors on information infrastructure protection and promote a global “culture of security.”

A/R 5-6: The United States will work with Canada and Mexico to make North America a “Safe Cyber Zone.” We will expand programs to identify and secure critical common networks that underpin telecommunications, energy, transportation, banking and finance systems, emergency services, food, public health, and water systems.

A/R 5-7: The United States will urge each nation to build on the common Y2K experience and appoint a centralized point-of-contact who can act as a liaison between domestic and global cybersecurity efforts. Establishing points of contact can greatly enhance the international coordination and resolution of cyberspace security issues. We will also encourage each nation to develop its own watch-and-warning network capable of informing government agencies, the public, and other countries about impending attacks or viruses.

A/R 5-8: To facilitate real-time sharing of the threat information as it comes to light; the United States will foster the establishment of an international network capable of receiving, assessing, and disseminating this information globally. Such a network can build on the capabilities of nongovernmental institutions such as the Forum of Incident Response and Security Teams.

A/R 5-9: The United States will encourage regional organizations, such as the APEC, EU, and OAS, to each form or designate a committee responsible for cybersecurity. Such committees would also benefit from establishing parallel working groups with representatives from the private sector. The United States will also encourage regional organizations—such as the APEC, EU, and OAS—to establish a joint committee on cybersecurity with representatives from government and the private sector.

A/R 5-10: The United States will encourage other nations to accede to the Council of Europe Convention on Cybercrime or to ensure that their laws and procedures are at least as comprehensive.


0101111010110 0110101010101111010110 0110101010101111010110 0110101010101111010110 0110101010101111010110 011111010110

1010 0 011110 0 011101010110110101010101110101010101010 0 011010101011010101010101110101011101010111010110101011110101