On March 2, the Office of the National Cyber Director released the public version of the long-awaited National Cybersecurity Strategy. This document is intended to provide strategic guidance for how the United States should protect its digital ecosystem against malicious criminal and nation-state actors. The document is a welcome and sharp break from a few past practices and principles. If fully implemented, it has the potential to change the U.S. cybersecurity posture significantly for the better.
The scope of the document is limited to cybersecurity, as its title is “National Cybersecurity Strategy” rather than “National Cyber Strategy.” Many press reports (e.g., here and here) on the strategy’s release have conflated the two, but they are not identical in scope. The U.S. government generally operates from a definition of “cybersecurity” promulgated in 2008 under NSPD-54 and HSPD-23:
"cybersecurity'' means prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.
Two omissions from this definition are noteworthy—the lack of reference to information or influence operations and to the use of offensive operations in cyberspace to advance any national goals other than the one explicitly noted. Both of these topics would naturally be included in a National Cyber Strategy, but that is not what this document is—and it should not be criticized for those omissions. The strategy document is also silent on cybersecurity for national security systems, such as those operated by the Department of Defense and the intelligence community.
Although the strategy builds on cybersecurity efforts from the previous three administrations, its most important characteristic is its departure from past perspectives and practices.
Continue reading at lawfareblog.com