Promises and Pitfalls of the National Strategy to Secure Cyberspace — Panayotis A. Yannakogeorgos


Human activity is increasingly being transferred to, and becoming reliant on, cyberspace. Governments, militaries, critical infrastructures, businesses, and societies now depend on information and communications technology (ICT) to function. The reliance of the United States on such systems, the possible misuse of the cyber-domain by violent non-state actors such as terrorists, and the proliferation of nation-state strategic information warfare programs have raised awareness of the need to incorporate cybersecurity strategies into U.S. foreign and national security policies. To date, there has been no (unclassified) large-scale, nationally significant event from which to judge the costs of an attack on ICT critical to U.S. national security. Other nations have not been as fortunate. Russian hacker-networks indirectly linked to the Kremlin opened a devastating cyber-front against Estonia in 2007 as part of a political protest. During the recent war against Georgia, Russian hackers instigated a front in cyberspace the night before conventional forces began their operations. Over the years, in the United States, Chinese-based hacker networks have managed to extract forty terabytes of information critical to U.S. national security from cyberspace. Many military analysts believe cyber defense and attack will be vital to future military efforts.

The National Strategy to Secure Cyberspace (NSSC) is the codification of earlier Presidential Directives and laws into a coherent national strategy. Under the NSSC mandate, the Department of Homeland Security (DHS) is assigned as the lead agency to serve as a federal focal point for the coordination of government and industry cybersecurity efforts. As noted in the Cyber Incident Annex of the National Response Framework, during a cyber-attack, the Interagency Advisory Council (IAC) and National Cyber Response Coordination Group (NCRCG) are the main mechanisms activated to coordinate the interagency response within the National Cyber Security Division (NCSD) at DHS. Upon the detection of an attack, the IAC, comprised of senior representatives from 13 Federal agencies, is activated by the Director of Homeland Security. The NCRCG provides expertise to the IAC and facilitates a harmonized response to a cyber-attack. To date, these mechanisms have only been activated during crisis management exercises. Additionally, the NSSC grants private industry significant responsibility to secure cyberspace. This element of strategy has drawn criticism from experts. Further, modifications to the NSSC were made with the issuance of the classified Presidential Directive 54/Homeland Security Presidential Directive 23 in 2008, which detailed a Comprehensive National Cybersecurity Initiative (CNCI). Part of this initiative is the creation of the National Cyber Security Center (NCSC) within DHS to secure cyberspace vital to national security.

The implementation of the NSSC strategy for responding to and preparing for cyber-attacks among agencies and departments has proceeded well in most key areas. The DHS/NCRCG/IAC have demonstrated through crisis management exercises their utility in coordinating a response to a cyber incident of national significance. However, there is a significant lapse in implementing the cybersecurity strategy within individual agencies/departments. To address this, the NCSC is tasked with securing all federal information systems. Another point of concern brought up in the secondary literature with regard to cooperation involves information sharing limitations between DHS and the private sector, since the private sector tends to withhold information on the threats to and vulnerabilities of their systems out of fear that their customers will discontinue use of a service after discovering a network’s weakness.

Following the guidelines of the NSSC, DHS has produced an interagency mechanism to secure cyberspace. However, DHS exercises indicate that limitations exist in implementing the strategy due to the technological complexity of the subject and lack of private-sector understanding of federal security postures after activation of the IAC and NCRCG. In addition, competing priorities and limited resources and cybersecurity personnel are problems. Further, the private-sector and intelligence community’s unwillingness to share information with non-members of their respective organizations contributes to the weakness of current cybersecurity efforts. This, combined with similar secrecy concerns within DOD, obstructs cybersecurity information sharing. Overlapping responsibilities with various DHS units, limited available resources to deal with the multitude of competing priorities, redundant capabilities in various government departments and agencies, and the lack of an integrated mechanism for coordinating response are additional variables contributing to the weaknesses in the strategy. Finally, the inherent insecurity of Internet communication protocol, domain name-server, and other technical variables makes pinpointing the origin of an attack difficult, thereby complicating the response to a security breach.

The United States continues to face significant risk from cyber-attacks. Although DHS leads the interagency response to such threats, and DOD is also organized and equipped to respond to cyber-attacks, failure to plug holes in federal and private critical information systems leaves U.S. cyberspace interests vulnerable to both amateur and professional attackers. Thus far, cyber-assaults of particular note have been Chinese efforts. These attacks are best described as cyber-espionage since their scope is geared more towards gathering information than destroying ICT. Yet, it has been noted that the full extent of such attacks cannot be known, and it is possible that the hacker networks responsible for carrying them out have left computer programs that may allow for future access to the U.S.’s critical information infrastructure.

To date, the cybersecurity strategy and U.S. organizations responsible for securing ICT remain in a state of near constant flux. Overall, the government has been generally flexible in adjusting its cyber strategies as necessary, and, despite its flaws, the NSSC has brought a degree of organization to the interagency. The anti-regulatory framework remains a critical flaw in current national cybersecurity strategy since private industry is not likely to fully disclose threats and vulnerabilities to information systems.