The New Problem of Cybersecurity Policy

Presentation Outline

I. General Principles & DefinitionsII. Unique Factors Affecting

Cybersecurity PolicyIII. Brief Assessment of Bush vs.

Obama Cybersecurity PolicyIV. The Way Forward

I.General Principles and

Definitions

Public Policy

Definition: Public Policy is a collection of unofficial norms, written laws, and administrative regulations that guide and constrain the behavior of actors within a policy arena.

Policy Arena: Definition

A functional field of action within which disparate actors are guided and obligated to abide by a common policy.

Policy Arena: Typical Actors & Elements

1. Traditional Political Institutions (Congress/Presidency/Courts)

2. National Administrative Agency3. State Administrative Agencies4. Interest Groups (Private/Public5. Norms6. Individuals and Organizations Subject

to Norms of Policy Arena

Creating and Growing a Policy Arena in a

Federal System is Very Difficult

General Rules for Creating & Growing a Federal Policy

Arena

Maximize Support Constituents: Those who be benefit

disproportionately Clients: Those who mildly benefit

Minimize Barriers Victims: Those who suffer from or

significantly coerced by the Policy

Federal Policy Arena Growth Must Be in Two Directions

Vertical Barriers

The U.S. Constitution 10th Amendment Diversity of State Cultures Diversity of Local Culture Private Property Rights

Federal Resources

Vertical Construction:Intergovernmental Command and

Control Hierarchies

Generating Support Sense of Vulnerability Desire to be Regulated $$$$

The Golden Rule Intergovernmental Monetary Transfers

(NIMS)

Horizontal Growth: Construction of Policy Networks

Barriers Mistrust Indifference or Unawareness of the Problem Lack of threat or other incentives to collaborate (Ohio Dept

Agriculture)

Support Strong State/Local/Regional Government Support Strong Private Sector Support Sense that a Regional Problem Exists that Federal

Government Policy does not address (International Symposium on Agroterrorism)

The End Result: US Federal Policy Arenas

Education

Labor

Enviromment

Nuclear

Cyber

Security

Federal

State

Local

II.Unique Factors Affecting the Creation & Growth of

a Cybersecurity Policy Arena

Comparing Policy Arenas

Nuclear Policy: History(65 Years)

Cybersecurity Policy: History(8 Years)

1946: AEC

1947: NSA

1974:NRC

1950:CDA

2003:NSSC--Bush

2009:CPR—ObamaCyber-Czar

Present: 2011

Present: 20112011:DSOC (July)

Nuclear vs Cyber Technology

Nuclear Technology Lethal

Origins: World War II Established Opposition

Groups that oppose Regulation

Centralized Highly Restricted Use

(expensive licenses, strict supervision, extensive training

Cyber Technology Non Lethal

Origins: Peacetime Fulcrum of Domestic

Economy Regulation

Decentralized Unregulated Citizen Use

(no license or supervision or training required)

The Tribble Problem

3 Essential Components of a

Cybersecurity Policy Arena

1. Intergovernmental Authority Hierarchy

2. Voluntary Public/Private Networks3. Citizen Acceptance & Support

of Cybersecurity Policy Norms

The Cybersecurity Triad. Journal of Homeland Security & Emergency Management, 2009, Vol 6, Issue 1, Article 79

1: The Intergovernmental Cybersecurity Hierarchy

Vertical

Construction

Federal Political Institutions & Administrative Agencies

State Political Institutions & Administrative Agencies

Local Political Institutions & Administrative Agencies

Top Down

Bottom Up

2: The Horizontal Network

Horizontal Construction: Policy Networks

No Hierarchy: Voluntary Coordination

Private Corporations

Public Agencies

Example: Infragard

3: Citizen Acceptance of Policy Arena Norms

Essential for Survival of Policy Arena

Facilitated by Educational Campaigns Crisis that Shapes public opinion Citizen Awareness of Threat/Danger

The Components of aCybersecurity Policy Arena

The Cybersecurity Triad

Cybersecurity Cit-izenship Norms

Public/PrivateNetworks

CybersecurityIntergovernmentalHierarchy

III.A Brief Assessment of the Differing Bush and Obama

Approaches to Cybersecurity Policy

Bush Era Cybersecurity Initiatives

National Strategy to Secure Cyberspace (2003)

National Infrastructure Protection Plan NIPP 2006 NIPP IT Sector Specific Plan 2007 NIPP 2009

Comprehensive National Cybersecurity Initiative 2008

The Bush Soft Management Cyber Approach

Managing and Coordinating Sector Responsibilities:As described in HSPD-7, the DHS is responsible for managing and coordinating IT Sector CI/KR protection activities, including leading the development of an SSP for the IT Sector. Within the department, this responsibility has been delegated to NCSD. Sector responsibilities include maintenance and update of the SSP, annual reporting, resources and budgets, and training and education. Public and private sector security partners have common and unique roles and responsibilities

NIPP Information Technology Sector Specific Plan, 2007, p 4

The Bush Era Approach

Minimal Attention to Cybersecurity Citizenship Norms

Extensive Reliance Upon Public/Pri-vateNetworks

Cautious Construc-tion of a Cybersecu-rityIntergovernmentalHierarchy

The Obama Era Approach

Minimal Attention to Cybersecurity Citizenship Norms

Defacto Reliance onPublic/PrivateNetworks

White House Con-trol of the Cyber-securityIntergovernmentalHierarchy

Obama Era Cybersecurity Initiatives

Appointment of Cyber Coordinator, January 2009 Cyberspace Policy Review, March 2009 Legislative Initiative, May, 2011 (déjà vu)

Reinsertion of DHS into Cybersecurity Loop Emphasis of Public/Private Networks

The Obama Top Down Approach

I. Leading from the Top

Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority. Accomplishing this critical and complex task will only be possible with leadership at the highest levels of government.

Cyberspace Policy Review, March 2009

Finding aWhite House Cybersecurity Coordinator

The Nation’s First Cyber-CzarDecember 22, 2009

February to April 2009

Produced Cyberspace Policy Review, March, 2009

Melissa Hathaway

Howard A. Schmidt

The GAO Assessment of CNCI: December 2008 Through March 2010

Agency Roles not Defined No Effectiveness Measures Little Leadership/Transparency Little Progress in Public Education

GAO-10-338

IV.The Way Forward

Combine Incrementalism & Strategic Vision

IncrementalismAccept Limitations Lack of Resources Public Lacks Appreciation for

Cyber Threat The Outline of the

Intergovernmental Hierarchy is barely recognizeable

StrategyBuild the Cybersecurity

Triad Intergovernmental hierarchy Public/Private network Citizen Awareness