the new problem of cybersecurity policy
DESCRIPTION
The New Problem of Cybersecurity Policy. Presentation Outline. General Principles & Definitions Unique Factors Affecting Cybersecurity Policy Brief Assessment of Bush vs. Obama Cybersecurity Policy The Way Forward. I. General Principles and Definitions. Public Policy. - PowerPoint PPT PresentationTRANSCRIPT
The New Problem of Cybersecurity Policy
Presentation Outline
I. General Principles & DefinitionsII. Unique Factors Affecting
Cybersecurity PolicyIII. Brief Assessment of Bush vs.
Obama Cybersecurity PolicyIV. The Way Forward
I.General Principles and
Definitions
Public Policy
Definition: Public Policy is a collection of unofficial norms, written laws, and administrative regulations that guide and constrain the behavior of actors within a policy arena.
Policy Arena: Definition
A functional field of action within which disparate actors are guided and obligated to abide by a common policy.
Policy Arena: Typical Actors & Elements
1. Traditional Political Institutions (Congress/Presidency/Courts)
2. National Administrative Agency3. State Administrative Agencies4. Interest Groups (Private/Public5. Norms6. Individuals and Organizations Subject
to Norms of Policy Arena
Creating and Growing a Policy Arena in a
Federal System is Very Difficult
General Rules for Creating & Growing a Federal Policy
Arena
Maximize Support Constituents: Those who be benefit
disproportionately Clients: Those who mildly benefit
Minimize Barriers Victims: Those who suffer from or
significantly coerced by the Policy
Federal Policy Arena Growth Must Be in Two Directions
Vertical Barriers
The U.S. Constitution 10th Amendment Diversity of State Cultures Diversity of Local Culture Private Property Rights
Federal Resources
Vertical Construction:Intergovernmental Command and
Control Hierarchies
Generating Support Sense of Vulnerability Desire to be Regulated $$$$
The Golden Rule Intergovernmental Monetary Transfers
(NIMS)
Horizontal Growth: Construction of Policy Networks
Barriers Mistrust Indifference or Unawareness of the Problem Lack of threat or other incentives to collaborate (Ohio Dept
Agriculture)
Support Strong State/Local/Regional Government Support Strong Private Sector Support Sense that a Regional Problem Exists that Federal
Government Policy does not address (International Symposium on Agroterrorism)
The End Result: US Federal Policy Arenas
Education
Labor
Enviromment
Nuclear
Cyber
Security
Federal
State
Local
II.Unique Factors Affecting the Creation & Growth of
a Cybersecurity Policy Arena
Comparing Policy Arenas
Nuclear Policy: History(65 Years)
Cybersecurity Policy: History(8 Years)
1946: AEC
1947: NSA
1974:NRC
1950:CDA
2003:NSSC--Bush
2009:CPR—ObamaCyber-Czar
Present: 2011
Present: 20112011:DSOC (July)
Nuclear vs Cyber Technology
Nuclear Technology Lethal
Origins: World War II Established Opposition
Groups that oppose Regulation
Centralized Highly Restricted Use
(expensive licenses, strict supervision, extensive training
Cyber Technology Non Lethal
Origins: Peacetime Fulcrum of Domestic
Economy Regulation
Decentralized Unregulated Citizen Use
(no license or supervision or training required)
The Tribble Problem
3 Essential Components of a
Cybersecurity Policy Arena
1. Intergovernmental Authority Hierarchy
2. Voluntary Public/Private Networks3. Citizen Acceptance & Support
of Cybersecurity Policy Norms
The Cybersecurity Triad. Journal of Homeland Security & Emergency Management, 2009, Vol 6, Issue 1, Article 79
1: The Intergovernmental Cybersecurity Hierarchy
Vertical
Construction
Federal Political Institutions & Administrative Agencies
State Political Institutions & Administrative Agencies
Local Political Institutions & Administrative Agencies
Top Down
Bottom Up
2: The Horizontal Network
Horizontal Construction: Policy Networks
No Hierarchy: Voluntary Coordination
Private Corporations
Public Agencies
Example: Infragard
3: Citizen Acceptance of Policy Arena Norms
Essential for Survival of Policy Arena
Facilitated by Educational Campaigns Crisis that Shapes public opinion Citizen Awareness of Threat/Danger
The Components of aCybersecurity Policy Arena
The Cybersecurity Triad
Cybersecurity Cit-izenship Norms
Public/PrivateNetworks
CybersecurityIntergovernmentalHierarchy
III.A Brief Assessment of the Differing Bush and Obama
Approaches to Cybersecurity Policy
Bush Era Cybersecurity Initiatives
National Strategy to Secure Cyberspace (2003)
National Infrastructure Protection Plan NIPP 2006 NIPP IT Sector Specific Plan 2007 NIPP 2009
Comprehensive National Cybersecurity Initiative 2008
The Bush Soft Management Cyber Approach
Managing and Coordinating Sector Responsibilities:As described in HSPD-7, the DHS is responsible for managing and coordinating IT Sector CI/KR protection activities, including leading the development of an SSP for the IT Sector. Within the department, this responsibility has been delegated to NCSD. Sector responsibilities include maintenance and update of the SSP, annual reporting, resources and budgets, and training and education. Public and private sector security partners have common and unique roles and responsibilities
NIPP Information Technology Sector Specific Plan, 2007, p 4
The Bush Era Approach
Minimal Attention to Cybersecurity Citizenship Norms
Extensive Reliance Upon Public/Pri-vateNetworks
Cautious Construc-tion of a Cybersecu-rityIntergovernmentalHierarchy
The Obama Era Approach
Minimal Attention to Cybersecurity Citizenship Norms
Defacto Reliance onPublic/PrivateNetworks
White House Con-trol of the Cyber-securityIntergovernmentalHierarchy
Obama Era Cybersecurity Initiatives
Appointment of Cyber Coordinator, January 2009 Cyberspace Policy Review, March 2009 Legislative Initiative, May, 2011 (déjà vu)
Reinsertion of DHS into Cybersecurity Loop Emphasis of Public/Private Networks
The Obama Top Down Approach
I. Leading from the Top
Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority. Accomplishing this critical and complex task will only be possible with leadership at the highest levels of government.
Cyberspace Policy Review, March 2009
Finding aWhite House Cybersecurity Coordinator
The Nation’s First Cyber-CzarDecember 22, 2009
February to April 2009
Produced Cyberspace Policy Review, March, 2009
Melissa Hathaway
Howard A. Schmidt
The GAO Assessment of CNCI: December 2008 Through March 2010
Agency Roles not Defined No Effectiveness Measures Little Leadership/Transparency Little Progress in Public Education
GAO-10-338
IV.The Way Forward
Combine Incrementalism & Strategic Vision
IncrementalismAccept Limitations Lack of Resources Public Lacks Appreciation for
Cyber Threat The Outline of the
Intergovernmental Hierarchy is barely recognizeable
StrategyBuild the Cybersecurity
Triad Intergovernmental hierarchy Public/Private network Citizen Awareness