THE NATIONAL STRATEGY TO SECURE CYBERSPACE

FEBRUARY 2003

THE WHITE HOUSE
WASHINGTON

My Fellow Americans:

The way business is transacted, government operates, and national defense is
conducted have changed. These activities now rely on an interdependent network
of information technology infrastructures called cyberspace. The National Strategy
to Secure Cyberspace provides a framework for protecting this infrastructure that is
essential to our economy, security, and way of life.

In the past few years, threats in cyberspace have risen dramatically. The policy of
the United States is to protect against the debilitating disruption of the operation
of information systems for critical infrastructures and, thereby, help to protect the
people, economy, and national security of the United States. We must act to reduce
our vulnerabilities to these threats before they can be exploited to damage the
cyber systems supporting our Nation’s critical infrastructures and ensure that such
disruptions of cyberspace are infrequent, of minimal duration, manageable, and
cause the least damage possible.

Securing cyberspace is an extraordinarily difficult strategic challenge that requires a
coordinated and focused effort from our entire society—the federal government,
state and local governments, the private sector, and the American people. To
engage Americans in securing cyberspace, a draft version of this strategy was
released for public comment, and ten town hall meetings were held around the
Nation to gather input on the development of a national strategy. Thousands of
people and numerous organizations participated in these town hall meetings and
responded with comments. I thank them all for their continuing participation.

The cornerstone of America’s cyberspace security strategy is and will remain a
public-private partnership. The federal government invites the creation of, and
participation in, public-private partnerships to implement this strategy. Only by
acting together can we build a more secure future in cyberspace.

Table of Contents

Executive Summary
Introduction
Cyberspace Threats and Vulnerabilities: A Case for Action
National Policy and Guiding Principles

National Cyberspace Security Priorities

Priority I: A National Cyberspace Security Response System
Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program
Priority III: A National Cyberspace Security Awareness and Training Program
Priority IV: Securing Governments’ Cyberspace
Priority V: National Security and International Cyberspace Security Cooperation

Conclusion: The Way Forward

Appendix: Actions and Recommendations (A/R) Summary


Executive Summary
Our Nation’s critical infrastructures are composed of public and private
institutions in the sectors of agriculture, food, water, public health, emergency
services, government, defense industrial base, information and telecommunications,
energy, transportation, banking and finance, chemicals and hazardous materials, and
postal and shipping. Cyberspace is their nervous system—the control system of our
country. Cyberspace is composed of hundreds of thousands of interconnected
computers, servers, routers, switches, and fiber optic cables that allow our
critical infrastructures to work. Thus, the healthy functioning of cyberspace is
essential to our economy and our national security.

This National Strategy to Secure Cyberspace is part of our overall effort to protect
the Nation. It is an implementing component of the National Strategy for Homeland
Security and is complemented by a National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets. The purpose of this document is to engage
and empower Americans to secure the portions of cyberspace that they own, operate,
control, or with which they interact. Securing cyberspace is a difficult strategic
challenge that requires coordinated and focused effort from our entire society—the
federal government, state and local governments, the private sector, and the
American people.


The National Strategy to Secure Cyberspace outlines an initial framework for both
organizing and prioritizing efforts. It provides direction to the federal government
departments and agencies that have roles in cyberspace security. It also identifies
steps that state and local governments, private companies and organizations, and
individual Americans can take to improve our collective cybersecurity. The Strategy
highlights the role of public-private engagement. The document provides a framework
for the contributions that we all can make to secure our parts of cyberspace. The
dynamics of cyberspace will require adjustments and amendments to the Strategy over
time.

The speed and anonymity of cyber attacks makes distinguishing among the actions of
terrorists, criminals, and nation states difficult, a task which often occurs only
after the fact, if at all. Therefore, the National Strategy to Secure Cyberspace
helps reduce our Nation’s vulnerability to debilitating attacks against our critical
information infrastructures or the physical assets that support them.

Strategic Objectives

Consistent with the National Strategy for Homeland Security, the strategic
objectives of this National Strategy to Secure Cyberspace are to:

• Prevent cyber attacks against America’s critical infrastructures;
• Reduce national vulnerability to cyber attacks; and
• Minimize damage and recovery time from cyber attacks that do occur.

Threat and Vulnerability

Our economy and national security are fully dependent upon information technology
and the information infrastructure. At the core of the information infrastructure
upon which we depend is the Internet, a system originally designed to share
unclassified research among scientists who were assumed to be uninterested in
abusing the network. It is that same Internet that today connects millions of other
computer networks making most of the nation’s essential services and infrastructures
work. These computer networks also control physical objects such as electrical
transformers, trains, pipeline pumps, chemical vats, radars, and stock markets, all
of which exist beyond cyberspace.

A spectrum of malicious actors can and do conduct attacks against our critical
information infrastructures. Of primary concern is the threat of organized cyber
attacks capable of causing debilitating disruption to our Nation’s critical
infrastructures, economy, or national security. The required technical
sophistication to carry out such an attack is high—and partially explains the lack
of a debilitating attack to date. We should not, however, be too sanguine. There
have been instances where organized attackers have exploited vulnerabilities that
may be indicative of more destructive capabilities.

Uncertainties exist as to the intent and full technical capabilities of several
observed attacks. Enhanced cyber threat analysis is needed to address long-term
trends related to threats and vulnerabilities. What is known is that the attack
tools and methodologies are becoming widely available, and the technical capability
and sophistication of users bent on causing havoc or disruption is improving.

In peacetime America’s enemies may conduct espionage on our Government, university
research centers, and private companies. They may also seek to prepare for cyber
strikes during a confrontation by mapping U.S. information systems, identifying key
targets, and lacing our infrastructure with back doors and other means of access. In
wartime or crisis, adversaries may seek to intimidate the Nation’s political leaders
by attacking critical infrastructures and key economic functions or eroding public
confidence in information systems.


Cyber attacks on United States information networks can have serious consequences
such as disrupting critical operations, causing loss of revenue and intellectual
property, or loss of life. Countering such attacks requires the development of
robust capabilities where they do not exist today if we are to reduce
vulnerabilities and deter those with the capabilities and intent to harm our
critical infrastructures.

The Government Role in Securing Cyberspace

In general, the private sector is best equipped and structured to respond to an
evolving cyber threat. There are specific instances, however, where federal
government response is most appropriate and justified. Looking inward, providing
continuity of government requires ensuring the safety of its own cyber
infrastructure and those assets required for supporting its essential missions and
services. Externally, a government role in cybersecurity is warranted in cases where
high transaction costs or legal barriers lead to significant coordination problems;
cases in which governments operate in the absence of private sector forces;
resolution of incentive problems that lead to under provisioning of critical shared
resources; and raising awareness.

Public-private engagement is a key component of our Strategy to secure cyberspace.
This is true for several reasons. Public-private partnerships can usefully confront
coordination problems. They can significantly enhance information exchange and
cooperation. Public-private engagement will take a variety of forms and will address
awareness, training, technological improvements, vulnerability remediation, and
recovery operations.

A federal role in these and other cases is only justified when the benefits of
intervention outweigh the associated costs. This standard is especially important in
cases where there are viable private sector solutions for addressing any potential
threat or vulnerability. For each case, consideration should be given to the
broad-based costs and impacts of a given government action, versus other alternative
actions, versus non-action, taking into account any existing or future private
solutions.

Federal actions to secure cyberspace are warranted for purposes including: forensics
and attack attribution, protection of networks and systems critical to national
security, indications and warnings, and protection against organized attacks capable
of inflicting debilitating damage to the economy. Federal activities should also
support research and technology development that will enable the private sector to
better secure privately-owned portions of the Nation’s critical infrastructure.

Department of Homeland Security and Cyberspace Security

On November 25, 2002, President Bush signed legislation creating the Department of
Homeland Security (DHS). This new cabinet-level department will unite 22 federal
entities for the common purpose of improving our homeland security. The Secretary of
DHS will have important responsibilities in cyberspace security. These
responsibilities include:

• Developing a comprehensive national plan for securing the key resources and
  critical infrastructure of the United States;
• Providing crisis management in response to attacks on critical information
  systems;
• Providing technical assistance to the private sector and other government entities
  with respect to emergency recovery plans for failures of critical information
  systems;
• Coordinating with other agencies of the federal government to provide specific
  warning information and advice about appropriate protective measures and
  countermeasures to state, local, and nongovernmental organizations including the
  private sector, academia, and the public; and
• Performing and funding research and development along with other agencies that
  will lead to new scientific understanding and technologies in support of homeland
  security.

Consistent with these responsibilities, DHS will become a federal center of
excellence for cybersecurity and provide a focal point for federal outreach to
state, local, and nongovernmental organizations including the private sector,
academia, and the public.

Critical Priorities for Cyberspace Security

The National Strategy to Secure Cyberspace articulates five national priorities
including:

I. A National Cyberspace Security Response System;
II. A National Cyberspace Security Threat and Vulnerability Reduction Program;
III. A National Cyberspace Security Awareness and Training Program;
IV. Securing Governments’ Cyberspace; and
V. National Security and International Cyberspace Security Cooperation.

The first priority focuses on improving our response to cyber incidents and reducing
the potential damage from such events. The second, third, and fourth priorities aim
to reduce threats from, and our vulnerabilities to, cyber attacks. The fifth
priority is to prevent cyber attacks that could impact national security assets and
to improve the international management of and response to such attacks.

Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and remediation can often mitigate the
damage caused by malicious cyberspace activity. For those activities to be effective
at a national level, the United States needs a partnership between government and
industry to perform analyses, issue warnings, and coordinate response efforts.
Privacy and civil liberties must be protected in the process. Because no
cybersecurity plan can be impervious to concerted and intelligent attack,
information systems must be able to operate while under attack and have the
resilience to restore full operations quickly.

The National Strategy to Secure Cyberspace identifies eight major actions and
initiatives for cyberspace security response:

1. Establish a public-private architecture for responding to national-level cyber
   incidents;
2. Provide for the development of tactical and strategic analysis of cyber attacks
   and vulnerability assessments;
3. Encourage the development of a private sector capability to share a synoptic view
   of the health of cyberspace;
4. Expand the Cyber Warning and Information Network to support the role of DHS in
   coordinating crisis management for cyberspace security;
5. Improve national incident management;
6. Coordinate processes for voluntary participation in the development of national
   public-private continuity and contingency plans;
7. Exercise cybersecurity continuity plans for federal systems; and
8. Improve and enhance public-private information sharing involving cyber attacks,
   threats, and vulnerabilities.


Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our Nation’s critical infrastructures. The vulnerabilities that most threaten cyberspace occur in the information assets of critical infrastructure enterprises themselves and their external supporting structures, such as the mechanisms of the Internet. Lesser-secured sites on the interconnected network of networks also present potentially significant exposures to cyber attacks. Vulnerabilities result from weaknesses in technology and because of improper implementation and oversight of technological products.

The National Strategy to Secure Cyberspace identifies eight major actions and initiatives to reduce threats and related vulnerabilities:

1. Enhance law enforcement’s capabilities for preventing and prosecuting cyberspace attacks;
2. Create a process for national vulnerability assessments to better understand the potential consequences of threats and vulnerabilities;
3. Secure the mechanisms of the Internet by improving protocols and routing;
4. Foster the use of trusted digital control systems/supervisory control and data acquisition systems;
5. Reduce and remediate software vulnerabilities;
6. Understand infrastructure interdependencies and improve the physical security of cyber systems and telecommunications;
7. Prioritize federal cybersecurity research and development agendas; and
8. Assess and secure emerging systems.

Priority III: A National Cyberspace Security Awareness and Training Program

Many cyber vulnerabilities exist because of a lack of cybersecurity awareness on the part of computer users, systems administrators, technology developers, procurement officials, auditors, chief information officers (CIOs), chief executive officers, and corporate boards. Such awareness-based vulnerabilities present serious risks to critical infrastructures regardless of whether they exist within the infrastructure itself. A lack of trained personnel and the absence of widely accepted, multi-level certification programs for cybersecurity professionals complicate the task of addressing cyber vulnerabilities.

The National Strategy to Secure Cyberspace identifies four major actions and initiatives for awareness, education, and training:

1. Promote a comprehensive national awareness program to empower all Americans—businesses, the general workforce, and the general population—to secure their own parts of cyberspace;
2. Foster adequate training and education programs to support the Nation’s cybersecurity needs;
3. Increase the efficiency of existing federal cybersecurity training programs; and
4. Promote private-sector support for well-coordinated, widely recognized professional cybersecurity certifications.

Priority IV: Securing Governments’ Cyberspace

Although governments administer only a minority of the Nation’s critical infrastructure computer systems, governments at all levels perform essential services in the agriculture, food, water, public health, emergency services, defense, social welfare, information and telecommunications, energy, transportation, banking and finance, chemicals, and postal and shipping sectors that depend upon cyberspace for their delivery. Governments can lead by example in cyberspace security, including fostering a marketplace for more secure technologies through their procurement.

The National Strategy to Secure Cyberspace identifies five major actions and initiatives for the securing of governments’ cyberspace:

1. Continuously assess threats and vulnerabilities to federal cyber systems;
2. Authenticate and maintain authorized users of federal cyber systems;
3. Secure federal wireless local area networks;
4. Improve security in government outsourcing and procurement; and
5. Encourage state and local governments to consider establishing information technology security programs and participate in information sharing and analysis centers with similar governments.

Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace links the United States to the rest of the world. A network of networks spans the planet, allowing malicious actors on one continent to act on systems thousands of miles away. Cyber attacks cross borders at light speed, and discerning the source of malicious activity is difficult. America must be capable of safeguarding and defending its critical systems and networks. Enabling our ability to do so requires a system of international cooperation to facilitate information sharing, reduce vulnerabilities, and deter malicious actors.

The National Strategy to Secure Cyberspace identifies six major actions and initiatives to strengthen U.S. national security and international cooperation:

1. Strengthen cyber-related counterintelligence efforts;
2. Improve capabilities for attack attribution and response;
3. Improve coordination for responding to cyber attacks within the U.S. national security community;
4. Work with industry and through international organizations to facilitate dialogue and partnerships among international public and private sectors focused on protecting information infrastructures and promoting a global “culture of security;”

5. Foster the establishment of national and international watch-and-warning networks to detect and prevent cyber attacks as they emerge; and
6. Encourage other nations to accede to the Council of Europe Convention on Cybercrime, or to ensure that their laws and procedures are at least as comprehensive.

A National Effort

Protecting the widely distributed assets of cyberspace requires the efforts of many Americans. The federal government alone cannot sufficiently defend America’s cyberspace. Our traditions of federalism and limited government require that organizations outside the federal government take the lead in many of these efforts. Every American who can contribute to securing part of cyberspace is encouraged to do so. The federal government invites the creation of, and participation in, public-private partnerships to raise cybersecurity awareness, train personnel, stimulate market forces, improve technology, identify and remediate vulnerabilities, exchange information, and plan recovery operations.

People and organizations across the United States have already taken steps to improve cyberspace security. On September 18, 2002, many private-sector entities released plans and strategies for securing their respective infrastructures. The Partnership for Critical Infrastructure Security has played a unique role in facilitating private-sector contributions to this Strategy. Inputs from the critical sectors themselves can be found at http://www.pcis.org. (These documents were not subject to government approval.) These comprehensive infrastructure plans describe the strategic initiatives of various sectors, including:

• Banking and Finance;
• Insurance;
• Chemical;
• Oil and Gas;
• Electric;
• Law Enforcement;
• Higher Education;
• Transportation (Rail);
• Information Technology and Telecommunications; and
• Water.

As each of the critical infrastructure sectors implements these initiatives, threats and vulnerabilities to our infrastructures will be reduced.

For the foreseeable future two things will be true: America will rely upon cyberspace and the federal government will seek a continuing broad partnership with the private sector to develop, implement, and refine a National Strategy to Secure Cyberspace.

Introduction

A Nation in Cyberspace

Our Nation’s critical infrastructures consist of the physical and cyber assets of public and private institutions in several sectors: agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is the nervous system of these infrastructures—the control system of our country. Cyberspace comprises hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that make our critical infrastructures work. Thus, the healthy functioning of cyberspace is essential to our economy and our national security. Unfortunately, recent events have highlighted the existence of cyberspace vulnerabilities and the fact that malicious actors seek to exploit them. (See, Cyberspace Threats and Vulnerabilities.)

This National Strategy to Secure Cyberspace is part of an overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, or control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people.

A Unique Problem, a Unique Process

Most critical infrastructures, and the cyberspace on which they rely, are privately owned and operated. The technologies that create and support cyberspace evolve rapidly from private-sector and academic innovation. Government alone cannot sufficiently secure cyberspace. Thus, President Bush has called for voluntary partnerships among government, industry, academia, and nongovernmental groups to secure and defend cyberspace. (See, National Policy and Guiding Principles.)

In recognition of this need for partnership, the process to develop the National Strategy to Secure Cyberspace included soliciting views from both the public and private sectors. To do so, the White House sponsored town hall meetings on cyberspace security in ten metropolitan areas. Consequently, individual sectors (e.g., higher education, state and local government, banking and finance) formed workgroups to create initial sector-specific cyberspace security strategies. Additionally, the White House created a Presidential advisory panel, the National Infrastructure Advisory Council, consisting of leaders from the key sectors of the economy, government, and academia. The President’s National Security Telecommunications Advisory Committee reviewed and commented on the Strategy.

In September 2002, the President’s Critical Infrastructure Protection Board sought comments from individuals and institutions nationwide by placing a draft version of the Strategy online for review. Thousands participated in the town hall meetings and provided comments online. Their comments contributed to shaping the Strategy by narrowing its focus and sharpening its priorities. This process recognizes that we can only secure cyberspace successfully through an inclusive national effort that engages major institutions throughout the country. The federal government designed the Strategy development process to raise the Nation’s level of awareness of the importance of cybersecurity. Its intent was to produce a Strategy that many Americans could feel they had a direct role in developing, and to which they would be committed.

Although the redrafting process reflects many of the comments provided, not everyone will agree with each component of the National Strategy to Secure Cyberspace. Many issues could not be addressed in detail, and others are not yet ripe for national policy. The Strategy is not immutable; actions will evolve as technologies advance, as threats and vulnerabilities change, and as our understanding of the cybersecurity issues improves and clarifies. A national dialogue on cyberspace security must therefore continue.

In the weeks following the release of the draft Strategy, Congress approved the creation of the Department of Homeland Security (DHS), assigned to it many agencies that are active in cybersecurity, and directed it to perform new cybersecurity missions. This Strategy reflects those changes. Congress passed and the President signed the Cyber Security Research and Development Act (Public Law 107-305), authorizing a multi-year effort to create more secure cyber technologies, to expand cybersecurity research and development, and to improve the cybersecurity workforce.

Five National Cyberspace Security Priorities

The National Strategy to Secure Cyberspace is a call for national awareness and action by individuals and institutions throughout the United States, to increase the level of cybersecurity nationwide and to implement continuous processes for identifying and remedying cyber vulnerabilities. Its framework is an agenda of five broad priorities that require widespread voluntary participation. Each individual program consists of several components, many of which were drawn from the draft Strategy’s recommendations and related public comments.

Addressing these priorities requires the leadership of DHS as well as several other key federal departments and agencies. As part of the Office of Management and Budget (OMB)-led budget process, and with the support of Congress, these departments and agencies now have the task of translating the Strategy’s recommendations into actions.

Corporations, universities, state and local governments, and other partners are also encouraged to take actions consistent with these five national cyberspace security priorities, both independently and in partnership with the federal government. Each private-sector organization must make its own decisions based on cost effectiveness analysis and risk-management and mitigation strategies.

The National Strategy to Secure Cyberspace articulates five national priorities. The first priority focuses on improving our ability to respond to cyber incidents and reduce the potential damage from such events. The second, third, and fourth priorities aim to reduce the numbers of cyber threats and our overall vulnerability to cyber attacks. The fifth priority focuses on preventing cyber attacks with the potential to impact national security assets and improving international management of and response to such attacks.

Priority I: A National Cyberspace Security Response System

Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to take place effectively at a national level, the United States requires a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Privacy and civil liberties must be protected in the process. Because no cybersecurity plan can be impervious to concerted and intelligent attacks, information systems must be able to operate while under attack and also have the resilience to restore full operations in their wake. To prepare for the possibility of major cyber attacks, America needs a national cyber disaster recovery plan. The National Cyberspace Security Response System will involve public and private institutions and cyber centers to perform analysis, conduct watch and warning activities, enable information exchange, and facilitate restoration efforts.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

By exploiting vulnerabilities in our cyber systems, an organized cyber attack may endanger the security of our Nation’s critical infrastructures. Cyberspace vulnerabilities occur in the critical infrastructure enterprises and government departments themselves, in their external supporting structures (such as the mechanisms of the Internet), and in unsecured sites across the interconnected network of networks. Vulnerabilities exist for several reasons including technological weaknesses, poor security-control implementation, and absences of effective oversight.

A National Cyberspace Security Threat and Vulnerability reduction program will include coordinated national efforts conducted by governments and the private sector to identify and remediate the most serious cyber vulnerabilities through collaborative activities, such as sharing best practices and evaluating and implementing new technologies. Additional program components will include raising cybersecurity awareness, increasing criminal justice activities, and developing national security programs to deter future cyber threats.

Priority III: A National Cyberspace Security Awareness and Training Program

Many information-system vulnerabilities exist because of a lack of cyberspace security awareness on the part of computer users, systems administrators, technology developers, procurement officials, auditors, chief information officers, chief executive officers, and corporate boards. These vulnerabilities can present serious risks to the infrastructures even if they are not actually part of the infrastructure itself. A lack of trained personnel and the absence of widely accepted, multi-level certifications for personnel further complicate the task of reducing vulnerabilities.

The National Cyberspace Security Awareness and Training Program will raise cybersecurity awareness in companies, government agencies, universities, and among the Nation’s computer users. It will further address shortfalls in the numbers of trained and certified cybersecurity personnel.

Priority IV: Securing Governments’ Cyberspace

Although governments administer only a minority of the Nation’s critical infrastructure computer systems, governments at all levels perform essential services that rely on each of the critical infrastructure sectors, which are agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. With respect to investment in cyberspace security, government can lead by example by fostering a marketplace for more secure technologies through large procurements of advanced information assurance technologies. A program to implement such products will help to ensure that federal computer systems and networks are secure. The federal government will also assist state and local governments with cybersecurity awareness, training, and information exchange.

Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace links the United States to the rest of the world. A network of networks spans the planet, allowing malicious actors on one continent to act on systems thousands of miles away. Cyber attacks cross borders at light speed, and discerning the source of malicious activity is difficult. America must be capable of safeguarding and defending its critical systems and networks—regardless of where an attack originates. Facilitating our ability to do so requires a system of international cooperation to enable the information sharing, reduce vulnerabilities, and deter malicious actors.

Actions and Recommendations

The Strategy highlights actions that the federal government will take and makes recommendations to our partners in nongovernmental organizations. The actions and recommendations (A/R) are italicized throughout the Strategy and numbered according to the associated priority. For example A/R 1-1 is the first action or recommendation in Priority I. Appendix A provides a summary of all of the A/Rs proposed.

Figure: A Mapping of Code Red Penetration on a Portion of the Internet. Image courtesy UCSD/CAIDA (www.caida.org) © 2002 The Regents of the University of California.

Cyberspace Threats and Vulnerabilities

A Case for Action

The terrorist attacks against the United States that took place on September 11, 2001, had a profound impact on our Nation. The federal government and society as a whole have been forced to reexamine conceptions of security on our home soil, with many understanding only for the first time the lengths to which self-designated enemies of our country are willing to go to inflict debilitating damage.

We must move forward with the understanding that there are enemies who seek to inflict damage on our way of life. They are ready to attack us on our own soil, and they have shown a willingness to use unconventional means to execute those attacks. While the attacks of September 11 were physical attacks, we are facing increasing threats from hostile adversaries in the realm of cyberspace as well.

A Nation Now Fully Dependent on Cyberspace

For the United States, the information technology revolution quietly changed the way business and government operate. Without a great deal of thought about security, the Nation shifted the control of essential processes in manufacturing, utilities, banking, and communications to networked computers. As a result, the cost of doing business dropped and productivity skyrocketed. The trend toward greater use of networked systems continues.

By 2003, our economy and national security became fully dependent upon information technology and the information infrastructure. A network of networks directly supports the operation of all sectors of our economy—energy (electric power, oil and gas), transportation (rail, air, merchant marine), finance and banking, information and telecommunications, public health, emergency services, water, chemical, defense industrial base, food, agriculture, and postal and shipping. The reach of these computer networks exceeds the bounds of cyberspace. They also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, and radars.

Threats in Cyberspace

A spectrum of malicious actors can and do conduct attacks against our critical information infrastructures. Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security. The required technical sophistication to carry out such an attack is high—and partially explains the lack of a debilitating attack to date. We should not, however, be too sanguine. There have been instances where attackers have exploited vulnerabilities that may be indicative of more destructive capabilities.

Uncertainties exist as to the intent and full technical capabilities of several observed attacks. Enhanced cyber threat analysis is needed to address long-term trends related to threats and vulnerabilities. What is known is that the attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving.

As an example, consider the “NIMDA” (“ADMIN” spelled backwards) attack. Despite the fact that NIMDA did not create a catastrophic disruption to the critical infrastructure, it is a good example of the increased technical sophistication showing up in cyber attacks. It demonstrated that the arsenal of weapons available to organized attackers now contains the capability to learn and adapt to its local environment. NIMDA was an automated cyber attack, a blend of a computer worm and a computer virus. It propagated across the Nation with enormous speed and tried several different ways to infect computer systems it invaded until it gained access and destroyed files. It went from nonexistent to nationwide in an hour, lasted for days, and attacked 86,000 computers.

Speed is also increasing. Consider that two months before NIMDA, a cyber attack called Code Red infected 150,000 computer systems in 14 hours.

Because of the increasing sophistication of computer attack tools, an increasing number of actors are capable of launching nationally significant assaults against our infrastructures and cyberspace. In peacetime America’s enemies may conduct espionage on our Government, university research centers, and private companies. They may also seek to prepare for cyber strikes during a confrontation by mapping U.S. information systems, identifying key targets, lacing our infrastructure with back doors and other means of access. In wartime or crisis, adversaries may seek to intimidate the nation’s political leaders by attacking critical infrastructures and key economic functions or eroding public confidence in information systems.

Cyber attacks on U.S. information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Countering such attacks requires the development of robust capabilities where they do not exist today if we are to reduce vulnerabilities and deter those with the capabilities and intent to harm our critical infrastructures.

Cyberspace provides a means for organized attack on our infrastructure from a distance. These attacks require only commodity technology, and enable attackers to obfuscate their identities, locations, and paths of entry. Not only does cyberspace provide the ability to exploit weaknesses in our critical infrastructures, but it also provides a fulcrum for leveraging physical attacks by allowing the possibility of disrupting communications, hindering U.S. defensive or offensive response, or delaying emergency responders who would be essential following a physical attack.

In the last century, geographic isolation helped protect the United States from a direct physical invasion. In cyberspace national boundaries have little meaning. Information flows continuously and seamlessly across political, ethnic, and religious divides. Even the infrastructure that makes up cyberspace—software and hardware—is global in its design and development. Because of the global nature of cyberspace, the vulnerabilities that exist are open to the world and available to anyone, anywhere, with sufficient capability to exploit them.

Reduce Vulnerabilities in the Absence of Known Threats

While the Nation’s critical infrastructures must, of course, deal with specific threats as they arise, waiting to learn of an imminent attack before addressing important critical infrastructure vulnerabilities is a risky and unacceptable strategy. Cyber attacks can burst onto the Nation’s networks with little or no warning and spread so fast that many victims never have a chance to hear the alarms. Even with forewarning, they likely would not have had the time, knowledge, or tools needed to protect themselves. In some cases creating defenses against these attacks would have taken days.

A key lesson derived from these and other such cyber attacks is that organizations that rely on networked computer systems must take proactive steps to identify and remedy their vulnerabilities, rather than waiting for an attacker to be stopped or until alerted of an impending attack. Vulnerability assessment and remediation activities must be ongoing. An information technology security audit conducted by trained professionals to identify infrastructure vulnerabilities can take months. Subsequently, the process of creating a multi-layered defense and a resilient network to remedy the most serious vulnerabilities could take several additional months. The process must then be regularly repeated.

Threat and Vulnerability: A Five-Level Problem

Managing threat and reducing vulnerability in cyberspace is a particularly complex challenge because of the number and range of different types of users. Cyberspace security requires action on multiple levels and by a diverse group of actors because literally hundreds of millions of devices are interconnected by a network of networks. The problem of cyberspace security can be best addressed on five levels.

Level 1, the Home User/Small Business

Though not a part of a critical infrastructure the computers of home users can become part of networks of remotely controlled machines that are then used to attack critical infrastructures. Undefended home and small business computers, particularly those using digital subscriber line (DSL) or cable connections, are vulnerable to attackers who can employ the use of those machines without the owner’s knowledge. Groups of such “zombie” machines can then be used by third-party actors to launch denial-of-service (DoS) attacks on key Internet nodes and other important enterprises or critical infrastructures.

Level 2, Large Enterprises

Large-scale enterprises (corporations, government agencies, and universities) are common targets for cyber attacks. Many such enterprises are part of critical infrastructures. Enterprises require clearly articulated, active information security policies and programs to audit compliance with cybersecurity best practices. According to the U.S. intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess.

Level 3, Critical Sectors/Infrastructures

When organizations in sectors of the economy, government, or academia unite to address common cybersecurity problems, they can often reduce the burden on individual enterprises. Such collaboration often produces shared institutions and mechanisms, which, in turn, could have cyber vulnerabilities whose exploitation could directly affect the operations of member enterprises and the sector as a whole. Enterprises can also reduce cyber risks by participating in groups that develop best practices, evaluate technological offerings, certify products and services, and share information.

Several sectors have formed Information Sharing and Analysis Centers (ISACs) to monitor for cyber attacks directed against their respective infrastructures. ISACs are also a vehicle for sharing information about attack trends, vulnerabilities, and best practices.

Level 4, National Issues and Vulnerabilities

Some cybersecurity problems have national implications and cannot be solved by individual enterprises or infrastructure sectors alone. All sectors share the Internet. Accordingly, they are all at risk if its mechanisms (e.g., protocols and routers) are not secure. Weaknesses in widely used software and hardware products can also create problems at the national level, requiring coordinated activities for the research and development of improved technologies. Additionally, the lack of trained and certified cybersecurity professionals also merits national-level concern.

Level 5, Global

The worldwide web is a planetary information grid of systems. Internationally shared standards enable interoperability among the world’s computer systems. This interconnectedness, however, also means that problems on one continent have the potential to affect computers on another. We therefore rely on international cooperation to share information related to cyber issues and, further, to prosecute cyber criminals. Without such cooperation, our collective ability to detect, deter, and minimize the effects of cyber-based attacks would be greatly diminished.

New Vulnerabilities Requiring Continuous Response

New vulnerabilities are created or discovered regularly. The process of securing networks and systems, therefore, must also be continuous. The Computer Emergency Response Team/Coordination Center (CERT/CC) notes that not only are the numbers of cyber incidents and attacks increasing at an alarming rate, so too are the numbers of vulnerabilities that an attacker could exploit. Identified computer security vulnerabilities—faults in software and hardware that could permit unauthorized network access or allow an attacker to cause network damage—increased significantly from 2000 to 2002, with the number of vulnerabilities going from 1,090 to 4,129.

The mere installation of a network security device is not a substitute for maintaining and updating a network’s defenses. Ninety percent of the participants in a recent Computer Security Institute survey reported using antivirus software on their network systems, yet 85 percent of their systems had been damaged by computer viruses. In the same survey, 89 percent of the respondents had installed computer firewalls, and 60 percent had intrusion detection systems. Nevertheless, 90 percent reported that security breaches had taken place, and 40 percent of their systems had

8 T H E N AT I O N A L S T R AT E G Y T O S E C U R E C Y B E R S PA C E
C Y B E R S P A C E T H R E A T S A N D V U L N E R A B I L I T I E S

Roles and Responsibilites in Securing Cyberspace


Priority 1 Priority 2 Priority 3 Priority 4 Priority 5
National National National Security
National
Cyberspace Cyberspace Securing and International
Cyberspace
Security Threat and Security Awareness Governments’ Cyberspace
Security Response
Vulnerability and Training Cyberspace Security
System
Reduction System Program Cooperation

Home User/Small Business ✗ ✗


Large Enterprises ✗ ✗ ✗ ✗ ✗
Critical Sectors/
Infrastructures
✗ ✗ ✗ ✗ ✗
National Issues and
Vulnerabilities
✗ ✗ ✗ ✗
Global ✗

been penetrated from outside their network. For the national economy—particularly
its information technology industry
The majority of security vulnerabilities can be component—the dearth of trusted, reliable,
mitigated through good security practices. As secure information systems presents a barrier to
these survey numbers indicate, however, future growth. Much of the potential for
practicing good security includes more than economic growth made possible by the
simply installing those devices. It also requires information technology revolution has yet to be
operating them correctly and keeping them realized—deterred in part by cyberspace
current through regular patching and virus security risks. Cyberspace vulnerabilities place
updates. more than transactions at risk; they jeopardize
intellectual property, business operations,
Cybersecurity and Opportunity Cost infrastructure services, and consumer trust.
For individual companies and the national Conversely, cybersecurity investments result in
economy as a whole, improving computer more than costly overhead expenditures. They
security requires investing attention, time, and produce a return on investment. Surveys
money. For fiscal year 2003, President Bush repeatedly show that:
requested that Congress increase funds to
secure federal computers by 64 percent. • Although the likelihood of suffering a
President Bush’s investment in securing federal severe cyber attack is difficult to estimate,
computer networks now will eventually reduce the costs associated with a successful one
overall expenditures through cost-saving are likely to be greater than the investment
E-Government solutions, modern enterprise in a cybersecurity program to prevent it; and
management, and by reducing the number of
opportunities for waste and fraud.


• Designing strong security protocols into the information systems architecture of an enterprise can reduce its overall operational costs by enabling cost-saving processes, such as remote access and customer or supply-chain interactions, which could not occur in networks lacking appropriate security.

These results suggest that, with greater awareness of the issues, companies can benefit from increasing their levels of cybersecurity. Greater awareness and voluntary efforts are critical components of the National Strategy to Secure Cyberspace.

Individual and National Risk Management

Until recently overseas terrorist networks had caused limited damage in the United States. On September 11, 2001, that quickly changed. One estimate places the increase in cost to our economy from attacks to U.S. information systems at 400 percent over four years. While those losses remain relatively limited, that too could change abruptly.

Every day in the United States individual companies, and home computer users, suffer damage from cyber attacks that, to the victims, represent significant losses. Conditions likewise exist for relative measures of damage to occur on a national level, affecting the networks and systems on which the Nation depends:

• Potential adversaries have the intent;
• Tools that support malicious activities are broadly available; and,
• Vulnerabilities of the Nation’s systems are many and well known.

No single strategy can completely eliminate cyberspace vulnerabilities and their associated threats. Nevertheless, the Nation must act to manage risk responsibly and to enhance its ability to minimize the damage that results from attacks that do occur. Through this statement, we reveal nothing to potential foes that they and others do not already know. In 1997 a Presidential Commission identified the risks in a seminal public report. In 2000 the first national plan to address the problem was published. Citing these risks, President Bush issued an Executive Order in 2001, making cybersecurity a priority, and accordingly, increasing funds to secure federal networks. In 2002 the President moved to consolidate and strengthen federal cybersecurity agencies as part of the proposed Department of Homeland Security.

[Figures: two charts with year axes 1995–2002 and 1988–2002. Source: CERT/CC ©]


Government Alone Cannot Secure Cyberspace

Despite increased awareness around the importance of cybersecurity and the measures taken thus far to improve our capabilities, cyber risks continue to underlie our national information networks and the critical systems they manage. Reducing that risk requires an unprecedented, active partnership among diverse components of our country and our global partners.

The federal government could not—and, indeed, should not—secure the computer networks of privately owned banks, energy companies, transportation firms, and other parts of the private sector. The federal government should likewise not intrude into homes and small businesses, into universities, or state and local agencies and departments to create secure computer networks. Each American who depends on cyberspace, the network of information networks, must secure the part that they own or for which they are responsible.


National Policy and Guiding Principles

National Policy, Principles, and Organization

This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework of principles within which it was developed. It also outlines the roles and missions of federal agencies.

National Policy

The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. These three functions now depend on an interdependent network of critical information infrastructures that we refer to as “cyberspace.”

It is the policy of the United States to prevent or minimize disruptions to critical information infrastructures and thereby protect the people, the economy, the essential human and government services, and the national security of the United States. Disruptions that do occur should be infrequent, of minimal duration and manageable and cause the least damage possible. The policy requires a continuous effort to secure information systems for critical infrastructure and includes voluntary public-private partnerships involving corporate and nongovernmental organizations.

Consistent with the objectives of the National Strategy for Homeland Security, the objectives of the National Strategy to Secure Cyberspace are to:


• Prevent cyber attacks against our critical infrastructures;
• Reduce our national vulnerabilities to cyber attack; and,
• Minimize the damage and recovery time from cyber attacks that do occur.

Guiding Principles

In January 2001, the Administration began to review the role of information systems and cybersecurity. In October 2001, President Bush issued Executive Order 13231, authorizing a protection program that consists of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. The Federal Information Security Management Act (FISMA) and Executive Order 13231, together with other relevant Presidential directives and statutory authorities, provide the framework for executive branch cyberspace security activities.

The protection of these cyber systems is essential to every sector of the economy. The development and implementation of this program directive has been guided by the following organizing principles:

1. A National Effort: Protecting the widely distributed assets of cyberspace requires the efforts of many Americans. The federal government alone cannot defend America’s cyberspace. Our traditions of federalism and limited government require that organizations outside the federal government take the lead in many of these efforts. The government’s role in securing cyberspace includes promoting better security in privately owned infrastructures when there is a need to:

• Convene and facilitate discussions between and with nongovernmental entities;
• Identify instances where the “tragedy of the commons” can affect homeland, national, and economic security; and
• Share information about cyber threats and vulnerabilities so nongovernmental entities can adjust their risk management strategies and plans, as appropriate.

In every case, the scope for government involvement is limited to those cases when the benefits of intervention outweigh the direct and indirect costs.

Every American who can contribute to securing part of cyberspace is encouraged to do so. The federal government promotes the creation of, and participation in, public-private partnerships to raise awareness, train personnel, stimulate market forces, improve technology, identify and remediate vulnerabilities, exchange information, and plan recovery operations. Many sectors have undertaken the important step of developing ISACs, which facilitate communication, the development of best practices, and the dissemination of security-related information. In addition, various sectors have developed plans to secure their parts of cyberspace, which complement this Strategy, and the government intends for this productive and collaborative partnership to continue.

2. Protect Privacy and Civil Liberties: The abuse of cyberspace infringes on our privacy and our liberty. It is incumbent on the federal government to avoid such abuse and infringement. Cybersecurity and personal privacy need not be opposing goals. Cyberspace security programs must strengthen, not weaken, such protections. Accordingly, care must be taken to respect privacy interests and other civil liberties. Consumers and operators must have confidence their voluntarily shared, nonpublic information will be handled accurately, confidentially, and reliably. The federal government will lead by example in implementing strong privacy policies and practices in the agencies. As part of this process, the federal government will consult regularly with privacy advocates and experts.

3. Regulation and Market Forces: Federal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common-denominator approach to cybersecurity, which evolving technology would quickly marginalize. Even worse, such an approach could result in less secure and more homogeneous security architectures than we have now. By law, some federal regulatory agencies already include cybersecurity considerations in their oversight activity. However, the market itself is expected to provide the major impetus to improve cybersecurity.

4. Accountability and Responsibility: The National Strategy to Secure Cyberspace is focused on producing a more resilient and reliable information infrastructure. When possible, it designates lead executive branch departments or agencies for federal cyberspace security initiatives. On November 25, 2002, the President signed the Homeland Security Act of 2002 establishing the Department of Homeland Security (DHS). DHS will be responsible for many of the initiatives outlined in the National Strategy to Secure Cyberspace. The Strategy also recommends actions federal, state and local governments, the private sector, and the American people can take to help secure cyberspace.

5. Ensure Flexibility: Cyber threats change rapidly. Accordingly, the National Strategy to Secure Cyberspace emphasizes flexibility in our ability to respond to cyber attacks and manage vulnerability reduction. The rapid development of attack tools provides potential attackers with a strategic advantage to adapt their offensive tactics quickly to target perceived weaknesses in networked information systems and organizations’ abilities to respond. Flexible planning allows organizations to reassess priorities and realign resources as the cyber threat evolves.

6. Multi-Year Planning: Securing cyberspace is an ongoing process, as new technologies appear and new vulnerabilities are identified. The National Strategy to Secure Cyberspace provides an initial framework for achieving cyberspace security objectives. Departments and agencies should adopt multi-year cybersecurity plans for sustaining their respective roles. Other public- and private-sector organizations are also encouraged to consider multi-year plans.

Department of Homeland Security and Cyberspace Security

DHS unites 22 federal entities for the common purpose of improving homeland security. The Department also creates a focal point for managing cyberspace incidents that could impact the federal government or even the national information infrastructures. The Secretary of Homeland Security will have important responsibilities in cyberspace security, including:

• Developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States, including information technology and telecommunications systems (including satellites) and the physical and technological assets that support such systems;
• Providing crisis management support in response to threats to, or attacks on, critical information systems;
• Providing technical assistance to the private sector and other governmental entities with respect to emergency recovery plans that respond to major failures of critical information systems;
• Coordinating with other federal agencies to provide specific warning information and advice about appropriate protective measures and countermeasures to state and local government agencies and authorities, the private sector, other entities, and the public; and
• Performing and funding research and development along with other agencies that will lead to new scientific understanding and technologies in support of homeland security.

CRITICAL INFRASTRUCTURE LEAD AGENCIES

LEAD AGENCY: SECTORS

Department of Homeland Security:
• Information and Telecommunications
• Transportation (aviation, rail, mass transit, waterborne commerce, pipelines, and highways (including trucking and intelligent transportation systems))
• Postal and Shipping
• Emergency Services
• Continuity of Government

Department of the Treasury:
• Banking and Finance

Department of Health and Human Services:
• Public Health (including prevention, surveillance, laboratory services, and personal health services)
• Food (all except for meat and poultry)

Department of Energy:
• Energy (electric power, oil and gas production, and storage)

Environmental Protection Agency:
• Water
• Chemical Industry and Hazardous Materials

Department of Agriculture:
• Agriculture
• Food (meat and poultry)

Department of Defense:
• Defense Industrial Base


Designation of Coordinating Agencies

A productive partnership between the federal government and the private sector depends on effective coordination and communication. To facilitate and enhance this collaborative structure, the government has designated a “Lead Agency” for each of the major sectors of the economy vulnerable to infrastructure attack. In addition, the Office of Science and Technology Policy (OSTP) coordinates research and development to support critical infrastructure protection. The Office of Management and Budget (OMB) oversees the implementation of governmentwide policies, principles, standards, and guidelines for federal government computer security programs. The Department of State coordinates international outreach on cybersecurity. The Director of Central Intelligence is responsible for assessing the foreign threat to U.S. networks and information systems. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead the national effort to investigate and prosecute cybercrime.

The government will continue to support the development of public-private partnerships. Working together, sector representatives and federal lead agencies assess their respective sectors’ vulnerabilities to cyber or physical attacks and, accordingly, recommend plans or measures to eliminate significant exposures. Both technology and the threat environment can change rapidly. Therefore, sectors and lead agencies should frequently assess the reliability, vulnerability, and threat environments of the Nation’s infrastructures and employ appropriate protective measures and responses to safeguard them.

The government’s full authority, capabilities, and resources must be available to support critical infrastructure protection efforts. These include, as appropriate, crisis management, law enforcement, regulation, foreign intelligence, and defense preparedness.


Priority I: A National Cyberspace Security Response System

In the 1950s and 1960s, our Nation became vulnerable to attacks from aircraft and missiles for the first time. The federal government responded by creating a national system to: monitor our airspace with radar to detect unusual activity, analyze and warn of possible attacks, coordinate our fighter aircraft defenses during an attack, and restore our Nation after an attack through civil defense programs.

Today, the Nation’s critical assets could be attacked through cyberspace. The United States now requires a different kind of national response system in order to detect potentially damaging activity in cyberspace, to analyze exploits and warn potential victims, to coordinate incident responses, and to restore essential services that have been damaged.

The fact that the vast majority of cyberspace is neither owned nor operated by any single group—public or private—presents a challenge for creating a National Cyberspace Security Response System. There is no synoptic or holistic view of cyberspace. Therefore, there is no panoramic vantage point from which we can see attacks coming or spreading. Information that indicates an attack has occurred (worms, viruses, denial-of-service attacks) accumulates through many different organizations. However, there is no organized mechanism for reviewing these indicators and determining their implications.

To mitigate the impact of cyber attacks, information about them must disseminate widely and quickly. Analytical and incident response capabilities that exist in numerous organizations could be coordinated to determine how to best defend against an attack, mitigate effects, and restore service.

Establishing a proper administrative mechanism for the National Cyberspace Security Response System presents another challenge. Unlike the U.S. airspace-monitoring program during the Cold War, individuals who operate the systems that enable and protect cyberspace usually are not federal employees. Thus, the National Cyberspace Security Response System must operate from a less formal, collaborative network of governmental and nongovernmental organizations.

DHS is responsible for developing the national cyberspace security response system, which includes:

• Providing crisis management support in response to threats to, or attacks on, critical information systems; and
• Coordinating with other agencies of the federal government to provide specific warning information, and advice about appropriate protective measures and countermeasures, to state and local government agencies and authorities, the private sector, other entities, and the public.

DHS will lead and synchronize efforts for the National Cyberspace Security Response System as part of its overall information sharing and crisis coordination mandate; however, the system itself will consist of many organizations from both government and private sectors. The authorizing legislation for the Department of Homeland Security also created the position of a privacy officer to ensure that any mechanisms associated with the National Cyberspace Security Response System appropriately balance its mission with civil liberty and privacy concerns. This officer will consult regularly with privacy advocates, industry experts, and the public at large to ensure broad input and consideration of privacy issues so that we achieve solutions that protect privacy while enhancing security.

Among the system components outlined below are existing federal programs and new federal initiatives pending budget-review consideration, as well as initiatives recommended for our partners.

The National Cyberspace Security Response System

The National Cyberspace Security Response System is a public-private architecture, coordinated by the Department of Homeland Security, for analyzing and warning; managing incidents of national significance; promoting continuity in government systems and private sector infrastructures; and increasing information sharing across and between organizations to improve cyberspace security. The National Cyberspace Security Response System will include governmental entities and nongovernmental entities, such as private sector information sharing and analysis centers (ISACs).

A. ESTABLISH PUBLIC-PRIVATE ARCHITECTURE FOR RESPONDING TO NATIONAL-LEVEL CYBER INCIDENTS

Establishing the National Cyberspace Security Response System will not require an expensive or bureaucratic federal program. In many cases the system will augment the capabilities of several important federal entities with existing cyberspace security responsibilities, which are now part of DHS. The synergy that results from integrating the resources of the National Communications System, the National Infrastructure Protection Center’s analysis and warning functions, the Federal Computer Incident Response Center, the Office of Energy Assurance, and the Critical Infrastructure Assurance Office under the purview of the Under Secretary for Information Analysis and Infrastructure Protection will help build the necessary foundation for the National Cyberspace Security Response System.

National Cyberspace Security Response System

Components/Capabilities

Analysis: DHS Analysis Center
• Strategic group
• Tactical group
• Vulnerability assessments

Warning: DHS Incident Operations Center
• Cyber Warning and Information Network
• ISACs

Incident Management: DHS Incident Management Structure
• Federal coordination
• Private, state and local coordination

Response/Recovery: National Response Contingency Plans
• Federal plans
• Private plan coordination

The Nation’s private-sector networks are increasingly targeted, and they will therefore likely be the first organizations to detect attacks with potential national significance. Thus, ISACs will play an increasingly important role in the National Cyberspace Security Response System and the overall missions of homeland security. ISACs possess unique operational insight into their industries’ core functions and will help provide the necessary analysis to support national efforts.

Typically, an ISAC is an industry-led mechanism for gathering, analyzing, sanitizing, and disseminating sector-specific security information and articulating and promulgating best practices. ISACs are designed by the various sectors to meet their respective needs and financed through their memberships. DHS will work closely with ISACs as appropriate to ensure that they receive timely and actionable threat and vulnerability data and to coordinate voluntary contingency planning efforts. The federal government encourages the private sector to continue to establish ISACs and, further, to enhance the analytical capabilities of existing ISACs.

1. Analysis

a. Provide for the Development of Tactical and Strategic Analysis of Cyber Attacks and Vulnerability Assessments

Analysis is the first step toward gaining important insight about a cyber incident, including the nature of attack, the information it compromised, and the extent of damage it caused. Analysis can also provide an indication of the intruder’s possible intentions, the potential tools he used, and the vulnerabilities he exploited. There are three closely related, but discrete, categories of analysis related to cyberspace:
mation and articulating and promulgating best


(i) Tactical analysis examines factors associated with incidents under investigation or specific, identified vulnerabilities to generate indications and warnings. Examples of tactical analysis include: examining the delivery mechanism of a computer virus to develop and issue immediate guidance on ways to prevent or mitigate damage; and studying a specific computer intrusion, or set of intrusions, to determine the perpetrator, his motive, and his method of attack.

(ii) Strategic analysis looks beyond specific incidents to consider broader sets of incidents or implications that may indicate threats of potential national importance. For example, strategic analyses may identify long-term trends related to threat and vulnerability that could be used to provide advanced warnings of increasing risks, such as emerging attack methods. Strategic analysis also provides policymakers with information they can use to anticipate and prepare for attacks, thereby diminishing the damage they cause. Strategic analysis also provides a foundation to identify patterns that can support indications and warnings.

(iii) Vulnerability assessments are detailed reviews of cyber systems and their physical components to identify and study their weaknesses. Vulnerability assessments are an integral part of the intelligence cycle for cyberspace security. These assessments enable planners to predict the consequences of possible cyber attacks against specific facilities or sectors of the economy or government. These projections then allow infrastructure owners and operators to strengthen their defenses against various types of threat. (This will be discussed in the Cyberspace Security Threat and Vulnerability Reduction Program.)

DHS will foster the development of strong analytic capabilities in each of these areas. It should seek partnership and assistance from the private sector, including the ISACs, in developing these capabilities.

2. Warning

a. Encourage the Development of a Private Sector Capability to Share a Synoptic View of the Health of Cyberspace

The lack of a synoptic view of the Internet frustrates efforts to develop Internet threat analysis and indication and warning capabilities. The effects of a cyber attack on one sector have the potential to cascade across several other sectors, thereby producing significant consequences that could rapidly overwhelm the capabilities of many private companies and state and local governments. DHS’s integration of several key federal cybersecurity operations centers creates a focal point for the federal government to manage cybersecurity emergencies in its own systems, and, if requested, facilitate crisis management in non-federal critical infrastructure systems.

Separately, industry is encouraged to develop a mechanism—whether virtual or physical—that could enable the sharing of aggregated information on Internet health to improve analysis, warning, response, and recovery. To the extent permitted by law, this voluntary coordination of activities among nongovernmental entities could enable different network operators and Internet backbone providers to analyze and exchange data about attacks. Such coordination could prevent exploits from escalating and causing damage or disruption of vital systems.

DHS will create a single point-of-contact for the federal government’s interaction with industry and other partners for 24 x 7 functions, including cyberspace analysis, warning, information sharing, major incident response, and national-level recovery efforts. Private sector organizations, which have major contributions for those functions, are encouraged to coordinate activities, as permitted by law, in order to provide a synoptic view of the health of cyberspace on a 24 x 7 basis. (A/R 1-1)


b. Expand the Cyber Warning and Information Network to Support DHS’s Role in Coordinating Crisis Management for Cyberspace

Hours and minutes can make a difference between a major disruption and a manageable incident. Improving national capabilities for warning requires a secure infrastructure to provide assured communications between critical asset owners and operators and their service providers. The Cyber Warning and Information Network (CWIN) will provide an out-of-band private and secure communications network for government and industry, with the purpose of sharing cyber alert and warning information. The network will include voice conferencing and data collaboration.

While the first phase was implemented between the federal government cyber watch centers, CWIN participants will ultimately include other critical government and industry partners, such as ISACs that deal with cyber threats on a daily basis. As other entities expand in this area, membership will increase as well. Key to CWIN membership is the ability to share sensitive cyber threat information in a secure, protected, and trusted environment.

Justice, Defense, and Commerce all have roles to perform in response to incidents in cyberspace. Within the White House a number of offices have responsibilities, including the Office of Science and Technology Policy, which is responsible for executing emergency telecommunications authorities, the National Security Council, which coordinates all matters related to national security and international cooperation, and the Office of Management and Budget.

In addition, national incident management capabilities will also integrate state chief information officers as well as international entities, as appropriate. (See, Priorities IV and V.)

4. Response and Recovery

a. Create Processes to Coordinate the Voluntary Development of National Public-Private Continuity and Contingency Plans

Among the lessons learned from security reviews following the events of September 11, 2001, was that federal agencies had vastly inconsistent, and in most cases incomplete, contingency capabilities for their communications and other systems. Contingency planning is a key element of cybersecurity. Without
As outlined in the 2003 budget, the federal adequate contingency planning and training,
government will complete the installation of CWIN agencies may not be able to effectively handle
to key government cybersecurity-related network disruptions in service and ensure business conti-
operation centers, to disseminate analysis and nuity. OMB, through the Federal Information
warning information and perform crisis coordi- Security Management Act requirements and
nation. The federal government will also explore with assistance from the inspectors general, is
linking the ISACs to CWIN. (A/R 1-2) holding agencies accountable for developing
continuity plans.
3. National Incident Management
b. Exercise Cybersecurity Continuity Plans in
Enhancing analytical capabilities within DHS, Federal Cyber Systems
the private sector ISACs, and expanding
CWIN will contribute to the improvement of DHS has the responsibility for providing crisis
national cyber incident management. However, management support in response to threats to,
incident management within the federal or attacks on, critical information systems
government will still require coordination with for other government agencies, state and local
organizations other than those being transferred governments and, upon request, the private
to DHS. For example, the Departments of sector. In order to establish a baseline

T H E N A T I O N A L S T R A T E G Y T O S E C U R E C Y B E R S P A C E 23
P R I O R I T Y I

understanding of federal readiness, DHS will explore exercises for the civilian agencies similar to the Defense Department “Eligible Receiver” exercises that test cybersecurity preparedness.

To test civilian agencies’ security preparedness and contingency planning, DHS will use exercises to evaluate the impact of cyber attacks on governmentwide processes. Weaknesses discovered will be included in agency corrective action plans and submitted to OMB. DHS also will explore such exercises as a way to test the coordination of public and private incident management, response and recovery capabilities. (A/R 1-3)

(i) Encourage increased cyber risk management and business continuity. There are a number of measures that nongovernmental entities can employ to manage the risk posed by cyberspace and plan for business continuity. Risk management is a discipline that involves risk assessment, risk prevention, risk mitigation, risk transfer, and risk retention.

There is no special technology that can make an enterprise completely secure. No matter how much money companies spend on cybersecurity, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber risk insurance programs as a means of transferring risk and providing for business continuity.

An important way to reduce an organization’s exposure to cyber-related losses, as well as to help protect companies from operational and financial impairment, is to ensure that adequate contingency plans are developed and tested.

Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk. (A/R 1-4)

(ii) Promote public-private contingency planning for cybersecurity. It may not be possible to prevent a wide-range of cyber attacks. For those attacks that do occur, the Nation needs an integrated public-private plan for responding to significant outages or disruptions in cyberspace. Some organizations have plans for how they will recover their cyber network and capabilities in the event of a major outage or catastrophe. However, there is no mechanism for coordinating such plans across an entire infrastructure or at a national level.

The legislation establishing DHS also provides a trusted mechanism for private industry to develop contingency planning by using the voluntary preparedness planning provisions that were established in the Defense Production Act of 1950, as amended.

Infrastructure sectors are encouraged to establish mutual assistance programs for cybersecurity emergencies. DoJ and the Federal Trade Commission should work with the sectors to address barriers to such cooperation, as appropriate. In addition, DHS’s Information Analysis and Infrastructure Protection Directorate will coordinate the development and regular update of voluntary, joint government-industry cybersecurity contingency plans, including a plan for recovering Internet functions. (A/R 1-5)

B. INFORMATION SHARING

1. Improve and Enhance Public-Private Information Sharing about Cyber Attacks, Threats, and Vulnerabilities

Successfully developing capabilities for analysis, indications, and warnings requires a voluntary public-private information sharing effort. The voluntary sharing of information about such incidents or attacks is vital to cybersecurity. Real or perceived legal obstacles make some organizations hesitant to share information about cyber incidents with the government or with each other. First, some fear that shared data that is confidential, proprietary, or
potentially embarrassing could become subject to public examination when shared with the government. Second, concerns about competitive advantage may impede information sharing between companies within an industry. Finally, in some cases, the mechanisms are simply not yet in place to allow efficient sharing of information.

The legislation establishing DHS provides several specific mechanisms intended to improve two-way information sharing. First, the legislation encourages industry to share information with DHS by ensuring that such voluntarily provided data about threats and vulnerabilities will not be disclosed in a manner that could damage the submitter. Second, the legislation requires that the federal government share information and analysis with the private sector as appropriate and consistent with the need to protect classified and other sensitive national security information.

As required by law, DHS, in consultation with appropriate federal agencies, will establish uniform procedures for the receipt, care, and storage by federal agencies of critical infrastructure information that is voluntarily submitted to the government.

The procedures will address how the Department will:

• Acknowledge the receipt of voluntarily submitted critical infrastructure information;
• Maintain the information as voluntarily submitted critical infrastructure information;
• Establish protocols for the care and storage of such information; and
• Create methods for protecting the confidentiality of the submitting entity while still allowing the information to be used in the issuance of notices and warnings for protection of the critical infrastructure.

DHS will raise awareness about the removal of impediments to information sharing about cybersecurity and infrastructure vulnerabilities between the public and private sectors. The Department will also establish an infrastructure protection program office to manage the information flow, including the development of protocols for how to care for “voluntarily submitted critical infrastructure information.” (A/R 1-6)

2. Encourage Broader Information Sharing on Cybersecurity

Nongovernmental organizations with significant computing resources are encouraged to take active roles in information sharing organizations. Corporations, colleges, and universities can play important roles in detecting and reporting cyber attacks, exploits, or vulnerabilities. In particular, both corporations and institutions of higher learning can gain from increased sharing on cyberspace security issues. Programs such as ISACs, FBI Infragard, or the United States Secret Service electronic crimes task forces can also benefit the respective participants. Because institutions of higher learning have vast computer resources that can be used as launch pads for attacks, colleges and universities are encouraged to consider establishing an on-call point-of-contact to Internet service providers (ISPs) and law enforcement officials.

Corporations are encouraged to consider active involvement in industrywide programs to share information on IT security, including the potential benefits of joining an appropriate ISAC. Colleges and universities are encouraged to consider establishing: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; and, (2) an on-call point-of-contact, to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks. (A/R 1-7)

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

Malicious actors in cyberspace can take many forms including individuals, criminal cartels, terrorists, or nation states. While attackers take many forms, they all seek to exploit vulnerabilities created by the design or implementation of software, hardware, networks, and protocols to achieve a wide range of political or economic effects. As our reliance on cyberspace increases so too does the scope of damage that malicious actors can impose.

Waiting to act until we learn that a malicious actor is about to exploit a particular vulnerability is risky. Such warning information may not always be available. Even when warning data is available, remediation of some vulnerabilities may take days, weeks, or even years. As a result, vulnerabilities must be identified and corrected in critical networks before threats surface. The most dangerous vulnerabilities must be prioritized and reduced in a systematic fashion.

As technology evolves and new systems are introduced, new vulnerabilities emerge. Our strategy cannot be to eliminate all
vulnerabilities, or to deter all threats. Rather, we will pursue a three-part effort to:

(1) Reduce threats and deter malicious actors through effective programs to identify and punish them;
(2) Identify and remediate those existing vulnerabilities that could create the most damage to critical systems, if exploited; and
(3) Develop new systems with less vulnerability and assess emerging technologies for vulnerabilities.

The federal government cannot accomplish these goals acting alone. It can only do so in partnership with state and local governments and the private sector. Many federal agencies must play a part in this effort, which will be led and coordinated by DHS as part of its overall vulnerability reduction mandate.

The components of this program are discussed in this section. They include federal programs (both existing programs and initiatives that will be considered as part of the budget decision making process) and activities that the federal government recommends to its partners. Many activities that can be taken by individuals, companies, and other private organizations to reduce vulnerabilities will be stimulated and accelerated through awareness and are discussed as part of the awareness initiative described in Priority III.

A. REDUCE THREAT AND DETER MALICIOUS ACTORS

1. Enhance Law Enforcement’s Capabilities for Preventing and Prosecuting

The National Strategy to Secure Cyberspace is especially concerned with those threats that could cause significant damage to our economy or security through actions taken using or against our cyber infrastructure. By identifying threats that would cause us significant harm, we can reduce the threats to homeland security, national security, and the economy. Law enforcement and the national security community play a critical role in preventing attacks in cyberspace. Law enforcement plays the central role in attributing an attack through the exercise of criminal justice authorities.

Many cyber-based attacks are crimes. As a result the Justice Department’s Computer Crime and Intellectual Property Section, the FBI’s Cyber Division, and the U.S. Secret Service all play a central role in apprehending and swiftly bringing to justice the responsible individuals. When incidents do occur, a rapid response can stem the tide of an ongoing attack and lessen the harm that is ultimately caused. The Nation currently has laws and mechanisms to ensure quick responses to large incidents. Ideally, an investigation, arrest, and prosecution of the perpetrators, or a diplomatic or military response in the case of a state-sponsored action, will follow such an incident.

Threat reduction, however, involves more than prosecution. Analyzing and disseminating practical information gathered by law enforcement can help promote national infrastructure security. For example, through various initiatives such as the FBI Infragard program and the U.S. Secret Service electronic crimes task forces, law enforcement can share lessons learned from attacks with private sector organizations. The information gleaned from investigations can provide the federal government and private industry a framework for examining the robustness of their cybersecurity skill sets, and assist in prioritizing their limited resources to manage the unique risk of their enterprise.

Justice and the FBI will need to work closely with DHS to ensure that the information gleaned from investigations is appropriately analyzed and shared with ISACs and other nongovernmental entities to promote improved risk management in critical infrastructure sectors.

The Nation will seek to prevent, deter, and significantly reduce cyber attacks by ensuring the identification of actual or attempted perpetrators followed by an appropriate government response. In the case of cybercrime this would include swift apprehension, and appropriately severe punishment.

DOJ and other appropriate agencies will develop and implement efforts to reduce cyber attacks and cyber threats through the following means: (1) identifying ways to improve information sharing and investigative coordination within the federal, state, and local law enforcement community working on critical infrastructure and cyberspace security matters, and with other agencies and the private sector; (2) exploring means to provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of critical infrastructure incidents; and, (3) developing better data about victims of cybercrime and intrusions in order to understand the scope of the problem and be able to track changes over time. (A/R 2-1)

2. Create a Process for National Vulnerability Assessments to Better Understand the Potential Consequences of Threats and Vulnerabilities

a. Assess the Potential Impact of Strategic Cyber Attacks

To better understand how to further detect and prevent attacks, the Nation must know the threat it is facing. To date, no comprehensive assessment of the impact of a strategic cyber attack against the United States has been conducted. Because nation states and terrorists are developing capabilities for cyber-based attacks, it is important to understand the potential impact of such an attack and possible ways to mitigate the effects. DHS, in coordination with appropriate agencies and the private sector, will lead in the development and conduct of a national threat assessment including red teaming, blue teaming, and other methods to identify the impact of possible attacks on a variety of targets. (A/R 2-2)

How the Internet Works

Data sent from one computer to another across the Internet is broken into small packets of information containing addressing information as well as a portion of the total message. The packets travel across the Internet separately and are reassembled at the receiving computer. There are two primary protocols that enable these packets of data to traverse the complex networks and arrive in an understandable format. These protocols are: (1) the Transmission Control Protocol (TCP) which decomposes data into packets and ensures that they are reassembled properly at the destination; and (2) the Internet Protocol (IP), which guides or routes the packets of data through the Internet. Together they are referred to as TCP/IP.

IP is essential to almost all Internet activities including sending data such as e-mail. Data is transmitted based on IP addresses, which are a series of numbers. The Domain Name System (DNS) was developed to simplify the management of IP addresses. The DNS maps IP numbers to recognizable sets of letters, words or numbers. The DNS does this by establishing domains and a structured hierarchical addressing scheme.

B. IDENTIFY AND REMEDIATE EXISTING VULNERABILITIES

Reducing vulnerabilities can be resource intensive. Accordingly, our national efforts to identify and remediate vulnerabilities must be focused to reduce vulnerabilities in a cost effective and systematic manner. The United States must reduce vulnerabilities in four major components of cyberspace, including: (1) the mechanisms of the Internet; (2) digital control
systems/supervisory control and data acquisition systems; (3) software and hardware vulnerability remediation; and, (4) physical infrastructure and interdependency. These four areas have broad implications for the majority of the Nation’s critical infrastructures. Initiating efforts to eliminate vulnerabilities in these important areas will reduce the vulnerability of critical infrastructure services to attack or compromise.

1. Secure the Mechanisms of the Internet

The development and implementation of the mechanisms for securing the Internet are responsibilities shared by its owners, operators, and users. Private industry is leading the effort to ensure that the core functions of the Internet develop in a secure manner. As appropriate, the federal government will continue to support these efforts. The goal is the development of secure and robust mechanisms that will enable the Internet to support the Nation’s needs now and in the future. This will include securing the protocols on which the Internet is based, ensuring the security of the routers that direct the flow of data, and implementing effective management practices.

a. Improve the Security and Resilience of Key Internet Protocols

Essential to the security of the Internet infrastructure is ensuring the reliability and secure use of three key protocols: the Internet Protocol (IP), the Domain Name System (DNS), and the Border Gateway Protocol (BGP).

(i) Internet Protocol. The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol.

The United States must understand the merits of, and obstacles to, moving to IPv6 and, based on that understanding, identify a process for moving to an IPv6 based infrastructure. The federal government can lead in developing this understanding by employing IPv6 on some of its own networks and by coordinating its activities with those in the private sector. The Department of Commerce will form a task force to examine the issues related to IPv6, including the appropriate role of government, international interoperability, security in transition, and costs and benefits. The task force will solicit input from potentially impacted industry segments. (A/R 2-3).

(ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective.

(iii) Border Gateway Protocol. Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols.

Propagation of false routing information in the Internet can deny service to small or large portions of the Internet. For example, false routes can create “black holes” that absorb traffic destined for a particular block of address space. They can also lead to cascade failures that have occurred in other types of large routing/switching systems in the past, where the failure of one switch or mechanism results in the failure of those connected to it, resulting in additional waves of failures expanding outward from the initial fault.

More secure forms of BGP and DNS will benefit all owners, operators and users of the Internet. To address this issue, the Internet Engineering Task Force, a voluntary private body consisting of users, owners, and operators of the Internet, has established working groups for securing BGP and DNS. These groups have made progress, but have been limited by technical obstacles and the need for coordination.

The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.

b. Promote Improved Internet Routing

Routers on the Internet share a number of design characteristics that make them relatively easy to disable, especially through denial-of-service (DoS) attacks that overwhelm a router’s processing capability. Internet routing can be substantially improved by promoting increased use of address verification and “out-of-band” management.

(i) Address Verification. Today there are few effective solutions available, even commercially, to mitigate the effect of DoS attacks, as the scale and lack of address verification and accountability makes filtering and contacting the sources of an attack impossible. One of the largest weaknesses in our current Internet infrastructure is the lack of source address verification. Establishing an Internet infrastructure that provides forged source address filtering is a critical step towards defeating these types of attacks.

(ii) Out-of-Band Management. DoS attacks are difficult to mitigate because they prevent control data from reaching the router. Separate control networks, commonly called “out-of-band” management links, are one technique that can be used to counter DoS attacks.

DHS will examine the need for increased research to improve router security through new technology or approaches to routing information. In particular, DHS will assess progress on out-of-band management and address filtering and recommend steps that can be taken by government or the private sector to improve their effectiveness and use. In addition, DHS will work with the private sector to understand the most efficient path and obstacles to increasing router security using current techniques and technology.

c. Improve Management

Much improvement can be made in the security of the Internet infrastructure if best practices for managing the Internet, including the data that flows through it and the equipment that supports it, are widely employed. DHS will work with organizations that own and operate the Internet to develop and promote the adoption of best practices. In particular, DHS will work with Internet service providers to help develop a widely accepted “code of conduct” for network management. This work will include a review of existing documented best practices such as those published by Network Reliability and Interoperability Council (NRIC) of the Federal Communications Commission (FCC).

DHS, in coordination with the Commerce Department and appropriate agencies, will coordinate public-private partnerships to encourage: (1) the adoption of improved security protocols; (2) the development of more secure router technology; and, (3) the adoption by ISPs of a “code of good conduct,” including cybersecurity practices and security related cooperation. DHS will support these efforts as required for their success, subject to other budget considerations. (A/R 2-4)

2. Foster Trusted Digital Control Systems / Supervisory Control and Data Acquisition Systems

Many industries in America have radically transformed the way they control and monitor equipment over the last 20 years by employing digital control systems (DCS) and supervisory control and data acquisition systems (SCADA). DCS/SCADA are computer-based systems that are used by many infrastructures and industries to remotely control sensitive processes and physical functions that once had to be controlled manually. DCS and SCADA are present in almost every sector of the economy including water, transportation, chemicals, energy, and manufacturing, among others. Increasingly DCS/SCADA systems use the Internet to transmit data rather than the closed networks used in the past.

Securing DCS/SCADA is a national priority. Disruption of these systems can have significant consequences for public health and safety. However, securing these systems is complicated by various factors. First, adding security requires investment in systems and in research and development that companies cannot afford or justify on their own. Such research may require the involvement of multiple infrastructure operators or industries. Second, current technological limitations could impede the implementation of security measures. For example, DCS/SCADA systems are typically small and self-contained units with limited power supplies. Security features are not easily adapted to the space or power requirements. In addition, these systems operate in real time and security measures could reduce performance or impact the synchronization of larger processes.

Both the private and public sectors have a role in securing SCADA systems. DHS, in coordination with the Department of Energy and other concerned agencies, will work in partnership with private industry to ensure that there is broad awareness among industry vendors and users, both regulated and unregulated, of the vulnerabilities in DCS/SCADA systems, and the consequences of exploitation of those vulnerabilities. For operators of DCS/SCADA systems, these efforts should include developing and deploying training and certification of DCS/SCADA-oriented software and hardware security. In addition, DHS will work with the private sector to promote voluntary standards efforts, and security policy creation.

The development of adequate test bed environments and the development of technology in the areas of extremely low latency link encryptors/authenticators, key management, and network status/state-of-health monitoring will aid in the effort to secure DCS/SCADA. DHS, in coordination with DOE and other concerned agencies and in partnership with industry, will develop best practices and new technology to increase security of DCS/SCADA, to determine the most critical DCS/SCADA-related sites, and to develop a prioritized plan for short-term cybersecurity improvements in those sites. (A/R 2-5)

3. Reduce and Remediate Software Vulnerabilities

A third critical area of national exposure is the many flaws that exist in critical infrastructure due to software vulnerabilities. New vulnerabilities emerge daily as use of software reveals flaws that malicious actors can exploit. Currently, approximately 3,500 vulnerabilities are reported annually. Corrections are usually completed by the manufacturer in the form of a
patch and made available for distribution to fix the flaws.

Many known flaws, for which solutions are available, remain uncorrected for long periods of time. For example, the top ten known vulnerabilities account for the majority of reported incidents of cyber attacks. This happens for multiple reasons. Many system administrators may lack adequate training or may not have time to examine every new patch to determine whether it applies to their system. The software to be patched may affect a complex set of interconnected systems that take a long time to test before a patch can be installed with confidence. If the systems are critical, it could be difficult to shut them down to install the patch.

Unpatched software in critical infrastructures makes those infrastructures vulnerable to penetration and exploitation. Software flaws are exploited to propagate “worms” that can result in denial of service, disruption, or other serious damage. Such flaws can be used to gain access to and control over physical infrastructure. Improving the speed, coverage, and effectiveness of remediation of these vulnerabilities is important for both the public and private sector.

Several steps will help. First, the Nation needs a better-defined approach to the disclosure of vulnerabilities. The issue is complex because exposing vulnerabilities both helps speed the development of solutions and also creates opportunities for would-be attackers. In addition, the clearinghouse for such disclosures must be a neutral body between vendors, security companies, and the public at large. Today the government partially funds such organizations. However, the appropriate level and form for this funding need to be reviewed. DHS will work with the National Infrastructure Advisory Council and private sector organizations to develop an optimal approach and mechanism for vulnerability disclosure. (A/R 2-6)

A second step that will speed the distribution of patches in software systems is the creation of common test-beds. Such test-beds running applications that are common among government agencies or companies can speed patch implementation by testing one time, for many users, the impact that a patch will have on a variety of applications. GSA will work with DHS on an improved approach to implementing a patch clearinghouse for the federal government. DHS will also share lessons learned with the private sector and encourage the development of a voluntary, industry-led, national effort to develop a similar clearinghouse for other sectors including large enterprises. (A/R 2-7)

Finally, best practices in vulnerability remediation should be established and shared in areas such as training requirements for system administrators, the use of automated tools, and management processes for patch implementation. DHS will work with public and private entities on the development and dissemination of such practices. More secure initial configurations for shipped cyber products would facilitate more secure use by making the default set-up secure rather than insecure. The software industry is encouraged to consider promoting more secure “out-of-the-box” installation and implementation of their products, including increasing: (1) user awareness of the security features in products; (2) ease-of-use for security functions; and, (3) where feasible, promotion of industry guidelines and best practices that support such efforts. (A/R 2-8)

4. Understand Infrastructure Interdependency and Improve Physical Security of Cyber Systems and Telecommunications

Reducing the vulnerability of the cyber infrastructure includes mitigating the potentially devastating attacks on cyberspace that can occur when key physical linkages are destroyed. The impact of such attacks can be amplified by cascading impacts through a variety of dependent infrastructures affecting both the economy and the health and welfare of citizens: a train derailed in a Baltimore tunnel and the


Internet slowed in Chicago; a campfire in New Mexico damaged a gas pipeline and IT-related production halted in Silicon Valley; a satellite spun out of control hundreds of miles above the Earth and affected bank customers could not use their ATMs.

Cyberspace has physical manifestations: the buildings and conduits that support telecommunications and Internet networks. These physical elements have been designed and built to create redundancy and avoid single points of failure. Nonetheless, the carriers and service providers are encouraged to independently and collectively continue to analyze their networks to strengthen reliability and intentional redundancy. The FCC, through its Network Reliability and Interoperability Council, and the National Security Telecommunications Advisory Committee, can contribute to such efforts and should identify any governmental impediments to strengthening the national networks.

DHS will work actively to reduce interdependencies and physical vulnerability. DHS will establish and lead a public-private partnership to identify cross-sectoral interdependencies, both cyber and physical. The partnership will develop plans to reduce related vulnerabilities in conjunction with programs proposed in the National Strategy for Homeland Security. The National Infrastructure Simulation and Analysis Center in DHS will support these efforts by developing models to identify the impact of cyber and physical interdependencies. (A/R 2-9)

DHS also will support, when requested and as appropriate, voluntary efforts by owners and operators of information system networks and network data centers to develop remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks, and to develop appropriate procedures for limiting access to critical facilities. (A/R 2-10)

C. DEVELOP SYSTEMS WITH FEWER VULNERABILITIES AND ASSESS EMERGING TECHNOLOGIES FOR VULNERABILITIES

As the Nation takes steps to improve the security of current systems, it must also ensure that future cyber systems and infrastructure are built to be secure. This will become increasingly important as more and more of our daily economic and physical lives come to depend on cyber infrastructure. Future security requires research in cyberspace security topics and a commitment to the development of more secure products.

1. Prioritize the Federal Research and Development Agenda

Federal investment in research for the next generation of technologies to maintain and secure cyberspace must keep pace with an increasing number of vulnerabilities. Flexibility and nimbleness are important in ensuring that the research and development process accommodates the dynamic technology environment in the years ahead.

The Nation will prioritize and provide resources as necessary to advance the research to secure cyberspace. A new generation of enabling technologies will serve to “modernize” the Internet for rapidly growing traffic volumes, expanded e-commerce, and the advanced applications that will be possible only when next-generation networks are widely available. As a result, national research efforts must be prioritized to support the transition of cyberspace into a secure, high-speed knowledge and communications infrastructure for this century. Vital research is required for this effort. The Nation must prioritize its cyberspace security research efforts across all sectors and funding sources.

To meet these needs, the Director of OSTP will coordinate the development, and update on an annual basis, a federal government research and


development agenda that includes near-term (1-3 years), mid-term (3-5 years), and later (5 years out and longer) IT security research for Fiscal Year 2004 and beyond. Existing priorities include, among others, intrusion detection, Internet infrastructure security (including protocols such as BGP and DNS), application security, DoS, communications security (including SCADA system encryption and authentication), high-assurance systems, and secure system composition. (A/R 2-11)

To optimize research efforts relative to those of the private sector, DHS will ensure that adequate mechanisms exist for coordination of research and development among academia, industry, and government, and will develop new mechanisms where needed. (A/R 2-12)

An important goal of cybersecurity research will be the development of highly secure, trustworthy, and resilient computing systems. In the future, working with a computer, the Internet, or any other cyber system may become as dependable as turning on the lights or the water.

The Nation must seek to ensure that future components of the cyber infrastructure are built to be inherently secure and dependable for their users. Development of highly secure and reliable systems will be pursued, subject to budgeting constraints, through the national cyberspace security research agenda.

The private sector is encouraged to consider including in near-term research and development priorities, programs for highly secure and trustworthy operating systems. If such systems are developed and successfully evaluated, the federal government will, subject to budget considerations, accelerate procurement of such systems. (A/R 2-13)

In addition, DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development. (A/R 2-14)

2. Assess and Secure Emerging Systems

As new technologies are developed they introduce the potential for new security vulnerabilities. Some new technologies introduce security weaknesses that are only corrected over time, with great difficulty, or sometimes not at all. A person driving in a car around a city, for example, can access many wireless local area networks without the knowledge of their owners unless strong security measures are added to those systems.

As telephones and personal digital assistants, and many other mobile devices, incorporate more sophisticated operating systems and connectivity they may require security features to prevent their exploitation for distributed attacks on mobile networks and even the Internet.

Emerging areas of research also can produce unforeseen consequences for security. The emergence of optical computing and intelligent agents, as well as in the longer term, developments in areas such as nanotechnology and quantum computing, among others, will likely reshape cyberspace and its security. The Nation must be at the leading edge in understanding these technologies and their implications for security.

DHS, in coordination with OSTP and other agencies, as appropriate, will facilitate communication between the public and private research and the security communities, to ensure that emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council, in the context of possible homeland and cyberspace security implications, and relevance to the federal research agenda. (A/R 2-15)


Priority III: A National Cyberspace Security Awareness and Training Program

Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

To do that, users need to know the simple things that they can do to help to prevent intrusions, cyber attacks, or other security breaches. All users of cyberspace have some responsibility, not just for their own security, but also for the overall security and health of cyberspace.

In addition to the vulnerabilities in existing information technology systems, there are at least two other major barriers to users and managers acting to improve cybersecurity: (1) a lack of familiarity, knowledge, and understanding of the issues; and (2) an inability to find sufficient numbers of adequately trained and/or appropriately certified personnel to create and manage secure systems.

Among the components of this priority are the following:

• Promote a comprehensive national awareness program to empower all Americans—businesses, the general workforce, and the general population—to secure their own parts of cyberspace;

• Foster adequate training and education programs to support the Nation’s cybersecurity needs;


• Increase the efficiency of existing federal cybersecurity training programs; and

• Promote private sector support for well-coordinated, widely recognized professional cybersecurity certification.

Key to any successful national effort to enhance cybersecurity must be a national effort to raise awareness (of users and managers at all levels) and maintain an adequate pool of well trained and certified IT security specialists. The federal government cannot by itself create or manage all aspects of such an effort. It can only do so in partnership with industry, other governments, and nongovernmental actors.

Many federal agencies must play a part in this effort, which will be led and coordinated by DHS. The components of this program will include the following federal programs (both existing programs and initiatives which will be considered as part of the budget decision making process) and activities, which we recommend to our partners.

A. AWARENESS

1. Promote a Comprehensive National Awareness Program to Empower All Americans—Businesses, the General Workforce, and the General Population—to Secure their Own Parts of Cyberspace

In many cases solutions to cybersecurity issues exist, but the people who need them do not know they exist or do not know how or where to find them. In other cases people may not even be aware of the need to make a network element secure. A small business, for example, may not realize that the configuration of its web server uses a default password that allows anyone to gain control of the system. Education and outreach play an important role in making users and operators of cyberspace sensitive to security needs. These activities are an important part of the solution for almost all of the issues discussed in the National Strategy to Secure Cyberspace, from securing digital control systems in industry, to securing broadband Internet access at home.

DHS, working in coordination with appropriate federal, state, and local entities and private sector organizations, will facilitate a comprehensive awareness campaign including audience-specific awareness materials, expansion of the StaySafeOnline campaign, and development of awards programs for those in industry making significant contributions to security. (A/R 3-1)

Increasing awareness and education prepares private sectors, organizations, and individuals to secure their parts of cyberspace. Actions taken by one entity on a network can immediately and substantially affect one or many others. Because the insecurity of one participant in cyberspace can have a major impact on the others, the actions they take to secure their own networks contribute to the security of the whole. For example, a few subverted servers recently enabled an attack on some of the Internet Domain Name System root servers and threatened to disrupt service for many users. Through improved awareness the Nation can stimulate actions to secure cyberspace by creating an understanding at all audience levels of both cybersecurity issues and solutions. DHS will lead an effort to increase cybersecurity awareness for key audiences:

a. Home Users and Small Business

Home users and small business are not part of the critical infrastructures. However, their systems are being increasingly subverted by malicious actors to attack critical systems. Therefore, increasing the awareness about cybersecurity among these users contributes to greater infrastructure security. Home users and small business owners of cyber systems often start with the greatest knowledge gap about cybersecurity.

DHS, in coordination with other agencies and private organizations, will work to educate the


general public of home users, students, children, and small businesses on basic cyberspace safety and security issues. As part of these efforts, DHS will partner with the Department of Education and state and local governments to elevate the exposure of cybersecurity issues in primary and secondary schools. In addition, the Federal Trade Commission will continue to provide information on cybersecurity for consumers and small businesses through http://www.ftc.gov/infosecurity.

DHS, in coordination with the Department of Education, will encourage and support, where appropriate subject to budget considerations, state, local, and private organizations in the development of programs and guidelines for primary and secondary school students in cybersecurity. (A/R 3-2)

In recent years, with the spread of “always on” connections for systems, such as cable modems, digital subscriber lines (DSL), and wireless and satellite systems, the security of home user and small business systems has become more important not only to the users themselves, but to others to which they are connected through the Internet. For example, these connections generally mean that larger amounts of data can be sent and done so in a continuous stream. These two factors can be exploited and used to attack other systems, possibly even resulting in nationally significant damage. The Internet service providers, antivirus software companies, and operating system/application software developers that provide services or products to home users and small businesses can help raise their awareness of cybersecurity issues.

Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. To facilitate such actions, DHS will create a public-private task force of private companies, organizations, and consumer users groups to identify ways that providers of information technology products and services, and other organizations can make it easier for home users and small businesses to secure their systems. (A/R 3-3)

b. Large Enterprises

The security of large enterprises is important not only to individual businesses, but to the Nation as a whole. Large enterprises own major cyber networks and computing systems that, if not secure, can be exploited for attacks on other businesses in an increasingly interconnected economy, and could, in the case of a massive attack, have major economic consequences. The cybersecurity of large enterprises can be improved through strong management to ensure that best practices and efficient technology are being employed, especially in the areas of configuration management, authentication, training, incident response, and network management. DHS will continue the work of sensitizing the owners of these networks to their vulnerabilities and what can be done to mitigate them. DHS, working with other government agencies and private sector organizations, will build upon and expand existing efforts to direct the attention of key corporate decision makers (e.g., CEOs and members of boards of directors) to the business case for securing their companies’ information systems.

Decision makers can take a variety of steps to improve the security of their enterprise networks and to ensure that their networks cannot be maliciously exploited. Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructures. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and, (3) participating in industrywide information sharing and best practice dissemination. (A/R 3-4)


(i) Insider Threats. Many cyber attacks on enterprise systems are perpetrated by trusted “insiders.” Insiders are people trusted with legitimate access rights to enterprise information systems and networks. Such trusted individuals can pose a significant threat to the enterprise and beyond. The insider threat poses a key risk because it provides a potential avenue for individuals who seek to harm the Nation to gain access to systems that could support their malicious objectives. Effectively mitigating the insider threat requires policies, practices, and continued training. Three common policy areas which can reduce insider threat include: (1) access controls, (2) segregation of duties, and, (3) effective policy enforcement.

• Poor access controls enable an individual or group to inappropriately modify, destroy, or disclose sensitive data or computer programs for purposes such as personal gain or sabotage.

• Segregation of duties is important in assuring the integrity of an enterprise’s information system. No one person should have complete control of any system.

• Effective enforcement of an enterprise security policy can be challenging and requires regular auditing. New automated software is beginning to emerge which can facilitate efficient enforcement of enterprise security. These programs allow the input of policy in human terms, translation to machine code, and then monitoring at the packet level of all data transactions within, and outbound from, the network. Such software can detect and stop inappropriate use of networks and cyber-based resources.

c. Institutions of Higher Education (IHEs)

Awareness plays an especially important role in increasing the cybersecurity of IHEs. As recent experience has shown, organized attackers have collectively exploited many insecure computer systems traceable to the campus networks of higher education as a platform from which to launch denial-of-service attacks and other threats to unrelated systems on the Internet. Such attacks harm not only the targeted systems, but also the owners of those systems and those who desire to use their services. IHEs are subject to exploitation for two reasons: (1) they possess vast amounts of computing power; and (2) they allow relatively open access to those resources. The computing power owned by IHEs is extensive, covering over 3,000 schools, many with research and significant central computing facilities.

The higher education community, collectively, has been actively engaged in efforts to organize its members and coordinate action to raise awareness and enhance cybersecurity on America’s campuses. Most notably, through EDUCAUSE, the community has raised the issue of the Strategy’s development with top leaders of higher education, including the American Council on Education and the Higher Education IT Alliance. Significantly, through this effort, top university presidents have adopted a 5-point Framework for Action that commits them to giving IT security high priority and to adopting the policies and measures necessary to realize greater system security:

(1) Make IT security a priority in higher education;

(2) Revise institutional security policy and improve the use of existing security tools;

(3) Improve security for future research and education networks;

(4) Improve collaboration between higher education, industry, and government; and

(5) Integrate work in higher education with the national effort to strengthen critical infrastructure.


Colleges and universities are encouraged to secure their cyber systems by establishing some or all of the following as appropriate: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; (2) model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; (3) one or more sets of best practices for IT security; and, (4) model user awareness programs and materials. (A/R 3-5)

d. Private Sectors

DHS will work with private sectors on general awareness as well as on specific issues impacting particular sectors. Private sectors own and operate the vast majority of the Nation’s cyberspace. As long time partners in the effort to secure cyberspace, many sectors have developed plans in parallel with the National Strategy to Secure Cyberspace to help secure their critical infrastructures. The sectors can serve a vital role in the reduction of vulnerabilities by creating sector-wide awareness of issues that affect multiple members. Members can develop and share best practices and work together toward common security solutions. For example, SCADA systems are a widespread security issue in the energy sector. Solutions are being coordinated with the Department of Energy and across the sector. The sectors also play a role in the identification of research needs. DHS will closely coordinate with private sectors on plans and initiatives to secure cyberspace.

A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity. (A/R 3-6)

e. State and Local Governments

DHS will implement plans to focus key decision makers in state and local governments—such as governors, state legislatures, mayors, city managers, and county commissioners/boards of supervisors—to support investment in information systems security measures and adopt enforceable management policies and practices.

B. TRAINING

In addition to raising general awareness, the Nation must focus resources on training a talented and innovative pool of citizens that can specialize in securing the infrastructure. While the need for this pool has grown quickly with the expansion of the Internet and the pervasiveness of computers, networks, and other cyber devices, the investment in training has not kept pace. Universities are turning out fewer engineering graduates, and much of their resources are dedicated to other subjects, such as biology and life sciences. This trend must be reversed if the United States is to lead the world with its cyber economy.

1. Foster Adequate Training and Education Programs to Support the Nation’s Cybersecurity Needs

Improvements in cybersecurity training will be accomplished primarily through the work of private training organizations, institutions of learning, and the Nation’s school systems.

DHS will also encourage private efforts to ensure that adequate opportunities exist for continuing education and advanced training in the workplace to maintain high skills standards and the capacity to innovate.

The federal government can play a direct role in several ways. First, DHS will implement and encourage the establishment of programs to advance the training of cybersecurity professionals in the United States, including coordination with NSF, OPM, and NSA, to identify ways to leverage the existing Cyber Corps Scholarship for Service program as well as the various graduate, postdoctoral, senior researcher, and faculty development fellowship and traineeship programs created by the


Cyber Security Research and Development Act, to address these important training and education workforce issues. (A/R 3-7)

2. Increase the Efficiency of Existing Federal Cybersecurity Training Programs

Second, DHS will explore the benefits of a center for the development of cybersecurity training practices that would draw together expertise and be consistent with the federal “build once, use many” approach. DHS, in coordination with other agencies with cybersecurity training expertise, will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs. (A/R 3-8)

C. CERTIFICATION

1. Promote Private Sector Support for Well-coordinated Widely Recognized Professional Cybersecurity Certifications

Related to education and training is the need for certification of qualified persons. Certification can provide employers and consumers with greater information about the capabilities of potential employees or security consultants. Currently, some certifications for cybersecurity workers exist; however, they vary greatly in the requirements they impose. For example, some programs emphasize broad knowledge verified by an extensive multiple-choice exam, while others verify in-depth practical knowledge on a particular cyber component. No one certification offers a level of assurance about a person’s practical and academic qualifications, similar to those offered by the medical and legal professions.

To address this issue, a number of industry stakeholders including representatives of both consumers and providers of IT security certifications are beginning to explore approaches to developing nationally recognized certifications and guidelines for certification.

Aspects that warrant consideration by these organizations include levels of education and experience, peer recognition, continuing education requirements, testing guidance, as applicable for various levels of certification that may be established, and models for administering a certification for IT security professionals similar to those successfully employed in other professions. DHS and other federal agencies, as downstream consumers (prospective employers of certified personnel), can aid these efforts by effectively articulating the needs of the federal IT security community.

DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community. (A/R 3-9)


Priority IV: Securing Governments’ Cyberspace

Although most critical infrastructures are in the private sector, governments at various levels perform many key functions. Among those key functions are national defense, homeland security, emergency response, taxation, payments to citizens, central bank activities, criminal justice, and public health. All of those functions and others now depend upon information networks and systems. Thus, it is the duty of governments to secure their information systems in order to provide essential services. At the federal level it is also required by law.

The foundation for the federal government’s cybersecurity requires assigning clear and unambiguous authority and responsibility for security, holding officials accountable for fulfilling those responsibilities, and integrating security requirements into budget and capital planning processes.

The federal government will lead by example, giving cybersecurity appropriate attention and care, and encouraging others to do so. The federal government’s procurement practices will be used to help promote cybersecurity. For example, federal agencies should become early adopters of new, more secure systems and protocols where appropriate.

State and local governments can have a similar effect on cybersecurity. The federal government


is ready to partner with both state and local governments to promote cybersecurity.

Within the federal government the Director of OMB is responsible for ensuring that department and agency heads carry out their legal responsibilities to secure IT systems, with the exception of classified systems of national security departments and agencies that are the responsibility of the Secretary of Defense and the Director of Central Intelligence.

A. THE FEDERAL GOVERNMENT

Beginning with the Budget Blueprint in February 2001, continuing in the fiscal year 2002 and 2003 budgets, and the Management Reform Agenda, this administration has set a clear agenda for government reform. These reforms include unifying federal government security and critical infrastructure protection initiatives, and making strong security a condition of funding for all federal investments in information-technology systems.

The National Strategy to Secure Cyberspace supports these efforts by working to ensure that the federal government can identify vulnerabilities, anticipate threats, mitigate attacks when possible, and provide for continuity of operations.

To overcome deficiencies in cybersecurity, OMB established a governmentwide IT security program, as required by law, to set IT security policies and perform oversight of federal agency compliance with security

1. Continuously Assess Threats and Vulnerabilities to Federal Cyber Systems

A key step to ensuring the security of federal information technology is to understand the current state of the effectiveness of security and privacy controls in individual systems. Once identified, it is equally important to maintain that understanding through a continuing cycle of risk assessment. This approach is reflected in OMB security policies, and is featured in FISMA.

OMB’s first report to Congress on government information security reform in February 2002 identified six common governmentwide security performance gaps.

These weaknesses included:

(1) Lack of senior management attention;

(2) Lack of performance measurement;

(3) Poor security education and awareness;

(4) Failure to fully fund and integrate security into capital planning and investment control;

(5) Failure to ensure that contractor services are adequately secure; and

(6) Failure to detect, report, and share information on vulnerabilities.

These gaps are not new or surprising. OMB, along with the General Accounting Office and agency inspectors general, has found them to be
requirements. This program is based on a cost- problems for at least 6 years. The evaluation
effective, risk-based approach. Agencies must and reporting requirements established by law
ensure that security is integrated within every have given OMB and federal agencies an
IT investment. This approach is designed to opportunity to develop a comprehensive, cross-
enable federal government business operations, government baseline of agency IT security
not to unnecessarily impede those functions. performance that had not been previously
available. More importantly, through the devel-
opment and use of corrective action plans, the
federal government has a uniform process to
track progress in fixing those weaknesses.

Before OMB approves funding for a system an agency must demonstrate that it has resolved outstanding security issues related to the system. Additionally, agencies must ensure that security has been incorporated and security costs reported for every IT investment through the federal capital planning process. OMB policy stipulates that specific lifecycle security costs be identified, built into, and funded as part of each system investment. Failure to do so results in disapproval of funding for the entire system.

2. Agency-Specific Processes

The federal government must have a comprehensive and crosscutting approach to improving cybersecurity. Three processes central to improving and maintaining federal cybersecurity in the agencies are: identifying and documenting enterprise architectures; continuously assessing threats and vulnerabilities, and understanding the risks they pose to agency operations and assets; and implementing security controls and remediation efforts to reduce and manage those risks. Each agency will be expected to create and implement this formal three-step process to achieve greater security.

a. Identify and Document Enterprise Architectures

OMB policy requires each agency to identify and document their enterprise architecture, including an authoritative inventory of all operations and assets, all agency IT systems, critical business processes, and their interrelationships with other organizations. This process yields a governmentwide view of critical security needs.

Through the budget process, the federal government will drive agency investments in commercially available tools to improve their architectures and system configuration. Configuration management and control has incidental and important benefits to security. For example, controlling system configuration permits agencies to more effectively and efficiently enforce policies and permissions and more easily install antivirus definitions and other software updates and patches across an entire system or network.

b. Continuously Assess Threats and Vulnerabilities

Commercially available automated auditing and reporting mechanisms should be used to validate the effectiveness of the security controls across a system and are essential to continuously understand risks to those systems. These tools can help in analyzing data, providing forward-looking assessments, and alerting agencies of unacceptable risks to their operations.

Federal agencies will continue to expand the use of automated, enterprise-wide security assessment and security policy enforcement tools and actively deploy threat management tools to deter attacks. The federal government will determine whether specific actions are necessary (e.g., through the policy or budget processes) to promote the greater use of these tools. (A/R 4-1)

c. Implement Security Controls and Remediation Efforts

The implementation of security controls that maintain risk at an acceptable level can often be accomplished in a relatively brief amount of time. However, the remediation of vulnerabilities is a much more complex challenge. Software is constantly changing and each new upgrade can introduce new vulnerabilities. As a result, vulnerabilities must be assessed continuously. Remediation often involves “patching” or installing pieces of software or code that are used to update the main program. The remediation of federal systems must be planned in a consistent fashion.

B. ADDITIONAL GOVERNMENTWIDE CHALLENGES

In addition, there are four specific governmentwide security challenges that need to be addressed. Each agency, as appropriate, should work with OMB to resolve these challenges.

1. Authenticate and Maintain Authorization for Users of Federal Systems

Identifying and authenticating each system user is the first link in the system security chain, and it must take place whenever system access is initiated. To establish and maintain secure system operations, organizations must ensure that the people on the system are who they say they are and are doing only what they are authorized to do. Many authentication procedures used today are inadequate. Passwords are not being changed from the system default, are often incorrectly configured, and are rarely updated.

The federal government will continue to promote a continuing chain of security for all federal employees and processes, including the use, where appropriate, of biometric smart cards for access to buildings and computers, and authentication from the moment of computer log on. The benefits of such an approach are clear. By promoting multi-layered identification and authentication—the use of strong passwords, smart tokens, and biometrics - the federal government will eliminate many significant security problems that it has today.

Through the ongoing E-Authentication initiative, the federal government will review the need for stronger access control and authentication; explore the extent to which all departments can employ the same physical and logical access control tools and authentication mechanisms; and consequently, further promote consistency and interoperability. (A/R 4-2)

The National Information Assurance Partnership (NIAP)

NIAP is a U.S. Government initiative to meet testing, evaluation, and assessment needs of both information technology (IT) producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987.

The partnership, originated in 1997, combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and assessment programs. NIAP continues to build important relationships with government agencies and industry in a variety of areas to help meet current and future IT security challenges affecting the Nation’s critical information infrastructure. More information on the partnership can be found at http://www.niap.nist.gov.

2. Secure Federal Wireless Local Area Networks

When using wireless technology, the federal government will carefully evaluate the risks associated with using such technology for critical functions. The National Institute of Standards and Technology (NIST) notes that wireless communications can be intercepted and that wireless networks can also experience denial-of-service attacks. Federal agencies should use the NIST findings and
recommendations on wireless systems as a guide to the operation of wireless networks.

Federal agencies should consider installing systems that continuously check for unauthorized connections to their networks. Agency policy and procedures should reflect careful consideration of additional risk reduction measures, including the use of strong encryption, bi-directional authentication, shielding standards and other technical security considerations, configuration management, intrusion detection, incident handling, and computer security awareness and training programs. (A/R 4-3)

3. Improve Security in Government Outsourcing and Procurement

Through a joint effort of OMB’s Office of Federal Procurement Policy, the Federal Acquisition Regulations Council, and the Executive Branch Information Systems Security Committee, the federal government is identifying ways to improve security in agency contracts and evaluating the overall federal procurement process as it relates to security. Agencies’ maintenance of security for outsourced operations was cited as one of the key weaknesses identified in OMB’s February 2002 security report to Congress.

Additionally, the federal government will be conducting a comprehensive review of the National Information Assurance Partnership (NIAP), to determine the extent to which it is adequately addressing the continuing problem of security flaws in commercial software products. This review will include lessons learned from implementation of the Defense Department’s July 2002 policy requiring the acquisition of products reviewed under the NIAP or similar evaluation processes. (A/R 4-4)

Department of Defense (DOD) policy stipulates that if an evaluated product of the type being sought is available for use, then the DOD component must procure the evaluated product. If no evaluated product is currently available, the component must require prospective vendors to submit their product for evaluation to be further considered.

Following this program review, the government will evaluate the cost effectiveness of expanding the program to cover all federal agencies. If this proves workable, it could both improve government security and leverage the government’s significant purchasing power to influence the market and begin to improve the security of all consumer information technology products.

4. Develop Specific Criteria for Independent Security Reviews and Reviewers and Certification

With the growing emphasis on security comes the corresponding need for expert independent verification and validation of agency security programs and practices. FISMA and OMB’s implementing guidance require that agencies’ program officials and CIOs review at least annually the status of their programs. Few agencies have available personnel resources to conduct such reviews, and thus they frequently contract for such services. Agencies and OMB have found that contractor security expertise varies widely from the truly expert to less than acceptable. Moreover, many independent verification and validation contractors are also in the business of providing security program implementation services; thus, their program reviews may be biased toward their preferred way of implementing security.

The federal government will explore whether private sector security service providers to the federal government should be certified as meeting certain minimum capabilities, including the extent to which they are adequately independent. (A/R 4-5)

C. STATE AND LOCAL GOVERNMENTS

American democracy is rooted in the precepts of federalism—a system of government in which power is allocated between federal and state governments. This structure of overlapping
federal, state, and local governance has more than 87,000 different jurisdictions and provides unique opportunity and challenges for cyberspace security efforts. State and local governments, like the federal government, operate large, interconnected information systems upon which critical government services depend.

States provide services that make up the “public safety net” for millions of Americans and their families. Services include essential social support activities as well as critical public safety functions, such as law enforcement and emergency response services. States also own and operate critical infrastructure systems, such as electric power and transmission, transportation, and water systems. They play a catalytic role in bringing together the different stakeholders that deliver critical services within their state to prepare for, respond to, manage, and recover from a crisis. Delivering critical services unique to their roles and responsibilities within our federalist system makes state government a critical infrastructure sector in its own right.

Many of these critical functions carried out by states are inexorably tied to IT—including making payments to welfare recipients, supporting law enforcement with electronic access to criminal records, and operating state-owned utility and transportation services. Preventing cyber attacks and responding quickly when they do occur, ensures that these 24/7 systems remain available and in place to provide important services that the public needs and expects. Information technology systems have the potential for bringing unprecedented efficiency and responsiveness from state governments for their residents. Citizen confidence in the integrity of these systems and the data collected and maintained by them is essential for expanded use and capture of these potential benefits.

With an increasing dependence on integrated systems, state, local, and federal agencies have to collectively combat cyber attacks. Sharing information to protect systems is an important foundation for ensuring government continuity. States have adopted several mechanisms to facilitate the sharing of information on cyber attacks and in reporting incidents.

These mechanisms are continually modified and improved as new policy emerges and as technological solutions become available. In addition, states are exploring options for improving information sharing both internally and externally. These options include enacting legislation that provides additional funding and training for cybersecurity and forming partnerships across state, local, and federal governments to manage cyber threats.

1. DHS will Work with State and Local Governments and Encourage them to Consider Establishing IT Security Programs and to Participate in ISACs with Similar Governments

State and local governments are encouraged to establish IT security programs for their departments and agencies, including awareness, audits, and standards; and to participate in the established ISACs with similar governments. (A/R 4-6)

Priority V: National Security and International Cyberspace Security Cooperation

America’s cyberspace is linked to that of the rest of the world. Attacks cross borders at light speed. Distinguishing between malicious activity originating from criminals, nation state actors, and terrorists in real time is difficult. This requires America to be prepared to defend critical networks and respond to attacks in each case. Systems supporting this country’s critical national defense and the intelligence community must be secure, reliable, and resilient—able to withstand attack regardless of the origin of attack. America must also be prepared to respond as appropriate to attacks against its critical infrastructure. At the same time, America must be ready to lead global efforts, working with governments and industry alike, to secure cyberspace that is vital to the operation of the world’s economy and markets. Global efforts require raising awareness, promoting stronger security standards, and aggressively investigating and prosecuting cybercrime.

A. ENSURING AMERICA’S NATIONAL SECURITY

We face adversaries, including nation states and terrorists, who could launch cyber attacks or
seek to exploit our systems. In peacetime America’s enemies will conduct espionage against our government, university research centers, and private companies. Activities would likely include mapping U.S. information systems, identifying key targets, lacing our infrastructure with “back doors” and other means of access. In wartime or crisis, adversaries may seek to intimidate by attacking critical infrastructures and key economic functions or eroding public confidence in information systems. They may also attempt to slow the U.S. military response by disrupting systems of the Department of Defense (DoD), the Intelligence Community, and other government organizations as well as critical infrastructures.

America has already experienced significant national cybersecurity events. In 1998, attackers carried out a sophisticated, tightly orchestrated series of cyber intrusions into the computers of DoD, NASA, and government research labs. The intrusions were targeted against those organizations that conduct advanced technical research on national security, including atmospheric and oceanographic topics as well as aircraft and cockpit design.

The United States must have the capability to secure and defend systems and infrastructures that are deemed national security assets, and develop the capability to quickly identify the origin of malicious activity. We must improve our national security posture in cyberspace to limit the ability of adversaries to conduct espionage or pressure the United States.

1. Strengthen Counterintelligence Efforts in Cyberspace

The FBI and intelligence community should ensure a strong counterintelligence posture to counter cyber-based intelligence collection against the United States government, and commercial and educational organizations. This effort must include a deeper understanding of the capability and intent of our adversaries to use cyberspace as a means for espionage. (A/R 5-1)

2. Improve Attack Attribution and Prevention Capabilities

The intelligence community, DoD, and the law enforcement agencies must improve the Nation’s ability to quickly attribute the source of threatening attacks or actions to enable timely and effective response. Consistent with the National Security Strategy, these efforts will also seek to develop capabilities to prevent attacks from reaching critical systems and infrastructures. (A/R 5-2)

3. Improve Coordination for Responding to Cyber Attacks within the United States National Security Community

The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage, ensuring that criminal matters are referred, as appropriate, among those agencies. The National Security Council and the Office of Homeland Security will lead a study to ensure that appropriate mechanisms are in place. (A/R 5-3)

4. Reserve the Right to Respond in an Appropriate Manner

When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner. The United States will be prepared for such contingencies. (A/R 5-4)

B. INTERNATIONAL COOPERATION

The Department of State will lead federal efforts to enhance international cyberspace security cooperation. Key initiatives include:

1. Work through International Organizations and with Industry to Facilitate and to Promote a Global “Culture of Security”

America’s interest in promoting global cybersecurity extends beyond our borders. Our
information infrastructure is directly linked with Canada, Mexico, Europe, Asia, and South America. The United States and world economy increasingly depend upon global markets and multinational corporations connected via information networks. The vast majority of cyber attacks originates or passes through systems abroad, crosses several borders, and requires international investigative cooperation to be stopped.

Global networks supporting critical economic and security operations must be secure and reliable. Securing global cyberspace will require international cooperation to raise awareness, increase information sharing, promote security standards, and investigate and prosecute those who engage in cybercrime. The United States is committed to working with nations to ensure the integrity of the global information networks that support critical economic and security infrastructure. We are also ready to utilize government-sponsored organizations such as the Organization of Economic Cooperation and Development (OECD), G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS), and other relevant organizations to facilitate global coordination on cybersecurity. In order to facilitate coordination with the private sector, we will also utilize such organizations as the Transatlantic Business Dialogue.

2. Develop Secure Networks

The United States will engage in cooperative efforts to solve technical, scientific, and policy-related problems to assure the integrity of information networks. We will encourage the development and adoption of international technical standards and facilitate collaboration and research among the world’s best scientists and researchers. We will promote such efforts as the OECD’s Guidelines for the Security of Information Systems and Networks, which strive to inculcate a “culture of security” across all participants in the new information society.

Because most nations’ key information infrastructures reside in private hands, the United States will seek the participation of United States industry to engage foreign counterparts in a peer-to-peer dialogue, with the twin objectives of making an effective business case for cybersecurity, and explaining successful means for partnering with government on cybersecurity.

The United States will work through appropriate international organizations and in partnership with industry to facilitate dialogue between foreign public and private sectors on information infrastructure protection and promote a global “culture of security.” (A/R 5-5)

3. Promote North American Cyberspace Security

The United States will work with Canada and Mexico to make North America a “Safe Cyber Zone.” We will expand programs to identify and secure critical common networks that underpin telecommunications, energy, transportation, banking and finance systems, emergency services, food, public health, and water systems. (A/R 5-6)

4. Foster the Establishment of National and International Watch-and-Warning Networks to Detect and Prevent Cyber Attacks as they Emerge

The United States will urge each nation to build on the common Y2K experience and appoint a centralized point-of-contact who can act as a liaison between domestic and global cybersecurity efforts. Establishing points of contact can greatly enhance the international coordination and resolution of cyberspace security issues. We will also encourage each nation to develop its own watch-and-warning network capable of informing government agencies, the public, and other countries about impending attacks or viruses. (A/R 5-7)

To facilitate real-time sharing of the threat information as it comes to light, the United States will foster the establishment of an international
network capable of receiving, assessing, and disseminating this information globally. Such a network can build on the capabilities of nongovernmental institutions such as the Forum of Incident Response and Security Teams. (A/R 5-8)

The United States will encourage regional organizations, such as the APEC, EU, and OAS, to each form or designate a committee responsible for cybersecurity. Such committees would also benefit from establishing parallel working groups with representatives from the private sector. The United States will also encourage regional organizations—such as the APEC, EU, and OAS—to establish a joint committee on cybersecurity with representatives from government and the private sector. (A/R 5-9)

5. Encourage Other Nations to Accede to the Council of Europe Convention on Cybercrime, or to Ensure that their Laws and Procedures are at Least as Comprehensive

The United States will actively foster international cooperation in investigating and prosecuting cybercrime. The United States has signed and supports the recently concluded Council of Europe Convention on Cybercrime, which requires countries to make cyber attacks a substantive criminal offense and to adopt procedural and mutual assistance measures to better combat cybercrime across international borders.

The United States will encourage other nations to accede to the Council of Europe Convention on Cybercrime or to ensure that their laws and procedures are at least as comprehensive. (A/R 5-10)

Ongoing multilateral efforts, such as those in the G-8, APEC, and OECD are also important. The United States will work to implement agreed-upon recommendations and action plans that are developed in these forums. Among these initiatives, the United States in particular will urge countries to join the 24-hour, high-tech crime contact network begun within the G-8, and now expanded to the Council of Europe membership, as well as other countries.

Conclusion: The Way Forward

Our reliance on cyberspace will only continue to grow in the years ahead. Cyberspace and the networks that connect to it now support our economy and provide for our national and homeland defense. This national dependency must be managed with continuous efforts to secure the cyber systems that control our infrastructures.

Securing cyberspace is a complex and evolving challenge. The National Strategy to Secure Cyberspace was developed in close collaboration with key sectors of the economy that rely on cyberspace, state and local governments, colleges and universities, and concerned organizations. Town hall meetings were held around the country, and fifty-three clusters of key questions were published to spark public debate. In addition, a draft version of the National Strategy to Secure Cyberspace was shared with the Nation for public comment. The response has been overwhelming.

The public-private partnerships that formed in response to the President’s call have developed their own strategies to protect the parts of cyberspace on which they rely. This unique partnership and process was and will continue to be necessary because the majority of the country’s cyber resources are controlled by entities outside of government. For the National Strategy to Secure Cyberspace to work it must be a plan in which a broad cross section of the country is both invested and committed. Accordingly, the dialogue about how we secure cyberspace will continue.

The National Strategy to Secure Cyberspace identifies five national priorities that will help us achieve this ambitious goal. These are: (1) a national cyberspace security response system; (2) a national cyberspace security threat and vulnerability reduction program; (3) a national cyberspace security awareness and training program; (4) securing governments’ cyberspace; and, (5) national security and international cyberspace security cooperation. These five priorities will serve to prevent, deter, and protect against attacks. In addition, they also create a process for minimizing the damage and recovering from attacks that do occur.

The National Strategy to Secure Cyberspace is, however, only a first step in a long-term effort to secure our information infrastructures. The federal executive branch will use a variety of tools to implement this Strategy. The Administration will work with Congress to craft future federal security budgets based on the Strategy, providing every department and agency involved in cybersecurity with resources to execute its responsibilities. Each lead department and agency will plan and program to execute the initiatives assigned by the National Strategy to Secure Cyberspace.

Within the federal government DHS will play a central role in implementing the National Strategy to Secure Cyberspace. In addition to executing its assigned initiatives, the Department would also serve as the primary federal point-of-contact for state and local governments, the private sector, and the American people on issues related to cyberspace security. Working with the White House, the Department therefore would coordinate and support implementation of non-federal tasks recommended in the National Strategy to Secure Cyberspace.

Each department and agency will also be accountable for its performance on cybersecurity efforts. The federal government will employ performance measures—and encourage the same for state and local governments—to evaluate the effectiveness of the cybersecurity programs outlined in this Strategy. These performance measures will allow agencies to measure their progress, make resource allocation decisions, and adjust priorities accordingly.

Federal, state, and local governments, as well as organizations and people all across the United States will continue to work to improve cyberspace security. As these strategies and plans are implemented, we will begin to incrementally reduce threats and vulnerabilities.

Cybersecurity and personal privacy need not be opposing goals. Cyberspace security programs must strengthen, not weaken, such protections. The federal government will continue to regularly meet with privacy advocates to discuss cybersecurity and the implementation of this Strategy.

For the foreseeable future, two things will be true: America will rely upon cyberspace and the federal government will seek a continuing broad partnership to develop, implement, and refine the National Strategy to Secure Cyberspace.

APPENDIX

Actions and Recommendations (A/R) Summary

Priority I: A National Cyberspace Security Response System

A/R 1-1: DHS will create a single point-of-contact for the federal government’s interaction with industry and other partners for 24 x 7 functions, including cyberspace analysis, warning, information sharing, major incident response, and national-level recovery efforts. Private sector organizations, which have major contributions for those functions, are encouraged to coordinate activities, as permitted by law, in order to provide a synoptic view of the health of cyberspace on a 24 x 7 basis.

A/R 1-2: As outlined in the 2003 budget, the federal government will complete the installation of CWIN to key government cybersecurity-related network operation centers, to disseminate analysis and warning information and perform crisis coordination. The federal government will also explore linking the ISACs to CWIN.

A/R 1-3: To test civilian agencies’ security preparedness and contingency planning, DHS will use exercises to evaluate the impact of cyber attacks on governmentwide processes. Weaknesses discovered will be included in agency corrective action plans and submitted to the OMB. DHS also will explore such exercises as a way to test the coordination of public and private incident management, response and recovery capabilities.

A/R 1-4: Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk.

A/R 1-5: Infrastructure sectors are encouraged to establish mutual assistance programs for cybersecurity emergencies. DoJ and the Federal Trade Commission should work with the sectors to address barriers to such cooperation, as appropriate. In addition, DHS’s Information Analysis and Infrastructure Protection Directorate will coordinate the development and regular update of voluntary joint government-industry cybersecurity contingency plans, including a plan for recovering Internet functions.

A/R 1-6: DHS will raise awareness about the removal of impediments to information sharing about cybersecurity and infrastructure vulnerabilities between the public and private sectors. The Department will also establish an infrastructure protection program office to manage the information flow, including the development of protocols for how to care for “voluntarily submitted critical infrastructure information.”

A/R 1-7: Corporations are encouraged to consider active involvement in industrywide programs to share information on IT security, including the potential benefits of joining an appropriate ISAC. Colleges and universities are encouraged to consider establishing: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; and, (2) an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks.

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

A/R 2-1: DoJ and other appropriate agencies will develop and implement efforts to reduce cyber attacks and cyber threats through the following means: (1) identifying ways to improve information sharing and investigative coordination within the federal, state, and local law enforcement community working on critical infrastructure and cyberspace security matters, and with other agencies and the private sector; (2) exploring means to provide sufficient investigative and forensic resources and training to facilitate expeditious investigation and resolution of critical infrastructure incidents; and, (3) developing better data about victims of cybercrime and intrusions in order to understand the scope of the problem and be able to track changes over time.

A/R 2-2: DHS, in coordination with appropriate agencies and the private sector, will lead in the development and conduct of a national threat assessment including red teaming, blue teaming, and other methods to identify the impact of possible attacks on a variety of targets.

A/R 2-3: The Department of Commerce will form a task force to examine the issues related to IPv6, including the appropriate role of government, international interoperability, security in transition, and costs and benefits. The task force will solicit input from potentially impacted industry segments.

A/R 2-4: DHS, in coordination with the Commerce Department and appropriate agencies, will coordinate public-private partnerships to encourage: (1) the adoption of improved security protocols; (2) the development of more secure router technology; and, (3) the adoption by ISPs of a “code of good conduct,” including cybersecurity practices and security related cooperation. DHS will support these efforts as required for their success, subject to other budget considerations.

A/R 2-5: DHS, in coordination with DOE and other concerned agencies and in partnership with industry, will develop best practices and new technology to increase security of DCS/SCADA, to determine the most critical DCS/SCADA-related sites, and to develop a prioritized plan for short-term cybersecurity improvements in those sites.

A/R 2-6: DHS will work with the National Infrastructure Advisory Council and private sector organizations to develop an optimal approach and mechanism for vulnerability disclosure.

A/R 2-7: GSA will work with DHS on an improved approach to implementing a patch clearinghouse for the federal government. DHS will also share lessons learned with the private sector and encourage the development of a voluntary, industry-led, national effort to develop a similar clearinghouse for other sectors including large enterprises.

A/R 2-8: The software industry is encouraged to consider promoting more secure “out-of-the-box” installation and implementation of their products, including increasing: (1) user awareness of the security features in products; (2) ease-of-use for security functions; and, (3) where feasible, promotion of industry guidelines and best practices that support such efforts.

A/R 2-9: DHS will establish and lead a public-private partnership to identify cross-sectoral interdependencies both cyber and physical. The partnership will develop plans to reduce related vulnerabilities in conjunction with programs proposed in the National Strategy for Homeland Security. The National Infrastructure Simulation and Analysis Center in DHS will support these efforts by developing models to identify the impact of cyber and physical interdependencies.

A/R 2-10: DHS also will support, when requested and as appropriate, voluntary efforts by owners and operators of information system networks and network data centers to develop remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks, and to develop appropriate procedures for limiting access to critical facilities.

A/R 2-11: To meet these needs, the Director of OSTP will coordinate the development, and update on an annual basis a federal government research and development agenda that includes near-term (1-3 years), mid-term (3-5 years), and later (5 years out and longer) IT security research for Fiscal Year 2004 and beyond. Existing priorities include, among others, intrusion detection, Internet infrastructure security (including protocols such as BGP and DNS), application security, DoS, communications security (including SCADA system encryption and authentication), high-assurance systems, and secure system composition.

A/R 2-12: To optimize research efforts relative to those of the private sector, DHS will ensure that adequate mechanisms exist for coordination of research and development among academia, industry and government, and will develop new mechanisms where needed.

A/R 2-13: The private sector is encouraged to consider including in near-term research and development priorities, programs for highly secure and trustworthy operating systems. If such systems are developed and successfully evaluated, the federal government will, subject to budget considerations, accelerate procurement of such systems.

A/R 2-14: DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.

A/R 2-15: DHS, in coordination with OSTP and other agencies, as appropriate, will facilitate communication between the public and private research and the security communities, to ensure that emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council, in the context of possible homeland and cyberspace security implications, and relevance to the federal research agenda.

Priority III: A National Cyberspace Security Awareness and Training Program

A/R 3-1: DHS, working in coordination with appropriate federal, state, and local entities and private sector organizations, will facilitate a comprehensive awareness campaign including audience-specific awareness materials, expansion of the StaySafeOnline campaign, and development of awards programs for those in industry making significant contributions to security.

A/R 3-2: DHS, in coordination with the Department of Education, will encourage and support, where appropriate subject to budget considerations, state, local, and private organizations in the development of programs and guidelines for primary and secondary school students in cybersecurity.

A/R 3-3: Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. To facilitate such actions, DHS will create a public-private task force of private companies, organizations, and consumer users groups to identify ways that
providers of information technology products and services, and other organizations can make it easier for home users and small businesses to secure their systems.

A/R 3-4: Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructures. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and, (3) participating in industrywide information sharing and best practices dissemination.

A/R 3-5: Colleges and universities are encouraged to secure their cyber systems by establishing some or all of the following as appropriate: (1) one or more ISACs to deal with cyber attacks and vulnerabilities; (2) model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; (3) one or more sets of best practices for IT security; and, (4) model user awareness programs and materials.

A/R 3-6: A public-private partnership should continue work in helping to secure the Nation’s cyber infrastructure through participation in, as appropriate and feasible, a technology and R&D gap analysis to provide input into the federal cybersecurity research agenda, coordination on the conduct of associated research, and the development and dissemination of best practices for cybersecurity.

A/R 3-7: DHS will implement and encourage the establishment of programs to advance the training of cybersecurity professionals in the United States, including coordination with NSF, OPM, and NSA, to identify ways to leverage the existing Cyber Corps Scholarship for Service program as well as the various graduate, postdoctoral, senior researcher, and faculty development fellowship and traineeship programs created by the Cyber Security Research and Development Act, to address these important training and education workforce issues.

A/R 3-8: DHS, in coordination with other agencies with cybersecurity training expertise, will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs.

A/R 3-9: DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the Federal IT security community.

Priority IV: Securing Governments’ Cyberspace

A/R 4-1: Federal agencies will continue to expand the use of automated, enterprise-wide security assessment and security policy enforcement tools and actively deploy threat management tools to deter attacks. The federal government will determine whether specific actions are necessary (e.g., through the policy or budget processes) to promote the greater use of these tools.

A/R 4-2: Through the ongoing E-Authentication initiative, the federal government will review the need for stronger access control and authentication; explore the extent to which all departments can employ the same physical and logical access control tools and authentication mechanisms; and, consequently, further promote consistency and interoperability.

A/R 4-3: Federal agencies should consider installing systems that continuously check for unauthorized connections to their networks. Agency policy and procedures should reflect careful consideration of additional risk reduction measures, including the use of strong encryption, bi-directional authentication, shielding standards and other technical security
considerations, configuration management, intrusion detection, incident handling, and computer security awareness and training programs.

A/R 4-4: Additionally, the federal government will be conducting a comprehensive review of the National Information Assurance Partnership (NIAP), to determine the extent to which it is adequately addressing the continuing problem of security flaws in commercial software products. This review will include lessons-learned from implementation of the Defense Department’s July 2002 policy requiring the acquisition of products reviewed under the NIAP or similar evaluation processes.

A/R 4-5: The federal government will explore whether private sector security service providers to the federal government should be certified as meeting certain minimum capabilities, including the extent to which they are adequately independent.

A/R 4-6: State and local governments are encouraged to establish IT security programs for their departments and agencies, including awareness, audits, and standards; and to participate in the established ISACs with similar governments.

Priority V: National Security and International Cyberspace Security Cooperation

A/R 5-1: The FBI and intelligence community should ensure a strong counterintelligence posture to counter cyber-based intelligence collection against the U.S. Government, and commercial and educational organizations. This effort must include a deeper understanding of the capability and intent of our adversaries to use cyberspace as a means for espionage.

A/R 5-2: The intelligence community, DoD, and the law enforcement agencies must improve the Nation’s ability to quickly attribute the source of threatening attacks or actions to enable timely and effective response. Consistent with the National Security Strategy, these efforts will also seek to develop capabilities to prevent attacks from reaching critical systems and infrastructures.

A/R 5-3: The United States must improve interagency coordination between law enforcement, national security, and defense agencies involving cyber-based attacks and espionage, ensuring that criminal matters are referred, as appropriate, among those agencies. The National Security Council and the Office of Homeland Security will lead a study to ensure that appropriate mechanisms are in place.

A/R 5-4: When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner. The United States will be prepared for such contingencies.

A/R 5-5: The United States will work through appropriate international organizations and in partnership with industry to facilitate dialogue between foreign public and private sectors on information infrastructure protection and promote a global “culture of security.”

A/R 5-6: The United States will work with Canada and Mexico to make North America a “Safe Cyber Zone.” We will expand programs to identify and secure critical common networks that underpin telecommunications, energy, transportation, banking and finance systems, emergency services, food, public health, and water systems.

A/R 5-7: The United States will urge each nation to build on the common Y2K experience and appoint a centralized point-of-contact who can act as a liaison between domestic and global cybersecurity efforts. Establishing points of contact can greatly enhance the international coordination and resolution of cyberspace
security issues. We will also encourage each nation to develop its own watch-and-warning network capable of informing government agencies, the public, and other countries about impending attacks or viruses.

A/R 5-8: To facilitate real-time sharing of the threat information as it comes to light; the United States will foster the establishment of an international network capable of receiving, assessing, and disseminating this information globally. Such a network can build on the capabilities of nongovernmental institutions such as the Forum of Incident Response and Security Teams.

A/R 5-9: The United States will encourage regional organizations, such as the APEC, EU, and OAS, to each form or designate a committee responsible for cybersecurity. Such committees would also benefit from establishing parallel working groups with representatives from the private sector. The United States will also encourage regional organizations—such as the APEC, EU, and OAS—to establish a joint committee on cybersecurity with representatives from government and the private sector.

A/R 5-10: The United States will encourage other nations to accede to the Council of Europe Convention on Cybercrime or to ensure that their laws and procedures are at least as comprehensive.

60 T H E N A T I O N A L S T R A T E G Y T O S E C U R E C Y B E R S P A C E
0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0
0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0
0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0
1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0
1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0
1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11
1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0
1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0
0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1
0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1
0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1
1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0
0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0
0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0
1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0
1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0
1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11
1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0
1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0
1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1
0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1
0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1
0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0
T H E N A T I O N A L S T R A T E G Y T O
1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0
1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0

SECURE
0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0
0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0
0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0
1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0
1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0
1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11

CYBERSPACE
1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0
1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0
1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1
0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1
0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1
0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0
1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0
1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0
0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 F E B R U A R Y 2 0 0 3
