Cybersecurity Strategy, Law and Policy
Part 1: Cybersecurity Strategy
This section explores the different cybersecurity priorities and strategies of the European Union, the United
States, and the North Atlantic Treaty Organization (NATO). You will learn about US national security and
cybersecurity policies, including the specific regulations that apply to health care, financial organizations, and federal agencies.
For an international perspective, review the efforts of the NATO Cooperative Cyber Defence Centre of Excellence to
support member nations with cyber defense initiatives.
What Is a National Cybersecurity Strategy?
A national cybersecurity strategy (NCSS) is a plan designed to improve the security and resilience of
national infrastructure and services such as roads, bridges, tunnels, water supply, sewers, electrical
grids, and telecommunications. It is "a high-level top-down approach to cybersecurity that
establishes a range of national objectives and priorities that should be achieved in a specific timeframe" (ENISA, n.d.).
At least, that is how the European Union Agency for Network and Information Security (ENISA) defines
it. So, what is the perspective of the United States? Well, that is complicated. Let's quickly review where
the United States has been, and perhaps where it is going.
References
European Union Agency for Network and Information Security (ENISA). (n.d.). National
cybersecurity strategies. Retrieved from https://www.enisa.europa.eu/topics/national-cyber-security-strategies
History of US Cybersecurity Strategy and Laws
On February 14, 2003, the Department of Homeland Security (DHS) released the National Strategy to
Secure Cyberspace (DHS, 2003). This strategy was a subcomponent of the larger National Strategy for
Homeland Security and was a response to the terrorist attacks of September 11, 2001.
In summary, it offers suggestions to the private sector, academia, and citizens for how to protect
the individual and organizational information, hardware, and software components that are
operated via the internet. This document also contains one of the first official
uses of the term "cyberspace."
In January 2008, the president of the United States, George W. Bush, established the Comprehensive
National Cybersecurity Initiative (CNCI). The initiative outlines US cybersecurity goals and spans multiple
federal agencies including the Department of Homeland Security (DHS), the Office of Management and
Budget (OMB), and the National Security Agency (NSA) (DHS, 2003). The details of the CNCI were kept
classified until the next president took office.
In May 2009, the Obama administration declassified parts of the CNCI (Vijayan, 2010) and accepted the
results. The next step was to strengthen the effort. In doing so, we learned that the goals of the initiative
included (White House, 2017):
1. Establishing a front line of defense against network intrusion.
2. Defending the United States against the full spectrum of threats through counterintelligence.
3. Strengthening the future cybersecurity environment through education, coordination, and research.
In 2014, two national legislative efforts were passed into law (Skeath, 2014):
1. The Cybersecurity Enhancement Act of 2014, which allows the National Institute of
Standards and Technology (NIST) to facilitate the development of a private- and public-sector set of cybersecurity best practices for critical infrastructure.
2. The National Cybersecurity Protection Act of 2014, which codified DHS's existing
National Cybersecurity and Communications Integration Center (NCCIC). The intent of
the NCCIC is to facilitate private- and public-sector sharing of information security
threats, incident response, and technical assistance.
In 2015, the United States released its National Security Strategy, which discussed how cybersecurity
would be addressed domestically and internationally. For example, the strategy claims that "we are
working with the owners and operators of our Nation's critical cyber and physical infrastructure across
every sector—financial, energy, transportation, health, information technology, and more – to decrease
vulnerabilities and increase resilience" (White House, 2015).
Also in 2015, the Department of Defense (DoD) released its Cyber Strategy. The DoD Cyber Strategy
focuses on three primary missions (Department of Defense, 2015):
1. Defend DoD networks, systems, and information
2. Defend the US homeland and US national interests against cyberattacks of significant consequence
3. Provide cyber support to military operational and contingency plans
Source: US Department of Defense (n.d.). DoD's three primary cyber missions. In the public domain. Retrieved from
http://archive.defense.gov/home/features/2015/0415_cyber-strategy/
Finally, and arguably most significantly, the Cybersecurity Act of 2015 was signed into law. Some argue
this act was so significant because it established a mechanism for cybersecurity
information sharing among private-sector and federal government entities (Sullivan & Cromwell, 2015).
In the context of its short history, 2015 was a big year for cybersecurity strategy and legislation.
In 2017, President Donald Trump signed a cybersecurity executive order that outlined three key
priorities: (1) protecting federal networks, (2) updating antiquated and outdated systems, and (3)
directing all department and agency heads to work together (White House, 2017). Also, the National
Security Strategy of 2017 again touched on cybersecurity as a subcomponent of a larger national
strategy (Sulmeyer, 2017).
References
Department of Defense. (2015). The Department of Defense cyber strategy. Retrieved from
https://dod.defense.gov/News/Special-Reports/0415_Cyber-Strategy/
Department of Homeland Security (DHS). (2003). National strategy to secure cyberspace. Retrieved from
https://www.dhs.gov/national-strategy-secure-cyberspace
Skeath, C. (2014, December 12). Congress passes five cybersecurity bills. Retrieved from
https://www.insideprivacy.com/united-states/congress-passes-four-cybersecurity-bills/
Sullivan & Cromwell LLP. (2015, December 22). The Cybersecurity Act of 2015. Retrieved from
https://www.sullcrom.com/siteFiles/Publications/SC_Publication_The_Cybersecurity_Act_of_2015.pdf
Sulmeyer, M. (2017, December 19). Cybersecurity in the 2017 National Security Strategy [Blog post].
Retrieved from https://www.lawfareblog.com/cybersecurity-2017-national-security-strategy
White House. (2007). The comprehensive national cybersecurity initiative. Retrieved from
https://obamawhitehouse.archives.gov/node/233086
White House. (2015). National security strategy. Retrieved from http://nssarchive.us/wp-content/uploads/2015/02/2015.pdf
White House. (2017). Presidential executive order on strengthening the cybersecurity of federal
networks and critical infrastructure. Retrieved from https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/
Cybersecurity Strategy vs. Regulation
If the previous section is a bit confusing, or you're left wondering "so what does it all mean," you are not
alone. In short, the United States has not been successful in establishing a comprehensive national
cybersecurity strategy—at least as compared with the European Union, which features unified
cybersecurity regulations for its members.
However, some argue that private- and public-sector cybersecurity cooperation should be voluntary and
not mandatory (Boulee et al., 2013). In fact, the United States has mandated regulation only in specific
industries. Examples include:
1. Health Insurance Portability and Accountability Act (HIPAA)
2. Gramm-Leach-Bliley Act
3. Homeland Security Act/Federal Information Security Management Act
These regulations mandate that health care organizations, financial institutions, and federal agencies,
respectively, protect their systems and the information in those systems. Outside of those exceptions, the executive
and legislative branches of the United States government have sided with those who believe private- and
public-sector cooperation for all other organizations and entities should be voluntary.
There are pros and cons to this approach. Some contend that even with these regulations, there still
have been many breaches, so the regulations have little effect. Some of the more prominent breaches
include:
1. Anthem medical data breach: On February 4, 2015, Anthem discovered that the personal medical data of 78.8 million people had been
stolen over a period of weeks during the month before the breach was discovered.
2. Equifax data breach: On September 7, 2017, the credit reporting agency Equifax announced that the
personal and financial data of over 140 million people had been stolen in one of
the largest data breaches in history.
3. Office of Personnel Management (OPM) data breach: Between 2014 and 2015, two separate but linked cyberattacks exposed the
personnel records of 21.5 million people, including those who had undergone
background checks but may not have been current or former government
employees.
References
Boulee, J-P., Davis, W. W., Kantner, R. W., McDonald, K. P., Metcalf, J. C., & Paez, M. F. (2013). The
cybersecurity debate: Voluntary versus mandatory cooperation between the private sector and the
federal government. Jones Day. Retrieved from
https://www.lexology.com/library/detail.aspx?g=70a72c39-3168-45c3-9da6-5c4baadaf94b
What About the Rest of the World?
And what about the rest of the world? The NATO Cooperative Cyber Defense Centre of
Excellence maintains a holistic repository of all NATO members' national cybersecurity
strategies.
Ensuring GDPR Compliance
Portions of Ensuring GDPR Compliance are adapted from How Will the GDPR Impact Open Source
Communities? by Robin Muilwijk from Opensource.com, available under a Creative Commons
Attribution-ShareAlike 4.0 International license. UMUC has modified this work and it is available under
the original license.
The European Union's GDPR regulations affect how organizations need to protect personal data on a
global scale.
The GDPR brings many changes, strengthening data protection and privacy of EU persons, compared to
the previous directive, including the following requirements:
Explicit Consent
GDPR strengthens the requirements to seek consent. Users must give explicit consent using clear and
plain language. It also makes it easier for users to withdraw consent.
According to Article 4(11) of GDPR (European Commission, 2018), consent is:
"any freely given, specific, informed and unambiguous indication of his or her wishes by which the data
subject, either by a statement or by a clear affirmative action, signifies agreement to personal data
relating to them being processed"
Kaelin (2018) describes what this means, explaining that consent for the collection of personal
information must be
1. freely given—truly optional, with no penalty for declining data collection
2. specific and unambiguous—data controllers must clearly spell out the type of data to be
processed, the reason for collection, who will be processing the data, when the processing
will take place, and the expiration date of the agreement
3. informed—the request cannot be embedded inside another common statement, such
as the terms of service or privacy policy
4. given with clear affirmative action—consent must be opt-in rather than opt-out.
Right to Access
EU persons gain expanded rights under the GDPR. One of them is the right to ask an organization whether, where,
and which personal data is processed. Upon request, they must also be provided with a free copy of
this data, in an electronic format if the data subject (e.g., an EU citizen) asks for it (Muilwijk, 2018).
Right to Be Forgotten
Another right EU citizens get through the GDPR is the "right to be forgotten," also known as data erasure.
This means that, subject to certain limitations, the organization will have to erase an EU citizen's data and
possibly even stop any further processing, including processing by the organization's third parties.
The above three changes imply that any platform's software will need to comply with certain aspects of
the GDPR as well. It will need specific features such as obtaining and storing consent, extracting
data and providing a copy in electronic format to a data subject, and finally the means to erase specific
data about a data subject (Muilwijk, 2018).
Breach Notification
Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the
authorization of the data subject. Once discovered, you should notify your affected persons within 72
hours unless the personal data breach is unlikely to result "in a risk to the rights and freedoms of natural
persons." This breach notification is mandatory under the GDPR (Muilwijk, 2018).
References
European Commission. (2018). 2018 reform of EU data protection rules. Retrieved from
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Kaelin, M. (2018, April 12). Understand the GDPR guidelines for obtaining lawful consent to process
data. Retrieved from https://www.techrepublic.com/article/gdpr-guidelines-for-obtaining-valid-and-lawful-consent-to-process-data/
Muilwijk, R. (2018, April 19). How will the GDPR impact open source communities? Available under the
Creative Commons Attribution-ShareAlike 4.0 International license. Retrieved from
https://opensource.com/article/18/4/gdpr-impact
Cybersecurity Policy
A policy is typically a document that outlines specific requirements or rules that must be met. For
example, an "acceptable use" policy would cover the rules and regulations for appropriate use of
computing facilities (SANS, n.d.).
A security policy is a statement by responsible decision makers about the protection mechanisms for an
organization's crucial physical and information assets (InfoSec Institute, n.d.). The National Institute of
Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a policy framework of
computer security guidance for how private-sector organizations in the United States can assess and
improve their ability to prevent, detect, and respond to cyberattacks (NIST, 2018).
Source: N. Hanacek/National Institute of Standards and Technology. Cybersecurity Framework Version
1.1. In the public domain. Retrieved from https://www.nist.gov/cyberframework
The NIST CSF is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure
organizations to better manage and reduce cybersecurity risk (FRSecure, n.d.). It was also developed for
other organizations and industries to use.
References
FRSecure. (n.d.). How to use (and not use) the NIST CSF [Blog post]. Retrieved from
https://frsecure.com/blog/how-to-use-and-not-use-the-nist-csf/
InfoSec Institute. (n.d.). An introduction to cyber security policy. Retrieved from
https://resources.infosecinstitute.com/cyber-security-policy-part-1/#gref
National Institute of Standards and Technology (NIST). (2018, April). Cybersecurity framework. Retrieved
from https://www.nist.gov/cyberframework
SANS Institute. (n.d.). Information security policy templates. Retrieved from
https://www.sans.org/security-resources/policies
Assignments
You will be collaborating with your previously assigned group on this assignment. It is up to the group
members to decide how they will plan, meet, discuss, and complete the five sections of the paper.
Remember, if a member fails to complete his or her part of the work, the group is still responsible for all
sections.
Part 1: National Security Strategy and Cybersecurity
1. After reading the National Security Strategy (2017), comment on the following.
   1. Should the United States create a separate cybersecurity strategy to be
   published alongside the National Security Strategy (NSS), or do you feel the NSS
   is enough? Why or why not?
   2. Consider your answer in the context of the original National Strategy to Secure
   Cyberspace (2003). What is not adequately addressed in the National Security
   Strategy (2017) as it relates to cybersecurity?
Part 2: Public/Private Partnerships
1. After reading the Cybersecurity Act of 2015, address the private/public partnership with
the DHS National Cybersecurity and Communications Integration Center (NCCIC),
arguably the most important aspect of the act. The Cybersecurity Act of 2015 allows for
private and public sharing of cybersecurity threat information.
   1. What should the DHS NCCIC (public) share with private sector organizations?
   What type of threat information would enable private organizations to better
   secure their networks?
   2. On the flip side, what should private organizations share with the NCCIC? As it is
   written, private organization sharing is completely voluntary. Should this be
   mandatory? If so, what are the implications to the customers' private data?
   3. The government is not allowed to collect data on citizens. How should the act
   be updated to make it better and more value-added for the public-private
   partnership regarding cybersecurity?
Part 3: Private Sector Organizations
1. Review the General Data Protection Regulation (GDPR) of the European Commission
(EU). It includes many provisions and arguably strengthens data protection for
individuals within the EU. It even includes the right to be forgotten. The United States
does not have a similar regulation. There have only been a few regulations implemented
related to US citizens' private data, which include the medical and financial industries. Some
argue implementing regulation such as GDPR in the United States would hinder
innovation. They contend that End User License Agreements (EULAs) provide enough
protection and allow citizens to make the choice of what is and is not shared.
   1. As a private sector organization, do you believe that an equivalent to GDPR
   should be implemented in the United States?
Part 4: Protecting Critical Infrastructure and the Homeland
1. The Department of Defense (DoD) Cyber Strategy 2018 discusses the protection of
critical infrastructure and the homeland.
   1. What does that mean to private organizations such as yours?
   2. If most critical infrastructure in the United States is owned by the private sector,
   what responsibility does the DoD have in this regard?
   3. Some would argue US laws are outdated and thus the DoD has little authority to
   assist. Others would argue US laws were purposely established such that the
   private sector would defend itself and not need assistance from the military.
   Obviously, for the DoD to assist, it would need the private organizations' data.
   Said another way, the DoD would need your data as a private citizen/customer
   of that organization. Those who believe our laws need to be updated argue that
   giving up privacy for protection is legitimate.
   4. Others will argue that we should not give private information of citizens to the
   government for any reason. As a citizen, would you feel comfortable with this?
   As a private organization, would you feel comfortable giving information that
   may contain your customers' private data to the DoD?
   5. Is there a third solution (middle ground) you would propose that enables
   privacy but also enables cybersecurity?
Part 5: Cybersecurity Technologies
1. The authors of the National Security Strategy (2017) are looking to address particular
technologies that have the opportunity to revolutionize cybersecurity. They believe that
blockchain technology is a revolutionary technology that can significantly improve
cybersecurity.
   1. What would be your recommendation for how the NSS should present this
   technology to the public?
   2. Propose exactly what you believe should be written in the NSS. Specifically,
   explain blockchain technology in layman's terms for the nontechnical people who
   may be reading the NSS, give examples of how it could be used to provide
   revolutionary cybersecurity, include examples of how it is being used to provide
   cybersecurity solutions, and discuss what, if any, policies or laws should be
   established to mandate its use in specific industries.
Structure/Format
• Use additional sources of information but also describe the concepts in layman's terms.
• Use visuals where appropriate.
• While quality is valued over quantity, it is expected that a quality paper will result in a minimum
length of 10–15 pages.
• Please use APA formatting for your paper.
• Use the outline above for the structure of your paper.
• Please provide a title page with Group # and members.
• Please label each section with the member who wrote it, e.g., Introduction (Steven Tharp).