Release of U.S. National Strategy to Secure Cyberspace

Information Note Number: IN02-006
18 September 2002

Purpose

Today, President George Bush's Administration released a draft version of the National Strategy to Secure Cyberspace. The last U.S. Cyberspace Strategy was released by the Clinton Administration in 2000. The new strategy reflects not only an administration change but also the lessons learned from September 11.

Richard Clarke, Special Advisor to the President for Cyberspace Security, has led the development of the strategy and will outline its contents at an event today at Stanford University. As a demonstration of the close Canada-U.S. cooperation in this area, Margaret Purdy, Associate Deputy Minister of National Defence with responsibility for OCIPEP, will be speaking at the release. She will emphasize the special importance of a coordinated Canada-U.S. approach to ensuring the security of our shared infrastructure and the need for global cooperation on cybersecurity issues.

The Strategy, which can be found at Securecyberspace.gov, is a "living document" involving ongoing public and private sector input. It is intended as a road map of what the government, industry and individuals must do to secure networks. The President is expected to approve the first version before the end of the year, and the President's Critical Infrastructure Protection Board (PCIPB) will periodically issue new releases of the Strategy.

Overview of the Strategy

There are two fundamental shifts that underlie the Strategy. First, everyone in the country, not just the government, must be responsible for securing their own portion of cyberspace. There is a clear message that threats to cyberspace cannot be handled exclusively by government, military and enforcement agencies. Universities, different sectors of the economy and owners of critical infrastructures such as electricity grids and telecommunications are encouraged to secure their own networks.

Second, the nation must move away from the threat paradigm to a vulnerability paradigm. Before the terrorist attacks on the U.S. last September, the government was expected to warn of encroaching threats and advise as to the best protection measures. The strategy proposes that the government's role in securing networks should not be to regulate or dictate but to "empower all Americans to secure their portions of cyberspace." The government intends to:

  • educate and create awareness among users and owners of cyberspace of the risks and vulnerabilities;
  • produce new and more secure technologies;
  • develop a large and well-qualified cybersecurity workforce through training and education;
  • foster responsibility of individuals, enterprises and sectors for security at all levels through the use of market forces, public-private partnerships, and in the last resort, through regulation and legislation;
  • improve federal cybersecurity to make it a model for other sectors; and
  • develop early warning and efficient sharing of information both within and between public and private sectors so that attacks are detected quickly and responded to efficiently.

The document is divided into five sections: home users and small business; large enterprise; critical sectors including government, private sector and academia; national priorities; and global issues. Each level lays out strategic goals for that set of users and highlights ongoing programs, recommendations and topics for discussion to further develop the strategic goals. There are also appended critical infrastructure sector plans for Banking and Finance, Electric, Oil and Gas, Water, Transportation (Rail), Information and Communications, and Chemicals. These plans can be found at www.ciao.gov or www.pcis.org.

The strategy also specifically recommends enhanced cooperation with Canada:

  • The United States should work together with Canada and Mexico to identify and implement best practices for security of the many shared critical North American information infrastructures. (R5-3)

In brief, some other relevant recommendations for the various sections are (reference: "Summary of Recommendations" in the Strategy):

  • Federal government to conduct a comprehensive program performance review of the National Information Assurance Program (NIAP) with a vision to extending it to all government IT procurement. (R3-1 & 2)
  • Academic institutions to establish one or more Information Sharing and Analysis Center(s) (ISAC) to deal with cyber attacks and vulnerabilities. (R3-14)
  • Creation of private sector ISACs for each sector, conduct sector technology and R&D gaps analysis, and development of sector best practices. (R3-15,16 & 17)
  • Internet Service Providers (ISP) to consider adopting a "code of good conduct" governing their cybersecurity practices. (R4-3)
  • The Federal government to complete the installation of the Cyber Warning Information Network (CWIN) to key government and non-government cybersecurity operations centers for analysis and warning information and crisis coordination. (R4-40)
  • ISPs, hardware and software vendors, IT security-related companies, computer emergency response teams, and the ISACs, together to consider establishing a Cyberspace Network Operations Center (Cyberspace NOC). (R4-39)

The recommendations are not binding but will influence decisions in Congress. There are no specific recommendations for vendor or industry standards or regulations for ISPs.

Comment

The draft National Strategy to Secure Cyberspace serves as both a consolidation of cybersecurity best practices and a discussion piece for future action. It also aims to clarify the roles and responsibilities of the government, the private sector and the individual.

The immediate impact of the U.S. Strategy on Canada will be an increased focus on Canada's, and more specifically the Government of Canada's, cybersecurity approaches, policies and activities, as well as on cross-border CIP cooperation. In August 2002, the first meeting of a new Bilateral Canada-U.S. CIP Steering Committee took place in Ottawa and the two countries agreed on a framework for cooperation.

The U.S. Strategy is consistent with the Canadian government's approach to cybersecurity; in particular, awareness raising, training and education, partnership development, federal leadership, and incident coordination and management.

OCIPEP will continue to monitor the evolution of the U.S. Strategy.

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca