CAP Draft
Outline
Adjoa N. Amponsah
Arizona State University
Course Title: GSC 550: Capstone
Instructor: Prof. Kubiak
October 23, 2022
A. Introduction
i. US security and prosperity depend heavily on how the country responds to today’s challenges and opportunities in cyberspace.
ii. National defense, critical infrastructure, and the daily lives of US citizens rely on interconnected information technologies.
iii. New vulnerabilities and threats have continued to emerge throughout history, forcing the US to develop cyber strategies to address them.
iv. The U.S. cyber strategy has evolved over the years to improve its efficiency in addressing emerging cyber trends and threats.
B. This paper analyzes cyber-related strategic development within the United States’ Department of Defense (DoD) since 2000. Comment by Jeff Kubiak: You’ll actually reach beyond the DoD as the NSS is a whole-of-government document. "...strategic development of the US national approach to cybersecurity as highlighted in the National Security Strategy."
C. Body
1. The evolution of the US cyber strategy since 2000
i. After the attack on September 11, 2001, the Bush administration developed various pieces of legislation and published numerous documents that shaped U.S. cybercrime policies (LaFree, 2022).
a. Most notably, the Homeland Security Act, which in 2003 established the Department of Homeland Security; the Patriot Act, which expanded the surveillance reach of the National Security Agency to fight both foreign and domestic terrorism; and the National Strategy publication to secure cyberspace (House, 2002). Comment by Jeff Kubiak: Why? What did they think the threat was? That gets at the question of how cybersecurity is viewed. Who uses it and for what nefarious end.
b. The National Strategy publication on securing cyberspace required the security agencies to improve their attribution capabilities, strengthen their counterintelligence efforts, and deconflict interagency coordination, and it declared that the U.S. reserves the right to respond in an appropriate manner to cyberattacks by terrorist groups, states, and any other adversaries.
c. Although the policies changed the U.S. cyberspace posture, it is not clear whether the agencies concerned actually acquired the capabilities or whether the policies merely established a legal capacity without assembling them. Comment by Jeff Kubiak: Good. Where would you look for evidence that resources were committed?
d. While on paper the U.S. Department of Defense's cyber strategy looked clearly organized and well divided, its operational results produced a history of mixed outcomes. In contrast, the Joint Task Force-Computer Network Operations (JTF-CNO) did well against various worms and viruses that hammered worldwide networks in the early 2000s. Comment by Jeff Kubiak: Ok, contrast to what? Citation.
ii. In May 2007, the Department of Defense discovered it was missing a substantial piece of the cyber defense puzzle.
a. While Estonia, the US-NATO ally, was pummeled for twenty-two days straight with a politically motivated DDoS attack for moving a Soviet-era monument from the center of Tallinn to its outskirts, policy analysts were divided into two. Comment by Jeff Kubiak: When? What year? 2007? Comment by Jeff Kubiak: What were the two parts? European perception and US perception. Not clear where this is going.
iii. The European side believed that the attacks were the start of cybermageddon and evidence of the hybrid warfare doctrine of Russia.
a. The Estonia incident demonstrated the stark contrast between the technical people and those responsible for articulating national security policies (Mostafa & Faragallah, 2019).
b. Shortly afterward, the cybermageddon narrative collapsed, and Estonian officials had to admit that, without technical evidence, linking Russia with the DDoS attack was shaky.
c. During this time, NATO had not acknowledged cyberspace as a critical military operational domain.
iv. In 2008, the U.S. developed the Comprehensive National Cybersecurity Initiative.
a. In January 2008, President Bush signed National Security Presidential Directive 54 (NSPD-54) and Homeland Security Presidential Directive 23 (HSPD-23) to better coordinate the government and enhance U.S. capabilities in deterring, protecting, detecting, classifying, attributing, monitoring, interdicting, and otherwise preventing unauthorized access to U.S. national security systems, private-sector critical infrastructure systems, and federal systems (Yu et al., 2021).
b. The Department of Homeland Security was assigned the duty to defend, protect and decrease vulnerabilities of the national systems through the leadership of the department's secretary. Comment by Jeff Kubiak: Any evidence that DHS did anything new in response to this increase in tasking?
v. The Comprehensive National Cybersecurity Initiative established various cyber-related programs that mainly focused on three major objectives. The first was creating a front-line defense against immediate threats by establishing or improving shared situational awareness of threats, network vulnerabilities, and events within the national government (Botelho et al., 2021).
a. Secondly, the U.S. counterintelligence capabilities were enhanced against the full spectrum of threats by improving supply chain security for crucial information technologies.
b. The third objective was strengthening the future cybersecurity environment by establishing and developing strategies for deterring malicious or hostile cyberspace activities. The Pentagon experienced its most substantial network breach to date; why scramble to transform the CNCI into practical results?
vi. The Obama administration ordered a 60-day review named "clean state" in January 2009 to evaluate the existing policies and structures of cybersecurity.
a. The White House published the outcome of the review four months later, rejecting the status quo. The country intended to demonstrate its seriousness about cybersecurity through vision and leadership.
b. The cybersecurity policy built on the CNCI by recommending a strategy that brings together like-minded countries on various issues, including acceptable norms towards sovereign responsibility, the use of force, and territorial jurisdiction (Napetvaridze & Chochia, 2019).
c. There was a recommendation to appoint a cybersecurity policy coordinator in the White House to elevate cybersecurity-related issues. While the cybersecurity policy review was under discussion, President Obama was tracking Iran's nuclear enrichment in secrecy.
d. Parallel to the White House realignment, the NSA and DoD consolidated their cybersecurity operations in the newly established US Cyber Command (CYBERCOM). The Obama administration did not yield to the DSB report's calls and emphasized deterrence by de-digitalization and deterrence by denial as the U.S. international cybersecurity strategy. Comment by Jeff Kubiak: Maybe you can interview LTG Schmidle on this process as he was there at the beginning.
vii. In January 2019, when President Trump assumed office, his administration experienced significant public pressure to deal with Russia. Comment by Jeff Kubiak: A ten-year jump in your story. Nothing between 2009 and 2019?
a. The government was careful to ensure strong network systems to prevent it during important national processes like the election.
b. This administration was so passionate about establishing more advanced cybersecurity policies to fight the multi-led cybersecurity issues.
viii. In May 2021, President Biden signed the cybersecurity executive order, which outlined various cyber strategies, including a federal zero trust strategy, enhancing the cybersecurity of National Security Systems, and a cybersecurity review board.
2. Subordinate Strategies’ Comparison
i. The subordinate cybersecurity strategies supporting the US national strategies share some similarities while also differing in some respects. The table below contains some similarities and differences.
| Objective Comment by Jeff Kubiak: Which documents is this comparing? | Similarities | Differences |
| --- | --- | --- |
| Reinforcing public-private co-operation. | All the subordinate strategies recognize that cybercrime policies should be grounded on inclusive private-public partnerships, which include civil society, business, academia, and the internet technical community. | The methods and modalities of such cooperation and consultation and the extent of detail offered in the strategies differ. |
| Respect for fundamental values | All the subordinate cyber security strategies strongly emphasize respecting fundamental values like freedom of speech, privacy, and free information flow. Various subordinate strategies explicitly mention the importance of maintaining internet openness, and no strategy recommends internet modification to improve cybersecurity. | Internet openness is generally described in some strategies as a key requirement for further internet economic development. |
| Improving international co-operation | Most strategies express international cooperation and forming better partnerships and alliances with like-minded allies, including enhancing capacity building of third-world countries, as the key goal of the strategies. | Different strategies give little or varying detail on the approach to achieve improved international cooperation. |
3. Budgetary Strategies
i. The US government has allocated $2.5 billion to the Cybersecurity and Infrastructure Security Agency, which is under the Department of Homeland Security. Comment by Jeff Kubiak: Ok, good. When did they create CISA?
ii. This is about $500 million above the budget allocated in the previous years.
iii. The funding enhances the federal infrastructure protection and delivery of services against complex cyber threats, including bolstering support capabilities like improved analytics and cloud business applications, improving capabilities of the US rescue plan, and stakeholder engagement.
iv. Due to increasing threats from Russia, the US has proposed a budget increase of $197 million by 2023 to strengthen the security systems of sensitive agencies.
v. Some targeted organizations for budgetary increases to enhance cyber security include the Federal Aviation Administration, the Coast Guard, the Treasury Department, the Department of Veterans Affairs, and the Department of Justice.
vi. The US government plans to support Ukraine with $682 million to counter Russia by enhancing cybersecurity, civil society resilience, and efforts to counter disinformation.
4. Connecting the Past to the Present
i. The cyber security strategies throughout history have all focused on keeping cyberspace safe and secure for all American citizens.
ii. The strategies have a strong foundation in cyber research and attract considerable budgetary investments.
iii. They are subject to continuous improvements and supported by other subordinate strategies.
5. Recommendations on Future Cyber Strategies Comment by Jeff Kubiak: Not sure you need this section. You won’t have made a solid argument for any future actions. It is sufficient for you to make some generalized comments about the evolution/maturation of US approaches to cybersecurity as part of national security.
i. The government should spearhead national efforts towards ensuring resilience and defense against cyber threat actors that target the private sector, the US critical infrastructure, and the American people.
ii. The strategy should focus on reducing risks and strengthening the resilience of the US critical infrastructure. CISA should coordinate national efforts to protect and secure US critical infrastructure against risks.
iii. Relevant authorities should focus on strengthening a holistic national inclusiveness and active collaboration and sharing of information.
iv. Agencies should integrate capabilities, functions, and workforce to better deal with cyber security threats.
D. Conclusion
i. The U.S. cyber strategy has evolved over the years to improve its efficiency in addressing emerging cyber threats. Comment by Jeff Kubiak: Specifically, in what ways?
ii. The evolution is highly linked with the transition of administrations. Comment by Jeff Kubiak: Ok, that's when fresh looks were made, but did the story change dramatically because of administration or because of the look being fresh?
iii. The cyber security strategies throughout history have all focused on keeping cyberspace safe and secure for all Americans, have a strong foundation in cyber research, and attract considerable budgetary investments. Comment by Jeff Kubiak: Ok, this is assumed as that is the government's job. But how did the government's understanding of the emerging threat change? When and how?
iv. The government should spearhead national efforts towards ensuring resilience and defense against cyber threat actors that target the private sector, the US critical infrastructure, and the American people. Comment by Jeff Kubiak: Why resilience? Why not more defense and offense, instead of civil defense and consequence mitigation? This assertion is probably correct, but why? Is that where the cybersecurity strategy narrative is headed?
E. References
Botelho, J., Proença, L., Leira, Y., Chambrone, L., Mendes, J. J., & Machado, V. (2021). Economic Burden of Periodontal Disease in Europe and the United States of America–An updated forecast. medRxiv.
House, W. (2002). The National Security Strategy of the United States of America, September 2002. Online: https://www.hsdl.org.
LaFree, G. (2022). In the shadow of 9/11: How the study of political extremism has reshaped criminology. Criminology, 60(1), 5-26.
Mostafa, M., & Faragallah, O. S. (2019). Development of serious games for teaching information security courses. IEEE Access, 7, 169293-169305.
Napetvaridze, V., & Chochia, A. (2019). Cybersecurity in the Making–Policy and Law: a Case Study of Georgia. International & Comparative Law Review/Mezinárodní a Srovnávací Právní Revue, 19(2).
Yu, K., Guo, Z., Shen, Y., Wang, W., Lin, J. C. W., & Sato, T. (2021). Secure artificial intelligence of things for implicit group recommendations. IEEE Internet of Things Journal, 9(4), 2698-2707.