Release of U.S. National Strategy to Secure Cyberspace


Today, President George Bush's Administration released a draft version of the
National Strategy to Secure Cyberspace. The last U.S. Cyberspace Strategy was
released by the Clinton Administration in 2000. The new strategy reflects not
only an administration change but also the lessons learned from September 11.

Richard Clarke, Special Advisor to the President for Cyberspace Security, has
led the development of the strategy and will outline its contents at an event
today at Stanford University. As a demonstration of the close Canada-U.S.
cooperation in this area, Margaret Purdy, Associate Deputy Minister of National
Defence with responsibility for OCIPEP, will be speaking at the release. She
will emphasize the special importance of a coordinated Canada-U.S. approach to
ensuring the security of our shared infrastructure and the need for global
cooperation on cybersecurity issues.

The Strategy, which can be found at, is a
"living document" involving ongoing public and private sector input. It is
intended as a road map of what the government, industry and individuals must do
to secure networks. The President is expected to approve the first version
before the end of the year, and the President's Critical Infrastructure
Protection Board (PCIPB) will periodically issue new releases of the Strategy.

Overview of the Strategy

There are two fundamental shifts that underlie the Strategy. First, everyone in
the country, not just the government, must be responsible to secure their own
portion of cyberspace. There is a clear message that threats to cyberspace
cannot be handled exclusively by government, military and enforcement agencies.
Universities, different sectors of the economy and owners of critical
infrastructures such as electricity grids and telecommunications are encouraged
to secure their own networks.

Second, the nation must move away from the threat paradigm to a vulnerability
paradigm. Before the terrorist attacks on the U.S. last September, the
government was expected to warn of encroaching threats and advise as to the best
protection measures. The strategy proposes that the government's role in
securing networks should not be to regulate or dictate but to "empower all
Americans to secure their portions of cyberspace." The government intends to:

educate and create awareness among users and owners of cyberspace of the risks
and vulnerabilities;
produce new and more secure technologies;
develop a large and well-qualified cybersecurity workforce through training and
foster responsibility of individuals, enterprises and sectors for security at
all levels through the use of market forces, public-private partnerships, and in
the last resort, through regulation and legislation;
improve federal cybersecurity to make it a model for other sectors; and
develop early warning and efficient sharing of information both within and
between public and private sectors so that attacks are detected quickly and
responded to efficiently.
The document is divided into five sections: home users and small business; large
enterprise; critical sectors including government, private sector and academia;
national priorities; and global issues. Each level lays out strategic goals for
that set of user and highlights ongoing programs, recommendations and topics for
discussion to further develop the strategic goals. There are also appended
critical infrastructure sector plans for Banking and Finance, Electric, Oil and
Gas, Water, Transportation (Rail), Information and Communications, and
Chemicals. These plans can be found at or

The strategy also specifically recommends enhanced cooperation with Canada:

The United States should work together with Canada and Mexico to identify and
implement best practices for security of the many shared critical North American
information infrastructures. (R5-3)

In brief, some other relevant recommendations for the various sections are:
(reference "Summary of Recommendations in the Strategy)

Federal government to conduct a comprehensive program performance review of the
National Information Assurance Program (NIAP) with a vision to extending it to
all government IT procurement. (R3-1 & 2)

Academic institutions to establish one or more Information Sharing and Analysis
Center(s) (ISAC) to deal with cyber attacks and vulnerabilities. (R3-14)
Creation of private sector ISACs for each sector, conduct sector technology and
R&D gaps analysis, and development of sector best practices. (R3-15,16 & 17)
Internet Service Providers (ISP) to consider adopting a "code of good conduct"
governing their cybersecurity practices. (R4-3).

The Federal government to complete the installation of the Cyber Warning
Information Network (CWIN) to key government and non-government cybersecurity
operations centers for analysis and warning information and crisis coordination.

ISPs, hardware and software vendors, IT security-related companies, computer
emergency response teams, and the ISACs, together to consider establishing
Cyberspace Network Operations Center (Cyberspace NOC). (R4-39)

The recommendations are not binding but will influence decisions in Congress.
There are no specific recommendations for vendor or industry standards or
regulations for ISPs.


The draft National Strategy to Secure Cyberspace serves as both a consolidation
of cybersecurity best practices and a discussion piece for future action. It
also aims to clarify the roles and responsibilities of the government, the
private sector and the individual.

The immediate impact of the U.S. Strategy on Canada will be an increased focus
on Canada's, and more specifically the Government of Canada's, cybersecurity
approaches, policies and activities-as well as on cross-border CIP cooperation.
In August 2002, the first meeting of a new Bilateral Canada-U.S. CIP Steering
Committee took place in Ottawa and the two countries agreed on a framework for

The U.S. Strategy is consistent with the Canadian government's approach to
cybersecurity; in particular, awareness raising, training and education,
partnership development, federal leadership, and incident coordination and

OCIPEP will continue to monitor the evolution of the U.S. Strategy.

Contact Us
For urgent matters or to report any incidents, please contact OCIPEP's Emergency
Operations Centre at:

Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094

For general information, please contact OCIPEP's Communications Division at:

Phone: (613) 991-7035 or 1-800-830-3118
Fax: (613) 998-9589
Web Site:

Notice to readers
Information Notes are used to draw attention to information relating to
significant threats and vulnerabilities. Information Notes may contain
information not readily available in the public domain.

The information in thisInformation Note has been drawn from a variety of
external sources. Although OCIPEP makes every effort to ensure the accuracy,
currency and reliabilityof the content, OCIPEP does not offer any guarantee in
that regard.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to