President Obama releases his second National Security Strategy today. The strategy warns that "danger of disruptive and even destructive cyberattack is growing," and describes a response based on greater investment in cyber capabilities, partnering with the owners and operators of critical infrastructure, pursuing legislation through Congress, and developing cybersecurity capacity in the rest of the world.
Here, after a quick reading of the document, are some of the interesting points about the cybersecurity references:
- The strategy states that the United States is shaping international norms of behavior and "building international capacity to disrupt and investigate cyber threats." What "disrupt" means is unclear. It may just refer to building the capacity of states to prosecute and convict cyber criminals. It may also refer to cooperation with Government Communications Headquarters, the NSA’s British counterpart, or other intelligence agencies to exploit the computers of hackers before they launch an attack.
- Unlike the 2010 National Security Strategy, the 2015 version explicitly calls out China. The United States will "take necessary actions to protect our businesses and defend our networks against cyber theft of trade secrets for commercial gain whether by private actors or the Chinese government."
- That same sentence is noteworthy because the U.S. government is clearly stating that it has a responsibility to protect the private sector from cyber espionage.
- The strategy repeats the United States’ assertion that international law applies to cyberspace: "cybersecurity requires that long-standing norms of international behavior—to include protection of intellectual property, online freedom, and respect for civilian infrastructure—be upheld."
That’s the quick takeaway. We will report back if anything else comes up in National Security Advisor Susan Rice’s speech at the Brookings Institute.