sign in sign up
<<
Home , Cybersecurity standards, National security

NATIONAL CYBER STRATEGY of the of America

SEPTEMBER 2018

THE W HITE HOUSE

W A S H I N G T O N , D C

My fellow Americans:

Protecting America’s national and promoting the prosperity of the American people are my top priorities. Ensuring the security of is fundamental to both endeavors. Cyberspace is an integral component of all facets of American life, including our and defense. Yet, our private and public entities still struggle to secure their systems, and adver- saries have increased the frequency and sophistication of their malicious cyber activities. America created the Internet and shared it with the world. Now, we must make sure to secure and preserve cyberspace for future generations.

In the last 18 months, my Administration has taken action to address cyber threats. We have sanctioned malign cyber actors. We have indicted those that committed . We have publicly attributed malicious activity to the adversaries responsible and released details about the tools they employed. We have required departments and agencies to remove software vulnerable to various security risks. We have taken action to hold department and agency heads accountable for managing cybersecurity risks to the systems they control, while empowering them to provide adequate security. In addition, last year, I signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical . The work performed and reports created in response to that Executive Order laid the groundwork for this National Cyber Strategy.

With the release of this National Cyber Strategy, the United States now has its first fully articu- lated cyber strategy in 15 years. This strategy explains how my Administration will:

• Defend the homeland by protecting networks, systems, functions, and data;

• Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;

• Preserve and security by strengthening the ability of the United States — in concert with allies and partners — to deter and, if necessary, punish those who use cyber tools for malicious purposes; and

• Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

I The National Cyber Strategy demonstrates my commitment to strengthening America’s cybersecurity capabilities and securing America from cyber threats. It is a call to action for all Americans and our great companies to take the necessary steps to enhance our national cyber- security. We will continue to lead the world in securing a prosperous cyber future.

Sincerely,

President Donald J. Trump

The September 2018

II

Table of Contents

Introduction 1 How Did We Get Here? 1 The Way Forward 2

Pillar I: Protect the American People, the Homeland, 6 and the American Way of Life 6 Secure Federal Networks and Information 6 Further Centralize Management and Oversight of Federal Cybersecurity 6 Align Risk Management and Information Technology Activities 7 Improve Federal Supply Chain Risk Management 7 Strengthen Federal Contractor Cybersecurity 7 Ensure the Leads in Best and Innovative Practices 8 Secure 8 Refine Roles and Responsibilities 8 Prioritize Actions According to Identified National Risks 8 Leverage Information and Communications Technology Providers as Cybersecurity Enablers 9 Protect our Democracy 9 Incentivize Cybersecurity Investments 9 Prioritize National Research and Development Investments 9 Improve Transportation and Maritime Cybersecurity 9 Improve Space Cybersecurity 10 Combat and Improve Incident Reporting 10 Improve Incident Reporting and Response 10 Modernize Electronic and Laws 11 Reduce Threats from Transnational Criminal Organizations in Cyberspace 11 Improve Apprehension of Criminals Located Abroad 11 Strengthen Partner Nations’ Law Enforcement Capacity to Combat Criminal Cyber Activity 11

Pillar II: Promote American Prosperity 14 Foster a Vibrant and Resilient Digital Economy 14 Incentivize an Adaptable and Secure Technology Marketplace 14 Prioritize Innovation 14 Invest in Next Generation Infrastructure 15 Promote the Free Flow of Data Across Borders 15 Maintain United States Leadership in Emerging Technologies 15

V Promote Full-Lifecycle Cybersecurity 15 Foster and Protect United States Ingenuity 16 Update Mechanisms to Review Foreign Investment and Operation in the United States 16 Maintain a Strong and Balanced Intellectual Property Protection System 16 Protect the Confidentiality and Integrity of American Ideas 16 Develop a Superior Cybersecurity Workforce 17 Build and Sustain the Talent Pipeline 17 Expand Re-Skilling and Educational Opportunities for America’s Workers 17 Enhance the Federal Cybersecurity Workforce 17 Use Executive Authority to Highlight and Reward Talent 17

Pillar III: Preserve Peace through Strength 20 Enhance Cyber Stability through Norms of Responsible State Behavior 20 Encourage Universal Adherence to Cyber Norms 20 Attribute and Deter Unacceptable Behavior in Cyberspace 21 Lead with Objective, Collaborative Intelligence 21 Impose Consequences 21 Build a Cyber Deterrence Initiative 21 Counter Malign Cyber Influence and Information Operations 21

Pillar IV: Advance American Influence 24 Promote an Open, Interoperable, Reliable, and Secure Internet 24 Protect and Promote Internet Freedom 24 Work with Like-Minded Countries, Industry, Academia, and Civil Society 25 Promote a Multi-Stakeholder Model of Internet 25 Promote Interoperable and Reliable Communications Infrastructure 25 and Internet Connectivity Promote and Maintain Markets for United States Ingenuity Worldwide 25 Build International Cyber Capacity 26 Enhance Cyber Capacity Building Efforts 26

VI

Introduction

America’s prosperity and security depend on how we respond to the opportu- nities and challenges in cyberspace. Critical infrastructure, national defense, and the daily lives of Americans rely on computer-driven and interconnected infor- mation technologies. As all facets of American life have become more dependent on a secure cyberspace, new vulnerabilities have been revealed and new threats continue to emerge. Building on the National Security Strategy and the Admin- istration’s progress over its first 18 months, the National Cyber Strategy outlines how the United States will ensure the American people continue to reap the benefits of a secure cyberspace that reflects our principles, protects our security, and promotes our prosperity.

How Did We Get Here? would be self-evident. Large parts of the world have embraced America’s vision of a shared and The rise of the Internet and the growing centrality open cyberspace for the mutual benefit of all. of cyberspace to all facets of the modern world Our competitors and adversaries, however, corresponded with the rise of the United States have taken an opposite approach. They benefit as the world’s lone superpower. For the past from the open Internet, while constricting and quarter century, the ingenuity of the American controlling their own people’s access to it, and people drove the evolution of cyberspace, and actively undermine the principles of an open in turn, cyberspace has become fundamental Internet in international forums. They hide to American wealth creation and innovation. behind notions of sovereignty while recklessly Cyberspace is an inseparable component of violating the laws of other states by engaging in America’s financial, social, government, and pernicious economic espionage and malicious political life. Meanwhile, Americans sometimes cyber activities, causing significant economic took for granted that the supremacy of the disruption and harm to individuals, commercial United States in the cyber domain would remain and non-commercial interests, and unchallenged, and that America’s vision for an across the world. They view cyberspace as an open, interoperable, reliable, and secure Internet arena where the United States’ overwhelming would inevitably become a reality. Americans , economic, and political power could believed the growth of the Internet would carry be neutralized and where the United States the universal aspirations for free expression and and its allies and partners are vulnerable. individual around the world. Americans assumed the opportunities to expand commu- Russia, , and North Korea conducted reckless nication, commerce, and free exchange of ideas cyber attacks that harmed American and inter-

1 INTRODUCTION

national businesses and our allies and partners The Administration is already taking action to without paying costs likely to deter future cyber aggressively address these threats and adjust to aggression. engaged in cyber-enabled new realities. The United States has sanctioned economic espionage and trillions of dollars of malign cyber actors and indicted those that intellectual property theft. Non-state actors have committed cybercrimes. We have publicly — including terrorists and attributed malicious activity to criminals — exploited cyber- the responsible adversaries and space to profit, recruit, propa- W released details of the tools and gandize, and attack the United infrastructure they employed. States and its allies and We have required depart- partners, with their actions DONALD J. TRUMP ments and agencies to remove often shielded by hostile SEPTEMBER 2018 software vulnerable to various states. Public and private security risks. We have taken entities have struggled to action to hold department secure their systems as adversaries increase the and agency heads accountable for managing the frequency and sophistication of their malicious cybersecurity risks to systems they control, while cyber activities. Entities across the United empowering them to provide adequate security. States have faced cybersecurity challenges in effectively identifying, protecting, and The Administration’s approach to cyberspace is ensuring resilience of their networks, systems, anchored by enduring American values, such as functions, and data as well as detecting, the belief in the power of individual liberty, free responding to, and recovering from incidents. expression, free markets, and . We retain our commitment to the promise of an open, The Way Forward interoperable, reliable, and secure Internet to strengthen and extend our values and protect and New threats and a new era of strategic compe- ensure economic security for American workers tition demand a new cyber strategy that responds and companies. The future we desire will not to new realities, reduces vulnerabilities, deters come without a renewed American commitment adversaries, and safeguards opportunities for to advance our interests across cyberspace. the American people to thrive. Securing cyber- space is fundamental to our strategy and requires The Administration recognizes that the United technical advancements and administrative States is engaged in a continuous competition efficiency across the Federal Government and against strategic adversaries, rogue states, and the private sector. The Administration also terrorist and criminal networks. Russia, China, recognizes that a purely technocratic approach Iran, and North Korea all use cyberspace as a to cyberspace is insufficient to address the means to challenge the United States, its allies, nature of the new problems we confront. The and partners, often with a recklessness they would United States must also have policy choices never consider in other domains. These adver- to impose costs if it hopes to deter malicious saries use cyber tools to undermine our economy cyber actors and prevent further escalation. and democracy, steal our intellectual property,

2 NATIONAL CYBER STRATEGY

and sow discord in our democratic processes. We well as detection of, resilience against, response are vulnerable to peacetime cyber attacks against to, and recovery from incidents; destructive, critical infrastructure, and the risk is growing disruptive, or otherwise destabilizing malicious that these countries will conduct cyber attacks cyber activities directed against United States against the United States during a crisis short interests are reduced or prevented; activity that of . These adversaries are continually devel- is contrary to responsible behavior in cyber- oping new and more effective cyber weapons. space is deterred through the imposition of costs through cyber and non-cyber means; and the This National Cyber Strategy outlines how we will United States is positioned to use cyber capabil- (1) defend the homeland by protecting networks, ities to achieve national security objectives. systems, functions, and data; (2) promote American prosperity by nurturing a secure, The articulation of the National Cyber Strategy thriving digital economy and fostering strong is organized according to the pillars of the domestic innovation; (3) preserve peace and National Security Strategy. The National Security security by strengthening the United States’ ability Council staff will coordinate with departments, — in concert with allies and partners — to deter agencies, and the Office of Management and and if necessary punish those who use cyber tools Budget (OMB) on an appropriate resource for malicious purposes; and (4) expand American plan to implement this Strategy. Depart- influence abroad to extend the key tenets of an ments and agencies will execute their missions open, interoperable, reliable, and secure Internet. informed by the following strategic guidance.

The Strategy’s success will be realized when cybersecurity vulnerabilities are effectively managed through identification and protection of networks, systems, functions, and data as

3

PILLAR I

Protect the American People, the Homeland, and the American Way of Life

rotecting the American people, the bilities, and accountability within and across American way of life, and American departments and agencies for securing Federal interests is at the forefront of the National information systems, while setting the standard PSecurity Strategy. Protecting American infor- for effective cybersecurity risk management. mation networks, whether government or As part of this effort, the Administration will private, is vital to fulfilling this objective. It will centralize some authorities within the Federal require a series of coordinated actions focused Government, enable greater cross-agency on protecting government networks, protecting visibility, improve management of our Federal critical infrastructure, and combating cybercrime. supply chain, and strengthen the security of The United States Government, private industry, United States Government contractor systems. and the public must each take immediate and decisive actions to strengthen cybersecurity, Priority Actions with each working on securing the networks FURTHER CENTRALIZE MANAGEMENT AND under their control and supporting each other as OVERSIGHT OF FEDERAL CIVILIAN CYBERSECURITY: appropriate. The Administration will act to further enable the OBJECTIVE: Manage cybersecurity risks to Department of (DHS) to secure increase the security and resilience of the Federal department and agency networks, with Nation’s information and information systems. the exception of national security systems and Department of Defense (DOD) and Intelligence Secure Federal Networks and Community (IC) systems. This includes ensuring Information DHS has appropriate access to agency infor- mation systems for cybersecurity purposes and The responsibility to secure Federal networks can take and direct action to safeguard systems — including Federal information systems and from the spectrum of risks. Under the oversight of national security systems — falls squarely on the OMB, the Administration will expand on work the Federal Government. The Administration begun under Executive Order (E.O.) 13800 to prior- will clarify the relevant authorities, responsi- itize the transition of agencies to shared services

6 PILLAR I: PROTECT THE AMERICAN PEOPLE, THE HOMELAND, AND THE AMERICAN WAY OF LIFE

and infrastructure. DHS will have appropriate better ensure the technology that the Federal visibility into those services and infrastructure Government deploys is secure and reliable. to improve United States cybersecurity posture. This includes ensuring better information We will continue to deploy centralized capabil- sharing among departments and agencies to ities, tools, and services through DHS where improve awareness of supply chain threats appropriate, and improve and reduce duplicative oversight and compliance supply chain activities with applicable laws, within the United States policies, standards, and Government, including by directives. This will likely creating a supply chain require new policies and risk assessment shared architectures that enable service. It also includes the government to better leverage innovation. addressing deficiencies in the Federal acqui- DOD and the IC will consider these activities as they sition system, such as providing more stream- work to better secure national security systems, lined authorities to exclude risky vendors, DOD systems, and IC systems, as appropriate. products, and services when justified. This effort will be synchronized with efforts to manage ALIGN RISK MANAGEMENT AND INFORMATION supply chain risk in the Nation’s infrastructure. TECHNOLOGY ACTIVITIES: E.O. 13833, Enhancing the Effectiveness of Agency Chief Information STRENGTHEN FEDERAL CONTRACTOR CYBER- Officers, empowers Chief Information Officers SECURITY: The United States cannot afford (CIOs) to more effectively leverage technology to have sensitive government information or to accomplish agency missions, cut down on systems inadequately secured by contractors. duplication, and make information technology Federal contractors provide important services (IT) investment more efficient. Department and to the United States Government and must agency leaders will empower and hold their properly secure the systems through which CIOs accountable to align cybersecurity risk they provide those services. Going forward, management decisions and IT budgeting and the Federal Government will be able to assess procurement decisions. The Administration, the security of its data by reviewing contractor through OMB and DHS, will continue to guide and risk management practices and adequately direct risk management actions across Federal testing, hunting, sensoring, and responding civilian departments and agencies, and CIOs will to incidents on contractor systems. be empowered to take a proactive leadership role with Federal departments and agencies will in assuring IT procurement decisions assign the be drafted to authorize such activities for the proper priority to securing networks and data. purpose of improving cybersecurity. Among the IMPROVE FEDERAL SUPPLY CHAIN RISK acute concerns in this area are those contractors MANAGEMENT: The Administration will integrate within the defense industrial base responsible for supply chain risk management into agency researching and developing key systems fielded procurement and risk management processes by the DOD. Further, as recommended in the in accordance with federal requirements that E.O. 13800 Report to the President on Federal IT are consistent with industry best practices to Modernization, the Administration will support

7 NATIONAL CYBER STRATEGY

adoption of consolidated acquisition strategies sector, we will collectively use a risk-management to improve cybersecurity and reduce overhead approach to mitigating vulnerabilities to raise the costs associated with using inconsistent base level of cybersecurity across critical infra- provisions across the Federal Government. It structure. We will simultaneously use a conse- will also act to ensure, where appropriate, quence-driven approach to prioritize actions that Federal contractors receive and use all that reduce the potential that the most advanced relevant and shareable threat and vulnerability adversaries could cause large-scale or long-du- information to improve their security posture. ration disruptions to critical infrastructure. We

ENSURE THE GOVERNMENT LEADS IN BEST AND will also deter malicious cyber actors by imposing INNOVATIVE PRACTICES: The Federal Government costs on them and their sponsors by leveraging a will ensure the systems it owns and operates range of tools, including but not limited to prose- meet the standards and cybersecurity best cutions and economic sanctions, as part of a practices it recommends to industry. Projects broader deterrence strategy. that receive Federal funding must meet these standards as well. The Federal Government will Priority Actions use its purchasing power to drive sector-wide improvement in products and services. The REFINE ROLES AND RESPONSIBILITIES: The Admin- Federal Government will also be a leader in istration will clarify the roles and responsibil- developing and implementing standards and ities of Federal agencies and the expectations best practices in new and emerging areas. For on the private sector related to cybersecurity example, public key is founda- risk management and incident response. Clarity tional to the secure operation of our infra- will enable proactive risk management that structure. To protect against the potential comprehensively addresses threats, vulnera- threat of quantum being able to bilities, and consequences. It will also identify break modern public key cryptography, the and existing gaps in responsibilities and Department of Commerce, through the National coordination among Federal and non-Federal Institute of Standards and Technology (NIST), incident response efforts and promote more will continue to solicit, evaluate, and standardize routine training, exercises, and coordination. quantum-resistant, public key cryptographic PRIORITIZE ACTIONS ACCORDING TO IDENTIFIED algorithms. The United States must be at the NATIONAL RISKS: The Federal Government will forefront of protecting communications by work with the private sector to manage risks to supporting rapid adoption of these forthcoming critical infrastructure at the greatest risk. The NIST standards across government infrastructure Administration will develop a comprehensive and by encouraging the Nation to do the same. understanding of national risk by identifying national critical functions and will mature Secure Critical Infrastructure our cybersecurity offerings and engagements The responsibility to secure the Nation’s critical to better manage those national risks. The infrastructure and manage its cybersecurity risk Administration will prioritize risk-reduction is shared by the private sector and the Federal activities across seven key areas: national Government. In partnership with the private security, energy and power, banking and

8 PILLAR I: PROTECT THE AMERICAN PEOPLE, THE HOMELAND, AND THE AMERICAN WAY OF LIFE

finance, health and safety, communications, protect the election infrastructure. The Federal information technology, and transportation. Government will continue to coordinate the

LEVERAGE INFORMATION AND COMMUNICATIONS development of cybersecurity standards and TECHNOLOGY PROVIDERS AS CYBERSECURITY guidance to safeguard the electoral process and ENABLERS: Information and communications the tools that deliver a secure system. In the technology (ICT) underlies every sector in event of a significant cyber incident, the Federal America. ICT providers are in a unique position Government is poised to provide threat and to detect, prevent, and mitigate risk before asset response to recover election infrastructure. it impacts their customers, and the Federal INCENTIVIZE CYBERSECURITY INVESTMENTS: Most Government must work with these providers to cybersecurity risks to critical infrastructure stem improve ICT security and resilience in a targeted from the exploitation of known vulnerabilities. and efficient manner while protecting privacy The United States Government will work with and . The United States Government private and public sector entities to promote will strengthen efforts to share information with understanding of cybersecurity risk so they make ICT providers to enable them to respond to and more informed risk-management decisions, remediate known malicious cyber activity at the invest in appropriate security measures, and network level. This will include sharing classified realize benefits from those investments. threat and vulnerability information with cleared ICT operators and downgrading information to PRIORITIZE NATIONAL RESEARCH AND DEVEL- the unclassified level as much as possible. We will OPMENT INVESTMENTS: The Federal Government promote an adaptable, sustainable, and secure will update the National Critical Infrastructure technology supply chain that supports security Security and Resilience Research and Devel- based on best practices and standards. The United opment Plan to set priorities for addressing cyber- States Government will convene stakeholders security risks to critical infrastructure. Depart- to devise cross-sector solutions to challenges ments and agencies will align their investments at the network, device, and gateway layers, and to the priorities, which will focus on building new we will encourage industry-driven certification cybersecurity approaches that use emerging regimes that ensure solutions can adapt in a technologies, improving information-sharing rapidly evolving market and threat landscape. and risk management related to cross-sector interdependencies, and building resilience PROTECT OUR DEMOCRACY: Securing our to large-scale or long-duration disruptions. democratic processes is of paramount impor- IMPROVE TRANSPORTATION AND MARITIME CYBER- tance to the United States and our democratic SECURITY: America’s economic and national allies. State and local government officials own security is built on global trade and transpor- and operate diverse election infrastructure within tation. Our ability to guarantee free and timely the United States. Therefore, when requested movement of goods, open sea and air lines we will provide technical and risk management of communications, access to oil and natural services, support training and exercising, gas, and availability of associated critical infra- maintain situational awareness of threats to this structures is vital to our economic and national sector, and improve the sharing of threat intelli- security. As these sectors have modernized, gence with those officials to better prepare and

9 NATIONAL CYBER STRATEGY

they have also become more vulnerable to cyber ation with state, local, tribal, and territorial exploitation or attack. Maritime cybersecurity government entities, play a critical role in is of particular concern because lost or delayed detecting, preventing, disrupting, and investi- shipments can result in strategic economic gating cyber threats to our Nation. The United disruptions and potential spillover effects on States is regularly the victim of malicious cyber downstream industries. Given the criticality of activity perpetrated by criminal actors, including maritime transportation to the United States and state and non-state actors and their proxies global economy and the minimal risk-reduction and terrorists using network infrastructure investments to protect against cyber exploitation in the United States and abroad. Federal law made thus far, the United States will move enforcement works to apprehend and prosecute quickly to clarify maritime cybersecurity roles offenders, disable criminal infrastructure, limit and responsibilities; promote enhanced mecha- the spread and use of nefarious cyber capabil- nisms for international coordination and infor- ities, prevent cyber criminals and their state mation sharing; and accelerate the development sponsors from profiting from their illicit activity, of next-generation cyber-resilient maritime and seize their assets. The Administration will infrastructure. The United States will assure the push to ensure that our Federal departments uninterrupted transport of goods in the face of and agencies have the necessary legal author- all threats that can hold this inherently interna- ities and resources to combat transnational tional infrastructure at risk through cyber means. cybercriminal activity, including identifying and

IMPROVE SPACE CYBERSECURITY: The United dismantling , dark markets, and other States considers unfettered access to and infrastructure used to enable cybercrime, and freedom to operate in space vital to advancing combatting economic espionage. To effectively the security, economic prosperity, and scientific deter, disrupt, and prevent cyber threats, law knowledge of the Nation. The Administration enforcement will work with private industry to is concerned about the growing cyber-related confront challenges presented by technological threats to space assets and supporting infra- barriers, such as anonymization and structure because these assets are critical to technologies, to obtain time-sensitive evidence functions such as positioning, navigation, and pursuant to appropriate legal process. Law timing (PNT); intelligence, surveillance, and enforcement actions to combat criminal cyber reconnaissance (ISR); satellite communications; activity serve as an instrument of and weather monitoring. The Administration by, among other things, deterring those activities. will enhance efforts to protect our space assets and support infrastructure from evolving cyber Priority Actions threats, and we will work with industry and IMPROVE INCIDENT REPORTING AND RESPONSE: international partners to strengthen the cyber The United States Government will continue resilience of existing and future space systems. to encourage reporting of intrusions and theft of data by all victims, especially critical infra- Combat Cybercrime and structure partners. The prompt reporting of Improve Incident Reporting cyber incidents to the Federal Government is Federal departments and agencies, in cooper- essential to an effective response, linking of

10 PILLAR I: PROTECT THE AMERICAN PEOPLE, THE HOMELAND, AND THE AMERICAN WAY OF LIFE

related incidents, identification of the perpe- and other efforts with countries to promote trators, and prevention of future incidents. cooperation with legitimate extradition requests. We will push other nations to expedite their assis- MODERNIZE ELECTRONIC SURVEILLANCE AND tance in investigations and to comply with any COMPUTER CRIME LAWS: The Administration will bilateral or multilateral agreements or obligations. work with the Congress to update electronic surveillance and computer crime statutes to STRENGTHEN PARTNER NATIONS’ LAW enhance law enforcement’s capabilities to ENFORCEMENT CAPACITY TO COMBAT CRIMINAL lawfully gather necessary evidence of criminal CYBER ACTIVITY: The United States should also activity, disrupt criminal infrastructure through aid willing partner nations to build their capacity civil injunctions, and impose appropriate to address criminal cyber activity. The borderless consequences upon malicious cyber actors. nature of cybercrime, including state-sponsored

REDUCE THREATS FROM TRANSNATIONAL and terrorist activities, requires strong inter- CRIMINAL ORGANIZATIONS IN CYBERSPACE: national law enforcement partnerships. This Computer hacking conducted by transnational cooperation requires foreign law enforcement criminal groups poses a significant threat to our agencies to have the technical capability to national security. Equipped with sizeable funds, assist United States law enforcement effectively organized criminal groups operating abroad when requested. It is therefore in the interest of employ sophisticated malicious software, spear- United States national security to continue campaigns, and other hacking tools building cybercrime-fighting capacity that — some of which rival those of nation states in facilitates stronger sophistication — to hack into sensitive financial enforcement cooperation. systems, conduct massive data breaches, spread The United States will strive to improve inter- , attack critical infrastructure, and national cooperation in investigating malicious steal intellectual property. The Administration cyber activity, including developing solutions will advocate for law enforcement to have to potential barriers to gathering and sharing effective legal tools to investigate and prosecute evidence. The United States will also lead such groups and modernized in developing interoperable and mutually statutes for use against this threat. beneficial systems to encourage efficient IMPROVE APPREHENSION OF CRIMINALS LOCATED cross-border information exchange for law ABROAD: Deterring cybercrime requires a credible enforcement purposes and reduce barriers threat that perpetrators will be identified, appre- to coordination. The Administration will urge hended, and brought to justice. However, some effective use of existing international tools like foreign nations choose not to cooperate with the United Nations Convention Against Trans- extradition requests, impose unreasonable national Organized Crime and the G7 24/7 limitations, or actively interfere in these efforts. Network Points of Contact. Finally, we will work The United States will continue to identify gaps to expand the international consensus favoring and potential mechanisms for bringing foreign- the Convention on Cybercrime of the Council based cyber criminals to justice. The United of Europe (Budapest Convention), including by States Government will also increase diplomatic supporting greater adoption of the convention.

11

PILLAR II

Promote American Prosperity

he Internet has generated tremendous Priority Actions benefits domestically and abroad, and INCENTIVIZE AN ADAPTABLE AND SECURE it helps to advance American values T TECHNOLOGY MARKETPLACE: To enhance the resil- of freedom, security, and prosperity. Along ience of cyberspace, the Administration expects with its expansion have come challenges that the technology marketplace to support and threaten our national security. The United reward the continuous development, adoption, States will demonstrate a coherent and compre- and evolution of innovative security technologies hensive approach to address these and other and processes. The Administration will work challenges to defend American national across stakeholder groups, including the private interests in this increasingly digitized world. sector and civil society, to promote best practices OBJECTIVE: Preserve United States influence and develop strategies to overcome market in the technological and the devel- barriers to the adoption of secure technologies. opment of cyberspace as an open engine of The Administration will improve awareness and economic growth, innovation, and efficiency. transparency of cybersecurity practices to build market demand for more secure products and Foster a Vibrant and services. Finally, the Administration will collab- Resilient Digital Economy orate with international partners to promote open, industry-driven standards with government Economic security is inherently tied to our support, as appropriate, and risk-based national security. As the foundations of our approaches to address cybersecurity challenges economy are becoming increasingly rooted to include platform and managed service in digital technologies, the United States approaches that lower barriers to secure practice Government will model and promote standards adoption across the breadth of the ecosystem. that protect our economic security and reinforce the vitality of the American marketplace and PRIORITIZE INNOVATION: The United States American innovation. Government will promote implementation and

14 PILLAR II: PROMOTE AMERICAN PROSPERITY

continuous updating of standards and best tions as pretexts for digital protectionism under practices that deter and prevent current and the rubric of national security. Those actions evolving threats and hazards in all domains negatively impact the competitiveness of United of the cyber ecosystem. These standards States companies. The United States will continue and practices should be outcome-oriented to lead by example and push back against unjus- and based on sound technological principles tifiable barriers to the free flow of data and digital rather than point-in-time company specifica- trade. The Administration will continue to work tions. The Administration will eliminate policy with international counterparts to promote open, barriers that inhibit a robust cybersecurity industry driven standards, innovative products, industry from developing, sharing, and building and risk-based approaches that permit global innovative capabilities to reduce cyber threats. innovation and the free flow of data while meeting the legitimate security needs of the United States. INVEST IN NEXT GENERATION INFRASTRUCTURE: The Administration will facilitate the accelerated MAINTAIN UNITED STATES LEADERSHIP IN development and rollout of next-generation EMERGING TECHNOLOGIES: The United States’ telecommunications and information communi- influence in cyberspace is linked to our techno- cations infrastructure here in the United States, logical leadership. Accordingly, the United States while using the buying power of the Federal Government will make a concerted effort to Government to incentivize the protect cutting edge technol- move towards more secure T N C S ogies, including from theft by supply chains. The United our adversaries, support those A States Government will work technologies’ maturation, and, with the private sector to facil- where possible, reduce United itate the evolution and security States companies’ barriers DONALD J. TRUMP of 5G, examine technological SEPTEMBER 2018 to market entry. The United and spectrum-based solutions, States will promote United and lay the groundwork for innovation beyond States cybersecurity innovation worldwide next-generation advancements. The United through trade-related engagement, raising States Government will examine the use of awareness of innovative American cybersecurity emerging technologies, such as artificial intelli- tools and services, exposing and countering gence and quantum computing, while addressing repressive regimes use of such tools and services risks inherent in their use and application. We to undermine , and reducing will collaborate with the private sector and civil barriers to a robust global cybersecurity market. society to understand trends in technology PROMOTE FULL-LIFECYCLE CYBERSECURITY: The advancement to maintain the United States United States Government will promote full-life- technological edge in connected technologies cycle cybersecurity, pressing for strong, default and to ensure secure practices are adopted from security settings, adaptable, upgradeable the outset. products, and other best practices built in at PROMOTE THE FREE FLOW OF DATA ACROSS the time of product delivery. We will identify a BORDERS: Countries are increasingly looking clear pathway toward an adaptable, sustainable, towards restrictive data localization and regula- and secure technology marketplace, encour-

15 NATIONAL CYBER STRATEGY

aging manufacturers to differentiate products availability of United States telecommunica- based on the quality of their security features. tions networks are essential to our economy The United States Government will promote and national security. We must be vigilant to foundational engineering practices to reduce safeguard the telecommunications networks we systemic fragility and develop designs that depend on in our everyday lives so they cannot degrade and recover effectively when success- be used or compromised by a foreign adversary fully attacked. The United States Government to harm the United States. The United States will also promote regular testing and exercising Government will balance these objectives by of the cybersecurity and resilience of products formalizing and streamlining the review of and systems during development using best Federal Communications Commission referrals practices from forward-leaning industries. This for telecommunications licenses. The United includes promotion and use of coordinated States Government will facilitate a transparent vulnerability disclosure, crowd-sourced testing, process to increase the efficiency of this review. and other innovative assessments that improve resiliency ahead of exploitation or attack. The MAINTAIN A STRONG AND BALANCED INTELLECTUAL United States Government will also evaluate how PROPERTY PROTECTION SYSTEM: Strong intel- to improve the end-to-end lifecycle for digital lectual property protections ensure continued identity management, including over-reliance on economic growth and innovation in the digital Social Security numbers. age. The United States Government has fostered and will continue to help foster a global intel- Foster and Protect United lectual property rights system that provides States Ingenuity incentives for innovation through the protection Fostering and protecting American invention and and enforcement of intellectual property rights innovation is critical to maintaining the United such as patents, trademarks, and copyrights. States’ strategic advantage in cyberspace. The The United States Government will also promote United States Government will nurture innovation protection of sensitive emerging technologies by promoting and programs that and trade secrets, and we will work to prevent drive United States competitiveness. The United adversarial nation states from gaining unfair States Government will counter predatory advantage at the expense of American research mergers and acquisitions and counter intellectual and development. property theft. We will also catalyze United States leadership in emerging technologies and promote PROTECT THE CONFIDENTIALITY AND INTEGRITY government identification and support to these OF AMERICAN IDEAS: For more than a decade, technologies, which include artificial intelligence, malicious actors have conducted cyber intru- quantum information science, and next-gener- sions into United States commercial networks, ation telecommunication infrastructure. targeting confidential business information held by American firms. Malicious cyber actors Priority Actions from other nations have stolen troves of trade UPDATE MECHANISMS TO REVIEW FOREIGN secrets, technical data, and sensitive proprietary INVESTMENT AND OPERATION IN THE UNITED internal communications. The United States STATES: The confidentiality, integrity, and Government will work against the illicit appro-

16 PILLAR II: PROMOTE AMERICAN PROSPERITY

priation of public and private sector technology opportunities to re-train into cybersecurity and technical knowledge by foreign competitors, careers. while maintaining an investor-friendly climate. ENHANCE THE FEDERAL CYBERSECURITY WORKFORCE: To improve recruitment and Develop a Superior retention of highly qualified cybersecurity profes- Cybersecurity Workforce sionals to the Federal Government, the Adminis- tration will continue to use the National Initiative A highly skilled cybersecurity workforce is a for Cybersecurity Education (NICE) Framework strategic national security advantage. The United to support policies allowing for a standardized States will fully develop the vast American talent approach for identifying, hiring, developing, and pool, while at the same time attracting the best retaining a talented cybersecurity workforce. and brightest among those abroad who share our Additionally, the Administration will explore values. appropriate options to establish distributed Priority Actions cybersecurity personnel under the management of DHS to oversee the development, management, BUILD AND SUSTAIN THE TALENT PIPELINE: and deployment of cybersecurity personnel Our peer competitors are implementing across Federal departments and agencies with workforce development programs that have the exception of DOD and the IC. The Admin- the potential to harm long-term United States istration will promote appropriate financial cybersecurity competitiveness. The United compensation for the United States Government States Government will continue to invest in workforce, as well as unique training and opera- and enhance programs that build the domestic tional opportunities to effectively recruit and talent pipeline, from primary through postsec- retain critical cybersecurity talent in light of the ondary education. The Administration will competitive private sector environment. leverage the President’s proposed merit-based USE EXECUTIVE AUTHORITY TO HIGHLIGHT reforms to ensure that the United AND REWARD TALENT: The United States States has the most competitive technology Government will promote and magnify excel- sector. This effort may require additional lence by highlighting cybersecurity educators legislation to achieve the sought after goals. and cybersecurity professionals. The United EXPAND RE-SKILLING AND EDUCATIONAL OPPOR- States Government will also leverage public- TUNITIES FOR AMERICA’S WORKERS: The Admin- private collaboration to develop and circulate istration will work with the Congress to promote the NICE Framework, which provides a and reinvigorate educational and training standardized approach for identifying cyber- opportunities to develop a robust cybersecurity security workforce gaps, while also imple- workforce. This includes expanding Federal menting actions to prepare, grow, and sustain a recruitment, training, re-skilling people from a workforce that can defend and bolster America’s broad range of backgrounds, and giving them critical infrastructure and innovation base.

17

PILLAR III

Preserve Peace through Strength

hallenges to United States security and responsible state behavior in cyberspace built economic interests, from nation states upon international law, adherence to voluntary C and other groups, which have long non-binding norms of responsible state behavior existed in the offline world are now increasingly that apply during peacetime, and the consider- occurring in cyberspace. This now-persistent ation of practical confidence building measures engagement in cyberspace is already altering the to reduce the risk of conflict stemming from strategic balance of power. This Administration malicious cyber activity. These principles should will issue transformative policies that reflect form a basis for cooperative responses to counter today’s new reality and guide the United States irresponsible state actions inconsistent with this Government towards strategic outcomes that framework. protect the American people and our way of life. Cyberspace will no longer be treated as a separate Priority Action category of policy or activity disjointed from ENCOURAGE UNIVERSAL ADHERENCE TO CYBER other elements of national power. The United NORMS: International law and voluntary States will integrate the employment of cyber non-binding norms of responsible state behavior options across every element of national power. in cyberspace provide stabilizing, security-en- OBJECTIVE: Identify, counter, disrupt, degrade, hancing standards that define acceptable and deter behavior in cyberspace that is desta- behavior to all states and promote greater bilizing and contrary to national interests, while predictability and stability in cyberspace. The preserving United States overmatch in and United States will encourage other nations through cyberspace. to publicly affirm these principles and views through enhanced outreach and engagement Enhance Cyber Stability in multilateral fora. Increased public affir- through Norms of Responsible mation by the United States and other govern- State Behavior ments will lead to accepted expectations of state behavior and thus contribute to greater The United States will promote a framework of predictability and stability in cyberspace.

20 PILLAR III: PRESERVE PEACE THROUGH STRENGTH

Attribute and Deter which we will impose consistent with our obliga- Unacceptable Behavior tions and commitments to deter future bad behavior. The Administration will conduct inter- in Cyberspace agency policy planning for the time periods As the United States continues to promote leading up to, during, and after the imposition of consensus on what constitutes responsible state consequences to ensure a timely and consistent behavior in cyberspace, we must also work to process for responding to and deterring malicious ensure that there are consequences for irrespon- cyber activities. The United States will work sible behavior that harms the United States and with partners when appropriate to impose our partners. All instruments of national power consequences against malicious cyber actors in are available to prevent, respond to, and deter response to their activities against our nation and malicious cyber activity against the United States. interests. This includes diplomatic, information, military BUILD A CYBER DETERRENCE INITIATIVE: The (both kinetic and cyber), financial, intelligence, imposition of consequences will be more public attribution, and law enforcement capabil- impactful and send a stronger message if it is ities. The United States will formalize and make carried out in concert with a broader coalition of routine how we work with like-minded partners to like-minded states. The United States will launch attribute and deter malicious cyber activities with an international Cyber Deterrence Initiative to integrated strategies that impose swift, costly, build such a coalition and develop tailored strat- and transparent consequences when malicious egies to ensure adversaries understand the conse- actors harm the United States or our partners. quences of their malicious cyber behavior. The United States will work with like-minded states Priority Actions to coordinate and support each other’s responses LEAD WITH OBJECTIVE, COLLABORATIVE INTELLI- to significant malicious cyber incidents, including GENCE: The IC will continue to lead the world in through intelligence sharing, buttressing of attri- the use of all-source cyber intelligence to drive bution claims, public statements of support for the identification and attribution of malicious responsive actions taken, and joint imposition cyber activity that threatens United States of consequences against malign actors. national interests. Objective and actionable COUNTER MALIGN CYBER INFLUENCE AND INFOR- intelligence will be shared across the United MATION OPERATIONS: The United States will use States Government and with key partners all appropriate tools of national power to expose to identify hostile foreign nation states, and and counter the flood of online malign influence non- cyber programs, intentions, and information campaigns and non-state propa- capabilities, research and development efforts, ganda and disinformation. This includes working tactics, and operational activities that will with foreign government partners as well as the inform whole-of-government responses to private sector, academia, and civil society to protect American interests at home and abroad. identify, counter, and prevent the use of digital IMPOSE CONSEQUENCES: The United States will platforms for malign foreign influence opera- develop swift and transparent consequences, tions while respecting civil rights and liberties.

21

PILLAR IV

Advance American Influence

he world looks to the United States, ries-old battles over human rights and funda- where much of the innovation for today’s mental freedoms are now playing out online. Internet originated, for leadership on a Freedoms of expression, peaceful assembly, and Tvast range of transnational cyber issues. The association, as well as privacy rights, are under United States will maintain an active interna- threat. Despite unprecedented growth, the Inter- tional leadership posture to advance American net’s economic and social potential continues influence and to address an expanding array of to be undermined by online and threats and challenges to its interests in cyber- repression. The United States stands firm on space. Collaboration with allies and partners its principles to protect and promote an open, is also essential to ensure we can continue to interoperable, reliable, and secure Internet. We benefit from the cross-border communications, will work to ensure that our approach to an open content creation, and commerce generated by the Internet is the international standard. We will open, interoperable architecture of the Internet. also work to prevent authoritarian states that view the open Internet as a political threat from OBJECTIVE: Preserve the long-term openness, transforming the free and open Internet into an interoperability, security, and reliability of the authoritarian web under their control, under Internet, which supports and is reinforced by the guise of security or countering . United States interests. Priority Actions Promote an Open, Interoperable, Reliable, and PROTECT AND PROMOTE INTERNET FREEDOM: The United States Government conceptualizes Secure Internet Internet freedom as the online exercise of human The global Internet has prompted some of rights and fundamental freedoms — such as the the greatest advancements since the indus- freedoms of expression, association, peaceful trial revolution, enabling great advances in assembly, religion or belief, and privacy rights commerce, health, communications, and other online — regardless of frontiers or medium. By national infrastructure. At the same time, centu- extension, Internet freedom also supports the free

24 PILLAR IV: ADVANCE AMERICAN INFLUENCE

flow of information online that enhances interna- Internet governance is characterized by trans- tional trade and commerce, fosters innovation, parent, bottom-up, consensus-driven processes and strengthens both national and interna- and enables governments, the private sector, civil tional security. As such, United States Internet society, academia, and the technical community freedom principles are inextricably linked to our to participate on equal footing. The United States national security. Internet freedom is also a key Government will defend the open, interoperable guiding principle with respect to other United nature of the Internet in multilateral and inter- States foreign policy issues, such as cybercrime national fora through active engagement in key and counterterrorism efforts. Given its impor- organizations, such as the Internet Corporation tance, the United States will encourage other for Assigned Names and Numbers, the Internet countries to advance Internet freedom through Governance Forum, the United Nations, and venues such as the Freedom Online Coalition, of the International Telecommunication Union. which the United States is a founding member. PROMOTE INTEROPERABLE AND RELIABLE WORK WITH LIKE-MINDED COUNTRIES, INDUSTRY, COMMUNICATIONS INFRASTRUCTURE AND ACADEMIA, AND CIVIL SOCIETY: The United INTERNET CONNECTIVITY: The United States States will continue to work with like-minded will promote communications infrastructure countries, industry, civil society, and other and Internet connectivity that is open, interop- stakeholders to advance human rights and erable, reliable, and secure. Such investment Internet freedom globally and to counter author- will provide greater opportunities for American itarian efforts to censor and influence Internet firms to compete while countering the influence development. The United States Government of statist, top-down government interventions will continue to support civil society through in areas of strategic competition. It will also integrated support for technology development, protect America’s security and commercial digital safety training, policy advocacy, and interests by strengthening United States indus- research. These programs aim to enhance the try’s competitive position in the global digital ability of individual citizens, activists, human economy. The Administration will also support rights defenders, independent journalists, civil and promote open, industry-led standards activ- society organizations, and marginalized popula- ities based on sound technological principles. tions to safely access the uncensored Internet PROMOTE AND MAINTAIN MARKETS FOR and promote Internet freedom at the local, UNITED STATES INGENUITY WORLDWIDE: American regional, national, and international levels. innovators and security professionals have PROMOTE A MULTI-STAKEHOLDER MODEL OF contributed significantly in designing products INTERNET GOVERNANCE: The United States will and services that improve our ability to commu- continue to actively participate in global efforts nicate and interact globally and that protect to ensure that the multi-stakeholder model of communications infrastructure, data, and devices Internet governance prevails against attempts worldwide. The United States will continue to create state-centric frameworks that would to promote markets for American ingenuity undermine openness and freedom, hinder overseas, including for emerging technologies innovation, and jeopardize the functionality of that can lower the cost of security. The United the Internet. The multi-stakeholder model of States will also advise on infrastructure deploy-

25 NATIONAL CYBER STRATEGY

ments, innovation, risk management, policy, and partners to implement policies and practices standards to further the global Internet’s reach which allow them to be effective partners in the and to ensure interoperability, security, and United States-led Cyber Deterrence Initiative. stability. Finally, the United States will work with international partners, government, industry, Priority Action civil society, technologists, and academics to improve the adoption and awareness of cyberse- ENHANCE CYBER CAPACITY BUILDING EFFORTS: curity best practices worldwide. Many United States allies and partners possess unique cyber capabilities that can complement Build International our own. The United States will work to Cyber Capacity strengthen the capacity and interoperability of those allies and partners to improve our ability to Capacity building equips partners to protect optimize our combined skills, resources, capabil- themselves and assist the United States in ities, and perspectives against shared threats. addressing threats that target mutual interests, Partners can also help detect, deter, and defeat while serving broader diplomatic, economic, those shared threats in cyberspace. In order for and security goals. Through cyber capacity international partners to effectively protect their building initiatives, the United States builds digital infrastructure and combat shared threats, strategic partnerships that promote cyberse- while realizing the economic and social gains curity best practices through a common vision derived from the Internet and ICTs, the United of an open, interoperable, reliable, and secure States will continue to address the building Internet that encourages investment and opens blocks for organizing national efforts on cyber- new economic markets. In addition, capacity security. We will also aggressively expand efforts building allows for additional opportunities to to share automated and actionable cyber threat share cyber threat information, enabling the information, enhance cybersecurity coordi- United States Government and our partners to nation, and promote analytical and technical better defend domestic critical infrastructure and exchanges. In addition, the United States will global supply chains, as well as focus whole-of- work to reduce the impact and influence of government cyber engagements. Our leadership transnational cybercrime and terrorist activ- in building partner cybersecurity capacity ities by partnering with and strengthening is critical to maintaining American influence the security and law enforcement capabilities against global competitors. Building partner of our partners to build their cyber capacity. cyber capacity will empower international

26

NATIONAL CYBER STRATEGY

Notes

28 NATIONAL CYBER STRATEGY

Notes

29