Evolving US Cybersecurity Policy: A Multi-stakeholder Approach

Abstract

The connectivity of information systems and networks, and the increasing usage of the Internet have opened individuals and governments to new types of vulnerabilities necessitating the rapid development of cybersecurity policy. Defining cybersecurity as the protection of information systems and networks from misuse, intentional or unintentional harm, or the degradation, destruction, or denial of services provided through the internet and related to the “Internet of Things,” this report seeks to address the question of what the US’s cybersecurity policy should be moving forward. The report seeks to answer this question by addressing the major thematic issues in US domestic and international cybersecurity policy, and focusing in on five issues that crosscut domestic and international cybersecurity policy: • There is a lack of trust between citizens, industry, and government • Cybersecurity legislation is overly broad and ambiguous • There is lack of cooperation between stakeholders • Policy implementation is weak • Discord amongst states internationally is hindering the development international cybersecurity norms, despite a demonstrated desire for such norms This report finds that the United States lacks a robust, unanimous, and coordinated framework for ensuring the safety of private, governmental, and business networks. Enhancing and building strong partnerships between industry and government should be a strategic imperative for all stakeholders. Taking into account the central issues we have identified, in order for the US to develop robust cybersecurity policy, we recommend the following: • Standardization o Establish common cyber threat assessment protocols and strong procedural and legal frameworks utilizing precise language. o Narrow existing, broad policy to foster trust and engagement between industry, states, and civil groups. • Collaboration o Work closely with existing international organizations to harmonize and balance international cybersecurity norms. o Creation of proactive, future oriented legislation by building publicprivate partnerships across multiple sectors. o Streamline the current governmental accreditation processes for innovative industry leaders. In this report we will outline existing US cybersecurity policy both domestically and internationally, identify major stakeholders on all sides of the debate and engage with each position as it relates to the others, determine gaps in the existing policy, and propose how the US can fill those gaps to further develop comprehensive and efficient cybersecurity policy. Drawing on the history of domestic legislation of cyber policy, international agreements, the perspective of key industry leaders, and the arguments of civil society groups, this report provides a holistic picture of the field in its present state and what must be improved upon.