During the last two years of the Bush administration, the senior leadership at the U.S. Department of Homeland Security (DHS) spent substantial time and effort in first helping to craft, and then attempting to implement, Homeland Security Presidential Directive 23/National Security Presidential Directive 54 (HSPD 23/NSPD 54), Cyber Security and Monitoring.
On May 29, 2009, President Obama released his Cyberspace Policy Review (the Review). The Review, conducted by the National Security Council and the Homeland Security Council, examined existing government initiatives addressing cyberspace security in order to develop a strategic framework to coordinate government action. The Review put cybersecurity on the policy agenda early in the Obama administration, and it explicitly describes cybersecurity as a global issue that calls for international cooperation: “The United States . . . needs a strategy for cybersecurity designed to shape the international environment and bring like-minded nations together on a host of issues… Only by working with international partners can the United States best address these challenges, enhance cybersecurity, and reap the full benefits of the digital age.”
On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review.1 The stated purpose of this “60-Day Review” was to provide a comprehensive assessment of U.S. policies for cybersecurity.2 According to a White House press release, the review would “develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”3
The 60-Day Review was an ambitious project and, in the end, took more than 60 days to complete.4 When the final report was issued on May 29, 2009, it offered a careful assessment of the current situation and a broad vision of what the United States must accomplish to secure our digital future. This vision, however, was not fundamentally different from previous iterations of cybersecurity strategy that the U.S. government has issued over the past 12 years.
The 60-Day Review undoubtedly represents a critical step toward addressing the many challenges the United States faces in working to secure its public and private information systems. However, it is important to place this document in proper context and understand what it accomplishes and what business it leaves unfinished. Before much progress can be made in improving cybersecurity, there are some tough policy decisions that have to be made.
The 60-Day Review does not take on many of those decisions. Rather, it provides an accurate and troubling picture of what the country is up against. It offers a glimpse of the daunting but important tasks of trying to harmonize the cybersecurity programs within government, establishing an effective partnership with the private sector, and developing strong relationships with other nations to combat cyber crime. It recommends…