This report examines the substantial economic costs that malicious cyber activity imposes on the U.S. economy. Cyber threats are ever-evolving and may come from sophisticated adversaries. Due to common vulnerabilities, instances of security breaches occur across firms and in patterns that are difficult to anticipate. Importantly, cyberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment. Firms in critical infrastructure sectors may generate especially large negative spillover effects to the wider economy. Insufficient data may impair cybersecurity efforts. Successful protection against cyber threats requires cooperation across firms and between private and public sectors.
This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies. The primary focus of this policy is to prioritize the public’s interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the USG, absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.
The Joint United States-Canada Electric Grid Security and Resilience Strategy (Strategy) is a collaborative effort between the Federal Governments of the United States and Canada and is intended to strengthen the security and resilience of the U.S. and Canadian electric grid from all adversarial, technological, and natural hazards and threats. The Strategy, released concurrently with this National Electric Grid Security and Resilience Action Plan (Action Plan), details bilateral goals to address the vulnerabilities of the respective and shared electric grid infrastructure of the United States and Canada, not only as an energy security concern, but for reasons of national security. The implementation of the Strategy requires continued action of a nationwide network of governments, departments and agencies (agencies), and private sector partners. This Action Plan details the activities, deliverables, and timelines that will be undertaken primarily by U.S. Federal agencies for the United States to make progress toward the Strategy’s goals.
This Joint United States-Canada Electric Grid Security and Resilience Strategy (Strategy) is a collaborative effort between the Federal Governments of the United States and Canada and is intended to strengthen the security and resilience of the U.S. and Canadian electric grid from all adversarial, technological, and natural hazards and threats. The Strategy addresses the vulnerabilities of the two countries’ respective and shared electric grid infrastructure, not only as an energy security concern, but for reasons of national security. This joint Strategy relies on the existing strong bilateral collaboration between the United States and Canada, and reflects a joint commitment to enhance a shared approach to risk management for the electric grid. It also articulates a common vision of the future electric grid that depends on effective and expanded collaboration among those who own, operate, protect, and rely on the electric grid. Because the electric grid is complex, vital to the functioning of modern society, and dependent on other infrastructure for its function, the United States and Canada developed the Strategy under the shared principle that security and resilience require increasingly collaborative efforts and shared approaches to risk management.
AI has applications in many products, such as cars and aircraft, which are subject to regulation designed to protect the public from harm and ensure fairness in economic competition. How will the incorporation of AI into these products affect the relevant regulatory approaches? In general, the approach to regulation of AI-enabled products to protect public safety should be informed by assessment of the aspects of risk that the addition of AI may reduce alongside the aspects of risk that it may increase. If a risk falls within the bounds of an existing regulatory regime, moreover, the policy discussion should start by considering whether the existing regulations already adequately address the risk, or whether they need to be adapted to the addition of AI. Also, where regulatory responses to the addition of AI threaten to increase the cost of compliance, or slow the development or adoption of beneficial innovations, policymakers should consider how those responses could be adjusted to lower costs and barriers to innovation without adversely impacting safety or market fairness.
For decades, the federal government has provided billions of dollars in equipment to state and local law enforcement agencies (LEAs) through excess equipment transfers, asset forfeiture programs and federal grants. Particularly in the years since September 11, 2001, Congress and the Executive Branch have steadily increased spending and support for these programs, in light of legitimate concerns about the growing threat of terrorism, shrinking local budgets, and the relative ease with which some criminals are able to obtain high-powered weapons. These programs have significantly expanded over decades across multiple federal agencies without, at times, a commensurate growth in the infrastructure required to standardize procedures governing the flow of equipment from the federal government to LEAs. At the same time, training has not been institutionalized, specifically with respect to civil rights and civil liberties protections, or the safe use of equipment received through the federal government. Concerns over the lack of consistent protections have received renewed focus and attention in light of the recent unrest in Ferguson, Missouri.
The Administration is focused on protecting the innovation that drives the American economy and supports jobs in the United States. As a Nation, we create products and services that improve the world’s ability to communicate, to learn, to understand diverse cultures and beliefs, to be mobile, to live better and longer lives, to produce and consume energy efficiently and to secure food, nourishment and safety. Most of the value of this work is intangible—it lies in America’s entrepreneurial spirit, our creativity, ingenuity and insistence on progress and in creating a better life for our communities and for communities around the world. These intangible assets are often captured as intellectual property—copyrights, patents, trademarks and trade secrets, and reflect America’s advantage in the global economy.
Our national security depends on our ability to share the right information, with the right people, at the right time. This information sharing mandate requires sustained and responsible collaboration between Federal, state, local, tribal, territorial, private sector, and foreign partners. Over the last few years, we have successfully streamlined policies and processes, overcome cultural barriers, and better integrated information systems to enable information sharing. Today’s dynamic operating environment, however, challenges us to continue improving information sharing and safeguarding processes and capabilities. While innovation has enhanced our ability to share, increased sharing has created the potential for vulnerabilities requiring strengthened safeguarding practices. The 2012 National Strategy for Information Sharing and Safeguarding provides guidance for effective development, integration, and implementation of policies, processes, standards, and technologies to promote secure and responsible information sharing.
Law enforcement and government officials for decades have understood the critical importance of building relationships, based on trust, with the communities they serve. Partnerships are vital to address a range of challenges and must have as their foundation a genuine commitment on the part of law enforcement and government to address community needs and concerns, including protecting rights and public safety. In our efforts to counter violent extremism, we will rely on existing partnerships that communities have forged with Federal, State, and local government agencies. This reliance, however, must not change the nature or purpose of existing relationships. In many instances, our partnerships and related activities were not created for national security purposes but nonetheless have an indirect impact on countering violent extremism (CVE).
Presidential Policy Directive-2 (PPD-2) Implementing National Strategy for Countering Biological Threats
Presidential Policy Directive 2 is one of a number that have not previously been released. It was publicly posted to a collaboration server for U.S. military personnel complete with its National Security Council coversheet intact, providing a rare look at dissemination guidelines utilized in high-level documentation.
Throughout history, violent extremists—individuals who support or commit ideologically-motivated violence to further political goals—have promoted messages of divisiveness and justified the killing of innocents. The United States Constitution recognizes freedom of expression, even for individuals who espouse unpopular or even hateful views. But when individuals or groups choose to further their grievances or ideologies through violence, by engaging in violence themselves or by recruiting and encouraging others to do so, it becomes the collective responsibility of the U.S. Government and the American people to take a stand. In recent history, our country has faced plots by neo-Nazis and other anti-Semitic hate groups, racial supremacists, and international and domestic terrorist groups; and since the September 11 attacks, we have faced an expanded range of plots and attacks in the United States inspired or directed by al-Qa’ida and its affiliates and adherents as well as other violent extremists. Supporters of these groups and their associated ideologies come from different socioeconomic backgrounds, ethnic and religious communities, and areas of the country, making it difficult to predict where violent extremist narratives will resonate. And as history has shown, the prevalence of particular violent extremist ideologies changes over time, and new threats will undoubtedly arise in the future.
Transnational organized crime refers to those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organizational structure and the exploitation of transnational commerce or communication mechanisms. There is no single structure under which transnational organized criminals operate; they vary from hierarchies to clans, networks, and cells, and may evolve to other structures.
Digital infrastructure is increasingly the backbone of prosperous economies, vigorous research communities, strong militaries, transparent governments, and free societies. As never before, information technology is fostering transnational dialogue and facilitating the global flow of goods and services. These social and trade links have become indispensable to our daily lives. Critical life-sustaining infrastructures that deliver electricity and water, control air traffic, and support our financial system all depend on networked information systems. Governments are now able to streamline the provision of essential services through eGovernment initiatives. Social and political movements rely on the Internet to enable new and more expansive forms of organization and action. The reach of networked technology is pervasive and global. For all nations, the underlying digital infrastructure is or will soon become a national asset.
A secure cyberspace is critical to our prosperity. We use the Internet and other online environments to increase our productivity, as a platform for innovation, and as a venue in which to create new businesses. “Our digital infrastructure, therefore, is a strategic national asset, and protecting it—while safeguarding privacy and civil liberties—is a national security priority” and an economic necessity. By addressing threats in this environment, we will help individuals protect themselves in cyberspace and enable both the private sector and government to offer more services online. As a Nation, we are addressing many of the technical and policy shortcomings that have led to insecurity in cyberspace Among these shortcomings is the online authentication of people and devices: the President’s Cyberspace Policy Review established trusted identities as a cornerstone of improved cybersecurity.
On June 22, 2010, the U.S. Intellectual Property Enforcement Coordinator (IPEC) issued the Administration’s first Joint Strategic Plan on Intellectual Property Enforcement (Strategy), which was developed in coordination with many Federal agencies, including the Departments of Commerce, Health and Human Services, Homeland Security (DHS), Justice (DOJ), and State, and the U.S. Trade Representative. As part of the Strategy, the Administration undertook to review existing laws to ensure that they were effective and to identify deficiencies that could hinder enforcement. Based on that review, this White Paper identifies specific recommended legislative changes, designed to increase the effectiveness of U.S. enforcement efforts. We will, of course, continue to assess existing legislation and recommend any further changes to the law as the need arises.
Our national defense requires that sensitive information be maintained in confidence to protect our citizens, our democratic institutions, and our homeland. Protecting information critical to our nation’s security is the responsibility of each individual who is granted access to classified information. Any unauthorized disclosure of classified information is a violation of our law and compromises our national security. The recent irresponsible disclosure by WikiLeaks has resulted in significant damage to our national security. Any failure by agencies to safeguard classified information pursuant to relevant laws, including but not limited to Executive Order 13526, Classified National Security Information (December 29, 2009), is unacceptable and will not be tolerated.
Abraham, Yohannes A. Employee 40,000.00 Per Annum LEGISLATIVE ASSISTANT AND ASSISTANT TO THE HOUSE LIAISON
Abrams, Adam W. Employee 65,000.00 Per Annum WESTERN REGIONAL COMMUNICATIONS DIRECTOR
Adams, Ian H. Employee 36,000.00 Per Annum EXECUTIVE ASSISTANT TO THE DIRECTOR OF SCHEDULING AND ADVANCE
Agnew, David P. Employee 92,000.00 Per Annum DEPUTY DIRECTOR OF INTERGOVERNMENTAL AFFAIRS
Ahrens, Rebecca A. Employee 42,800.00 Per Annum OPERATOR
The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future.