NATIONAL CYBER STRATEGY of the United States of AmericaAmerica’s prosperity and security depend on how we respond to the opportunities and challenges in cyberspace. Critical infrastructure, national defense, and the daily lives of Americans rely on computer-driven and interconnected information technologies. As all facets of American life have become more dependent on a secure cyberspace, new vulnerabilities have been revealed and new threats continue to emerge. Building on the National Security Strategy and the Administration’s progress over its first 18 months, the National Cyber Strategy outlines how the United States will ensure the American people continue to reap the benefits of a secure cyberspace that reflects our principles, protects our security, and promotes our prosperity.The articulation of the National Cyber Strategy is organized according to the pillars of the National Security Strategy. The National Security Council staff will coordinate with departments, agencies, and the Office of Management and Budget (OMB) on an appropriate resource plan to implement this Strategy. Departments and agencies will execute their missions informed by the following strategic guidance.The White HouseTWH_f290818c-bdc6-11e8-a392-450fc555896cDonald J. TrumpPresident of the United StatesNational Security CouncilNational Security Council staff will coordinate with departments, agencies, and the Office of Management and Budget (OMB) on an appropriate resource plan to implement this Strategy.Office of Management and Budget (OMB)U.S. Federal AgenciesDepartments and agencies will execute their missions informed by the following strategic guidance.A secure and prosperous America_f29085e2-bdc6-11e8-a392-450fc555896cTo outline how the United States will ensure the American people continue to reap the benefits of a secure cyberspace_f2908772-bdc6-11e8-a392-450fc555896cSecurityProsperityDemocracyInnovationIngenuityPeacePartnershipFreedomPeople, Homeland & Way of LifeProtect the American People, the Homeland, and the American Way of Life_f29088a8-bdc6-11e8-a392-450fc555896cPillar IProtecting the American people, the American way of life, and American interests is at the forefront of the National Security Strategy. Protecting American information networks, whether government or private, is vital to fulfilling this objective. It will require a series of coordinated actions focused on protecting government networks, protecting critical infrastructure, and combating cybercrime. The United States Government, private industry, and the public must each take immediate and decisive actions to strengthen cybersecurity, with each working on securing the networks under their control and supporting each other as appropriate. OBJECTIVE: Manage cybersecurity risks to increase the security and resilience of the Nation’s information and information systems.Networks & InformationSecure Federal Networks and Information_f29089d4-bdc6-11e8-a392-450fc555896cI.AThe responsibility to secure Federal networks — including Federal information systems and national security systems — falls squarely on the Federal Government. The Administration will clarify the relevant authorities, responsibilities, and accountability within and across departments and agencies for securing Federal information systems, while setting the standard for effective cybersecurity risk management. As part of this effort, the Administration will centralize some authorities within the Federal Government, enable greater cross-agency visibility, improve management of our Federal supply chain, and strengthen the security of United States Government contractor systems.Management & OversightFurther Centralize Management and Oversight of Federal Civilian Cybersecurity_f2908b00-bdc6-11e8-a392-450fc555896cI.A.iThe Administration will act to further enable the Department of Homeland Security (DHS) to secure Federal department and agency networks, with the exception of national security systems and Department of Defense (DOD) and Intelligence Community (IC) systems. This includes ensuring DHS has appropriate access to agency information systems for cybersecurity purposes and can take and direct action to safeguard systems from the spectrum of risks. Under the oversight of the OMB, the Administration will expand on work begun under Executive Order (E.O.) 13800 to prioritize the transition of agencies to shared services and infrastructure. DHS will have appropriate visibility into those services and infrastructure to improve United States cybersecurity posture. We will continue to deploy centralized capabilities, tools, and services through DHS where appropriate, and improve oversight and compliance with applicable laws, policies, standards, and directives. This will likely require new policies and architectures that enable the government to better leverage innovation. DOD and the IC will consider these activities as they work to better secure national security systems, DOD systems, and IC systems, as appropriate.ITAlign Risk Management and Information Technology Activities_f2908c2c-bdc6-11e8-a392-450fc555896cI.A.iiE.O. 13833, Enhancing the Effectiveness of Agency Chief Information Officers, empowers Chief Information Officers (CIOs) to more effectively leverage technology to accomplish agency missions, cut down on duplication, and make information technology (IT) investment more efficient. Department and agency leaders will empower and hold their CIOs accountable to align cybersecurity risk management decisions and IT budgeting and procurement decisions. The Administration, through OMB and DHS, will continue to guide and direct risk management actions across Federal civilian departments and agencies, and CIOs will be empowered to take a proactive leadership role in assuring IT procurement decisions assign the proper priority to securing networks and data. Supply ChainImprove Federal Supply Chain Risk Management_f2908d6c-bdc6-11e8-a392-450fc555896cI.A.iiiThe Administration will integrate supply chain risk management into agency procurement and risk management processes in accordance with federal requirements that are consistent with industry best practices to better ensure the technology that the Federal Government deploys is secure and reliable. This includes ensuring better information sharing among departments and agencies to improve awareness of supply chain threats and reduce duplicative supply chain activities within the United States Government, including by creating a supply chain risk assessment shared service. It also includes addressing deficiencies in the Federal acquisition system, such as providing more streamlined authorities to exclude risky vendors, products, and services when justified. This effort will be synchronized with efforts to manage supply chain risk in the Nation’s infrastructure. Federal ContractorsStrengthen Federal Contractor Cybersecurity_f2908ea2-bdc6-11e8-a392-450fc555896cI.A.ivFederal ContractorsThe United States cannot afford to have sensitive government information or systems inadequately secured by contractors. Federal contractors provide important services to the United States Government and must properly secure the systems through which they provide those services. Going forward, the Federal Government will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, sensoring, and responding to incidents on contractor systems. Contracts with Federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity. Among the acute concerns in this area are those contractors within the defense industrial base responsible for researching and developing key systems fielded by the DOD. Further, as recommended in the E.O. 13800 Report to the President on Federal IT Modernization, the Administration will support adoption of consolidated acquisition strategies to improve cybersecurity and reduce overhead costs associated with using inconsistent contract provisions across the Federal Government. It will also act to ensure, where appropriate, that Federal contractors receive and use all relevant and shareable threat and vulnerability information to improve their security posture.PracticesEnsure the Government Leads in Best and Innovative Practices_f2909064-bdc6-11e8-a392-450fc555896cI.A.vThe Federal Government will ensure the systems it owns and operates meet the standards and cybersecurity best practices it recommends to industry. Projects that receive Federal funding must meet these standards as well. The Federal Government will use its purchasing power to drive sector-wide improvement in products and services. The Federal Government will also be a leader in developing and implementing standards and best practices in new and emerging areas. For example, public key cryptography is foundational to the secure operation of our infrastructure. To protect against the potential threat of quantum computers being able to break modern public key cryptography, the Department of Commerce, through the National Institute of Standards and Technology (NIST), will continue to solicit, evaluate, and standardize quantum-resistant, public key cryptographic algorithms. The United States must be at the forefront of protecting communications by supporting rapid adoption of these forthcoming NIST standards across government infrastructure and by encouraging the Nation to do the same.InfrastructureSecure Critical Infrastructure_f2909208-bdc6-11e8-a392-450fc555896cI.BThe responsibility to secure the Nation’s critical infrastructure and manage its cybersecurity risk is shared by the private sector and the Federal Government. In partnership with the private sector, we will collectively use a risk-management approach to mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure. We will simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure. We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy.Roles & ResponsibilitiesRefine Roles and Responsibilities_f290935c-bdc6-11e8-a392-450fc555896cI.B.i The Administration will clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response. Clarity will enable proactive risk management that comprehensively addresses threats, vulnerabilities, and consequences. It will also identify and bridge existing gaps in responsibilities and coordination among Federal and non-Federal incident response efforts and promote more routine training, exercises, and coordination. PrioritizationPrioritize Actions According to Identified National Risks_f29094a6-bdc6-11e8-a392-450fc555896cI.B.iiThe Federal Government will work with the private sector to manage risks to critical infrastructure at the greatest risk. The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation. ICT ProvidersLeverage Information and Communications Technology Providers as Cybersecurity Enablers_f2909780-bdc6-11e8-a392-450fc555896cI.B.iiiICT ProvidersInformation and communications technology (ICT) underlies every sector in America. ICT providers are in a unique position to detect, prevent, and mitigate risk before it impacts their customers, and the Federal Government must work with these providers to improve ICT security and resilience in a targeted and efficient manner while protecting privacy and civil liberties. The United States Government will strengthen efforts to share information with ICT providers to enable them to respond to and remediate known malicious cyber activity at the network level. This will include sharing classified threat and vulnerability information with cleared ICT operators and downgrading information to the unclassified level as much as possible. We will promote an adaptable, sustainable, and secure technology supply chain that supports security based on best practices and standards. The United States Government will convene stakeholders to devise cross-sector solutions to challenges at the network, device, and gateway layers, and we will encourage industry-driven certification regimes that ensure solutions can adapt in a rapidly evolving market and threat landscape. DemocracyProtect our Democracy_f29098ca-bdc6-11e8-a392-450fc555896cI.B.ivVotersSecuring our democratic processes is of paramount importance to the United States and our democratic allies. State and local government officials own and operate diverse election infrastructure within the United States. Therefore, when requested we will provide technical and risk management services, support training and exercising, maintain situational awareness of threats to this sector, and improve the sharing of threat intelligence with those officials to better prepare and protect the election infrastructure. The Federal Government will continue to coordinate the development of cybersecurity standards and guidance to safeguard the electoral process and the tools that deliver a secure system. In the event of a significant cyber incident, the Federal Government is poised to provide threat and asset response to recover election infrastructure.IncentivesIncentivize Cybersecurity Investments_f2909a1e-bdc6-11e8-a392-450fc555896cI.B.vMost cybersecurity risks to critical infrastructure stem from the exploitation of known vulnerabilities. The United States Government will work with private and public sector entities to promote understanding of cybersecurity risk so they make more informed risk-management decisions, invest in appropriate security measures, and realize benefits from those investments. R&DPrioritize National Research and Development Investments_f2909b9a-bdc6-11e8-a392-450fc555896cI.B.viThe Federal Government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure. Departments and agencies will align their investments to the priorities, which will focus on building new cybersecurity approaches that use emerging technologies, improving information-sharing and risk management related to cross-sector interdependencies, and building resilience to large-scale or long-duration disruptions.Transportation & MaritimeImprove Transportation and Maritime Cybersecurity_f2909d02-bdc6-11e8-a392-450fc555896cI.B.viiAmerica’s economic and national security is built on global trade and transportation. Our ability to guarantee free and timely movement of goods, open sea and air lines of communications, access to oil and natural gas, and availability of associated critical infrastructures is vital to our economic and national security. As these sectors have modernized, they have also become more vulnerable to cyber exploitation or attack. Maritime cybersecurity is of particular concern because lost or delayed shipments can result in strategic economic disruptions and potential spillover effects on downstream industries. Given the criticality of maritime transportation to the United States and global economy and the minimal risk-reduction investments to protect against cyber exploitation made thus far, the United States will move quickly to clarify maritime cybersecurity roles and responsibilities; promote enhanced mechanisms for international coordination and information sharing; and accelerate the development of next-generation cyber-resilient maritime infrastructure. The United States will assure the uninterrupted transport of goods in the face of all threats that can hold this inherently international infrastructure at risk through cyber means.SpaceImprove Space Cybersecurity_f2909e6a-bdc6-11e8-a392-450fc555896cI.B.viiiThe United States considers unfettered access to and freedom to operate in space vital to advancing the security, economic prosperity, and scientific knowledge of the Nation. The Administration is concerned about the growing cyber-related threats to space assets and supporting infrastructure because these assets are critical to functions such as positioning, navigation, and timing (PNT); intelligence, surveillance, and reconnaissance (ISR); satellite communications; and weather monitoring. The Administration will enhance efforts to protect our space assets and support infrastructure from evolving cyber threats, and we will work with industry and international partners to strengthen the cyber resilience of existing and future space systems.ReportingCombat Cybercrime and Improve Incident Reporting_f2909ff0-bdc6-11e8-a392-450fc555896cI.CFederal departments and agencies, in cooperation with state, local, tribal, and territorial government entities, play a critical role in detecting, preventing, disrupting, and investigating cyber threats to our Nation. The United States is regularly the victim of malicious cyber activity perpetrated by criminal actors, including state and non-state actors and their proxies and terrorists using network infrastructure in the United States and abroad. Federal law enforcement works to apprehend and prosecute offenders, disable criminal infrastructure, limit the spread and use of nefarious cyber capabilities, prevent cyber criminals and their state sponsors from profiting from their illicit activity, and seize their assets. The Administration will push to ensure that our Federal departments and agencies have the necessary legal authorities and resources to combat transnational cybercriminal activity, including identifying and dismantling botnets, dark markets, and other infrastructure used to enable cybercrime, and combatting economic espionage. To effectively deter, disrupt, and prevent cyber threats, law enforcement will work with private industry to confront challenges presented by technological barriers, such as anonymization and encryption technologies, to obtain time-sensitive evidence pursuant to appropriate legal process. Law enforcement actions to combat criminal cyber activity serve as an instrument of national power by, among other things, deterring those activities.IncidentsImprove Incident Reporting and Response_f290a162-bdc6-11e8-a392-450fc555896cI.C.iThe United States Government will continue to encourage reporting of intrusions and theft of data by all victims, especially critical infrastructure partners. The prompt reporting of cyber incidents to the Federal Government is essential to an effective response, linking of related incidents, identification of the perpetrators, and prevention of future incidents.LawsModernize Electronic Surveillance and Computer Crime Laws_f290a2d4-bdc6-11e8-a392-450fc555896cI.C.iiThe Administration will work with the Congress to update electronic surveillance and computer crime statutes to enhance law enforcement’s capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions, and impose appropriate consequences upon malicious cyber actors. Transnational Criminal OrganizationsReduce Threats from Transnational Criminal Organizations in Cyberspace_f290a478-bdc6-11e8-a392-450fc555896cI.C.iiiComputer hacking conducted by transnational criminal groups poses a significant threat to our national security. Equipped with sizeable funds, organized criminal groups operating abroad employ sophisticated malicious software, spearphishing campaigns, and other hacking tools — some of which rival those of nation states in sophistication — to hack into sensitive financial systems, conduct massive data breaches, spread ransomware, attack critical infrastructure, and steal intellectual property. The Administration will advocate for law enforcement to have effective legal tools to investigate and prosecute such groups and modernized organized crime statutes for use against this threat. ApprehensionImprove Apprehension of Criminals Located Abroad_f290a5f4-bdc6-11e8-a392-450fc555896cI.C.ivForeign NationsDeterring cybercrime requires a credible threat that perpetrators will be identified, apprehended, and brought to justice. However, some foreign nations choose not to cooperate with extradition requests, impose unreasonable limitations, or actively interfere in these efforts. The United States will continue to identify gaps and potential mechanisms for bringing foreignbased cyber criminals to justice. The United States Government will also increase diplomatic and other efforts with countries to promote cooperation with legitimate extradition requests. We will push other nations to expedite their assistance in investigations and to comply with any bilateral or multilateral agreements or obligations.Partner NationsStrengthen Partner Nations’ Law Enforcement Capacity to Combat Criminal Cyber Activity_f290a770-bdc6-11e8-a392-450fc555896cI.C.vPartner NationsThe United States should also aid willing partner nations to build their capacity to address criminal cyber activity. The borderless nature of cybercrime, including state-sponsored and terrorist activities, requires strong international law enforcement partnerships. This cooperation requires foreign law enforcement agencies to have the technical capability to assist United States law enforcement effectively when requested. It is therefore in the interest of United States national security to continue building cybercrime-fighting capacity that facilitates stronger international law enforcement cooperation. The United States will strive to improve international cooperation in investigating malicious cyber activity, including developing solutions to potential barriers to gathering and sharing evidence. The United States will also lead in developing interoperable and mutually beneficial systems to encourage efficient cross-border information exchange for law enforcement purposes and reduce barriers to coordination. The Administration will urge effective use of existing international tools like the United Nations Convention Against Transnational Organized Crime and the G7 24/7 Network Points of Contact. Finally, we will work to expand the international consensus favoring the Convention on Cybercrime of the Council of Europe (Budapest Convention), including by supporting greater adoption of the convention. ProsperityPromote American Prosperity_f290a928-bdc6-11e8-a392-450fc555896cPillar IIThe Internet has generated tremendous benefits domestically and abroad, and it helps to advance American values of freedom, security, and prosperity. Along with its expansion have come challenges that threaten our national security. The United States will demonstrate a coherent and comprehensive approach to address these and other challenges to defend American national interests in this increasingly digitized world. OBJECTIVE: Preserve United States influence in the technological ecosystem and the development of cyberspace as an open engine of economic growth, innovation, and efficiency.Digital EconomyFoster a Vibrant and Resilient Digital Economy_f290aac2-bdc6-11e8-a392-450fc555896cII.AEconomic security is inherently tied to our national security. As the foundations of our economy are becoming increasingly rooted in digital technologies, the United States Government will model and promote standards that protect our economic security and reinforce the vitality of the American marketplace and American innovation. Technology MarketplaceIncentivize an Adaptable and Secure Technology Marketplace_f290ac66-bdc6-11e8-a392-450fc555896cII.A.iTo enhance the resilience of cyberspace, the Administration expects the technology marketplace to support and reward the continuous development, adoption, and evolution of innovative security technologies and processes. The Administration will work across stakeholder groups, including the private sector and civil society, to promote best practices and develop strategies to overcome market barriers to the adoption of secure technologies. The Administration will improve awareness and transparency of cybersecurity practices to build market demand for more secure products and services. Finally, the Administration will collaborate with international partners to promote open, industry-driven standards with government support, as appropriate, and risk-based approaches to address cybersecurity challenges to include platform and managed service approaches that lower barriers to secure practice adoption across the breadth of the ecosystem. InnovationPrioritize Innovation_f290ae28-bdc6-11e8-a392-450fc555896cII.A.iiThe United States Government will promote implementation and continuous updating of standards and best practices that deter and prevent current and evolving threats and hazards in all domains of the cyber ecosystem. These standards and practices should be outcome-oriented and based on sound technological principles rather than point-in-time company specifications. The Administration will eliminate policy barriers that inhibit a robust cybersecurity industry from developing, sharing, and building innovative capabilities to reduce cyber threats. InfrastructureInvest in Next Generation Infrastructure_f290afcc-bdc6-11e8-a392-450fc555896cII.A.iiiThe Administration will facilitate the accelerated development and rollout of next-generation telecommunications and information communications infrastructure here in the United States, while using the buying power of the Federal Government to incentivize the move towards more secure supply chains. The United States Government will work with the private sector to facilitate the evolution and security of 5G, examine technological and spectrum-based solutions, and lay the groundwork for innovation beyond next-generation advancements. The United States Government will examine the use of emerging technologies, such as artificial intelligence and quantum computing, while addressing risks inherent in their use and application. We will collaborate with the private sector and civil society to understand trends in technology advancement to maintain the United States technological edge in connected technologies and to ensure secure practices are adopted from the outset.Data FlowsPromote the Free Flow of Data Across Borders_f290b17a-bdc6-11e8-a392-450fc555896cII.A.ivCountries are increasingly looking towards restrictive data localization and regulations as pretexts for digital protectionism under the rubric of national security. Those actions negatively impact the competitiveness of United States companies. The United States will continue to lead by example and push back against unjustifiable barriers to the free flow of data and digital trade. The Administration will continue to work with international counterparts to promote open, industry driven standards, innovative products, and risk-based approaches that permit global innovation and the free flow of data while meeting the legitimate security needs of the United States. Emerging TechnologiesMaintain United States Leadership in Emerging Technologies_f290b35a-bdc6-11e8-a392-450fc555896cII.A.vThe United States’ influence in cyberspace is linked to our technological leadership. Accordingly, the United States Government will make a concerted effort to protect cutting edge technologies, including from theft by our adversaries, support those technologies’ maturation, and, where possible, reduce United States companies’ barriers to market entry. The United States will promote United States cybersecurity innovation worldwide through trade-related engagement, raising awareness of innovative American cybersecurity tools and services, exposing and countering repressive regimes use of such tools and services to undermine human rights, and reducing barriers to a robust global cybersecurity market. Cybersecurity LifecyclePromote Full-Lifecycle Cybersecurity_f290b512-bdc6-11e8-a392-450fc555896cII.A.viThe United States Government will promote full-lifecycle cybersecurity, pressing for strong, default security settings, adaptable, upgradeable products, and other best practices built in at the time of product delivery. We will identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace, encouraging manufacturers to differentiate products based on the quality of their security features. The United States Government will promote foundational engineering practices to reduce systemic fragility and develop designs that degrade and recover effectively when successfully attacked. The United States Government will also promote regular testing and exercising of the cybersecurity and resilience of products and systems during development using best practices from forward-leaning industries. This includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack. The United States Government will also evaluate how to improve the end-to-end lifecycle for digital identity management, including over-reliance on Social Security numbers.IngenuityFoster and Protect United States Ingenuity_f290b6de-bdc6-11e8-a392-450fc555896cII.BFostering and protecting American invention and innovation is critical to maintaining the United States’ strategic advantage in cyberspace. The United States Government will nurture innovation by promoting institutions and programs that drive United States competitiveness. The United States Government will counter predatory mergers and acquisitions and counter intellectual property theft. We will also catalyze United States leadership in emerging technologies and promote government identification and support to these technologies, which include artificial intelligence, quantum information science, and next-generation telecommunication infrastructure.Foreign Investment & OperationsUpdate Mechanisms to Review Foreign Investment and Operation in the United States_f290b968-bdc6-11e8-a392-450fc555896cII.B.iThe confidentiality, integrity, and availability of United States telecommunications networks are essential to our economy and national security. We must be vigilant to safeguard the telecommunications networks we depend on in our everyday lives so they cannot be used or compromised by a foreign adversary to harm the United States. The United States Government will balance these objectives by formalizing and streamlining the review of Federal Communications Commission referrals for telecommunications licenses. The United States Government will facilitate a transparent process to increase the efficiency of this review.IPMaintain a Strong and Balanced Intellectual Property Protection System_f290bb2a-bdc6-11e8-a392-450fc555896cII.B.iiStrong intellectual property protections ensure continued economic growth and innovation in the digital age. The United States Government has fostered and will continue to help foster a global intellectual property rights system that provides incentives for innovation through the protection and enforcement of intellectual property rights such as patents, trademarks, and copyrights. The United States Government will also promote protection of sensitive emerging technologies and trade secrets, and we will work to prevent adversarial nation states from gaining unfair advantage at the expense of American research and development.IdeasProtect the Confidentiality and Integrity of American Ideas_f290bdfa-bdc6-11e8-a392-450fc555896cII.B.iiiFor more than a decade, malicious actors have conducted cyber intrusions into United States commercial networks, targeting confidential business information held by American firms. Malicious cyber actors from other nations have stolen troves of trade secrets, technical data, and sensitive proprietary internal communications. The United States Government will work against the illicit appropriation of public and private sector technology and technical knowledge by foreign competitors, while maintaining an investor-friendly climate. Workforce DevelopmentDevelop a Superior Cybersecurity Workforce_f290c002-bdc6-11e8-a392-450fc555896cII.CCybersecurity WorkforceA highly skilled cybersecurity workforce is a strategic national security advantage. The United States will fully develop the vast American talent pool, while at the same time attracting the best and brightest among those abroad who share our values. Talent PipelineBuild and Sustain the Talent Pipeline_f290c1ce-bdc6-11e8-a392-450fc555896cII.C.iOur peer competitors are implementing workforce development programs that have the potential to harm long-term United States cybersecurity competitiveness. The United States Government will continue to invest in and enhance programs that build the domestic talent pipeline, from primary through postsecondary education. The Administration will leverage the President’s proposed merit-based immigration reforms to ensure that the United States has the most competitive technology sector. This effort may require additional legislation to achieve the sought after goals.Education & Re-SkillingExpand Re-Skilling and Educational Opportunities for America’s Workers_f290c39a-bdc6-11e8-a392-450fc555896cII.C.iiAmerica’s WorkersThe Administration will work with the Congress to promote and reinvigorate educational and training opportunities to develop a robust cybersecurity workforce. This includes expanding Federal recruitment, training, re-skilling people from a broad range of backgrounds, and giving them opportunities to re-train into cybersecurity careers.Workforce EnhancementEnhance the Federal Cybersecurity Workforce_f290c5fc-bdc6-11e8-a392-450fc555896cII.C.iiiTo improve recruitment and retention of highly qualified cybersecurity professionals to the Federal Government, the Administration will continue to use the National Initiative for Cybersecurity Education (NICE) Framework to support policies allowing for a standardized approach for identifying, hiring, developing, and retaining a talented cybersecurity workforce. Additionally, the Administration will explore appropriate options to establish distributed cybersecurity personnel under the management of DHS to oversee the development, management, and deployment of cybersecurity personnel across Federal departments and agencies with the exception of DOD and the IC. The Administration will promote appropriate financial compensation for the United States Government workforce, as well as unique training and operational opportunities to effectively recruit and retain critical cybersecurity talent in light of the competitive private sector environment.TalentUse Executive Authority to Highlight and Reward Talent_f290c868-bdc6-11e8-a392-450fc555896cII.C.ivThe United States Government will promote and magnify excellence by highlighting cybersecurity educators and cybersecurity professionals. The United States Government will also leverage publicprivate collaboration to develop and circulate the NICE Framework, which provides a standardized approach for identifying cybersecurity workforce gaps, while also implementing actions to prepare, grow, and sustain a workforce that can defend and bolster America’s critical infrastructure and innovation base.PeacePreserve Peace through Strength_f290ca5c-bdc6-11e8-a392-450fc555896cPillar IIIChallenges to United States security and economic interests, from nation states and other groups, which have long existed in the offline world are now increasingly occurring in cyberspace. This now-persistent engagement in cyberspace is already altering the strategic balance of power. This Administration will issue transformative policies that reflect today’s new reality and guide the United States Government towards strategic outcomes that protect the American people and our way of life. Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power. OBJECTIVE: Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.StabilityEnhance Cyber Stability through Norms of Responsible State Behavior_f290ccc8-bdc6-11e8-a392-450fc555896cIII.AThe United States will promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity. These principles should form a basis for cooperative responses to counter irresponsible state actions inconsistent with this framework. NormsEncourage Universal Adherence to Cyber Norms_f290cf3e-bdc6-11e8-a392-450fc555896cIII.A.iInternational law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace. The United States will encourage other nations to publicly affirm these principles and views through enhanced outreach and engagement in multilateral fora. Increased public affirmation by the United States and other governments will lead to accepted expectations of state behavior and thus contribute to greater predictability and stability in cyberspace.Attribution & DeterrenceAttribute and Deter Unacceptable Behavior in Cyberspace_f290d13c-bdc6-11e8-a392-450fc555896cIII.BAs the United States continues to promote consensus on what constitutes responsible state behavior in cyberspace, we must also work to ensure that there are consequences for irresponsible behavior that harms the United States and our partners. All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States. This includes diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities. The United States will formalize and make routine how we work with like-minded partners to attribute and deter malicious cyber activities with integrated strategies that impose swift, costly, and transparent consequences when malicious actors harm the United States or our partners.IntelligenceLead with Objective, Collaborative Intelligence_f290d3a8-bdc6-11e8-a392-450fc555896cIII.B.iThe IC will continue to lead the world in the use of all-source cyber intelligence to drive the identification and attribution of malicious cyber activity that threatens United States national interests. Objective and actionable intelligence will be shared across the United States Government and with key partners to identify hostile foreign nation states, and non-nation state cyber programs, intentions, capabilities, research and development efforts, tactics, and operational activities that will inform whole-of-government responses to protect American interests at home and abroad.ConsequencesImpose Consequences_f290d628-bdc6-11e8-a392-450fc555896cIII.B.iiThe United States will develop swift and transparent consequences, which we will impose consistent with our obligations and commitments to deter future bad behavior. The Administration will conduct interagency policy planning for the time periods leading up to, during, and after the imposition of consequences to ensure a timely and consistent process for responding to and deterring malicious cyber activities. The United States will work with partners when appropriate to impose consequences against malicious cyber actors in response to their activities against our nation and interests. DeterrenceBuild a Cyber Deterrence Initiative_f290d826-bdc6-11e8-a392-450fc555896cIII.B.iiiThe imposition of consequences will be more impactful and send a stronger message if it is carried out in concert with a broader coalition of like-minded states. The United States will launch an international Cyber Deterrence Initiative to build such a coalition and develop tailored strategies to ensure adversaries understand the consequences of their malicious cyber behavior. The United States will work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors. Malign InfluenceCounter Malign Cyber Influence and Information Operations_f290dab0-bdc6-11e8-a392-450fc555896cIII.B.ivThe United States will use all appropriate tools of national power to expose and counter the flood of online malign influence and information campaigns and non-state propaganda and disinformation. This includes working with foreign government partners as well as the private sector, academia, and civil society to identify, counter, and prevent the use of digital platforms for malign foreign influence operations while respecting civil rights and liberties.InfluenceAdvance American Influence_f290dce0-bdc6-11e8-a392-450fc555896cPillar IVThe world looks to the United States, where much of the innovation for today’s Internet originated, for leadership on a vast range of transnational cyber issues. The United States will maintain an active international leadership posture to advance American influence and to address an expanding array of threats and challenges to its interests in cyberspace. Collaboration with allies and partners is also essential to ensure we can continue to benefit from the cross-border communications, content creation, and commerce generated by the open, interoperable architecture of the Internet. OBJECTIVE: Preserve the long-term openness, interoperability, security, and reliability of the Internet, which supports and is reinforced by United States interests. InternetPromote an Open, Interoperable, Reliable, and Secure Internet_f290df4c-bdc6-11e8-a392-450fc555896cIV.AThe global Internet has prompted some of the greatest advancements since the industrial revolution, enabling great advances in commerce, health, communications, and other national infrastructure. At the same time, centuries-old battles over human rights and fundamental freedoms are now playing out online. Freedoms of expression, peaceful assembly, and association, as well as privacy rights, are under threat. Despite unprecedented growth, the Internet’s economic and social potential continues to be undermined by online censorship and repression. The United States stands firm on its principles to protect and promote an open, interoperable, reliable, and secure Internet. We will work to ensure that our approach to an open Internet is the international standard. We will also work to prevent authoritarian states that view the open Internet as a political threat from transforming the free and open Internet into an authoritarian web under their control, under the guise of security or countering terrorism. FreedomProtect and Promote Internet Freedom_f290e186-bdc6-11e8-a392-450fc555896cIV.A.iThe United States Government conceptualizes Internet freedom as the online exercise of human rights and fundamental freedoms — such as the freedoms of expression, association, peaceful assembly, religion or belief, and privacy rights online — regardless of frontiers or medium. By extension, Internet freedom also supports the free flow of information online that enhances international trade and commerce, fosters innovation, and strengthens both national and international security. As such, United States Internet freedom principles are inextricably linked to our national security. Internet freedom is also a key guiding principle with respect to other United States foreign policy issues, such as cybercrime and counterterrorism efforts. Given its importance, the United States will encourage other countries to advance Internet freedom through venues such as the Freedom Online Coalition, of which the United States is a founding member. PartnershipsWork with Like-Minded Countries, Industry, Academia, and Civil Society_f290e4e2-bdc6-11e8-a392-450fc555896cIV.A.iiLike-Minded CountriesIndustryAcademiaCivil SocietyThe United States will continue to work with like-minded countries, industry, civil society, and other stakeholders to advance human rights and Internet freedom globally and to counter authoritarian efforts to censor and influence Internet development. The United States Government will continue to support civil society through integrated support for technology development, digital safety training, policy advocacy, and research. These programs aim to enhance the ability of individual citizens, activists, human rights defenders, independent journalists, civil society organizations, and marginalized populations to safely access the uncensored Internet and promote Internet freedom at the local, regional, national, and international levels. GovernancePromote a Multi-Stakeholder Model of Internet Governance_f290e6f4-bdc6-11e8-a392-450fc555896cIV.A.iiiThe United States will continue to actively participate in global efforts to ensure that the multi-stakeholder model of Internet governance prevails against attempts to create state-centric frameworks that would undermine openness and freedom, hinder innovation, and jeopardize the functionality of the Internet. The multi-stakeholder model of Internet governance is characterized by transparent, bottom-up, consensus-driven processes and enables governments, the private sector, civil society, academia, and the technical community to participate on equal footing. The United States Government will defend the open, interoperable nature of the Internet in multilateral and international fora through active engagement in key organizations, such as the Internet Corporation for Assigned Names and Numbers, the Internet Governance Forum, the United Nations, and the International Telecommunication Union.Communications & ConnectivityPromote Interoperable and Reliable Communications Infrastructure and Internet Connectivity_f290e9d8-bdc6-11e8-a392-450fc555896cIV.A.ivThe United States will promote communications infrastructure and Internet connectivity that is open, interoperable, reliable, and secure. Such investment will provide greater opportunities for American firms to compete while countering the influence of statist, top-down government interventions in areas of strategic competition. It will also protect America’s security and commercial interests by strengthening United States industry’s competitive position in the global digital economy. The Administration will also support and promote open, industry-led standards activities based on sound technological principles.International MarketsPromote and Maintain Markets for United States Ingenuity Worldwide_f290ec3a-bdc6-11e8-a392-450fc555896cIV.A.vAmerican innovators and security professionals have contributed significantly in designing products and services that improve our ability to communicate and interact globally and that protect communications infrastructure, data, and devices worldwide. The United States will continue to promote markets for American ingenuity overseas, including for emerging technologies that can lower the cost of security. The United States will also advise on infrastructure deployments, innovation, risk management, policy, and standards to further the global Internet’s reach and to ensure interoperability, security, and stability. Finally, the United States will work with international partners, government, industry, civil society, technologists, and academics to improve the adoption and awareness of cybersecurity best practices worldwide. International CapacityBuild International Cyber Capacity_f290ee88-bdc6-11e8-a392-450fc555896cIV.BCapacity building equips partners to protect themselves and assist the United States in addressing threats that target mutual interests, while serving broader diplomatic, economic, and security goals. Through cyber capacity building initiatives, the United States builds strategic partnerships that promote cybersecurity best practices through a common vision of an open, interoperable, reliable, and secure Internet that encourages investment and opens new economic markets. In addition, capacity building allows for additional opportunities to share cyber threat information, enabling the United States Government and our partners to better defend domestic critical infrastructure and global supply chains, as well as focus whole-ofgovernment cyber engagements. Our leadership in building partner cybersecurity capacity is critical to maintaining American influence against global competitors. Building partner cyber capacity will empower international partners to implement policies and practices which allow them to be effective partners in the United States-led Cyber Deterrence Initiative. Capacity BuildingEnhance Cyber Capacity Building Efforts_f290f13a-bdc6-11e8-a392-450fc555896cIV.B.iMany United States allies and partners possess unique cyber capabilities that can complement our own. The United States will work to strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats. Partners can also help detect, deter, and defeat those shared threats in cyberspace. In order for international partners to effectively protect their digital infrastructure and combat shared threats, while realizing the economic and social gains derived from the Internet and ICTs, the United States will continue to address the building blocks for organizing national efforts on cybersecurity. We will also aggressively expand efforts to share automated and actionable cyber threat information, enhance cybersecurity coordination, and promote analytical and technical exchanges. In addition, the United States will work to reduce the impact and influence of transnational cybercrime and terrorist activities by partnering with and strengthening the security and law enforcement capabilities of our partners to build their cyber capacity.2018-09-012018-09-21https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdfOwenAmburOwen.Ambur@verizon.net