Columbia International Affairs Online: Working Papers

CIAO DATE: 02/2013

Updating U.S. Federal Cybersecurity Policy and Guidance

Franklin S. Reeder, Daniel Chenok, Karen S. Evans, James Andrew Lewis, Alan Paller

October 2012

Center for Strategic and International Studies

Abstract

As the threat to the cyber infrastructure on which the federal government and the nation relies grows, the urgency of investing wisely in protection against, detecting, mitigating, and recovering from cyber events takes on increasing urgency. Our adversaries are well equipped and agile. Our defenses must be equal to the threat, and they are not. Since the 1980s, Congress and administrations of both parties have acted periodically to address that threat, through enacting laws and issuing policies and guidance. Though the underlying principles of managing and mitigating risk remain the same, the changing nature of technology and the capabilities of those who would do us harm call for a periodic review and updating of law and policy. Congress has recognized the need to update underlying statutes. Whether or not its efforts succeed, substantial improvement can be achieved by updating policies and guidance within the current statutory framework. Such changes would both improve our security posture and make more effective use of limited resources. While one might argue that more resources need to be spent on cybersecurity in the current threat environment, the fiscal situation argues for first assuring that every dollar spent on cybersecurity be spent wisely and allow for more rapid adoption of cheaper and more efficient technologies.