NATIONAL CYBER STRATEGY of the United States of AmericaAmerica’s prosperity and security depend on how we respond to the opportunitiesand challenges in cyberspace. Critical infrastructure, national defense, andthe daily lives of Americans rely on computer-driven and interconnected informationtechnologies. As all facets of American life have become more dependenton a secure cyberspace, new vulnerabilities have been revealed and new threatscontinue to emerge. Building on the National Security Strategy and the Administration’sprogress over its first 18 months, the National Cyber Strategy outlineshow the United States will ensure the American people continue to reap thebenefits of a secure cyberspace that reflects our principles, protects our security,and promotes our prosperity.The articulation of the National Cyber Strategyis organized according to the pillars of theNational Security Strategy. The National SecurityCouncil staff will coordinate with departments,agencies, and the Office of Management andBudget (OMB) on an appropriate resourceplan to implement this Strategy. Departmentsand agencies will execute their missionsinformed by the following strategic guidance.The White HouseTWH_ebd0433c-bdc6-11e8-b22c-d80cc555896cDonald J. TrumpPresident of the United StatesNational Security CouncilNational Security Council staff will coordinate with departments, agencies, and the Office of Management and Budget (OMB) on an appropriate resource plan to implement this Strategy.Office of Management and Budget (OMB)U.S. Federal AgenciesDepartments and agencies will execute their missions informed by the following strategic guidance.A secure and prosperous America_ebd046ac-bdc6-11e8-b22c-d80cc555896cTo outline how the United States will ensure the American people continue to reap the benefits of a secure cyberspace_ebd04814-bdc6-11e8-b22c-d80cc555896cSecurityProsperityDemocracyInnovationIngenuityPeacePartnershipFreedomPeople, Homeland & Way of LifeProtect the American People, the Homeland, and the American Way of Life_ebd0490e-bdc6-11e8-b22c-d80cc555896cPillar IProtecting the American people, the American way of life, and American interests is at the forefront of the NationalSecurity Strategy. Protecting American informationnetworks, whether government orprivate, is vital to fulfilling this objective. It willrequire a series of coordinated actions focusedon protecting government networks, protectingcritical infrastructure, and combating cybercrime.The United States Government, private industry,and the public must each take immediate anddecisive actions to strengthen cybersecurity,with each working on securing the networksunder their control and supporting each other asappropriate.OBJECTIVE: Manage cybersecurity risks toincrease the security and resilience of theNation’s information and information systems.Networks & InformationSecure Federal Networks and Information_ebd04a12-bdc6-11e8-b22c-d80cc555896cI.AThe responsibility to secure Federal networks— including Federal information systems andnational security systems — falls squarely onthe Federal Government. The Administrationwill clarify the relevant authorities, responsibilities,and accountability within and acrossdepartments and agencies for securing Federalinformation systems, while setting the standardfor effective cybersecurity risk management.As part of this effort, the Administration willcentralize some authorities within the FederalGovernment, enable greater cross-agencyvisibility, improve management of our Federalsupply chain, and strengthen the security ofUnited States Government contractor systems.Management & OversightFurther Centralize Management and Oversight of Federal Civilian Cybersecurity_ebd04b0c-bdc6-11e8-b22c-d80cc555896cI.A.iThe Administration will act to further enable theDepartment of Homeland Security (DHS) to secureFederal department and agency networks, withthe exception of national security systems andDepartment of Defense (DOD) and IntelligenceCommunity (IC) systems. This includes ensuringDHS has appropriate access to agency informationsystems for cybersecurity purposes andcan take and direct action to safeguard systemsfrom the spectrum of risks. Under the oversight ofthe OMB, the Administration will expand on workbegun under Executive Order (E.O.) 13800 to prioritizethe transition of agencies to shared services and infrastructure. DHS will have appropriatevisibility into those services and infrastructureto improve United States cybersecurity posture.We will continue to deploy centralized capabilities,tools, and services through DHS whereappropriate, and improveoversight and compliancewith applicable laws,policies, standards, anddirectives. This will likelyrequire new policies andarchitectures that enablethe government to better leverage innovation.DOD and the IC will consider these activities as theywork to better secure national security systems,DOD systems, and IC systems, as appropriate.ITAlign Risk Management and Information Technology Activities_ebd04c06-bdc6-11e8-b22c-d80cc555896cI.A.iiE.O. 13833, Enhancingthe Effectiveness of Agency Chief InformationOfficers, empowers Chief Information Officers(CIOs) to more effectively leverage technologyto accomplish agency missions, cut down onduplication, and make information technology(IT) investment more efficient. Department andagency leaders will empower and hold theirCIOs accountable to align cybersecurity riskmanagement decisions and IT budgeting andprocurement decisions. The Administration,through OMB and DHS, will continue to guide anddirect risk management actions across Federalcivilian departments and agencies, and CIOs willbe empowered to take a proactive leadership rolein assuring IT procurement decisions assign theproper priority to securing networks and data. Supply ChainImprove Federal Supply Chain Risk Management_ebd04d14-bdc6-11e8-b22c-d80cc555896cI.A.iiiThe Administration will integratesupply chain risk management into agencyprocurement and risk management processesin accordance with federal requirements thatare consistent with industry best practices tobetter ensure the technology that the FederalGovernment deploys is secure and reliable.This includes ensuring better informationsharing among departments and agencies toimprove awareness of supply chain threatsand reduce duplicativesupply chain activitieswithin the United StatesGovernment, including bycreating a supply chainrisk assessment sharedservice. It also includesaddressing deficiencies in the Federal acquisitionsystem, such as providing more streamlinedauthorities to exclude risky vendors,products, and services when justified. This effortwill be synchronized with efforts to managesupply chain risk in the Nation’s infrastructure. Federal ContractorsStrengthen Federal Contractor Cybersecurity_ebd04e18-bdc6-11e8-b22c-d80cc555896cI.A.ivFederal ContractorsThe United States cannot affordto have sensitive government information orsystems inadequately secured by contractors.Federal contractors provide important servicesto the United States Government and mustproperly secure the systems through whichthey provide those services. Going forward,the Federal Government will be able to assessthe security of its data by reviewing contractorrisk management practices and adequatelytesting, hunting, sensoring, and respondingto incidents on contractor systems. Contractswith Federal departments and agencies willbe drafted to authorize such activities for thepurpose of improving cybersecurity. Among theacute concerns in this area are those contractorswithin the defense industrial base responsible forresearching and developing key systems fieldedby the DOD. Further, as recommended in theE.O. 13800 Report to the President on Federal ITModernization, the Administration will support adoption of consolidated acquisition strategiesto improve cybersecurity and reduce overheadcosts associated with using inconsistent contractprovisions across the Federal Government. Itwill also act to ensure, where appropriate,that Federal contractors receive and use allrelevant and shareable threat and vulnerabilityinformation to improve their security posture.PracticesEnsure the Government Leads in Best and Innovative Practices_ebd04fc6-bdc6-11e8-b22c-d80cc555896cI.A.vThe Federal Governmentwill ensure the systems it owns and operatesmeet the standards and cybersecurity bestpractices it recommends to industry. Projectsthat receive Federal funding must meet thesestandards as well. The Federal Government willuse its purchasing power to drive sector-wideimprovement in products and services. TheFederal Government will also be a leader indeveloping and implementing standards andbest practices in new and emerging areas. Forexample, public key cryptography is foundationalto the secure operation of our infrastructure.To protect against the potentialthreat of quantum computers being able tobreak modern public key cryptography, theDepartment of Commerce, through the NationalInstitute of Standards and Technology (NIST),will continue to solicit, evaluate, and standardizequantum-resistant, public key cryptographicalgorithms. The United States must be at theforefront of protecting communications bysupporting rapid adoption of these forthcomingNIST standards across government infrastructureand by encouraging the Nation to do the same.InfrastructureSecure Critical Infrastructure_ebd050f2-bdc6-11e8-b22c-d80cc555896cI.BThe responsibility to secure the Nation’s criticalinfrastructure and manage its cybersecurity riskis shared by the private sector and the FederalGovernment. In partnership with the privatesector, we will collectively use a risk-managementapproach to mitigating vulnerabilities to raise thebase level of cybersecurity across critical infrastructure.We will simultaneously use a consequence-drivenapproach to prioritize actionsthat reduce the potential that the most advancedadversaries could cause large-scale or long-durationdisruptions to critical infrastructure. Wewill also deter malicious cyber actors by imposingcosts on them and their sponsors by leveraging arange of tools, including but not limited to prosecutionsand economic sanctions, as part of abroader deterrence strategy.Roles & ResponsibilitiesRefine Roles and Responsibilities_ebd05214-bdc6-11e8-b22c-d80cc555896cI.B.i The Administrationwill clarify the roles and responsibilitiesof Federal agencies and the expectationson the private sector related to cybersecurityrisk management and incident response. Claritywill enable proactive risk management thatcomprehensively addresses threats, vulnerabilities,and consequences. It will also identifyand bridge existing gaps in responsibilities andcoordination among Federal and non-Federalincident response efforts and promote moreroutine training, exercises, and coordination. PrioritizationPrioritize Actions According to Identified National Risks_ebd0532c-bdc6-11e8-b22c-d80cc555896cI.B.iiThe Federal Government willwork with the private sector to manage risks tocritical infrastructure at the greatest risk. TheAdministration will develop a comprehensiveunderstanding of national risk by identifyingnational critical functions and will matureour cybersecurity offerings and engagementsto better manage those national risks. TheAdministration will prioritize risk-reductionactivities across seven key areas: nationalsecurity, energy and power, banking and finance, health and safety, communications,information technology, and transportation. ICT ProvidersLeverage Information and Communications Technology Providers as Cybersecurity Enablers_ebd054da-bdc6-11e8-b22c-d80cc555896cI.B.iiiICT ProvidersInformation and communicationstechnology (ICT) underlies every sector inAmerica. ICT providers are in a unique positionto detect, prevent, and mitigate risk beforeit impacts their customers, and the FederalGovernment must work with these providers toimprove ICT security and resilience in a targetedand efficient manner while protecting privacyand civil liberties. The United States Governmentwill strengthen efforts to share information withICT providers to enable them to respond to andremediate known malicious cyber activity at thenetwork level. This will include sharing classifiedthreat and vulnerability information with clearedICT operators and downgrading information tothe unclassified level as much as possible. We willpromote an adaptable, sustainable, and securetechnology supply chain that supports securitybased on best practices and standards. The UnitedStates Government will convene stakeholdersto devise cross-sector solutions to challengesat the network, device, and gateway layers, andwe will encourage industry-driven certificationregimes that ensure solutions can adapt in arapidly evolving market and threat landscape. DemocracyProtect our Democracy_ebd0566a-bdc6-11e8-b22c-d80cc555896cI.B.ivVotersSecuring ourdemocratic processes is of paramount importanceto the United States and our democraticallies. State and local government officials ownand operate diverse election infrastructure withinthe United States. Therefore, when requestedwe will provide technical and risk managementservices, support training and exercising,maintain situational awareness of threats to thissector, and improve the sharing of threat intelligencewith those officials to better prepare andprotect the election infrastructure. The FederalGovernment will continue to coordinate thedevelopment of cybersecurity standards andguidance to safeguard the electoral process andthe tools that deliver a secure system. In theevent of a significant cyber incident, the FederalGovernment is poised to provide threat andasset response to recover election infrastructure.IncentivesIncentivize Cybersecurity Investments_ebd05796-bdc6-11e8-b22c-d80cc555896cI.B.vMostcybersecurity risks to critical infrastructure stemfrom the exploitation of known vulnerabilities.The United States Government will work withprivate and public sector entities to promoteunderstanding of cybersecurity risk so they makemore informed risk-management decisions,invest in appropriate security measures, andrealize benefits from those investments. R&DPrioritize National Research and Development Investments_ebd0593a-bdc6-11e8-b22c-d80cc555896cI.B.viThe Federal Governmentwill update the National Critical InfrastructureSecurity and Resilience Research and DevelopmentPlan to set priorities for addressing cybersecurityrisks to critical infrastructure. Departmentsand agencies will align their investmentsto the priorities, which will focus on building newcybersecurity approaches that use emergingtechnologies, improving information-sharingand risk management related to cross-sectorinterdependencies, and building resilienceto large-scale or long-duration disruptions.Transportation & MaritimeImprove Transportation and Maritime Cybersecurity_ebd05a70-bdc6-11e8-b22c-d80cc555896cI.B.viiAmerica’s economic and nationalsecurity is built on global trade and transportation.Our ability to guarantee free and timelymovement of goods, open sea and air linesof communications, access to oil and naturalgas, and availability of associated critical infrastructuresis vital to our economic and nationalsecurity. As these sectors have modernized, they have also become more vulnerable to cyberexploitation or attack. Maritime cybersecurityis of particular concern because lost or delayedshipments can result in strategic economicdisruptions and potential spillover effects ondownstream industries. Given the criticality ofmaritime transportation to the United States andglobal economy and the minimal risk-reductioninvestments to protect against cyber exploitationmade thus far, the United States will movequickly to clarify maritime cybersecurity rolesand responsibilities; promote enhanced mechanismsfor international coordination and informationsharing; and accelerate the developmentof next-generation cyber-resilient maritimeinfrastructure. The United States will assure theuninterrupted transport of goods in the face ofall threats that can hold this inherently internationalinfrastructure at risk through cyber means.SpaceImprove Space Cybersecurity_ebd05b9c-bdc6-11e8-b22c-d80cc555896cI.B.viiiThe UnitedStates considers unfettered access to andfreedom to operate in space vital to advancingthe security, economic prosperity, and scientificknowledge of the Nation. The Administrationis concerned about the growing cyber-relatedthreats to space assets and supporting infrastructurebecause these assets are critical tofunctions such as positioning, navigation, andtiming (PNT); intelligence, surveillance, andreconnaissance (ISR); satellite communications;and weather monitoring. The Administrationwill enhance efforts to protect our space assetsand support infrastructure from evolving cyberthreats, and we will work with industry andinternational partners to strengthen the cyberresilience of existing and future space systems.ReportingCombat Cybercrime and Improve Incident Reporting_ebd05cf0-bdc6-11e8-b22c-d80cc555896cI.CFederal departments and agencies, in cooperationwith state, local, tribal, and territorialgovernment entities, play a critical role indetecting, preventing, disrupting, and investigatingcyber threats to our Nation. The UnitedStates is regularly the victim of malicious cyberactivity perpetrated by criminal actors, includingstate and non-state actors and their proxiesand terrorists using network infrastructurein the United States and abroad. Federal lawenforcement works to apprehend and prosecuteoffenders, disable criminal infrastructure, limitthe spread and use of nefarious cyber capabilities,prevent cyber criminals and their statesponsors from profiting from their illicit activity,and seize their assets. The Administration willpush to ensure that our Federal departmentsand agencies have the necessary legal authoritiesand resources to combat transnationalcybercriminal activity, including identifying anddismantling botnets, dark markets, and otherinfrastructure used to enable cybercrime, andcombatting economic espionage. To effectivelydeter, disrupt, and prevent cyber threats, lawenforcement will work with private industry toconfront challenges presented by technologicalbarriers, such as anonymization and encryptiontechnologies, to obtain time-sensitive evidencepursuant to appropriate legal process. Lawenforcement actions to combat criminal cyberactivity serve as an instrument of national powerby, among other things, deterring those activities.IncidentsImprove Incident Reporting and Response_ebd05e26-bdc6-11e8-b22c-d80cc555896cI.C.iThe United States Government will continueto encourage reporting of intrusions and theftof data by all victims, especially critical infrastructurepartners. The prompt reporting ofcyber incidents to the Federal Government isessential to an effective response, linking of related incidents, identification of the perpetrators,and prevention of future incidents.LawsModernize Electronic Surveillance and Computer Crime Laws_ebd060b0-bdc6-11e8-b22c-d80cc555896cI.C.iiThe Administration willwork with the Congress to update electronicsurveillance and computer crime statutes toenhance law enforcement’s capabilities tolawfully gather necessary evidence of criminalactivity, disrupt criminal infrastructure throughcivil injunctions, and impose appropriateconsequences upon malicious cyber actors. Transnational Criminal OrganizationsReduce Threats from Transnational Criminal Organizations in Cyberspace_ebd0627c-bdc6-11e8-b22c-d80cc555896cI.C.iiiComputer hacking conducted by transnationalcriminal groups poses a significant threat to ournational security. Equipped with sizeable funds,organized criminal groups operating abroademploy sophisticated malicious software, spearphishingcampaigns, and other hacking tools— some of which rival those of nation states insophistication — to hack into sensitive financialsystems, conduct massive data breaches, spreadransomware, attack critical infrastructure, andsteal intellectual property. The Administrationwill advocate for law enforcement to haveeffective legal tools to investigate and prosecutesuch groups and modernized organized crimestatutes for use against this threat. ApprehensionImprove Apprehension of Criminals Located Abroad_ebd063c6-bdc6-11e8-b22c-d80cc555896cI.C.ivForeign NationsDeterring cybercrime requires a crediblethreat that perpetrators will be identified, apprehended,and brought to justice. However, someforeign nations choose not to cooperate withextradition requests, impose unreasonablelimitations, or actively interfere in these efforts.The United States will continue to identify gapsand potential mechanisms for bringing foreignbasedcyber criminals to justice. The UnitedStates Government will also increase diplomaticand other efforts with countries to promotecooperation with legitimate extradition requests.We will push other nations to expedite their assistancein investigations and to comply with anybilateral or multilateral agreements or obligations.Partner NationsStrengthen Partner Nations’ Law Enforcement Capacity to Combat Criminal Cyber Activity_ebd06510-bdc6-11e8-b22c-d80cc555896cI.C.vPartner NationsThe United States should alsoaid willing partner nations to build their capacityto address criminal cyber activity. The borderlessnature of cybercrime, including state-sponsoredand terrorist activities, requires strong internationallaw enforcement partnerships. Thiscooperation requires foreign law enforcementagencies to have the technical capability toassist United States law enforcement effectivelywhen requested. It is therefore in the interest ofUnited States national security to continuebuilding cybercrime-fighting capacity thatfacilitates stronger international lawenforcement cooperation.The United States will strive to improve internationalcooperation in investigating maliciouscyber activity, including developing solutionsto potential barriers to gathering and sharingevidence. The United States will also leadin developing interoperable and mutuallybeneficial systems to encourage efficientcross-border information exchange for lawenforcement purposes and reduce barriersto coordination. The Administration will urgeeffective use of existing international tools likethe United Nations Convention Against TransnationalOrganized Crime and the G7 24/7Network Points of Contact. Finally, we will workto expand the international consensus favoringthe Convention on Cybercrime of the Councilof Europe (Budapest Convention), including bysupporting greater adoption of the convention. ProsperityPromote American Prosperity_ebd06682-bdc6-11e8-b22c-d80cc555896cPillar IIThe Internet has generated tremendous benefits domestically and abroad, and it helps to advance American valuesof freedom, security, and prosperity. Alongwith its expansion have come challenges thatthreaten our national security. The UnitedStates will demonstrate a coherent and comprehensiveapproach to address these and otherchallenges to defend American nationalinterests in this increasingly digitized world.OBJECTIVE: Preserve United States influencein the technological ecosystem and the developmentof cyberspace as an open engine ofeconomic growth, innovation, and efficiency.Digital EconomyFoster a Vibrant and Resilient Digital Economy_ebd067d6-bdc6-11e8-b22c-d80cc555896cII.AEconomic security is inherently tied to ournational security. As the foundations of oureconomy are becoming increasingly rootedin digital technologies, the United StatesGovernment will model and promote standardsthat protect our economic security and reinforcethe vitality of the American marketplace andAmerican innovation. Technology MarketplaceIncentivize an Adaptable and Secure Technology Marketplace_ebd0692a-bdc6-11e8-b22c-d80cc555896cII.A.iTo enhance the resilienceof cyberspace, the Administration expectsthe technology marketplace to support andreward the continuous development, adoption,and evolution of innovative security technologiesand processes. The Administration will workacross stakeholder groups, including the privatesector and civil society, to promote best practicesand develop strategies to overcome marketbarriers to the adoption of secure technologies.The Administration will improve awareness andtransparency of cybersecurity practices to buildmarket demand for more secure products andservices. Finally, the Administration will collaboratewith international partners to promoteopen, industry-driven standards with governmentsupport, as appropriate, and risk-basedapproaches to address cybersecurity challengesto include platform and managed serviceapproaches that lower barriers to secure practiceadoption across the breadth of the ecosystem. InnovationPrioritize Innovation_ebd06aa6-bdc6-11e8-b22c-d80cc555896cII.A.iiThe United StatesGovernment will promote implementation and continuous updating of standards and bestpractices that deter and prevent current andevolving threats and hazards in all domainsof the cyber ecosystem. These standardsand practices should be outcome-orientedand based on sound technological principlesrather than point-in-time company specifications.The Administration will eliminate policybarriers that inhibit a robust cybersecurityindustry from developing, sharing, and buildinginnovative capabilities to reduce cyber threats. InfrastructureInvest in Next Generation Infrastructure_ebd06c04-bdc6-11e8-b22c-d80cc555896cII.A.iiiThe Administration will facilitate the accelerateddevelopment and rollout of next-generationtelecommunications and information communicationsinfrastructure here in the United States,while using the buying power of the FederalGovernment to incentivize themove towards more securesupply chains. The UnitedStates Government will workwith the private sector to facilitatethe evolution and securityof 5G, examine technologicaland spectrum-based solutions,and lay the groundwork for innovation beyondnext-generation advancements. The UnitedStates Government will examine the use ofemerging technologies, such as artificial intelligenceand quantum computing, while addressingrisks inherent in their use and application. Wewill collaborate with the private sector and civilsociety to understand trends in technologyadvancement to maintain the United Statestechnological edge in connected technologiesand to ensure secure practices are adopted fromthe outset.Data FlowsPromote the Free Flow of Data Across Borders_ebd06d6c-bdc6-11e8-b22c-d80cc555896cII.A.ivCountries are increasingly lookingtowards restrictive data localization and regulationsas pretexts for digital protectionism underthe rubric of national security. Those actionsnegatively impact the competitiveness of UnitedStates companies. The United States will continueto lead by example and push back against unjustifiablebarriers to the free flow of data and digitaltrade. The Administration will continue to workwith international counterparts to promote open,industry driven standards, innovative products,and risk-based approaches that permit globalinnovation and the free flow of data while meetingthe legitimate security needs of the United States. Emerging TechnologiesMaintain United States Leadership in Emerging Technologies_ebd06efc-bdc6-11e8-b22c-d80cc555896cII.A.vThe United States’influence in cyberspace is linked to our technologicalleadership. Accordingly, the United StatesGovernment will make a concerted effort toprotect cutting edge technologies,including from theft byour adversaries, support thosetechnologies’ maturation, and,where possible, reduce UnitedStates companies’ barriersto market entry. The UnitedStates will promote UnitedStates cybersecurity innovation worldwidethrough trade-related engagement, raisingawareness of innovative American cybersecuritytools and services, exposing and counteringrepressive regimes use of such tools and servicesto undermine human rights, and reducingbarriers to a robust global cybersecurity market. Cybersecurity LifecyclePromote Full-Lifecycle Cybersecurity_ebd0706e-bdc6-11e8-b22c-d80cc555896cII.A.viTheUnited States Government will promote full-lifecyclecybersecurity, pressing for strong, defaultsecurity settings, adaptable, upgradeableproducts, and other best practices built in atthe time of product delivery. We will identify aclear pathway toward an adaptable, sustainable,and secure technology marketplace, encouraging manufacturers to differentiate productsbased on the quality of their security features.The United States Government will promotefoundational engineering practices to reducesystemic fragility and develop designs thatdegrade and recover effectively when successfullyattacked. The United States Governmentwill also promote regular testing and exercisingof the cybersecurity and resilience of productsand systems during development using bestpractices from forward-leaning industries. Thisincludes promotion and use of coordinatedvulnerability disclosure, crowd-sourced testing,and other innovative assessments that improveresiliency ahead of exploitation or attack. TheUnited States Government will also evaluate howto improve the end-to-end lifecycle for digitalidentity management, including over-reliance onSocial Security numbers.IngenuityFoster and Protect United States Ingenuity_ebd071e0-bdc6-11e8-b22c-d80cc555896cII.BFostering and protecting American invention andinnovation is critical to maintaining the UnitedStates’ strategic advantage in cyberspace. TheUnited States Government will nurture innovationby promoting institutions and programs thatdrive United States competitiveness. The UnitedStates Government will counter predatorymergers and acquisitions and counter intellectualproperty theft. We will also catalyze United Statesleadership in emerging technologies and promotegovernment identification and support to thesetechnologies, which include artificial intelligence,quantum information science, and next-generationtelecommunication infrastructure.Foreign Investment & OperationsUpdate Mechanisms to Review Foreign Investment and Operation in the United States_ebd0738e-bdc6-11e8-b22c-d80cc555896cII.B.iThe confidentiality, integrity, andavailability of United States telecommunicationsnetworks are essential to our economyand national security. We must be vigilant tosafeguard the telecommunications networks wedepend on in our everyday lives so they cannotbe used or compromised by a foreign adversaryto harm the United States. The United StatesGovernment will balance these objectives byformalizing and streamlining the review ofFederal Communications Commission referralsfor telecommunications licenses. The UnitedStates Government will facilitate a transparentprocess to increase the efficiency of this review.IPMaintain a Strong and Balanced Intellectual Property Protection System_ebd07514-bdc6-11e8-b22c-d80cc555896cII.B.iiStrong intellectualproperty protections ensure continuedeconomic growth and innovation in the digitalage. The United States Government has fosteredand will continue to help foster a global intellectualproperty rights system that providesincentives for innovation through the protectionand enforcement of intellectual property rightssuch as patents, trademarks, and copyrights.The United States Government will also promoteprotection of sensitive emerging technologiesand trade secrets, and we will work to preventadversarial nation states from gaining unfairadvantage at the expense of American researchand development.IdeasProtect the Confidentiality and Integrity of American Ideas_ebd076c2-bdc6-11e8-b22c-d80cc555896cII.B.iiiFor more than a decade,malicious actors have conducted cyber intrusionsinto United States commercial networks,targeting confidential business informationheld by American firms. Malicious cyber actorsfrom other nations have stolen troves of tradesecrets, technical data, and sensitive proprietaryinternal communications. The United StatesGovernment will work against the illicit appropriation of public and private sector technologyand technical knowledge by foreign competitors,while maintaining an investor-friendly climate. Workforce DevelopmentDevelop a Superior Cybersecurity Workforce_ebd07898-bdc6-11e8-b22c-d80cc555896cII.CCybersecurity WorkforceA highly skilled cybersecurity workforce is astrategic national security advantage. The UnitedStates will fully develop the vast American talentpool, while at the same time attracting the bestand brightest among those abroad who share ourvalues. Talent PipelineBuild and Sustain the Talent Pipeline_ebd07a28-bdc6-11e8-b22c-d80cc555896cII.C.iOur peer competitors are implementingworkforce development programs that havethe potential to harm long-term United Statescybersecurity competitiveness. The UnitedStates Government will continue to invest inand enhance programs that build the domestictalent pipeline, from primary through postsecondaryeducation. The Administration willleverage the President’s proposed merit-basedimmigration reforms to ensure that the UnitedStates has the most competitive technologysector. This effort may require additionallegislation to achieve the sought after goals.Education & Re-SkillingExpand Re-Skilling and Educational Opportunities for America’s Workers_ebd07c80-bdc6-11e8-b22c-d80cc555896cII.C.iiAmerica’s WorkersThe Administrationwill work with the Congress to promoteand reinvigorate educational and trainingopportunities to develop a robust cybersecurityworkforce. This includes expanding Federalrecruitment, training, re-skilling people from abroad range of backgrounds, and giving themopportunities to re-train into cybersecuritycareers.Workforce EnhancementEnhance the Federal Cybersecurity Workforce_ebd07e88-bdc6-11e8-b22c-d80cc555896cII.C.iiiTo improve recruitment andretention of highly qualified cybersecurity professionalsto the Federal Government, the Administrationwill continue to use the National Initiativefor Cybersecurity Education (NICE) Frameworkto support policies allowing for a standardizedapproach for identifying, hiring, developing, andretaining a talented cybersecurity workforce.Additionally, the Administration will exploreappropriate options to establish distributedcybersecurity personnel under the managementof DHS to oversee the development, management,and deployment of cybersecurity personnelacross Federal departments and agencies withthe exception of DOD and the IC. The Administrationwill promote appropriate financialcompensation for the United States Governmentworkforce, as well as unique training and operationalopportunities to effectively recruit andretain critical cybersecurity talent in light of thecompetitive private sector environment.TalentUse Executive Authority to Highlight and Reward Talent_ebd08086-bdc6-11e8-b22c-d80cc555896cII.C.ivThe United StatesGovernment will promote and magnify excellenceby highlighting cybersecurity educatorsand cybersecurity professionals. The UnitedStates Government will also leverage publicprivatecollaboration to develop and circulatethe NICE Framework, which provides astandardized approach for identifying cybersecurityworkforce gaps, while also implementingactions to prepare, grow, and sustain aworkforce that can defend and bolster America’scritical infrastructure and innovation base.PeacePreserve Peace through Strength_ebd0823e-bdc6-11e8-b22c-d80cc555896cPillar IIIChallenges to United States security and economic interests, from nation states and other groups, which have longexisted in the offline world are now increasinglyoccurring in cyberspace. This now-persistentengagement in cyberspace is already altering thestrategic balance of power. This Administrationwill issue transformative policies that reflecttoday’s new reality and guide the United StatesGovernment towards strategic outcomes thatprotect the American people and our way of life.Cyberspace will no longer be treated as a separatecategory of policy or activity disjointed fromother elements of national power. The UnitedStates will integrate the employment of cyberoptions across every element of national power.OBJECTIVE: Identify, counter, disrupt, degrade,and deter behavior in cyberspace that is destabilizingand contrary to national interests, whilepreserving United States overmatch in andthrough cyberspace.StabilityEnhance Cyber Stability through Norms of Responsible State Behavior_ebd08450-bdc6-11e8-b22c-d80cc555896cIII.AThe United States will promote a framework ofresponsible state behavior in cyberspace builtupon international law, adherence to voluntarynon-binding norms of responsible state behaviorthat apply during peacetime, and the considerationof practical confidence building measuresto reduce the risk of conflict stemming frommalicious cyber activity. These principles shouldform a basis for cooperative responses to counterirresponsible state actions inconsistent with thisframework. NormsEncourage Universal Adherence to Cyber Norms_ebd08734-bdc6-11e8-b22c-d80cc555896cIII.A.iInternational law and voluntarynon-binding norms of responsible state behaviorin cyberspace provide stabilizing, security-enhancingstandards that define acceptablebehavior to all states and promote greaterpredictability and stability in cyberspace. TheUnited States will encourage other nationsto publicly affirm these principles and viewsthrough enhanced outreach and engagementin multilateral fora. Increased public affirmationby the United States and other governmentswill lead to accepted expectations ofstate behavior and thus contribute to greaterpredictability and stability in cyberspace.Attribution & DeterrenceAttribute and Deter Unacceptable Behavior in Cyberspace_ebd088f6-bdc6-11e8-b22c-d80cc555896cIII.BAs the United States continues to promoteconsensus on what constitutes responsible statebehavior in cyberspace, we must also work toensure that there are consequences for irresponsiblebehavior that harms the United States andour partners. All instruments of national powerare available to prevent, respond to, and determalicious cyber activity against the United States.This includes diplomatic, information, military(both kinetic and cyber), financial, intelligence,public attribution, and law enforcement capabilities.The United States will formalize and makeroutine how we work with like-minded partners toattribute and deter malicious cyber activities withintegrated strategies that impose swift, costly,and transparent consequences when maliciousactors harm the United States or our partners.IntelligenceLead with Objective, Collaborative Intelligence_ebd08b6c-bdc6-11e8-b22c-d80cc555896cIII.B.iThe IC will continue to lead the world inthe use of all-source cyber intelligence to drivethe identification and attribution of maliciouscyber activity that threatens United Statesnational interests. Objective and actionableintelligence will be shared across the UnitedStates Government and with key partnersto identify hostile foreign nation states, andnon-nation state cyber programs, intentions,capabilities, research and development efforts,tactics, and operational activities that willinform whole-of-government responses toprotect American interests at home and abroad.ConsequencesImpose Consequences_ebd08d42-bdc6-11e8-b22c-d80cc555896cIII.B.iiThe United States willdevelop swift and transparent consequences,which we will impose consistent with our obligationsand commitments to deter future badbehavior. The Administration will conduct interagencypolicy planning for the time periodsleading up to, during, and after the imposition ofconsequences to ensure a timely and consistentprocess for responding to and deterring maliciouscyber activities. The United States will workwith partners when appropriate to imposeconsequences against malicious cyber actors inresponse to their activities against our nation andinterests. DeterrenceBuild a Cyber Deterrence Initiative_ebd08ef0-bdc6-11e8-b22c-d80cc555896cIII.B.iiiTheimposition of consequences will be moreimpactful and send a stronger message if it iscarried out in concert with a broader coalition oflike-minded states. The United States will launchan international Cyber Deterrence Initiative tobuild such a coalition and develop tailored strategiesto ensure adversaries understand the consequencesof their malicious cyber behavior. TheUnited States will work with like-minded statesto coordinate and support each other’s responsesto significant malicious cyber incidents, includingthrough intelligence sharing, buttressing of attributionclaims, public statements of support forresponsive actions taken, and joint impositionof consequences against malign actors. Malign InfluenceCounter Malign Cyber Influence and Information Operations_ebd090d0-bdc6-11e8-b22c-d80cc555896cIII.B.ivThe United States will useall appropriate tools of national power to exposeand counter the flood of online malign influenceand information campaigns and non-state propagandaand disinformation. This includes workingwith foreign government partners as well as theprivate sector, academia, and civil society toidentify, counter, and prevent the use of digitalplatforms for malign foreign influence operationswhile respecting civil rights and liberties.InfluenceAdvance American Influence_ebd0927e-bdc6-11e8-b22c-d80cc555896cPillar IVThe world looks to the United States, where much of the innovation for today’s Internet originated, for leadership on avast range of transnational cyber issues. TheUnited States will maintain an active internationalleadership posture to advance Americaninfluence and to address an expanding array ofthreats and challenges to its interests in cyberspace.Collaboration with allies and partnersis also essential to ensure we can continue tobenefit from the cross-border communications,content creation, and commerce generated by theopen, interoperable architecture of the Internet.OBJECTIVE: Preserve the long-term openness,interoperability, security, and reliability of theInternet, which supports and is reinforced byUnited States interests. InternetPromote an Open, Interoperable, Reliable, and Secure Internet_ebd09436-bdc6-11e8-b22c-d80cc555896cIV.AThe global Internet has prompted some ofthe greatest advancements since the industrialrevolution, enabling great advances incommerce, health, communications, and othernational infrastructure. At the same time, centuries-oldbattles over human rights and fundamentalfreedoms are now playing out online.Freedoms of expression, peaceful assembly, andassociation, as well as privacy rights, are underthreat. Despite unprecedented growth, the Internet’seconomic and social potential continuesto be undermined by online censorship andrepression. The United States stands firm onits principles to protect and promote an open,interoperable, reliable, and secure Internet. Wewill work to ensure that our approach to an openInternet is the international standard. We willalso work to prevent authoritarian states thatview the open Internet as a political threat fromtransforming the free and open Internet into anauthoritarian web under their control, underthe guise of security or countering terrorism. FreedomProtect and Promote Internet Freedom_ebd0962a-bdc6-11e8-b22c-d80cc555896cIV.A.iThe United States Government conceptualizesInternet freedom as the online exercise of humanrights and fundamental freedoms — such as thefreedoms of expression, association, peacefulassembly, religion or belief, and privacy rightsonline — regardless of frontiers or medium. Byextension, Internet freedom also supports the free flow of information online that enhances internationaltrade and commerce, fosters innovation,and strengthens both national and internationalsecurity. As such, United States Internetfreedom principles are inextricably linked to ournational security. Internet freedom is also a keyguiding principle with respect to other UnitedStates foreign policy issues, such as cybercrimeand counterterrorism efforts. Given its importance,the United States will encourage othercountries to advance Internet freedom throughvenues such as the Freedom Online Coalition, ofwhich the United States is a founding member. PartnershipsWork with Like-Minded Countries, Industry, Academia, and Civil Society_ebd097e2-bdc6-11e8-b22c-d80cc555896cIV.A.iiLike-Minded CountriesIndustryAcademiaCivil SocietyThe UnitedStates will continue to work with like-mindedcountries, industry, civil society, and otherstakeholders to advance human rights andInternet freedom globally and to counter authoritarianefforts to censor and influence Internetdevelopment. The United States Governmentwill continue to support civil society throughintegrated support for technology development,digital safety training, policy advocacy, andresearch. These programs aim to enhance theability of individual citizens, activists, humanrights defenders, independent journalists, civilsociety organizations, and marginalized populationsto safely access the uncensored Internetand promote Internet freedom at the local,regional, national, and international levels. GovernancePromote a Multi-Stakeholder Model of Internet Governance_ebd099a4-bdc6-11e8-b22c-d80cc555896cIV.A.iiiThe United States willcontinue to actively participate in global effortsto ensure that the multi-stakeholder model ofInternet governance prevails against attemptsto create state-centric frameworks that wouldundermine openness and freedom, hinderinnovation, and jeopardize the functionality ofthe Internet. The multi-stakeholder model ofInternet governance is characterized by transparent,bottom-up, consensus-driven processesand enables governments, the private sector, civilsociety, academia, and the technical communityto participate on equal footing. The United StatesGovernment will defend the open, interoperablenature of the Internet in multilateral and internationalfora through active engagement in keyorganizations, such as the Internet Corporationfor Assigned Names and Numbers, the InternetGovernance Forum, the United Nations, andthe International Telecommunication Union.Communications & ConnectivityPromote Interoperable and Reliable Communications Infrastructureand Internet Connectivity_ebd09ba2-bdc6-11e8-b22c-d80cc555896cIV.A.ivThe United Stateswill promote communications infrastructureand Internet connectivity that is open, interoperable,reliable, and secure. Such investmentwill provide greater opportunities for Americanfirms to compete while countering the influenceof statist, top-down government interventionsin areas of strategic competition. It will alsoprotect America’s security and commercialinterests by strengthening United States industry’scompetitive position in the global digitaleconomy. The Administration will also supportand promote open, industry-led standards activitiesbased on sound technological principles.International MarketsPromote and Maintain Markets for United States Ingenuity Worldwide_ebd09d6e-bdc6-11e8-b22c-d80cc555896cIV.A.vAmerican innovators and security professionals havecontributed significantly in designing productsand services that improve our ability to communicateand interact globally and that protectcommunications infrastructure, data, and devicesworldwide. The United States will continueto promote markets for American ingenuityoverseas, including for emerging technologiesthat can lower the cost of security. The UnitedStates will also advise on infrastructure deployments, innovation, risk management, policy, andstandards to further the global Internet’s reachand to ensure interoperability, security, andstability. Finally, the United States will work withinternational partners, government, industry,civil society, technologists, and academics toimprove the adoption and awareness of cybersecuritybest practices worldwide. International CapacityBuild International Cyber Capacity_ebd09f3a-bdc6-11e8-b22c-d80cc555896cIV.BCapacity building equips partners to protectthemselves and assist the United States inaddressing threats that target mutual interests,while serving broader diplomatic, economic,and security goals. Through cyber capacitybuilding initiatives, the United States buildsstrategic partnerships that promote cybersecuritybest practices through a common visionof an open, interoperable, reliable, and secureInternet that encourages investment and opensnew economic markets. In addition, capacitybuilding allows for additional opportunities toshare cyber threat information, enabling theUnited States Government and our partners tobetter defend domestic critical infrastructure andglobal supply chains, as well as focus whole-ofgovernmentcyber engagements. Our leadershipin building partner cybersecurity capacityis critical to maintaining American influenceagainst global competitors. Building partnercyber capacity will empower internationalpartners to implement policies and practiceswhich allow them to be effective partners in theUnited States-led Cyber Deterrence Initiative. Capacity BuildingEnhance Cyber Capacity Building Efforts_ebd0a14c-bdc6-11e8-b22c-d80cc555896cIV.B.iMany United States allies and partners possessunique cyber capabilities that can complementour own. The United States will work tostrengthen the capacity and interoperability ofthose allies and partners to improve our ability tooptimize our combined skills, resources, capabilities,and perspectives against shared threats.Partners can also help detect, deter, and defeatthose shared threats in cyberspace. In order forinternational partners to effectively protect theirdigital infrastructure and combat shared threats,while realizing the economic and social gainsderived from the Internet and ICTs, the UnitedStates will continue to address the buildingblocks for organizing national efforts on cybersecurity.We will also aggressively expand effortsto share automated and actionable cyber threatinformation, enhance cybersecurity coordination,and promote analytical and technicalexchanges. In addition, the United States willwork to reduce the impact and influence oftransnational cybercrime and terrorist activitiesby partnering with and strengtheningthe security and law enforcement capabilitiesof our partners to build their cyber capacity.2018-09-012018-09-21https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdfOwenAmburOwen.Ambur@verizon.net