7

One Government’s Approach to Cyber Security Policy

7.1 U.S. Federal Cyber Security Strategy

This chapter examines the cyber security policy that has been adopted by the U.S. federal government from a strategic perspective. Prior to the early 1990s, U.S. cyber security policy was a straightforward response to the proliferation of electronic records, and has been described in Chapter 2. Here, we chronicle more recent history of federal-level cyber security issues that have prompted strategy and associated policy. The chapter explains government action in response to historical events and suggests areas that the government might consider for future action. It begins with a brief historical overview of the most significant events in the past two decades that shape today’s policy debates in Washington. While most of the events are clearly cyber-centric, some are not immediately obvious with respect to their contribution to the field of cyber security policy. We start this historical review with terrorist attacks against the United States in the early 1990s, and proceed through actions taken in subsequent administrations. The chapter concludes with general observations of strategy and policy that have been illustrated by the history.

The U.S. Federal Government’s policy attitude toward cyber security has ranged from enforcing strong standards developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to complete ignorance of the severity ...