CT3- STEVENS

U.S. Cyber Security Policy Elizabeth Stevens Dr. Gurpreet Dhillon INFO – 644, CT3



Page 1: CT3- STEVENS

U.S. Cyber Security Policy
Elizabeth Stevens
Dr. Gurpreet Dhillon
INFO – 644, CT3

Page 2: CT3- STEVENS

What Is Cyber Security?

• Subramanian (2010) defines cyber security as:
  • “The security of a nation’s computer and telecommunications infrastructure as well as the data stored within the computers from outside attack” (Dhillon, 2013, p. 188).
• Cyber security includes protection of:
  • Hardware
  • Software
  • Information in both public and private sectors
  • Military
  • Communications networks
  • Electrical grids
  • Power plants

Page 3: CT3- STEVENS

Circuits of Power

• The history of U.S. cyber security policy is examined through Clegg’s theory of circuits of power.
• Circuits of power “explains power relationships independent of the particular circumstances of organizations or their structure. The application of the theory leads to a complete political appraisal of the organization” (Dhillon, 2013, p. 190).
• Power circulates in three different circuits:
  • Episodic circuit
  • Social integration circuit
  • System integration circuit

Page 4: CT3- STEVENS

Episodic Power

• Episodic power – describes the day-to-day interaction, work, and outcomes (p. 190); can be recognized by outcomes and actions.
• The attacks of 9/11 led to the creation of the Department of Homeland Security (DHS); 22 separate departments merged into one agency.
• The new position of Secretary of DHS would come with great political power:
  • Appointing responsibilities
  • Directing funds and resources
  • Implementing personnel policy
  • Oversight

Page 5: CT3- STEVENS

Episodic Power cont.

• Creation of DHS led to issues within Congress and other parts of the federal government:
  • Committee Chairs did not want to give up their powers.
  • If one committee exercised power, it was resisted by other ones.
  • Funds were misappropriated across different agencies nationwide.
  • Richard Clarke, author of “National Plan to Secure Cyberspace” was forced to resign.
  • Between 2003-2005, there was no real cyber security strategy; lack of leadership and “turf wars” kept cyber security czars from developing cyber security strategies.
  • Major cyber security breaches in 2007 and 2008 affected State Dept., DoD, DHS, NASA and the VA.

Page 6: CT3- STEVENS

Episodic Power cont.

• These breaches prompted directives HSPD 23 and NSPD 54 that led to the Comprehensive National Cybersecurity Initiative (CNCI) and the National Cyber Security Center (NCSC).
• The NSA wanted to be in charge of cyber security.
• In 2009, Obama promised to develop a national cyber security policy and appoint a federal cyber security coordinator.
• This position would be above NSA and DHS and depends on the collaboration between different organizations.
• According to Dhillon (2013), “episodic power relationships played a crucial part in the first decade of cybersecurity administration and implementation in the U.S.” (p. 197).

Page 7: CT3- STEVENS

Social Integration

• A month after 9/11, Senator Lieberman introduced a bill to establish a DHS that had aspects of cyber security:
  • Maintaining a hub of cyber security experts
  • Sharing of information concerning cyber security in the U.S.
  • Establishing cyber security standards with the FCC
  • Certifying national preparedness for cyber attacks
• After DHS was created, cyber security matters took a low priority.
• DHS officials and Bush loyalists did not criticize its lacking cyber security initiatives, as most of the country unquestioningly supported the government’s national security endeavors.

Page 8: CT3- STEVENS

System Integration

• System integration has two subcomponents:
  • Production
  • Discipline
• The Cyber Security Enhancement Act (CSEA) of 2002 grants companies permission to release customers’ electronic info to government employees without warrants or legal documents.
  • Reports were exempt from Freedom of Information Act requests
  • Companies providing info were free from being sued by customers
  • Customers did not have to be notified that their info was released
• Stop Online Piracy Act (SOPA) of 2012 was met with a huge public backlash; major internet companies opposed SOPA.

Page 9: CT3- STEVENS

Conclusion

• Cyber security policy was drastically affected by:
  • Turf wars
  • Executive orders
  • Legislative procedures
  • Patriotic culture
  • Public backlash
  • Major shifts in power within the federal government
• Obama’s 2013 executive order to put cyber security policy into law will design a framework for the government and the private sector to “allow intelligence to be gathered on cyber threats to privately owned critical infrastructure…so they can better protect themselves” (Dhillon, 2013, p. 202).