On May 29, 2009, the White House released the “ Cyberspace Policy Review,” which was the product of a 60-day comprehensive study conducted by the National Security Council and Homeland Security Council and led by Melissa Hathaway, acting Senior Director for Cyberspace for the National Security Council. President Obama commissioned this study in February of this year in order to assess U.S. policies and structures for cybersecurity.
There has been much commentary about the Review, but most of this commentary has ignored one of the most interesting aspects of it--the role for international entities and international outreach. Although previous U.S. government cybersecurity initiatives recognized cybersecurity as an international issue, these past initiatives were primarily inward-focused and did not contemplate much international involvement in cybersecurity policy. The Review not only recognized cybersecurity as an international issue, but also was influenced by international partners who were consulted during the 60-day study that culminated in the Review. More importantly--at least for the international business community--the Review contemplates the participation and cooperation of international partners in the formulation of cybersecurity policy. This presents a unique opportunity for international businesses to play a role in the cybersecurity policy debate and the formulation of an overall cybersecurity strategy. This is especially important as the positions taken by the United States government on these issues are likely to greatly influence and affect the rules and laws adopted by other governments and international organizations.
Like past cybersecurity initiatives, the Review properly recognized cybersecurity as an international issue. It notes that “[i]nformation and communications networks are largely owned and operated by the private sector, both nationally and internationally” and explains that this requires “[i]nternational norms . . . to establish a secure and thriving digital infrastructure." Accordingly, the Review emphasizes that the United States needs to "formulate and coordinate international cybersecurity-related positions" and to develop "a strategy for cybersecurity designed to shape the international environment.”
But the Review does much more than simply recognize the international nature of cybersecurity. The review team reached out to international partners for assistance in identifying and assessing issues relating to cybersecurity. More importantly, understanding that we must “ensure the stability and global interoperability of the Internet, while increasing security and reliability for all users,” the Review contemplates an ongoing role for members of the international community, explaining that “addressing network security issues requires a public-private partnership as well as international cooperation and norms.”
The Review highlights the need to “bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force.” The Review also stresses that the federal government should work with the private sector to “coordinate and expand international partnerships to address the full range of cybersecurity-related activities, policies, and opportunities associated with the information and communications infrastructure upon which U.S. businesses, government services, the U.S. military, and nations depend.” In particular, the Review notes that the federal government “should increase resources and attention dedicated to conducting outreach and building foreign capacity” and "accelerate efforts to help other countries build legal frameworks and capacity to fight cybercrime and continue efforts to promote cybersecurity practices and standards.”
That the Review contemplates such international collaboration and cooperation in formulating cybersecurity policy is an important development for the international business community. International businesses will have a unique opportunity to participate in the ongoing public policy debates concerning cybersecurity and in crafting national and international cybersecurity policies going forward.