Administration unveils cybersecurity foreign policy

Cabinet officials on Monday introduced a plan to incorporate network security into future foreign policy actions. The announcement of an international strategy for cyberspace comes one week after the White House sent Congress a legislative proposal for a sweeping overhaul of U.S. network security.

Monday's policy outlines the moves the United States must make in partnership with allies to promote compatible, secure, reliable and unfettered information exchange.

"This is a strategy that goes beyond any singular partner or agency," John Brennan, President Obama's top counterterrorism adviser, said during a formal unveiling of the framework at the White House.

Academics have long warned that poor interagency collaboration and misaligned domestic and foreign cyberspace policies are hurting U.S. efforts to, among other things, cut off financial support for terrorist groups. Nabbing the groups backing, for example, suicide bombers requires balancing national security and individual online privacy. Government officials typically must trace credit card transactions, online payments, emails and other communications to understand the target's day-to-day activities.

Officials acknowledged that the strategy is vague on specific tools, as it is not a technical document. It largely builds upon existing policies, such as the 2001 Budapest convention on cybercrime, a binding pact signed by 30 countries including the United States, Canada, Japan and South Africa. The convention provides nations with a template for drafting laws on evidence-sharing and extradition. The United States wants more countries to join the convention, or at least craft laws modeled after its rules.

The department heads said they will carry out the initiative using global standards of acceptable behavior, rather than relying on statutes.

"The development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete," the policy document stated. "We will continue to work internationally to forge consensus regarding how norms of behavior apply to cyberspace, with the understanding that an important first step in such efforts is applying the broad expectations of peaceful and just interstate conduct to cyberspace."

Earlier this year, a study by the East West Institute, a Brussels-based think tank, concluded that a global cyber treaty may be unattainable because private companies -- not nations -- control much of the Internet's infrastructure. The organization recommended instituting voluntary private sector agreements and international standards, similar to the goals the Obama administration laid out on Monday.

The strategy makes clear the United States will defend its networks from terrorists, cybercriminals or other nation states when necessary, taking care not to violate the privacy of U.S. citizens.

"Department of Defense networks are probed millions of times a day . . . cyber threats are growing more serious and more prevalent," said Defense Department Deputy Secretary William J. Lynn III. "Far greater levels of cooperation with more nations are needed if we are to stay ahead of the cyber threat."

He noted Defense has in the works a forthcoming strategy for operating in cyberspace. Currently there is no Geneva Convention for cyberwar that would protect civilians by drawing a line against, for example, attacks on hospital databases or air traffic control networks.

The framework states, "We reserve the right to use all necessary means -- diplomatic, informational, military and economic -- as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners and our interests."

It underscores that some regions, namely Africa and the Middle East, are not part of existing organizations that have begun dealing with network security issues, such as the Association of Southeast Asian Nations, Organization for Economic Cooperation and Development, and the United Nations.

Homeland Security Secretary Janet Napolitano said, "The strategy calls for assisting international partners with capacity building, especially when it comes to developing the computer emergency readiness teams" -- a squad of security specialists that can be called in to identify the origin of attacks and mitigate potential damage from breaches.

The initiative encourages governments and businesses to jointly develop international, voluntary standards for system compatibility and security. It adds that countries should configure their networks in a way that does not interfere with internationally connected systems.

Secretary of State Hillary Clinton said, "While the Internet creates new economic opportunities, it also gives criminals new opportunities to steal personal information and intellectual property."

Attorney General Eric Holder echoed that sentiment, saying, "Unfortunately, for every technological or commercial quantum leap that we have made, criminals have kept pace." He said the strategy signals a new era of cooperation and vigilance that began with the Budapest agreement a decade ago.

Clinton stressed that the plan is not prescriptive. Her department has taken the lead on so-called Internet freedom -- the drive to stop oppressive regimes from filtering and disrupting citizens' online communications. On the subject of online censorship, the framework says states should not arbitrarily disrupt peoples' access to the Internet or other networked technologies.