National Cyber Security Strategies in the United States are largely influenced by the cybersecurity landscape of their time. Nevertheless, they often agree on broad areas of cyber that are important for the federal government to address. In this article, we cover the historical events that shaped these focus areas of cyber, the strategies that converge, and the gaps that the next iteration of cyber strategies can benefit from addressing.
The United States has pioneered the use of a strategic, deliberative, and targeted approach to cybersecurity policy. Colloquially referred to as the National Cyber Security Strategies (or NCSS), these documents memorializing U.S. cyber strategy have borne different names across various administrations (see Figure 1) and outline a cohesive approach to securing the nation's cyberspace. Each strategy details high-level plans for distinct government agencies and their roles and responsibilities in executing cybersecurity initiatives. While the initial focus primarily addressed federal systems, over time the breadth of the strategies expanded to encompass critical infrastructure operated by private organizations.
Notably, cybersecurity policy in the United States has been consistently bipartisan. Consequently, from President Bush's 2003 National Strategy to Secure Cyberspace to President Biden's 2023 National Cybersecurity Strategy, each administration has built upon the efforts of its predecessors. There is a broad alignment in strategic objectives across various NCSS. Yet, the tactical goals and associated priorities have varied over time.
This article explores the catalysts driving the evolution of NCSSs, examines how their nuances affect the broader landscape of cyber policy outcomes, and discusses how lessons from previous strategies could be used to help advance an effective cybersecurity strategy for the new administration.

Before delving into the specific changes brought about by the strategies, we need to review their legal and policy foundations. The US federal government's cyber journey began with the first “cyber law” known as the Computer Fraud and Abuse Act (CFAA) of 1986. Initially intended to protect government systems from unsanctioned physical access, the CFAA evolved to prevent all forms of intentional unauthorized access to computer systems, both physical and virtual, especially after the fall-out from the Morris worm – one of the first malicious attacks on computer systems unleashed via the then-nascent internet. Robert Tappan Morris was the first person convicted under the then-new CFAA.
Simultaneously, the Department of Defense began periodically releasing department-specific strategies called the National Security Strategies (NSS) in response to the Department of Defense Reorganization Act of 1986. Assignment of responsibilities for cybersecurity in federal systems came into effect through the Computer Security Act of 1987. It gave powers to the National Security Agency (NSA) to control all sensitive government computer systems while assigning the National Institute of Standards and Technology (NIST) as the security enabler for all non-sensitive, unclassified, non-military systems.
However, it was not until the 1997 National Security Strategy (NSS) of the Clinton administration that cyber concerns became intertwined with national security considerations. Referenced reports noted the use of novel digital technologies in warfare between countries. Subsequently, Clinton signed the seminal – albeit now-outmoded – Presidential Decision Directive 63 (PDD-63) to secure the nation’s critical infrastructure.
Subsequently, a series of high-profile cybersecurity incidents, like the Love Bug attack, the hacking of the Department of Defense and NASA by teenagers, and the Y2K panic, as well as non-cyber events like 9/11, led the Bush administration to publish the first comprehensive national cyber strategy. Known as the 2003 National Strategy to Secure Cyberspace, it followed the 2002 Federal Information Security Modernization Act (FISMA), which mandated robust security plans for all federal systems. In contrast to FISMA, Bush's strategy addressed critical infrastructure resiliency and national security more broadly.
| President | National Security Directive |
| --- | --- |
| William Clinton (1993-2001) | Presidential Decision Directives (PDD) PDD 5, 62, 63 |
| George W. Bush (2001-2009) | National Security Presidential Directives (NSPD) NSPD 38*, 54 |
| Barack Obama (2009-2017) | Presidential Policy Directives (PPD) PPD 20, 21, 41 |
| Donald Trump (2017-2021) | National Security Presidential Memorandum (NSPM) NSPM 13*, XX* |
| Joseph Biden (2021-2025) | National Security Memorandum (NSM) NSM X, 8, 10, 22, 25 |
In the following years, the Federal Bureau of Investigation (FBI) performed several cyber crackdowns on illegal networks, such as Operation Bot Roast I and Bot Roast II in 2007. Additionally, cyberattacks started becoming more sophisticated and targeted, like the spear phishing attack on the Office of the Secretary of Defense. The administration then released two presidential directives targeting cybersecurity – NSPD 38 in 2004 and NSPD 54 (HSPD 23) in 2008.
The Obama administration built on these directives, especially NSPD 38, and released its first strategy, titled the Comprehensive National Cybersecurity Initiative (CNCI), in 2009. This era was marked by the emergence of nation-state attackers termed Advanced Persistent Threats (APTs). In response, the administration further drew from NSPD 38 to create a new Presidential Policy Directive (PPD) 20 that authorized cyber surveillance and offensive capabilities for the United States government. PPD 20 is still classified but is widely available due to the Snowden leaks. This broad-scale support for cyber offense capabilities was new, and it brought along discussions of cyber norms.
Around the same time, attacks like Operation Aurora, the large-scale hacking of the Office of Personnel Management, and the Target hack, among others, demonstrated the growing role of nation-states in cyberattacks. With adversarial nation-state actors ramping up their cyber capabilities, they increased ransomware attacks on critical infrastructure companies in the United States. These attacks underscored the importance of cyberattack attribution and highlighted the need for public-private coordination at scale.
The latter was addressed through the Cybersecurity Enhancement Act (CEA) of 2014 and the Cybersecurity Information Sharing Act (CISA) of 2015, laws enacted by Congress to promote awareness and adoption of consensus-based cyber defense best practices and the sharing of cyber threat indicators and defensive measures between and among public and private entities. In addition, the Obama administration released the Cybersecurity National Action Plan (CNAP) in 2016, which allotted over 19 billion dollars to cybersecurity. This plan aimed to modernize federal infrastructure to be cyber resilient, ramp up hiring of cyber talent in the government for cyber deterrence teams, and improve incident response coordination.
The 40-page National Cyber Strategy released in 2018 by the Trump administration offered a robust response to the spate of high-profile cyberattacks in 2017, including WannaCry, NotPetya, and the Equifax breach. President Trump's strategy built upon previous approaches towards securing critical infrastructure and introduced the concept of “cyber norms”, addressing acceptable behavior in cyberspace and developing cyber deterrence strategies against unacceptable behavior. The Trump administration also pushed for adoption of US-based best practices and cyber defense strategies in other countries.
President Biden's 2023 National Cybersecurity Strategy had more agency-specific assignments, and its threat identification, response and mitigation measures were developed in response to multiple supply chain attacks, such as Sunburst against SolarWinds, and vulnerabilities such as Log4Shell. The Biden administration’s strategy was more prescriptive than previous efforts, asserting both specific technical solutions – such as Software Bills of Materials (SBOMs) – and specific policy interventions – such as cybersecurity labeling.
Cybersecurity strategies from various Presidents have evolved over the years. However, the major themes or the “pillars” of cybersecurity strategies have largely stayed the same. The five areas common to a national cybersecurity strategy have conventionally been: 1) protecting critical infrastructure, 2) ensuring the resilience of federal systems, 3) public-private partnerships, 4) international cooperation, and 5) awareness and education.
- Protecting critical infrastructure is in many ways the primary catalyst for NCSS. PDD-63, precursor to the first NCSS, was specifically focused on critical infrastructure protection. It included telecommunications, energy, finance, transportation, water, and emergency services as key sectors and led to the establishment of Sector Risk Management Agencies (SRMAs) in the federal government as well as Sector Coordinators, i.e., Sector Coordinating Councils (SCCs), to represent the views of the private sector. For example, the Communications Sector Coordinating Council (CSCC) was set up in 2005 to work with the Department of Homeland Security, its corresponding SRMA.
- The goal behind protecting critical infrastructure was to ensure the resilience of federal systems so that there is no disruption in the government’s ability to provide services to its citizens and ensure national security. This focus led to the creation of the EINSTEIN 2 and EINSTEIN 3 programs, the former focusing on intrusion detection and the latter on intrusion prevention. In 2013, NIST published its Cyber Security Framework (CSF) 1.0, which provided different organizations with a common taxonomy for implementing cybersecurity programs.
- Given the interdependence of public and private cyber critical infrastructure in the US, a third pillar of NCSS addresses public-private partnerships. One focus of this third pillar is information sharing between the public and private sectors with the goal of addressing common vulnerabilities and identifying correlated attacks. This has been advanced by setting up institutions like Information Sharing and Analysis Centers (ISACs) and the Cybersecurity and Infrastructure Security Agency (CISA).
- Yet, US critical infrastructure does not stand in isolation, but must exist in a broader international cyber ecosystem. Thus, a fourth pillar of the NCSS often encompasses international cooperation on cybersecurity investigations and cyber norms. Earlier administrations enabled such cooperation by signing on to agreements such as the Budapest Convention on Cybercrime. More recently, this kind of cooperation can be seen in the United States’ advocacy for research exceptions to the Wassenaar Arrangement’s controls on surveillance technology.
- The fifth and final pillar tackles training and awareness for the human beings who must inevitably manage cyber technologies and be impacted by associated vulnerabilities. The United States, for example, has set up NSA Centers of Academic Excellence to train the next generation of cybersecurity professionals and created a CyberCorps program to support students who wish to receive a scholarship for service.
The commonality between these five pillars has led to convergence in many cybersecurity policy efforts. For example, recognizing the importance of public-private information sharing, the Clinton and Bush administrations set up ISACs, the Obama administration passed CEA, the Trump administration set up CISA, and the Biden administration passed CIRCIA.
However, over the years the nature of the threat landscape has evolved. The 1990s were dominated by hackers; in the 2000s the big challenge was consumer fraud; the early half of the 2010s was dominated by DDoS attacks, and the latter half by ransomware. The 2020s have been dominated by APTs.
Cyber policy priorities have accordingly been adjusted in response to incidents of their time. The Bush strategy focused on the basics of cybersecurity necessary for national security. The Obama strategies looked at cyber defense responsibility distribution and offensive capabilities. The Trump 2017-2020 strategy concentrated on cyber innovation and business incentives for bolstering enterprise cybersecurity tools and protocols. More recently, the Biden strategy sought to place more cyber defense obligations onto the private sector and gave greater consideration to prescribing specific technology tools and measures.
More broadly, four key differences have started to emerge. First, the strategies starting with the Trump NCSS have become more forward-leaning. Emerging technology areas like Artificial Intelligence, Quantum Computing, Undersea, Space, and the Internet of Things were first introduced in the Trump and Biden strategies. Both strategies promised support for innovation in these technologies but highlighted the need for security. While Trump's strategy focused on a risk-based approach to these technologies, Biden’s approach was more regulatory and technology-specific.
Second is the question of incentives and liability. Under the Biden administration, the National Security and Telecommunications Advisory Committee’s (NSTAC) report on incentives and measurements noted that the level of cybersecurity investment required to address business risk may be different from that required to address national security risks. The report recommended that the government investigate incentives to bridge the gap. However, towards the tail end of the Biden administration there were multiple White House workshops to explore prescriptive measures, indicating a move away from market-based cybersecurity towards a more regulatory approach.
Third, there is an increasing acknowledgement that cybersecurity requires an ecosystem-wide effort. The Trump administration’s work on cybersecurity extensions to the Wassenaar Arrangement will constrain the proliferation of cyber weapons worldwide while allowing legitimate security research to continue. Trump’s NCSS also called for the creation of a Cyber Deterrence Initiative to coordinate response to cyberattacks and drive adherence to norms in cyberspace.
Finally, there is also an understanding that these strategies themselves need to be made more effective. To that end, the Government Accountability Office (GAO) has outlined six desirable criteria for a national cybersecurity strategy. Different administrations have had varying degrees of coverage on these criteria.
However, GAO’s analysis notes two key problems. First, there is still a lack of widely accepted, reliable performance indicators for cybersecurity. This means that while efforts are directed toward enhancing cybersecurity, the absence of suitable, broad-based metrics makes it harder to justify budgeting for, and investing in, cyber defense capabilities – particularly with respect to preventive measures and threat intelligence capabilities that can stop attacks before they are launched. Measurement is a complex problem in the field, due to the evolving nature of threats. Second, strategies are broad in scope, with limited promises on resources and investments. According to the GAO report, it is harder to estimate how much it would cost to secure systems, especially for human resources.
In the United States, national cybersecurity strategies are the primary policy instrument for articulating the government’s priorities. As future administrations look to frame their own priorities, it may be helpful to consider what made these strategies successful and to address opportunities that were previously missed, in order to avoid potential pitfalls in the future.
- Continue building on known successes: Cybersecurity as a policy area enjoys bipartisan support. Thus, each administration has built upon the previous administration’s strategies. This has led to successful programs that have stood the test of time and been widely praised by academia, civil society, and industry. One example is the National Vulnerability Database (NVD), which is a repository of software and hardware vulnerabilities maintained by the United States government.
- Focus on outcome-oriented and risk-informed policy solutions: Given the ever-evolving nature of technology and associated attacker capabilities, cyber policies need to be technology neutral and focus on the desired outcomes. The scope of the outcomes should be determined by the associated risk, which may differ based on numerous factors such as context of deployment, industry, and more. One example of this approach is the NIST Cyber Security Framework (CSF).
- Build capacity to address strategic risks: Emerging technologies, such as AI and Quantum Computing, create new and ecosystem-wide risks for cybersecurity. The US has historically built capacity to address these kinds of risks by engaging in open, transparent, multistakeholder processes. The US Cyber Trust Mark, for instance, is a risk-based public-private approach to address the risks imposed by IoT devices, informed by NIST’s IoT security workstreams.
As cybersecurity threats continue to evolve, it is important for policymakers to be proactive, agile, and forward-looking, and not simply reactionary to specific events. The success of US National Cyber Security Strategies can be attributed to the focus on longer-term cybersecurity outcomes that are risk-informed and grounded in the five pillars or themes. Previous administrations adhered to this recipe for success with the creation of CISA, the elevation of the US Cyber Command, negotiations on the Wassenaar Arrangement, and more. Future administrations can continue the successful legacy of NCSS by staying true to its roots.



