Practices and Political Implications of American Cybersecurity Policy since the CNCI (2008)

One may conventionally expect the United States to lack headway in its development of cybersecurity and related policymaking, particularly because the US is an advanced, constitutional democracy. However, facing the growing danger of cyber threats, the Bush Administration launched the Comprehensive National Cybersecurity Initiative (CNCI) in 2008 to systematically begin managing cybersecurity problems. The CNCI turns out to be a key document on which America's cybersecurity foundation is built, providing direction for future policy. On this note, I first look into the various features of the CNCI to conceptualize and frame US cybersecurity policy into what I call the American Cybersecurity Triad. This framework consists of the three focal dimensions of: 1. governmentwide integration; 2. technological counterintelligence; and 3. educational mobilization. This triad is used as the analytical backbone of my paper to depict the core flow of American cyber defense. I then go through each leg of the triad, discussing the main practices that have been in progress since the CNCI. The executions of each of the dimensions in the consecutive order can be represented by: 1. federal, state, local, and international efforts; 2. technical innovations and private-public partnerships; and 3. professional and nonprofessional responsibilities. I then discuss controversial issues that each leg holds, to highlight the political implications that exist within the cybersecurity domain. The fundamental implications of concern regarding the reality of American cybersecurity policy, in the serial order of the triad above, are: 1. the complexities of political processes and bureaucratic biases; 2. the conflict between security and civil rights; and 3. the complications in building workforce coordination and public consensus. My analysis of the American cybersecurity policy since the CNCI finds that the American Cybersecurity Triad and the management of its political implications are crucial in constructing a cyber-secure nation. I finally argue that a state-centric and policy-oriented approach is essential in developing a comprehensive American cybersecurity policy.