Interdependency and International Policies
Introduction
Since many countries possess critical infrastructures which are interdependent, the need for national and international cybersecurity policies and regulations remain an important aspect of maintaining effective critical infrastructures and critical information infrastructures. Therefore, cybersecurity policy and regulation in one country has a direct impact on others. For example, the United States and Canada share interdependency with critical infrastructures, policies and regulations within each country sets a direction on how to interact with the other country’s critical infrastructure. One of the most important factors is the issue of governance between nations, as well as the appropriate function of public and private entities when developing and maintaining cybersecurity policies and regulations. In the following research, the document will explore the contents of the 2014 National Institute for Standards and Technology (NIST) Cybersecurity Framework, which analyzes efforts to protect critical infrastructures from vulnerabilities in Canada, thereby effecting how the country’s critical infrastructures interacts with the United States and its policies and regulations. The research also examines national policies within the United States and Canada that have set the foundation for international policy. Although not popular politically in the United States, the research suggests that more regulation could improve security of critical infrastructures on a national and international basis as well as set a foundation for the implementation of cyber peace treaties between nations.
United States and Canada
The United States and Canada are two long-standing political and military allies who frequently support each other through executive orders signed by the President of the United States, as well as through legislation that passes through the House of Representatives and Senate. As critical infrastructures in both countries continued to develop throughout the twentieth century, the need for cybersecurity professionals to protect networks and systems managing the physical and digital properties of CIs became more important, especially when the SCADA controls responsible for managing the CIs were removed from isolated networks and placed on the internet. This innovation has made securing critical infrastructures more challenging as it has opened up SCADA controls to the same types of threat agents that attack other networks like viruses and worms that seek to compromise systems and thereby control CI properties. The interdependency between CIs in the United States and Canada make securing them a high priority in the two nations, as exploits within networks in one country’s CIs could have widespread negative affect on its population as well as have an adverse effect on the other country’s critical infrastructures. Some cybersecurity professionals view the United States and Canada as being among the most vulnerable nations to cyberattack due to their significant dependency on critical infrastructures, internet and various types of emerging technologies on the market for consumers. The interdependency between the two nations caused each country to designate specific government departments to research, monitor and respond to any threat agents affecting CIs in either country or devise and implement policies and regulations that can help each nation defend or respond against cyberattack. Therefore, policy-makers must apply the interdependency model when devising regulations that impact both nations in order to identify the areas in which security principles are most needed and carry the most impact for citizens of each nation. The creation of regulations remains a significant priority due to the two nation’s interdependency, as implementing security policy in one nation will have a direct impact on the other and could play a major role in defending either nation during instances of cyberwar.
Cyberattacks
According to many cybersecurity analysts, the United States and Canada are two of the most frequently targeted countries in the world. These attacks have a significant impact on government operations, entities within the private sector and individual technology users; they are aimed to compromise information on government and business affairs, steal valuable pieces of data like intellectual property, alter the functionality of critical infrastructures, and steal money and resources from consumers. Over the last decade, each nation has reported the types of cyberattacks that have granted unauthorized access to networks and critical infrastructures. For example, the Canadian government made it public that they suffered from a cyberattack in 2011 that caused them to disconnect the Finance Department and Treasury Board from the internet which in turn caused negative reaction to the nation’s economy due to both department’s role in ensuring confidence in the financial markets. The United States also reported that hundreds of systems at the US Department of Commerce had been forced offline on many circumstances over the last decade. Data further notes that there were more than 40 million cyberattacks globally in 2014, which is a 50% increase over the reported incidents in 2013. In order to reverse this trend the Federal governments in the U.S. and Canada have created several policies to enhance cybersecurity in both nations. One of the signature policies is the 2012 Cybersecurity Action Plan between Public Safety Canada and the Department of Homeland Security, which identified areas in which both nations can improve cybersecurity efforts relative to critical infrastructures and how to respond to instances of cyberattack. The policy also recommends measures that can promote security despite the interdependency between the two nation’s infrastructures. Certain data points highlight the need to secure interdependent CIs; for example, 2012 reports indicate that Canada exported 60 million megawatt-hours of electricity to the United States, which made up approximately 1% to 2% of the United States’ electricity consumption. The reports further indicate that the Canadian exports were particularly distributed to states in the Northeast and Midwest parts of the United States. Using data to support the need for creating national and international regulations helps to put the impact of securing the two nation’s CIs into perspective, if Canada’s electric grid were compromised then it would have a serious impact around the country as well as areas throughout the United States.
Intelligence
The authors of Securing North American Critical Infrastructure, asserts that countries and businesses would greatly benefit from the use of more surveys regarding instances of cyberattack taking place in the public and private sectors. They suspect that more cyberattacks exist in the United States and Canada, but infer that many go unreported and do not get factored into the equation when cybersecurity professionals devise strategies for mitigating or preventing cyberattacks. Therefore, the authors conclude that today’s cybersecurity professionals must go by what they consider to be “limited knowledge” when conducting research on how to develop and implement strategies to protect public and private networks and systems. Despite the limited reports available on cybersecurity efforts between the two countries, it has been recorded that more than one-third of Canadian businesses have reported instances of cyberattack in a given year. According to a 2015 survey conducted by Kaspersky Labs, Canada has been named the tenth-most attacked country globally. The survey further notes that the United States is the third-most attacked nation as of 2015. The survey described the participation of US entities from 2000 to 2008 as rising from forty-three percent to seventy percent. A 2010 report indicates that seventy-five percent of survey participants among IT executives form twenty-seven countries disclosed that they identified at least one cyberattack and around forty-one percent suggest they would list the attacks as “somewhat or highly effective”. Cyberattacks can be measured as having a significant impact on private organizations as well; reports indicate that in 2011, a data breach at Verizon caused the company to provide authorized access to more than 174 million records, which at the time was the company’s second-highest data breach since it started recording information on data breaches in 2004.Unfortunately, the company surpassed this number with another data breach in 2013.
Vulnerabilities
Even though data suggests that cyberattacks are becoming more frequent in Canada, the authors of Securing North American Infrastructure regards the country as having a drastic need to develop policies on how to respond to cyberattack, establish an environment in which the public and private sectors can collaborate on cybersecurity issues, and develop procedures in which the government can monitor traffic in order to identify and prevent cyberattacks for gaining access to sensitive information and critical infrastructures. Similarly to the United States, Canada suffers from the political element playing a role in how policy-makers devise cybersecurity policies. Sometimes the Federal government will devote resources for cybersecurity efforts and other times they will misappropriate funding. For example, a 2012 report indicated that the Canadian government appropriated a small fraction of its budget to address cybersecurity issues, 780 million dollars, but critics suggests that less than the total actually went toward agencies that can implement offensive and defensive cybersecurity strategies. The creation of cybersecurity policy has also been very difficult to occur within the United States due to the political element. A McAfee survey notes that the private and public entities that manage critical infrastructures are targeted frequently, which leads to losses of more than 700 billion dollars annually. Despite these alarming figures, both the Executive and Legislative branches of government are slow to support cybersecurity regulation as the subject remains unpopular with Democrats and Republicans. Since the Clinton administration, the Executive branch of the United States has appointed Cyber Czars who assist the Federal government and its agencies to devise and implement cybersecurity strategies. However, President Trump has yet to appoint a cybersecurity professional for the position within in his administration, which signals to those interested in establishing more national policies and regulations that the Executive branch will be unsupportive of any measures that may reach the President’s desk. This also suggests that the current President would be unlikely to significantly change cybersecurity policies through Executive Order.
Government Action
According to the author of Cyber War: The Next Threat to National Security and What to Do About It, Richard Clarke, examined three Presidential administrations in regards to their commitment and implementation of cybersecurity policies. Clarke was first appointed by President Clinton, who he applauded for creating the position but also critiqued suggesting that he could have done more to encourage Congress to develop national cybersecurity policies and regulations. Clarke also worked in the Bush administration, who he applauded for implementing offensive cybersecurity policies in order to respond to instances of cyberterrorism. Bush also created the Department of Homeland Security, which Clarke views as a significant security measure. Although Clarke did not serve in the Obama administration, he did commend the President for continuing the Bush policies relative to cybersecurity efforts; however, Clarke believes that both Bush and Obama missed the opportunity to establish stronger national and international cybersecurity policies, as well as work toward concepts like cyber peace treaties. Even though President Obama did not establish the cybersecurity policies that would appeal to professionals like Clarke, he did follow through with some measures that impact cybersecurity and critical infrastructures in particular. It is interesting to note that President Obama chose to implement cybersecurity policy through Executive Order rather than promoting a bill to send through Congress. This underscores how the political element plays a significant role in the Federal government establishing cybersecurity policy or strategy that could be viewed as restricting growth among the public and private sectors. A 2013 executive order signed by President Obama established procedures for information sharing between public and private entities within the United States, and directed the National Institute of Standards and Technology (NIST) to develop a NIST Framework to make recommendations on how to best secure critical infrastructures. NIST released the first version of the framework in 2014; it featured best practices for companies managing critical infrastructures to follow in order to secure their physical and digital properties. Supporters of the Executive Order suggest that President Obama helped the Federal government provide a useful, cost-effective approach to enhancing the protection of critical infrastructures. Critics of the Executive Order believe that the President did not go far enough with his measures, as there are no enforceable components that mandate companies within the private sector to adopt the NIST Framework. Despite the criticism, the Federal government received participation from many private companies who accepted and implemented the policies within the NIST Framework. In early 2015, the following companies implemented the NIST Framework: Intel, Apple, Walgreens and Bank of America. The NIST Framework helped private companies conduct the following cybersecurity procedures: identify, protect, detect, respond and recover. The new Federal policy also suggests procedures for private companies to reduce their exposure to threat agents. According to supporters of the policy, the NIST Framework has helped companies improve the risk management process that takes place at every organization that invests in cybersecurity, which in turn makes it more likely for cybersecurity professionals to identify or prevent threat agents from gaining unauthorized access to critical infrastructures at an early stage. Since its signing into law, the NIST Framework has become a frequently used cybersecurity policy, and it is regarded as an imperative component of any organization’s cybersecurity strategy. The NIST Framework has also been adopted by international entities likes the United Kingdom, Korea, Japan, Estonia, Israel, Germany and Australia. The authors of Securing North American Critical Infrastructure suggests that the NIST Framework should be applauded for its ability to create a standard set of procedures for defensive cybersecurity, and its sound recommendations for practices to implement by the private sector. It could be argued that the NIST Framework has made a positive impact on the United States and its private entities; however, it is also safe to assert that the NIST Framework lacks enforceable measures which could increase the implementation of the framework’s policies and thereby make a broader spectrum of private entities more secure in the process,
New Policies
Similarly, to the NIST Framework, the Canadian government has created several policies aimed at protecting the country’s critical infrastructure. Like the United States, Canada has tasked many departments with the responsibility of conducting offensive and defensive cybersecurity, Canada relies heavily on the Department of Public Safety and Emergency Preparedness Canada (PSEPC) to create and enforce policies in much the same way as the United States depends on the Department of Homeland Security (DHS). The Canadian government established the Canadian Cyber Incident Response Center (CCIRC) as a department of PSEPC in 2005. CCIRC is tasked with the responsibility of conducting cybersecurity efforts in public and private sectors networks and critical infrastructures. The department severs the following three functions: informs private and government entities on how the prepare and mitigate cyberattacks, assists government departments and private companies with forensic analysis and other cybersecurity measures, promote the sharing of information and ideas on cybersecurity between public and private entities. According to the author of Securing North American Critical Infrastructure, Canada’s CCIRC is similar to the U.S. Computer Emergency Readiness Team (US-CERT), which was created in 2003 as a department within DHS, CCIRC and US-CERT assist the Federal government and private entities with the information necessary to mitigate cyber-attacks, as well as promote best practices for ongoing cybersecurity efforts.
Funding
Even though getting cybersecurity policies through Congress remains a difficult process in the United States and Canada, each nation occasionally discovers areas in which the Federal government can appropriate funding in order to address cybersecurity issues. In 2014, the Canadian government unveiled the Cyber Security Cooperation Program (CSCP), a project managed by PSEPC. The program includes an $l.5 million grants for use over a five-year period that provides financial resources for research and development projects aimed at improving security for networks and critical infrastructures in Canada. The objective of the program is to improve standards of practice for public and private entities to implement cybersecurity measures, and provide tools that will help entities during the risk assessment process. PSEPC surveys the recipients of the grants and records how they invest the funds, and how entities are impacted by the use of the government’s resources. PSEPC releases a number of annual reports on cybersecurity, notably one with security data on Canada’s critical infrastructure. The department creates the National Strategy for Critical Infrastructure and the Action Plan for Critical Infrastructure that indicates how the government and private entities can develop and implement stronger cybersecurity measures.
Critical Infrastructures
PSEPC’s National Strategy identifies ten areas in which critical infrastructures in Canada remain vulnerable to threat agents and makes recommendations on how to mitigate and prevent cyberattacks. Since many of the Canadian critical infrastructures are owned by private corporations much like in the United States, the reports underscore the need for participation among individuals and organizations who manage CIs to adopt the government’s recommendations and constantly seek new information on cybersecurity as threat agents evolve over time. When PSEPC records information regarding threats to critical infrastructures among government and private entities the department publishes and shares the information with other organizations in order to educate them on potential threats and to also provide them with ways of mitigating particular threat agents should they arise at their organization. One signature policy by the Canadian government was established in 2010 within the PSEPC department with a document entitled Canada’s Cyber Security Strategy. This government-supported document established three objectives for cybersecurity at public and private entities in Canada: methods for securing government systems, procedures for collaborating with entities in the private sector to provide assistance with securing private networks and critical infrastructures, and help Canadian public safety officials use the internet to conduct security measures. The Canadian government supplemented this policy with an Action Plan in 2013 that instructed government agencies to collect information from public and private sources in regards to cyberattacks in order to provide data for an annual report. The government wanted the reports to identify the types of attacks organizations were experiencing as well as the methods of mitigation that helped them protect digital and physical properties. The Canadian government revised the Action Plan in 2017 to include measures on how to protect critical infrastructures. A section within the report recommends the establishment of partnerships between public and private entities, successful strategies for risk assessments on critical infrastructures, and provide methods of increasing security for the technology used to manage Cis like SCADA and PLC controls. The author of Securing North American Critical Infrastructures, does a comparative analysis of the Canadian Action Plan and the U.S.’s NIST Framework, highlighting that the objectives in each policies share many commonalities. Both policies urge private and public entities to evaluate areas of cyber risk within their organizations and identify methods of mitigating them. Both policies assert that communication between organizations plays a significant role in developing a knowledge base that can be used by entities who may experience similar threat agents on their networks. Critics of the policies suggest that the NIST Framework and Action Plan could further indicate which organizations should hold governance over executing cybersecurity strategy when it is unclear if a state or non-state actor has conducted instances of cyberwar. Despite the ambiguity present with the policies, many critics applaud the NIST Framework for its clear description on how to execute cybersecurity strategies recommended by the Federal government. Since the United States and Canada possess interdependent critical infrastructures like manufacturing, retailing, energy, IT and other sectors, the NIST Framework has become a policy in which the Canadian government decided to include within its cybersecurity strategy. Due to the popularization of the NIST Framework among countries across the international community, the Information Technology Industry Council (ITI) has endorsed the policy as the best available policy for implementing effective cybersecurity practices. Even though the policy has gained popularity, the author suggests that future revisions of the document could increase cybersecurity measures in both countries if they include cross-border and cross-sector sharing of security information. However, it may be too challenging to get such revisions to the NIST Framework and Action Plan as the political element in both countries create environments in which politicians are unlikely to support the measures. One area in which politicians may be persuaded would be the adoption of the economic model; a report by the Council on Foreign Relations (CFR) described the economic interdependency between countries in North America, pinpointing that cyberattacks on one country’s networks and critical infrastructures would create a negative economic reaction for the targeted nation, as well as any interdependent country’s economy. CFR further suggested that Canada, Mexico and the United States collaborate on creating cybersecurity measures that can protect networks and critical infrastructures in each country, with the aim of identifying potential threat agents and mitigating cyberattacks in order to prevent negative reactions taking place on any of the their economies. In the absence of such policy, many cybersecurity professionals view the adoption of the NIST Framework among other countries as the closest thing to developing international policies and regulations. If the US is to lead in the creation of stronger national and international cybersecurity policies, they could start by making revisions to the NIST Framework that include methods of sharing information and responding to cyberattacks through the establishing of a North American cyber coalition. Any revisions should provide methods of educating entities in both countries of the best practices of identifying and responding to cyberattacks, protect critical infrastructures and lay the foundation for the development of any peace treaties that could help nations prevent cyberwar in the future.
International Policies
Collaboration between the United States and Canada has included measures relative to cybersecurity, particularly policies regarding critical infrastructure management over the last few years. Even though the U.S.’s NIST Framework has been successfully adopted by several nations, Canada has made revisions to its Action Plan, entitling the new policies as Canada-United States Action Plan for Critical Infrastructure (abbreviated as Canada-U.S. Action Plan), which aims to build the resiliency of both countries in regard to their ability to protect critical infrastructures and promote cross-border communication between public and private entities on risk assessment and mitigation strategies. Canada and the United States has been collaborating on security measures for many years; however, in 2008 the countries signed the Emergency Management Cooperation agreement, which establishes the following: how each country can provide supplies and equipment during national emergencies, how to respond to incidents that threaten the security of either nation, which agencies can provide support across the border to assist the other country, makes recommendations on how Federal governments can assist the other nation across the border, promotes the sharing of information between entities in both nations, lays out specific methods each government can use to assist the other in preventing and responding to threats. This 2008 policy has set the foundation upon which the Canadian government revised existing documentation into the Canada-U.S. Action plan, which builds upon the security measures of the previous decade by including a sharper focus on protecting critical infrastructures as well public and private digital properties.
Interdependency Model
The Canada-U.S. Action plan contains several objectives concerning the protection of critical infrastructures: establish methods for monitoring components of the interdependency model between U.S. and Canada, establish cybersecurity frameworks that allow both countries to prepare and respond to instances of cyberattack by sharing communication across the border, make it more efficient for corporations in the private sector of both countries to share information across the border, sharing best practices in order to reduce the prospect of implementing duplicate cybersecurity efforts that may be a waste of time and resources, and promotes the accurate and timely sharing of communication among managers of critical infrastructure in both nations. The Canada-U.S. Action Plan features the strongest policies currently impacting the management of critical infrastructures between the two countries; it can be used as a paradigm for other nations who want to develop more effective strategies for responding to cyberattacks and protecting critical infrastructures. One of the best parts of implementing these policies concerns the government in each country investing in efforts to discover the best practices of securing interdependent critical infrastructures as well as raising awareness about common threats and how to mitigate them.
Enforced Policy
The Canada-U.S. Action Plan has a direct impact on citizens within in each nation, as the policies attempt to prevent disruptions in critical infrastructures that can cause a negative effect on energy, the economy, transportation and other interdependent CIs. The policies aim to reduce the number of internal and external threats to organizations managing CIs. Human error represents one of the most frequent vulnerabilities at public and private organizations; the policies recommend for entities to bring about awareness of specific things individuals can do to reduce the prospect of cyberattack when managing critical infrastructures. Since the Canada-U.S. Action Plan features a broad spectrum of solutions to help organizations manage digital and physical properties, it would be safe to assert that the policies are comprehensive and serve as an excellent paradigm for implementing cybersecurity policies at the Federal level. The policies recognize the importance of providing security on the border between the U.S. and Canada, as that area contains many interdependent critical infrastructures that can cause an impact to both nations. The border houses access to Canada’s electric grid, refineries, manufacturing sector, nuclear plants, transportation and refineries. Any cyberattack on these critical infrastructures on the Canadian border can have an adverse effect on sections of the United States. In order to protect interdependent critical infrastructures in the best ways possible, the Canada-U.S. Action Plan makes building the resiliency of both nations as a top priority in its cybersecurity strategy; the governments suggest increasing resiliency, or each nation’s ability to respond to and protect against cyberattack, by preparing individuals within the public and private sectors with the best standards and practices for protecting critical infrastructures as well as encouraging them to collaborate with organizations in their country and abroad. Even though the U.S. and Canada share a strong international partnership on cybersecurity, each nation has developed domestic policies that strengthen each nation’s ability to protect critical infrastructures. Canada passed the National Strategy and Action Plan for Critical Infrastructure (abbreviated as National Strategy and Action Plan) after extensive consultation with private sector organizations that manage CIs, which indicates specific procedures for responding to domestic cyberattacks on CIs. U.S. developed the National Infrastructure Protection Plan (NIPP) which promotes partnerships between the public and private sectors in order to share resources that can prevent or mitigate cyberattacks that threaten critical infrastructure; the policies have been carried out by a combination of Federal and State agencies as well as members of the private sector. According to Canada’s Department of Public Safety and Emergency Preparedness, the domestic policies in both nations possess the following three objectives: the creation of trusted partnerships, the promotion of information sharing and implementing a strategy that address the need to protect Cis from all threats including attacks on digital and physical properties. Both countries built upon their domestic policies through the creation of the Canada-U.S. Action Plan which expounds upon the national policies by addressing specific standards and practices that protect critical infrastructures across the border.
Partnerships
Canada’s Department of Public Safety and Emergency Preparedness, indicates that the Canada-U.S. Action Plan contains three objectives: the establishing of partnerships, effective information sharing and strategies for risk management. The authors of the policies believe that these three objective will better prepare the U.S. and Canada against cyberattacks to critical infrastructures. In order to address the first objective, establishing of partnerships, the Canada-U.S. Action Plan urges private and public entities in both countries to share information about cyberattacks and methods of mitigations to others in their country and abroad. In order to facilitate the building of relationships, the Canada-U.S. Action Plan promotes the activities of the Emergency Management Consultative Group (EMCG), which was first established in the 2008 Canada-U.S. Agreement on Emergency Management Cooperation. EMCG has been tasked with the responsibility of providing oversight, promoting communication between entities in Canada and the U.S., and devise new strategies for international collaboration on protecting critical infrastructures. Another way that the policies help to build relationships involves the inclusion of the various Sector Specific Agencies (SSA). The U.S.’s Federal government designates specific departments for implementing cybersecurity policies for each of the 16 critical infrastructures. Similarly, Canada creates partnerships with its Federal agencies and designate them as being directly responsible for implementing security policy at the nation’s critical infrastructures. The Canada-U.S. Action Plan also creates a virtual Critical Infrastructure Risk Analysis Cell that shares analysis, best practices and vulnerability assessments. If building relationships will be one of the best ways in which countries can increase security at interdependent critical infrastructures, then the Canada-U.S. Action Plan featuring it as 1/3 of the country’s overall approach to cybersecurity strategy may be an effective one that can be built upon for future policy-makers in both countries.
Information Sharing
The second objective, information sharing, is one of the most important parts of the overall policy. In order for the policies to work internationally, it becomes imperative to receive high participation from public and private entities in the U.S. and Canada. Information sharing helps organizations discover the best methods for securing critical infrastructures and risk assessments. The policies call on entities in both countries to share information prior to cyberattack, during instances of attack, and after in order to increase each entities ability to protect their critical infrastructures. Effective information sharing also creates new data points for analysis by entities in both nations that can help all organizations develop the best ways to respond to cyberattack. One of the most important data points involves the information surrounding previous cyberattacks that have already gone through the mitigation process. Identifying how previous cyberattacks were able to compromise networks and critical infrastructures, as well as the impact it had on the organization and citizens in their respective country, and the strategies used to mitigate the damage can significantly help organizations in the future should they be faced with the same or similar type of cyberattack. Sharing this information is key to helping organizations both domestically and internationally.
Risk Management
The last objective, risk management, concerns the specific procedures necessary to discover how cyberattacks will have an impact on critical infrastructures and the people who depends on the CI’s resources. This process involves a comprehensive analysis of the levels of interdependencies present in critical infrastructures in the U.S. and Canada, evaluate the potential risk each threat agent could have on networks and CIs, as well as implement security procedures that will mitigate cyberattacks. If the first and second objective of the policies are executed at a high level, it increases the likelihood that each country’s risk management will initiate a positive impact on both U.S. and Canada.
Need for More Policies
Even though domestic and international policies regarding the protection of critical infrastructures exist in both the U.S. and Canada, many critics of today’s cybersecurity policies would assert that each nation needs to further develop its policies especially in regards to national security. While each nation’s Federal government encourages public and private entities to record and share data on cyberattacks, some critics suggests that both countries can expand its data collection efforts on information relative to the physical and digital interdependency between both nations, in order to develop more efficient interdependency models when creating national and international policies. The collection and implementation of more accurate data regarding the security and management of critical infrastructures can assist both nations with the development of domestic and foreign policies. While most critics would agree that strengthening critical infrastructures remains one of the most important goals of any national security policy, some also view the Federal government’s responsibility as including the need to protect its nation and cybersecurity collaborators from cyberwar. In Cyber War, author Richard Clarke promotes the need for the United States to develop stronger national and international cybersecurity policies, particularly those that enhance the security of critical infrastructure, and lead in the creation of cybersecurity peace treaties that cause nations to commit to restraining from launching cyberattacks on other nation’s networks and CIs. Clarke asserts several scenarios in which the United States can prevent war using diplomacy and a broader cybersecurity strategy. The author also examines the U.S.’s capability to respond to instances of cyberwar, asserting that America has the digital resources to control an adversaries critical infrastructures, which could prevent the targeted nation from launching additional attacks. Even though it would be helpful if all nations could agree to international peace treaties, it would be difficult for one country to negotiate the policy with all others or for the United Nations to get everyone to commit. One possible area for the existence of peace treaties is for the United States to take the lead on strengthening its national policies and those with interdependent nations. For example, expanding the Canada-U.S. Action Plan to include measures on how to mitigate and prevent instances of cyberwar, along with a commitment from Canada and the U.S. to only target other nation’s network and critical infrastructure in response to attacks by state and non-state actors would be an excellent first step in helping the international community adopt stronger cybersecurity policies and peace treaties that prevent cyberwar.