IDENTIFY AND PRIORITIZE RISK:

To improve the security and resilience of our critical infrastructure, we will assess risk across six key areas:

national security, energy and power, banking and finance, health and safety, communications, and transportation. We will assess where cyberattacks could have catastrophic or cascading consequences and prioritize our protective efforts, capabilities, and defenses accordingly.

BUILD DEFENSIBLE GOVERNMENT NETWORKS:

We will use the latest commercial capabilities, shared services, and best practices to modernize our Federal information technology. We will improve our ability to provide uninterrupted and secure communications and services under all conditions.

DETER AND DISRUPT MALICIOUS CYBER ACTORS:

The Federal Government will ensure that those charged with securing critical infrastructure have the necessary authorities, information, and capabilities to prevent attacks before they affect or hold at risk U.S. critical infrastructure. The United

States will impose swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyberactivities. We will work with allies and friends to expand our awareness of malicious activities. A stronger and more resilient critical infrastructure will strengthen deterrence by creating doubt in our adversaries that they can achieve their objectives.

IMPROVE INFORMATION SHARING AND SENSING:

The U.S. Government will work with our critical infrastructure partners to assess their informational needs and to reduce the barriers to information sharing, such as speed and classification levels. We will also invest in capabilities that improve the ability of the United States to attribute cyber-attacks. In accordance with the protection of civil liberties and privacy, the U.S. Government will expand collaboration with the private sector so that we can better detect and attribute attacks.

DEPLOY LAYERED DEFENSES:

Since threats transit globally, passing through communications backbones without challenge, the U.S. Government will work with the private sector to remediate known bad activities at the network level to improve the security of all customers. Malicious activity must be defeated within a network and not be passed on to its destination whenever possible.