After several years of ambiguity and debate, the U.S. Department of Defense recently published a "Cyber Strategy" along with an implementing/operating organization. The U.S. Code differentiates and defines Title 10 (War) and Title 50 (Intelligence) activities. NSA operates under Title 50. The U.S. military operates under Title 10. Organizationally, then, the NSA is empowered and will continue to engage in cyber-intelligence activities. Cyber-warfare, though, will be managed by the U.S. military Strategic Command (USSTRATCOM). U.S. Cyber Command (USCYBERCOM) has been established and encompasses a complex organization reporting to the U.S. Secretary of Defense. The Commander of USCYBERCOM will also command the NSA as Chief of Central Security Services (CHCSS). Title 10 cyber-warfare entities include the U.S. Air Force, Navy, Marines, and Army, each with its own operations coordinating with the USCYBERCOM Integrated Cyber Center, supported by DISA, the Defense Information Systems Agency. Welcome to the government/military acronym swamp.
The U.S. Cyber Strategy is, in summary:
Defend Defense Department networks, systems, and information; this includes readiness to continue Internet operations if cyberspace access is contested.
Defend the U.S. and its interests against cyberattacks of significant consequence. This will include partnering and intelligence sharing with other government entities and commercial enterprises.
Provide integrated cyber-capabilities to support military operations and contingency plans (i.e., cyber-warfare).
For commercial enterprises, the cyber strategy covers only threats/attacks of "significant consequence," which is defined to include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the U.S. While there is no specific mention of serious disruption of cyberspace, we can presume that it is encompassed by "serious economic impact."
Bottom line, for now, other government agencies and commercial enterprises remain on their own to manage and mitigate threats to protect themselves from direct cyber-risks. So, business as usual. We will wait and see if the cyber strategy is extended to include intelligence gathering and alerts that will benefit all of us.