The Cybersecurity Bill of Rights is a statement of security goals or expectations—what is it that society should reasonably expect in the way of security in its information technologies, and what should technologists and organizations strive to achieve? Since many or most of today’s information technologies are not designed or implemented with the goals of the CBoR in mind, the Cybersecurity Bill of Rights also illustrates the enormous gap between what information technologies should do and what they now do. Serious efforts directed at achieving these goals would greatly decrease—but never eliminate—the security risks associated with using information technology. As importantly, the availability of information technologies designed and implemented with these goals in mind would expand the policy choices available to society about the functionality that it deserves and should expect from its technologies.
As a statement of expectations, the security provisions of the CBoR are neither absolute nor unconditional. When an information technology system or component does not embed a provision that should be provided, users have a right to know that the technology they are using does not meet that expectation so that they can act accordingly. Moreover, the way in which the provisions of the CBoR are realized for any given system will depend on many contextual factors. For example, the cybersecurity needs of an individual end user are different from those of a bank or the electric power grid.
In constructing the CBoR, the committee derived the provisions by considering four categories that are important to cybersecurity. These categories involve the following: (1) holistic systems properties relating to availability, recoverability, and control of systems; (2) traditional security properties relating to confidentiality, authentication, and authorization; (3) crosscutting properties such as safe access to information, confident invocation of important transactions, including those that will control physical devices, and knowledge of what security will be available; and (4) matters relating to jurisprudence: that is, appropriate justice for victims of cyberattack. (Some of the categories and provisions within them overlap.)
Finally, the CBoR is user-centric, but “user” should be interpreted broadly. Users include individual end users, organizations, and—most importantly—programs and system components that use (invoke or call on) other information technology systems or components. But taken together and viewed overall, the CBoR should be seen as a societal bill of rights, because the use of information technology in society has ramifications reaching far beyond a single individual or organization. Because critical societal functions depend on information technology, the security