2. October 21, 2004
U.S. National Cybersecurity
I. Cybersecurity Policy Then & Now
A. Brief History
B. Current Gov’t Actors
C. Recent Legislation (SOX, HIPAA)
II. National Strategy to Secure Cyberspace
A. Intro to the Plan
B. Critical Priorities
1. Response System
2. Threat & Vulnerability Reduction
3. Awareness & Training Program
4. Securing Gov’t. Cyberspace
5. National Security and International
Cooperation.
III. Critiques of the National Plan
IV. Discussion Activity
4. October 21, 2004
Gov’t Cybersecurity:
Then
1996:
President Clinton established the President’s Commission
on Critical Infrastructure Protection (PCCIP). “Critical
Foundations” Report.
1998:
Clinton administration issued Presidential Decision Directive
63 (PDD63). Creates:
- National Infrastructure Protection Center (NIPC) in FBI
- Critical Infrastructure Assurance Office (CIAO) in
Dept. of Commerce
2001:
After 9/11 Bush creates:
- Office of Cyberspace Security (Richard Clarke)
- President’s Critical Infrastructure Protection Board (PCIPB)
5. October 21, 2004
Gov’t
Cybersecurity:
Now
• Nov. 2002:
• Cybersecurity duties consolidated under
DHS -> Information Analysis and Infrastructure
Protection Division (IAIP). Exact role of
cybersecurity unclear?
• June 2003:
• National Cyber Security Division (NCSD)
created under IAIP. Headed by Amit Yoran from
Symantec, the role of the NCSD is to conduct
cyberspace analysis, issue alerts and warnings,
improve information sharing, respond to major
incidents, and aid in national-level recovery efforts.
6. October 21, 2004
Gov’t
Cybersecurity:
Now
• Sept. 2003:
• The United States-Computer Emergency
Readiness Team (US-CERT) is the United States
government coordination point for bridging public
and private sector institutions.
• Oct. 2004:
• Yoran steps down citing frustration with a
perceived lack of attention and funding given to
cybersecurity issues. He is replaced by deputy Andy
Purdy and the debate over the position of
cybersecurity within DHS continues.
7. October 21, 2004
Other Gov’t Actors
House:
- Select Committee on Homeland Security -> Subcommittee on
Cybersecurity, Science, Research & Development (Adam
Putnam, R-FL)
- Science Committee (Sherwood Boehlert, R-NY)
Senate:
- Committee on Government Affairs (Susan Collins, R-ME)
In Congress:
Funding is major issue.
Support is often bi-partisan
8. October 21, 2004
Other Gov’t Actors
The usual suspects:
- FBI
- Dept. of Defense / NSA
- Secret Service
and don’t forget:
- Dept. of Commerce / NIST
- Office of Management and Budget (OMB)
- Dept. of Treasury
- SEC
and more...
- DOE
- FCC
9. October 21, 2004
The Big Picture
What’s the Point?
Complex web of interactions. There are many
different government actors with their own interests
and specialties
No complete top-down organization
10. October 21, 2004
Recent Legislation:
HIPAA
Health Insurance Portability and
Accountability Act (HIPAA)
Goal:
Secure protected health information (PHI).
What it is:
- Not specific to computer security at all, but sets forth
standards governing information, much of which is on computers.
- Ensure confidentiality, integrity and availability of all
electronic protected health care information
- Comprehensive: ALL employees must be trained.
- Does not mandate specific technologies, but makes all
“covered entities” potentially subject to litigation.
11. October 21, 2004
Recent
Legislation:
SOX
Sarbanes-Oxley Act (SOX)
Goal:
Verify the integrity of financial statements and information of
publicly traded companies.
What it is:
- Since information systems support most corporate finance
systems, this translates to requirements for maintaining
sufficient info security.
- Threat of jail time for executives has spurred a significant
investment in corporate info security.
12. October 21, 2004
The National
Strategy to
Secure
Cyberspace
13. October 21, 2004
What are critical infrastructures?
Critical Infrastructures are public and private institutions in
the following sectors:
Agriculture, food, water, public health, emergency
services, government, defense industrial base, information
and telecommunications, energy, transportation, banking
and finance, chemicals and hazardous materials, and
postal and shipping.
Essentially: What makes America tick.
14. October 21, 2004
Why
Cyberspace?
“Cyberspace is composed of hundreds of
thousands of interconnected computers,
servers, routers, switches and fiber optic
cables that allow our critical
infrastructure to work”
[ NSSC: p. vii ]
15. October 21, 2004
What is the
Threat?
“Our primary concern is
the threat of organized
cyber attacks capable of
causing debilitating
disruption to our Nation’s
critical infrastructures,
economy, or national
security”
[ NSSC: p. viii ]
16. October 21, 2004
What is the
Threat?
Peacetime:
- gov’t and corporate
espionage
- mapping to prepare for an
attack
Wartime:
- intimidate leaders by
attacking critical infrastructures
or eroding public confidence in
our information systems.
Is this the right threat model?
What about:
- impairing our ability to
respond
- economic war of attrition
17. October 21, 2004
Government’s Role
(part I)
“In general, the private sector is best equipped and
structured to respond to an evolving cyber-threat” [NSSC p ix]
“federal regulation will not become a primary means of
securing cyberspace … the market itself is expected to
provide the major impetus to improve cybersecurity” [NSSC p 15]
“with greater awareness of the issues, companies can
benefit from increasing their levels of cybersecurity. Greater
awareness and voluntary efforts are critical components of
the NSSC.” [NSSC p 10]
18. October 21, 2004
Government’s
Role (part I)
Public-private partnership is the centerpiece of the plan to protect
largely privately owned infrastructure.
In practice:
Look at use of “encourage”, “voluntary” and “public-private” in
text of document.
19. October 21, 2004
Government’s
Role (part II)
However, Government does have a role
when:
• high costs or legal barriers cause
problems for private industry
• securing its own cyberspace
• interacting with other governments on
cybersecurity
• incentive problems leading to under
provisioning of shared resources
• raising awareness
20. October 21, 2004
Critical Priorities for
Cyberspace Security:
I. Security Response
System
II. Threat & Vulnerability
Reduction Program
III. Awareness &
Training Program
IV. Securing
Government’s
Cyberspace
V. National Security &
International
Cooperation
21. October 21, 2004
Priority I: Security
Response System
Goals:
1) Create an architecture for
responding to national-level
cyber incidents
a) Vulnerability analysis
b) Warning System
c) Incident Management
d) Response & Recovery
2) Encourage Cybersecurity
Information Sharing using
ISACs and other mechanisms
22. October 21, 2004
Priority I Initiative: US-CERT (2003)
Goal:
Coordinate defense against and response to
cyber attacks and promote information sharing.
What it does:
- CERT = Computer Emergency Readiness Team
- Contact point for industry and ISACs into the
DHS and other gov’t cybersecurity offices.
- National Cyber Alert System
- Still new, role not clearly defined
23. October 21, 2004
Priority I Initiative: Critical
Infrastructure Info. Act of 2002
Goal:
Reduce vulnerability of current critical
infrastructure systems
What it does:
Allows the DHS to receive and protect voluntarily
submitted information about vulnerabilities or
security attacks involving privately owned critical
infrastructure. The Act protects qualifying
information from disclosure under the Freedom of
Information Act.
24. October 21, 2004
Priority II: Threat &
Vulnerability
Reduction Program
Goals:
1) Reduce Threat & Deter Malicious Actors
a) enhanced law enforcement
b) National Threat Assessment
2) Identify & Remediate Existing Vuln’s
a) Secure Mechanisms of the Internet
b) Improve SCADA systems
c) Reduce software vulnerabilities
d) Improve reliability & security of
physical infrastructure
3) Develop new, more secure technologies
25. October 21, 2004
Priority II Initiative:
sDNS & sBGP
Goal:
To develop and deploy new protocols that improve the
security of the Internet infrastructure.
What it does:
DHS is providing funding and working with Internet
standards bodies to help design and implement these new
protocols, which have been stalled for some time.
Adoption strategy remains a largely untackled hurdle.
26. October 21, 2004
Priority II Initiative: Cyber Security
R&D Act (2002)
Goal:
Promote research and innovation for technologies relating
to cybersecurity and increase the number of experts in the
field.
What it does:
Dedicated more than $900 million over five years to
security research programs and creates fellowships for the
study of cybersecurity related topics.
Recent release of BAA from SRI shows technical priorities
for developing systems to reduce overall vulnerabilities.
27. October 21, 2004
Priority III: Security
Awareness and
Training Program
Goals:
1) Awareness* for home/small business,
enterprises, universities, industrial
sectors and government
2) Developing more training &
certification programs to combat
a perceived workforce deficiency.
* this means vastly different things for
different audiences
28. October 21, 2004
Priority IV: Securing
Government’s
Cyberspace
Goals:
1) Protect the many information
systems supporting critical
services provided by the
government at the federal, state
and local levels.
2) Lead by example in federal
agencies and use procurement
power to encourage the
development of more secure
products.
29. October 21, 2004
Priority IV
Initiative: FISMA
Federal Information Security Management Act (FISMA)
Goal:
Strengthen federal agencies’ resistance to cybersecurity attacks
and lead by example.
What it is:
Mandates that the CIO of each federal agency develop and maintain
an agency-wide information security program that includes:
- periodic risk assessments
- security policies/plans/procedures
- security training for personnel
- periodic testing and evaluation
- incident detection, reporting & response
- plan to ensure continuity of operation (during an attack)
30. October 21, 2004
Priority V: National
Security & International
Cooperation
Goals:
1) Improve National Security by:
a) improving counter-intelligence and
response efforts in cyberspace within
the national security community
b) improving attribution and prevention
capabilities
c) being able to respond in an
“appropriate” manner
2) Enhance International Cooperation by:
a) reaching cybersecurity agreements with
members of existing world organizations
b) promoting the adoption of cyber-crime
laws and mutual assistance provisions
across the globe.
32. October 21, 2004
Criticisms of the National Plan
Frequently stated arguments:
1) By avoiding regulation, the plan has “no teeth” and can freely be ignored by
companies.
2) Government claims of an “information deficit” at the enterprise level are
misinformed and awareness efforts are a waste.
3) Not enough consideration has been given to the role economic incentives play
in creating cybersecurity vulnerabilities.