U.S. Cybersecurity Policy Lecture by: Dan Wendlandt MS&E 91SI Autumn 2004 Stanford University U.S. National Cybersecurity October 21, 2004

Download Report

Transcript U.S. Cybersecurity Policy Lecture by: Dan Wendlandt MS&E 91SI Autumn 2004 Stanford University U.S. National Cybersecurity October 21, 2004

U.S. Cybersecurity
Policy
Lecture by: Dan Wendlandt
MS&E 91SI
Autumn 2004
Stanford University
U.S. National Cybersecurity
October 21, 2004
Outline:
I. Cybersecurity Policy Then & Now
A. Brief History
B. Current Gov’t Actors
C. Recent Legislation (SOX, HIPPA)
II. National Strategy to Secure Cyberspace
A. Intro to the Plan
B. Critical Priorities
1. Response System
2. Threat & Vulnerability Reduction
3. Awareness & Training Program
4. Securing Gov’t. Cyberspace
5. National Security and International
Cooperation.
III. Critiques of the National Plan
IV. Discussion Activity
U.S. National Cybersecurity
October 21, 2004
Cybersecurity Policy
Then & Now
U.S. National Cybersecurity
October 21, 2004
Gov’t Cybersecurity: Then
1996:
President Clinton established the President’s Commission on Critical
Infrastructure Protection (PCCIP). “Critical Foundations” Report.
1998:
Clinton administration issued Presidential Decision Directive 63
(PDD63). Creates :
- National Infrastructure Protection Center (NIPC) in FBI
– Critical Infrastructure Assurance Office (CIAO) in
Dept. of Commerce
2001:
After 9/11 Bush creates:
- Office of Cyberspace Security (Richard Clarke)
- President’s Critical Infrastructure Protection Board (PCIPB)
U.S. National Cybersecurity
October 21, 2004
Gov’t Cybersecurity: Now
Nov. 2002:
Cybersecurity duties consolidated under DHS ->
Information Analysis and Infrastructure Protection
Division (IAIP) . Exact role of cybersecurity
unclear?
June 2003:
National Cyber Security Division (NCSD) created
under IAIP. Headed by Amit Yoran from
Symantec, the role of the NCSD is to conducting
cyberspace analysis, issue alerts and warning,
improve information sharing, respond to major
incidents, and aid in national-level recovery
efforts .
U.S. National Cybersecurity
October 21, 2004
Gov’t Cybersecurity: Now
Sept. 2003:
The United States-Computer Emergency
Readiness Team (US-CERT) is the United States
government coordination point for bridging public
and private sector institutions.
Oct. 2004:
Yoran steps down citing frustration with a
perceived lack of attention and funding given to
cybersecurity issues. He is replace by deputy
Andy Purdy and the debate over the position of
cybersecurity within DHS Continues.
U.S. National Cybersecurity
October 21, 2004
Other Gov’t Actors
In Congress:
Funding is major issue.
Support is often bi-partisan
House:
- Select Committee on Homeland Security -> Subcommittee on
Cybersecurity, Science, Research & Development (Adam
Putnam, R-FL)
- Science Committee (Sherwood Boehlert, R-NY)
Senate:
- Committee on Government Affairs (Susan Collins, R-ME )
U.S. National Cybersecurity
October 21, 2004
Other Gov’t Actors
The usual suspects:
FBI
Secret Service
Dept. of Defense
NSA
and don’t forget:
DOE
Dept. Commerce / NIST
SEC
FCC
Dept. of Treasury
Office of Management
And Budget (OMB)
and more...
U.S. National Cybersecurity
October 21, 2004
The Big Picture
What’s the Point?
Complex web of interactions. There are many
different government actors with their own interests
and specialties
No complete top-down organization
U.S. National Cybersecurity
October 21, 2004
Recent Legislation: HIPAA
Health Insurance Portability and
Accountability Act (HIPAA)
Goal:
Secure protected health information (PHI),
What it is:
- Not specific to computer security at all, but set forth
standards governing much of which is on computers.
- Insure confidentiality, integrity and availability of all
electronic protected health care information
- Comprehensive: ALL employees must be trained.
- Does not mandate specific technologies, but makes all
“covered entities” potentially subject to litigation.
U.S. National Cybersecurity
October 21, 2004
Recent Legislation: SOX
Sarbanes-Oxley Act (SOX)
Goal:
Verify the integrity of financial statements and
information of publicly traded companies.
What it is:
- Since information systems support most corporate
finance systems, this translates to requirements for
maintaining sufficient info security.
- Threat of jail time for executives has spurred a
significant investment in corporate info security.
U.S. National Cybersecurity
October 21, 2004
The National Strategy to
Secure Cyberspace
U.S. National Cybersecurity
October 21, 2004
What are critical infrastructures?
Critical Infrastructures are public and private institutions in
the following sectors:
Agriculture, food, water, public health, emergency
services, government, defense industrial base, information
and telecommunications, energy, transportation, banking
and finance, chemicals and hazardous materials, and
postal and shipping.
Essentially: What makes America tick.
U.S. National Cybersecurity
October 21, 2004
Why Cyberspace?
“Cyberspace is composed of
hundreds of thousands of
interconnected computers, servers,
routers, switches and fiber optic
cables that allow our critical
infrastructure to work”
[ NSSC: p. vii ]
U.S. National Cybersecurity
October 21, 2004
What is the Threat?
“Our primary concern is the threat of
organized cyber attacks capable of
causing debilitating disruption to our
Nation’s critical infrastructures,
economy, or national security”
[ NSSC: p. viii ]
U.S. National Cybersecurity
October 21, 2004
The Threat in Detail
“Our primary concern is the threat of
organized cyber attacks capable of
causing debilitating disruption to our
Nation’s critical infrastructures,
economy, or national security”
[ NSSC: p. viii ]
U.S. National Cybersecurity
October 21, 2004
What is the Threat?
Peacetime:
- gov’t and corporate espionage
- mapping to prepare for an attack
Wartime:
- intimidate leaders by attacking critical
infrastructures or eroding public confidence in our
information systems.
Is this the right threat model? What about:
- impairing our ability to respond
- economic war of attrition
U.S. National Cybersecurity
October 21, 2004
Government’s Role (part I)
“In general, the private sector is best equipped and structured
to respond to an evolving cyber-threat” [NSSC p ix]
“federal regulation will not become a primary means of securing
cyberspace … the market itself is expected to provide the major
impetus to improve cybersecurity” [NSSC p 15 ]
“with greater awareness of the issues, companies can benefit
from increasing their levels of cybersecurity. Greater
awareness and voluntary efforts are critical components of the
NSSC.” [NSSC p 10]
U.S. National Cybersecurity
October 21, 2004
Government’s Role (part I)
Public-private partnership is the centerpiece
of plan to protect largely privately own
infrastructure.
In practice:
Look at use of “encourage”, “voluntary” and
“public-private” in text of document.
U.S. National Cybersecurity
October 21, 2004
Government’s Role (part II)
However, Government does have a role when:
• high costs or legal barriers cause problems for private industry
• securing its own cyberspace
• interacting with other governments on cybersecurity
• incentive problems leading to under provisioning of shared
resources
• raising awareness
U.S. National Cybersecurity
October 21, 2004
Critical Priorities for Cyberspace Security:
I. Security Response System
II. Threat & Vulnerability Reduction Program
III. Awareness & Training Program
IV. Securing Government’s Cyberspace
V. National Security & International Cooperation
U.S. National Cybersecurity
October 21, 2004
Priority I: Security Response System
Goals:
1) Create an architecture for responding to nationallevel cyber incidents
a) Vulnerability analysis
b) Warning System
c) Incident Management
d) Response & Recovery
2) Encourage Cybersecurity Information Sharing using
ISACS and other mechanisms
U.S. National Cybersecurity
October 21, 2004
Priority I Initiative: US-CERT (2003)
Goal:
Coordinate defense against and response to
cyber attacks and promote information sharing.
What is does:
- CERT = Computer Emergency Readiness Team
- Contact point for industry and ISACs into the
DHS and other gov’t cybersecurity offices.
- National Cyber Alert System
- Still new, role not clearly defined
U.S. National Cybersecurity
October 21, 2004
Priority I Initiative: Critical
Infrastructure Info. Act of 2002
Goal:
Reduce vulnerability of current critical
infrastructure systems
What is does:
Allows the DHS to receive and protect voluntarily
submitted information about vulnerabilities or
security attacks involving privately owned critical
infrastructure. The Act protects qualifying
information from disclosure under the Freedom of
Information Act.
U.S. National Cybersecurity
October 21, 2004
Priority II: Threat & Vulnerability
Reduction Program
Goals:
1) Reduce Threat & Deter Malicious Actors
a) enhanced law enforcement
b) National Threat Assessment
2) Identify & Remediate Existing Vuln’s
a) Secure Mechanisms of the Internet
b) Improve SCADA systems
c) Reduce software vulnerabilities
d) Improve reliability & security of physical
infrastructure
3) Develop new, more secure technologies
U.S. National Cybersecurity
October 21, 2004
Priority II Initiative :
sDNS & sBGP
Goal:
To develop and deploy new protocols that improve the
security of the Internet infrastructure.
What is does:
DHS is providing funding and working with Internet
standards bodies to help design and implement these new
protocols, which have been stalled for some time.
Adoption strategy remains a largely untackled hurdle.
U.S. National Cybersecurity
October 21, 2004
Priority II Initiative : Cyber Security
R&D Act (2002)
Goal:
Promote research and innovation for technologies relating
to cybersecurity and increase the number of experts in the
field.
What is does:
Dedicated more than $900 million over five years to
security research programs and creates fellowships for the
study of cybersecurity related topics.
Recent release of BAA from SRI shows technical priorities
for developing systems to reduce overall vulnerabilities.
U.S. National Cybersecurity
October 21, 2004
Priority III: Security Awareness and
Training Program
Goals:
1) Awareness* for home/small business,
enterprises, universities, industrial sectors and
government
2) Developing more training & certification
program to combat a perceived workforce
deficiency.
* this means vastly different things for different audiences
U.S. National Cybersecurity
October 21, 2004
A Short Digression…
Did you know that October is
National Cyber Security
Awareness Month?
This is Dewie, cybersecurity
mascot for the FTC’s online
safety campaign
Join “Team Dewie” at:
http://www.ftc.gov/bcp/conline/edcams/infosecurity/forkids.html
Learn More about “high impact” events during National
Cybersecurity month at:
http://www.staysafeonline.info
U.S. National Cybersecurity
October 21, 2004
Priority IV: Securing Government’s
Cyberspace
Goals:
1) Protect the many information systems
supporting critical services provided by the
government at the federal, state and local
levels.
2) Lead by example in federal agencies and
use procurement power to encourage the
development of more secure produces.
U.S. National Cybersecurity
October 21, 2004
Priority IV Initiative: FISMA
Federal Information Security Management Act (FISMA):
Goal:
Strengthen federal agencies resistance to cybersecurity attacks and lead
by example.
What is it:
Mandates that CIO of each federal agency develop and maintain an
agency-wide information security program that includes:
•
•
•
•
•
•
periodic risk assessments
security policies/plans/procedures
security training for personnel
periodic testing and evaluation
incident detection, reporting & response
plan to ensure continuity of operation (during an attack)
Yearly report to Office of Management & Budget (OMB), tied to procurement.
U.S. National Cybersecurity
October 21, 2004
Priority V: National Security &
International Cooperation
Goals:
1) Improve National Security by:
a) improving counter-intelligence and response efforts
in cyberspace within the national security community
b) improving attribution and prevention capabilities
c) being able to respond in an “appropriate” manner
2) Enhance International Cooperation by:
a) reaching cybersecurity agreements with members of
existing world organizations
b) promote the adoption of cyber-crime laws and
mutual assistance provisions across the globe.
U.S. National Cybersecurity
October 21, 2004
Critiques of the National
Plan
U.S. National Cybersecurity
October 21, 2004
Criticisms of the National Plan
Frequently stated arguments:
1) By avoiding regulation, the plan has “no teeth”
and can freely be ignored by companies.
2) Government claims of an “information deficit”
at the enterprise level are misinformed and
awareness efforts are a waste.
3) Not enough consideration has been given to
the role economic incentives play in creating
cybersecurity vulnerabilities.
U.S. National Cybersecurity
October 21, 2004
Finally: Time for
Discussion
U.S. National Cybersecurity
October 21, 2004