U.S. Cybersecurity Policy Lecture by: Dan Wendlandt MS&E 91SI Autumn 2004 Stanford University U.S. National Cybersecurity October 21, 2004
Download ReportTranscript U.S. Cybersecurity Policy Lecture by: Dan Wendlandt MS&E 91SI Autumn 2004 Stanford University U.S. National Cybersecurity October 21, 2004
U.S. Cybersecurity Policy Lecture by: Dan Wendlandt MS&E 91SI Autumn 2004 Stanford University U.S. National Cybersecurity October 21, 2004 Outline: I. Cybersecurity Policy Then & Now A. Brief History B. Current Gov’t Actors C. Recent Legislation (SOX, HIPPA) II. National Strategy to Secure Cyberspace A. Intro to the Plan B. Critical Priorities 1. Response System 2. Threat & Vulnerability Reduction 3. Awareness & Training Program 4. Securing Gov’t. Cyberspace 5. National Security and International Cooperation. III. Critiques of the National Plan IV. Discussion Activity U.S. National Cybersecurity October 21, 2004 Cybersecurity Policy Then & Now U.S. National Cybersecurity October 21, 2004 Gov’t Cybersecurity: Then 1996: President Clinton established the President’s Commission on Critical Infrastructure Protection (PCCIP). “Critical Foundations” Report. 1998: Clinton administration issued Presidential Decision Directive 63 (PDD63). Creates : - National Infrastructure Protection Center (NIPC) in FBI – Critical Infrastructure Assurance Office (CIAO) in Dept. of Commerce 2001: After 9/11 Bush creates: - Office of Cyberspace Security (Richard Clarke) - President’s Critical Infrastructure Protection Board (PCIPB) U.S. National Cybersecurity October 21, 2004 Gov’t Cybersecurity: Now Nov. 2002: Cybersecurity duties consolidated under DHS -> Information Analysis and Infrastructure Protection Division (IAIP) . Exact role of cybersecurity unclear? June 2003: National Cyber Security Division (NCSD) created under IAIP. Headed by Amit Yoran from Symantec, the role of the NCSD is to conducting cyberspace analysis, issue alerts and warning, improve information sharing, respond to major incidents, and aid in national-level recovery efforts . U.S. National Cybersecurity October 21, 2004 Gov’t Cybersecurity: Now Sept. 2003: The United States-Computer Emergency Readiness Team (US-CERT) is the United States government coordination point for bridging public and private sector institutions. Oct. 2004: Yoran steps down citing frustration with a perceived lack of attention and funding given to cybersecurity issues. He is replace by deputy Andy Purdy and the debate over the position of cybersecurity within DHS Continues. U.S. National Cybersecurity October 21, 2004 Other Gov’t Actors In Congress: Funding is major issue. Support is often bi-partisan House: - Select Committee on Homeland Security -> Subcommittee on Cybersecurity, Science, Research & Development (Adam Putnam, R-FL) - Science Committee (Sherwood Boehlert, R-NY) Senate: - Committee on Government Affairs (Susan Collins, R-ME ) U.S. National Cybersecurity October 21, 2004 Other Gov’t Actors The usual suspects: FBI Secret Service Dept. of Defense NSA and don’t forget: DOE Dept. Commerce / NIST SEC FCC Dept. of Treasury Office of Management And Budget (OMB) and more... U.S. National Cybersecurity October 21, 2004 The Big Picture What’s the Point? Complex web of interactions. There are many different government actors with their own interests and specialties No complete top-down organization U.S. National Cybersecurity October 21, 2004 Recent Legislation: HIPAA Health Insurance Portability and Accountability Act (HIPAA) Goal: Secure protected health information (PHI), What it is: - Not specific to computer security at all, but set forth standards governing much of which is on computers. - Insure confidentiality, integrity and availability of all electronic protected health care information - Comprehensive: ALL employees must be trained. - Does not mandate specific technologies, but makes all “covered entities” potentially subject to litigation. U.S. National Cybersecurity October 21, 2004 Recent Legislation: SOX Sarbanes-Oxley Act (SOX) Goal: Verify the integrity of financial statements and information of publicly traded companies. What it is: - Since information systems support most corporate finance systems, this translates to requirements for maintaining sufficient info security. - Threat of jail time for executives has spurred a significant investment in corporate info security. U.S. National Cybersecurity October 21, 2004 The National Strategy to Secure Cyberspace U.S. National Cybersecurity October 21, 2004 What are critical infrastructures? Critical Infrastructures are public and private institutions in the following sectors: Agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Essentially: What makes America tick. U.S. National Cybersecurity October 21, 2004 Why Cyberspace? “Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches and fiber optic cables that allow our critical infrastructure to work” [ NSSC: p. vii ] U.S. National Cybersecurity October 21, 2004 What is the Threat? “Our primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security” [ NSSC: p. viii ] U.S. National Cybersecurity October 21, 2004 The Threat in Detail “Our primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security” [ NSSC: p. viii ] U.S. National Cybersecurity October 21, 2004 What is the Threat? Peacetime: - gov’t and corporate espionage - mapping to prepare for an attack Wartime: - intimidate leaders by attacking critical infrastructures or eroding public confidence in our information systems. Is this the right threat model? What about: - impairing our ability to respond - economic war of attrition U.S. National Cybersecurity October 21, 2004 Government’s Role (part I) “In general, the private sector is best equipped and structured to respond to an evolving cyber-threat” [NSSC p ix] “federal regulation will not become a primary means of securing cyberspace … the market itself is expected to provide the major impetus to improve cybersecurity” [NSSC p 15 ] “with greater awareness of the issues, companies can benefit from increasing their levels of cybersecurity. Greater awareness and voluntary efforts are critical components of the NSSC.” [NSSC p 10] U.S. National Cybersecurity October 21, 2004 Government’s Role (part I) Public-private partnership is the centerpiece of plan to protect largely privately own infrastructure. In practice: Look at use of “encourage”, “voluntary” and “public-private” in text of document. U.S. National Cybersecurity October 21, 2004 Government’s Role (part II) However, Government does have a role when: • high costs or legal barriers cause problems for private industry • securing its own cyberspace • interacting with other governments on cybersecurity • incentive problems leading to under provisioning of shared resources • raising awareness U.S. National Cybersecurity October 21, 2004 Critical Priorities for Cyberspace Security: I. Security Response System II. Threat & Vulnerability Reduction Program III. Awareness & Training Program IV. Securing Government’s Cyberspace V. National Security & International Cooperation U.S. National Cybersecurity October 21, 2004 Priority I: Security Response System Goals: 1) Create an architecture for responding to nationallevel cyber incidents a) Vulnerability analysis b) Warning System c) Incident Management d) Response & Recovery 2) Encourage Cybersecurity Information Sharing using ISACS and other mechanisms U.S. National Cybersecurity October 21, 2004 Priority I Initiative: US-CERT (2003) Goal: Coordinate defense against and response to cyber attacks and promote information sharing. What is does: - CERT = Computer Emergency Readiness Team - Contact point for industry and ISACs into the DHS and other gov’t cybersecurity offices. - National Cyber Alert System - Still new, role not clearly defined U.S. National Cybersecurity October 21, 2004 Priority I Initiative: Critical Infrastructure Info. Act of 2002 Goal: Reduce vulnerability of current critical infrastructure systems What is does: Allows the DHS to receive and protect voluntarily submitted information about vulnerabilities or security attacks involving privately owned critical infrastructure. The Act protects qualifying information from disclosure under the Freedom of Information Act. U.S. National Cybersecurity October 21, 2004 Priority II: Threat & Vulnerability Reduction Program Goals: 1) Reduce Threat & Deter Malicious Actors a) enhanced law enforcement b) National Threat Assessment 2) Identify & Remediate Existing Vuln’s a) Secure Mechanisms of the Internet b) Improve SCADA systems c) Reduce software vulnerabilities d) Improve reliability & security of physical infrastructure 3) Develop new, more secure technologies U.S. National Cybersecurity October 21, 2004 Priority II Initiative : sDNS & sBGP Goal: To develop and deploy new protocols that improve the security of the Internet infrastructure. What is does: DHS is providing funding and working with Internet standards bodies to help design and implement these new protocols, which have been stalled for some time. Adoption strategy remains a largely untackled hurdle. U.S. National Cybersecurity October 21, 2004 Priority II Initiative : Cyber Security R&D Act (2002) Goal: Promote research and innovation for technologies relating to cybersecurity and increase the number of experts in the field. What is does: Dedicated more than $900 million over five years to security research programs and creates fellowships for the study of cybersecurity related topics. Recent release of BAA from SRI shows technical priorities for developing systems to reduce overall vulnerabilities. U.S. National Cybersecurity October 21, 2004 Priority III: Security Awareness and Training Program Goals: 1) Awareness* for home/small business, enterprises, universities, industrial sectors and government 2) Developing more training & certification program to combat a perceived workforce deficiency. * this means vastly different things for different audiences U.S. National Cybersecurity October 21, 2004 A Short Digression… Did you know that October is National Cyber Security Awareness Month? This is Dewie, cybersecurity mascot for the FTC’s online safety campaign Join “Team Dewie” at: http://www.ftc.gov/bcp/conline/edcams/infosecurity/forkids.html Learn More about “high impact” events during National Cybersecurity month at: http://www.staysafeonline.info U.S. National Cybersecurity October 21, 2004 Priority IV: Securing Government’s Cyberspace Goals: 1) Protect the many information systems supporting critical services provided by the government at the federal, state and local levels. 2) Lead by example in federal agencies and use procurement power to encourage the development of more secure produces. U.S. National Cybersecurity October 21, 2004 Priority IV Initiative: FISMA Federal Information Security Management Act (FISMA): Goal: Strengthen federal agencies resistance to cybersecurity attacks and lead by example. What is it: Mandates that CIO of each federal agency develop and maintain an agency-wide information security program that includes: • • • • • • periodic risk assessments security policies/plans/procedures security training for personnel periodic testing and evaluation incident detection, reporting & response plan to ensure continuity of operation (during an attack) Yearly report to Office of Management & Budget (OMB), tied to procurement. U.S. National Cybersecurity October 21, 2004 Priority V: National Security & International Cooperation Goals: 1) Improve National Security by: a) improving counter-intelligence and response efforts in cyberspace within the national security community b) improving attribution and prevention capabilities c) being able to respond in an “appropriate” manner 2) Enhance International Cooperation by: a) reaching cybersecurity agreements with members of existing world organizations b) promote the adoption of cyber-crime laws and mutual assistance provisions across the globe. U.S. National Cybersecurity October 21, 2004 Critiques of the National Plan U.S. National Cybersecurity October 21, 2004 Criticisms of the National Plan Frequently stated arguments: 1) By avoiding regulation, the plan has “no teeth” and can freely be ignored by companies. 2) Government claims of an “information deficit” at the enterprise level are misinformed and awareness efforts are a waste. 3) Not enough consideration has been given to the role economic incentives play in creating cybersecurity vulnerabilities. U.S. National Cybersecurity October 21, 2004 Finally: Time for Discussion U.S. National Cybersecurity October 21, 2004