National Strategy to Secure Cyberspace - PowerPoint PPT Presentation

1
National Strategy to Secure Cyberspace
  • By Emily Fetchko
  • 9/7/05

2
The Five Ws
  • Who?
  • Federal government
  • State and local governments
  • Private companies and organizations
  • Individual Americans
  • What?
  • Cyberspace, the nervous system (the control
    system) of our country

3
The Five Ws, continued
  • Where?
  • Within the government
  • Within this country
  • At every computer
  • All over the globe
  • When?
  • Starting in Fall 2002
  • Why?
  • Three main objectives (see next slide)

4
New and Significant
  • New because this is the first comprehensive
    policy document about cybersecurity
  • Significant because it's a national policy
    document that affects numerous government
    organizations

5
Three Main Objectives
  • Prevent cyber attacks against America's critical
    infrastructures
  • Reduce national vulnerability to cyber attacks
  • Minimize damage and recovery time from cyber
    attacks that do occur

6
Guiding Principles
  • A National Effort
  • Share information with nongovernmental entities
  • Protect Privacy and Civil Liberties
  • Regulation and Market Forces
  • Avoid broad regulations
  • Accountability and Responsibility
  • Designate lead governmental agencies
  • Ensure flexibility
  • Multi-Year Planning

7
Critical Infrastructures
  • Agriculture
  • Food
  • Water
  • Health
  • Emergency services
  • Government
  • Defense industrial base
  • Information and telecommunications
  • Energy
  • Transportation
  • Banking and finance
  • Chemicals and hazardous materials
  • Postal and shipping

8
Lead Agencies
  • Department of Homeland Security
  • Department of the Treasury
  • Department of Health and Human Services
  • Department of Energy
  • Environmental Protection Agency
  • Department of Agriculture
  • Department of Defense
  • Agriculture, Food
  • Energy
  • Information and Telecommunications, Transportation,
    Postal and Shipping, Emergency Services, Continuity
    of Government
  • Water, Chemicals and Hazardous Materials
  • Defense Industrial Base
  • Public Health, Food
  • Banking and Finance

9
Coordinating Agencies
  • Office of Science and Technology Policy: Coordinate research and development
  • Office of Management and Budget: Oversee implementation of policies and budget
  • Department of State: Coordinate international outreach
  • Director of Central Intelligence: Assess foreign threat
  • Department of Justice and Federal Bureau of Investigation: Investigate and prosecute cybercrime

10
Cyber Attacks
  • What would someone accomplish with a cyber
    attack?
  • Espionage
  • Mapping US control systems
  • Finding key targets
  • Installing backdoors
  • Attacking critical infrastructures
  • Causing distrust in information systems

11
Five Levels of Vulnerability
  • Home User/Small Business
  • Every computer, every network
  • Large companies
  • Common targets for attack (large networks)
  • Critical sectors/infrastructures
  • National
  • Software, hardware, protocols
  • Global
  • World Wide Web

12
Increasing Threats

13
The Five Priorities
  • I. A National Cyberspace Security Response System
  • II. A National Cyberspace Security Threat and
    Vulnerability Reduction Program
  • III. A National Cyberspace Security Awareness and
    Training Program
  • IV. Securing Governments' Cyberspace
  • V. National Security and International Cyberspace
    Security Cooperation

14
Priority I: A Security Response System
  • What does a security response system do?
  • Detect attacks
  • Perform analyses
  • Issue warnings
  • Coordinate response efforts
  • Restore lost services

15
Response System, continued
  • Difficulties
  • No central vantage point to view cyberspace
  • Must protect civil liberties
  • Attacks spread quickly
  • Cyberspace isn't controlled by the government

16
Response System, continued
  • Four components to the Response System
  • Analysis
  • Warning
  • Incident Management
  • Response/Recovery
  • All of these are centered in the DHS

17
Response System, continued
  • Analysis
  • What kind of information to collect?
  • Nature of attack
  • Information compromised
  • Extent of damage
  • Intruders' intentions
  • Tools used in attack
  • Vulnerabilities exploited
  • Types
  • Tactical (specific)
  • Strategic (broader, long-term)
  • Vulnerability assessment

18
Response System, continued
  • Warning (A/R 1-1 and 1-2)
  • Encourage industry to share information about
    internet health
  • Create a single point of contact for sharing this
    information with the federal government
  • Expand the Cyber Warning and Information Network
    (CWIN) to support DHS,
  • Link CWIN to private ISACs (information sharing
    and analysis centers)

19
Response System, continued
  • Incident Management
  • The biggest task in incident management is
    linking and coordinating all of the different
    organizations in the government.
  • DHS
  • DOJ
  • DOD
  • White House
  • Office of Science and Technology Policy
  • Office of Management and Budget
  • And more

20
Response System, continued
  • Response and Recovery (A/R 1-3 to 1-5)
  • All about contingency plans
  • Create a process to develop them
  • Exercise them
  • Find weaknesses and improve them
  • Encourage corporations to have them
  • Develop voluntary ones to restore the Internet

21
Response System, continued
  • Information Sharing
  • Companies may not share vulnerability information
    because
  • Fear that the government will release
    confidential, proprietary or embarrassing
    information to the public
  • Fear that the competition will receive the
    information
  • Unsure of how to share the information

22
Response System, continued
  • Information Sharing (A/R 1-6, 1-7)
  • Coordinate a two-way information flow between
    government and corporations
  • collect information from companies
  • sanitize
  • release
  • Have corporations and colleges form information
    sharing groups
  • Colleges and universities should team with ISPs
    and law enforcement

23
Priority II: Threat and Vulnerability Reduction Program
  • Three part effort
  • Reduce threats and deter malicious actors through
    effective programs to identify and punish them
  • Identify and remediate those existing
    vulnerabilities that could create the most damage
    to critical systems if exploited
  • Develop new systems with fewer vulnerabilities and
    assess emerging technologies for vulnerabilities

24
Vulnerability Reduction, continued
  • Reduce Threats and Deter Malicious Actors (A/R
    2-1)
  • DOJ will reduce cyber threats and attacks by
  • Sharing information between federal, state and
    local law enforcement
  • Providing investigative and forensic resources
    and training
  • Developing data about victims of cybercrime and
    intrusions

25
Vulnerability Reduction, continued
  • Reduce Threats and Deter Malicious Actors (A/R
    2-2)
  • DHS will develop a national threat assessment
    including
  • Red teaming (performing a penetration test
    without the knowledge of the IT staff but with
    full knowledge and permission from upper
    management)
  • Blue teaming (performing a penetration test with
    the knowledge and consent of the IT staff)
  • And other methods

26
Vulnerability Reduction, continued
  • Identify and Remediate Existing Vulnerabilities
  • Four major components
  • Internet
  • Digital Control Systems/Supervisory Control and
    Data Acquisition Systems (DCS/SCADA)
  • Software and Hardware
  • Physical Infrastructure and Interdependency

27
Vulnerability Reduction, continued
  • Identify and Remediate Existing Vulnerabilities
    - Internet (A/R 2-4)
  • Improve three main protocols
  • IP - Investigate the issues related to IPv6 (A/R
    2-3)
  • DNS - Make attacks more difficult and less
    effective
  • BGP - Promote secure forms
  • Promote improved internet routing to counter DoS
    attacks
  • Address verification
  • Out-of-band management
  • A "code of good conduct" for ISPs

28
Vulnerability Reduction, continued
  • DCS/SCADA
  • Computer-based systems to remotely control
    sensitive processes and physical functions
  • Used in water, transportation, chemicals, energy,
    manufacturing and more
  • Use the Internet to transfer data
  • Typically small and self-contained units with
    limited power supplies
  • (A/R 2-5) To secure, DHS will
  • Develop best practices and new technology
  • Determine the most critical sites
  • Develop a prioritized plan for short-term
    improvements

29
Vulnerability Reduction, continued
  • Reduce and Remediate Software Vulnerabilities
    (A/R 2-6, 2-7, 2-8)
  • Develop a mechanism for vulnerability disclosure
  • Implement patch clearinghouses and share the
    results
  • Encourage industry to make out-of-the-box
    software more secure
  • How?

30
Vulnerability Reduction, continued
  • Understand Infrastructure Interdependency and
    Improve Physical Security (A/R 2-9, 2-10)
  • Interdependencies
  • Identify them
  • Develop plans to reduce them
  • Model the impact of them
  • Physical security
  • Support efforts by owners/operators to secure and
    limit access to networking centers

31
Vulnerability Reduction, continued
  • Prioritize the Federal Research and Development
    Agenda (A/R 2-11, 2-12)
  • Coordinate and update on an annual basis a
    development agenda for near-term (1-3 years),
    mid-term (3-5 years) and later (5 years out and
    longer) IT security research
  • Ensure adequate mechanisms exist for coordination
    of research between academia, industry and
    government

32
Vulnerability Reduction, continued
  • Ensure Future Systems are Secure
  • Encourage the private sector to research secure
    operating systems in the near-term (A/R 2-13)
  • Promote best practices and methodologies for
    integrity, security and reliability in code
    development (A/R 2-14)
  • Assess and Secure Emerging Systems
  • Ensure emerging technologies are periodically
    reviewed by the appropriate body within the
    National Science and Technology Council (A/R 2-15)

33
Priority III: Security Awareness and Training Program
  • Three main components
  • Promote a national awareness program to empower
    all Americans to secure their own parts of
    cyberspace
  • Foster adequate training and education programs
  • Promote well-coordinated, widely recognized
    professional cybersecurity certifications

34
Awareness and Training, continued
  • Awareness for All Levels of Vulnerability (A/R
    3-1, 3-2)
  • Comprehensive awareness program
  • Expand the StaySafeOnline campaign
  • Develop awards for those in industry who make
    significant contributions to security
  • Develop programs and guidelines for primary and
    secondary students

35
Awareness and Training, continued
  • Specific to home users/small businesses (A/R 3-3)
  • Encourage them to secure their systems
  • Make it easier for them to secure their systems
  • Large enterprises (A/R 3-4)
  • Conduct audits regularly
  • Develop continuity plans for offsite staff and
    equipment
  • Participate in industry-wide information sharing

36
Awareness and Training, continued
  • Colleges and Universities (A/R 3-5)
  • Form ISACs
  • Empower Chief Information Officers
  • Use best practices for IT security
  • Develop user awareness programs
  • Private sector (A/R 3-6)
  • Find the gap between private and government R&D
  • Share research
  • Develop best practices
  • State and local governments are encouraged to
    invest in information security measures.

37
Awareness and Training, continued
  • Training
  • DHS will implement and encourage programs to
    train cybersecurity professionals including
    scholarships, fellowship and traineeship programs
    created by the Cyber Security Research and
    Development Act. (A/R 3-7)
  • DHS will develop a coordination mechanism linking
    federal cybersecurity and computer forensics
    training programs. (A/R 3-8)

38
Awareness and Training, continued
  • Certification
  • Encourage efforts needed to develop security
    certification programs that will be broadly
    accepted by the public and private sectors. DHS
    and other agencies can aid by articulating the
    needs of the federal IT security community. (A/R
    3-9)

39
Priority IV: Securing Governments' Cyberspace
  • In the Federal Government
  • Continuously Assess Threats and Vulnerabilities
    to Federal Cyber Systems
  • OMB found serious weaknesses including
  • lack of senior management attention to security
  • lack of performance measurement
  • failure to detect and report information on
    vulnerabilities
  • poor security education
  • Continuously Assess Threats and Vulnerabilities
    Within Agencies
  • Use automated tools to do security assessment
    (A/R 4-1)

40
Securing Government, continued
  • Authenticate and Maintain Authorization for Users
    of Federal Systems (A/R 4-2)
  • E-Authentication initiative
  • Review the need for stronger access control
  • Explore the extent to which all departments can
    employ the same physical and logical control
    tools and authentication mechanisms
  • Secure Federal Wireless Local Area Networks
  • Consider installing systems to monitor for
    unauthorized connections. Also consider the use
    of strong encryption, bi-directional
    authentication, shielding standards and other
    security mechanisms. (A/R 4-3)

41
Securing Government, continued
  • Improve Security in Government Outsourcing and
    Procurement
  • Conduct an extensive review of NIAP, the National
    Information Assurance Partnership, to determine
    the extent to which it is adequately addressing
    the problem of security flaws in commercial
    software products. (A/R 4-4)
  • When available, always use DOD-evaluated products
  • Develop Specific Criteria for Independent
    Security Reviews
  • Investigate if private sector security service
    providers need to be certified as meeting certain
    minimum capabilities. (A/R 4-5)

42
Securing Government, continued
  • In State and Local Governments
  • Many state and local functions are tied to IT
  • Payments to welfare recipients
  • Access to criminal records
  • Operating state and local utility and
    transportation
  • State and local governments are encouraged to
    establish IT security programs including
    awareness, audits and standards and to
    participate in ISACs. (A/R 4-6)

43
Priority V: National Security and International Cyberspace Security Cooperation
  • Securing America from Outside Threats
  • Small-scale attacks have already taken place
  • Need to understand who has the capacity for
    larger attacks and to what extent
  • Can we ever be secure from terrorists?

44
National Security, continued
  • Associated Recommendations
  • Strengthen Counterintelligence Efforts in
    Cyberspace (A/R 5-1)
  • Improve Attack Attribution and Prevention (A/R
    5-2)
  • Improve Interagency Coordination in Criminal
    Matters (A/R 5-3)
  • Reserve the Right to Respond in an Appropriate
    Manner (A/R 5-4)

45
National Security, continued
  • International Cooperation
  • Promote a Global Culture of Security (A/R 5-5)
  • Develop Secure Networks
  • Promote North American Cyberspace Security (A/R
    5-6)
  • Work with Canada and Mexico to make a "Safe Cyber
    Zone" and secure common critical networks
  • Encourage Other Nations to Accede to the Council
    of Europe Convention on Cybercrime (A/R 5-10)

46
National Security, continued
  • National and International Watch-and-Warning
    Networks (A/R 5-8, 5-9)
  • Each nation should
  • Appoint a centralized point of contact for
    cybersecurity efforts
  • Develop a watch-and-warning network
  • The US will facilitate a real-time network to
    receive, assess and disseminate this
    information globally.
  • The US encourages regional organizations (like
    the EU) to designate a committee for
    cybersecurity.

47
Conclusion
  • Extends from the home user to the global
    World Wide Web
  • Emphasizes the public-private partnership
  • Long-term plan in the process of being
    implemented
  • Most responsibility falls on DHS, but also
    affects many other government agencies
  • Where are we now?

48
References
  • The National Strategy to Secure Cyberspace
    (http://www.whitehouse.gov/pcipb/)
  • Guideline on Network Security Testing
    (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf)