U.S. Cybersecurity Policy - PowerPoint PPT Presentation

About This Presentation
Title:

U.S. Cybersecurity Policy

Description:

June 2003: National Cyber Security Division (NCSD) created under IAIP. Headed by Amit Yoran from Symantec, ... Cyber Security R&D Act (2002) Priority III: ... – PowerPoint PPT presentation

Slides: 36
Provided by: DAN1226
Learn more at: http://web.stanford.edu

Transcript and Presenter's Notes

Title: U.S. Cybersecurity Policy


1
U.S. Cybersecurity Policy
  • Lecture by Dan Wendlandt
  • MSE 91SI
  • Autumn 2004
  • Stanford University

2
Outline
I. Cybersecurity Policy Then and Now
    A. Brief History
    B. Current Govt Actors
    C. Recent Legislation (SOX, HIPAA)
II. National Strategy to Secure Cyberspace
    A. Intro to the Plan
    B. Critical Priorities
        1. Response System
        2. Threat and Vulnerability Reduction
        3. Awareness and Training Program
        4. Securing Govt. Cyberspace
        5. National Security and International Cooperation
III. Critiques of the National Plan
IV. Discussion Activity
3
Cybersecurity Policy Then and Now
4
Govt Cybersecurity: Then
  • 1996
  • President Clinton established the President's
    Commission on Critical Infrastructure Protection
    (PCCIP). "Critical Foundations" Report.
  • 1998
  • Clinton administration issued Presidential
    Decision Directive 63 (PDD63). Creates:
  • - National Infrastructure Protection Center
    (NIPC) in FBI
  • - Critical Infrastructure Assurance Office
    (CIAO) in Dept. of Commerce
  • 2001
  • After 9/11 Bush creates:
  • - Office of Cyberspace Security (Richard Clarke)
  • - President's Critical Infrastructure Protection
    Board (PCIPB)

5
Govt Cybersecurity Now
  • Nov. 2002
  • Cybersecurity duties consolidated under DHS ->
    Information Analysis and Infrastructure
    Protection Division (IAIP). Exact role of
    cybersecurity unclear?
  • June 2003
  • National Cyber Security Division (NCSD) created
    under IAIP. Headed by Amit Yoran from Symantec,
    the role of the NCSD is to conduct cyberspace
    analysis, issue alerts and warnings, improve
    information sharing, respond to major incidents,
    and aid in national-level recovery efforts.

6
Govt Cybersecurity Now
  • Sept. 2003
  • The United States-Computer Emergency Readiness
    Team (US-CERT) is the United States government
    coordination point for bridging public and
    private sector institutions.
  • Oct. 2004
  • Yoran steps down, citing frustration with a
    perceived lack of attention and funding given to
    cybersecurity issues. He is replaced by deputy
    Andy Purdy, and the debate over the position of
    cybersecurity within DHS continues.

7
Other Govt Actors
In Congress: Funding is a major issue. Support is
often bipartisan.
  • House
  • - Select Committee on Homeland Security ->
    Subcommittee on Cybersecurity, Science, Research
    and Development (Adam Putnam, R-FL)
  • - Science Committee (Sherwood Boehlert, R-NY)
  • Senate
  • - Committee on Government Affairs (Susan Collins,
    R-ME)

8
Other Govt Actors

The usual suspects
FBI
Secret Service
Dept. of Defense
NSA
and don't forget
Dept. Commerce / NIST
SEC
DOE
Office of Management And Budget (OMB)
Dept. of Treasury
FCC
and more...
9
The Big Picture

  • What's the Point?
  • Complex web of interactions. There are many
    different government actors with their own
    interests and specialties
  • No complete top-down organization

10
Recent Legislation: HIPAA
  • Health Insurance Portability and
    Accountability Act (HIPAA)
  • Goal
  • Secure protected health information (PHI).
  • What it is
  • - Not specific to computer security at all, but
    sets forth standards governing such information,
    much of which is on computers.
  • - Ensure confidentiality, integrity and
    availability of all electronic protected health
    care information.
  • - Comprehensive: ALL employees must be trained.
  • - Does not mandate specific technologies, but
    makes all covered entities potentially subject
    to litigation.

11
Recent Legislation: SOX
  • Sarbanes-Oxley Act (SOX)
  • Goal
  • Verify the integrity of financial statements and
    information of publicly traded companies.
  • What it is
  • - Since information systems support most
    corporate finance systems, this translates to
    requirements for maintaining sufficient info
    security.
  • - Threat of jail time for executives has spurred
    a significant investment in corporate info
    security.

12
The National Strategy to Secure Cyberspace
13
What are critical infrastructures?
Critical Infrastructures are public and private
institutions in the following sectors:
Agriculture, food, water, public health, emergency
services, government, defense industrial base,
information and telecommunications, energy,
transportation, banking and finance, chemicals
and hazardous materials, and postal and
shipping.
Essentially: what makes America tick.

14
Why Cyberspace?
  • "Cyberspace is composed of hundreds of thousands
    of interconnected computers, servers, routers,
    switches and fiber optic cables that allow our
    critical infrastructure to work"
  • NSSC p. vii

15
What is the Threat?
  • "Our primary concern is the threat of organized
    cyber attacks capable of causing debilitating
    disruption to our Nation's critical
    infrastructures, economy, or national security"
  • NSSC p. viii

16
The Threat in Detail
  • "Our primary concern is the threat of organized
    cyber attacks capable of causing debilitating
    disruption to our Nation's critical
    infrastructures, economy, or national security"
  • NSSC p. viii

17
What is the Threat?
  • Peacetime
  • - govt and corporate espionage
  • - mapping to prepare for an attack
  • Wartime
  • - intimidate leaders by attacking critical
    infrastructures or eroding public confidence in
    our information systems.
  • Is this the right threat model? What about
  • - impairing our ability to respond
  • - economic war of attrition

18
Government's Role (part I)
  • "In general, the private sector is best equipped
    and structured to respond to an evolving
    cyber-threat" NSSC p. ix
  • "federal regulation will not become a primary
    means of securing cyberspace ... the market itself
    is expected to provide the major impetus to
    improve cybersecurity" NSSC p. 15
  • "with greater awareness of the issues, companies
    can benefit from increasing their levels of
    cybersecurity. Greater awareness and voluntary
    efforts are critical components of the NSSC."
    NSSC p. 10

19
Government's Role (part I)
  • Public-private partnership is the centerpiece of
    the plan to protect largely privately owned
    infrastructure.
  • In practice
  • Look at the use of "encourage", "voluntary" and
    "public-private" in the text of the document.

20
Government's Role (part II)
  • However, Government does have a role when:
  • high costs or legal barriers cause problems for
    private industry
  • securing its own cyberspace
  • interacting with other governments on
    cybersecurity
  • incentive problems leading to under provisioning
    of shared resources
  • raising awareness

21
Critical Priorities for Cyberspace Security
I. Security Response System
II. Threat and Vulnerability Reduction Program
III. Awareness and Training Program
IV. Securing Government's Cyberspace
V. National Security and International Cooperation
22
Priority I: Security Response System
  • Goals
  • 1) Create an architecture for responding to
    national-level cyber incidents
  • a) Vulnerability analysis
  • b) Warning System
  • c) Incident Management
  • d) Response and Recovery
  • 2) Encourage Cybersecurity Information Sharing
    using ISACs and other mechanisms

23
Priority I Initiative: US-CERT (2003)
  • Goal
  • Coordinate defense against and response to
    cyber attacks and promote information sharing.
  • What it does
  • - CERT = Computer Emergency Readiness Team
  • - Contact point for industry and ISACs into the
    DHS and other govt cybersecurity offices.
  • - National Cyber Alert System
  • - Still new, role not clearly defined

24
Priority I Initiative: Critical Infrastructure
Info. Act of 2002
  • Goal
  • Reduce vulnerability of current critical
    infrastructure systems.
  • What it does
  • Allows the DHS to receive and protect voluntarily
    submitted information about vulnerabilities or
    security attacks involving privately owned
    critical infrastructure. The Act protects
    qualifying information from disclosure under the
    Freedom of Information Act.

25
Priority II: Threat and Vulnerability Reduction
Program
  • Goals
  • 1) Reduce Threat and Deter Malicious Actors
  • a) enhanced law enforcement
  • b) National Threat Assessment
  • 2) Identify and Remediate Existing Vulns
  • a) Secure Mechanisms of the Internet
  • b) Improve SCADA systems
  • c) Reduce software vulnerabilities
  • d) Improve reliability and security of physical
    infrastructure
  • 3) Develop new, more secure technologies

26
Priority II Initiative: sDNS and sBGP
  • Goal
  • To develop and deploy new protocols that
    improve the security of the Internet
    infrastructure.
  • What it does
  • DHS is providing funding and working with Internet
    standards bodies to help design and implement
    these new protocols, which have been stalled for
    some time.
  • Adoption strategy remains a largely untackled
    hurdle.

27
Priority II Initiative: Cyber Security R&D Act
(2002)
  • Goal
  • Promote research and innovation for
    technologies relating to cybersecurity and
    increase the number of experts in the field.
  • What it does
  • Dedicated more than $900 million over five years
    to security research programs and creates
    fellowships for the study of cybersecurity-related
    topics.
  • Recent release of BAA from SRI shows technical
    priorities for developing systems to reduce
    overall vulnerabilities.

28
Priority III: Security Awareness and Training
Program
  • Goals
  • 1) Awareness for home/small business,
    enterprises, universities, industrial sectors
    and government
  • 2) Developing more training and certification
    programs to combat a perceived workforce
    deficiency.
  • This means vastly different things for
    different audiences.

29

A Short Digression
Did you know that October is National Cyber
Security Awareness Month?
This is Dewie, cybersecurity mascot for the FTC's
online safety campaign. Join Team Dewie at
http://www.ftc.gov/bcp/conline/edcams/infosecurity/forkids.html
Learn more about high impact events during
National Cybersecurity month at
http://www.staysafeonline.info
30
Priority IV: Securing Government's Cyberspace
  • Goals
  • 1) Protect the many information systems
    supporting critical services provided by the
    government at the federal, state and local
    levels.
  • 2) Lead by example in federal agencies and use
    procurement power to encourage the development of
    more secure products.

31
Priority IV Initiative: FISMA
  • Federal Information Security Management Act
    (FISMA)
  • Goal
  • Strengthen federal agencies' resistance to
    cybersecurity attacks and lead by example.
  • What is it
  • Mandates that the CIO of each federal agency
    develop and maintain an agency-wide information
    security program that includes:
  • - periodic risk assessments
  • - security policies/plans/procedures
  • - security training for personnel
  • - periodic testing and evaluation
  • - incident detection, reporting and response
  • - plan to ensure continuity of operation (during
    an attack)
  • Yearly report to Office of Management and Budget
    (OMB), tied to procurement.

32
Priority V: National Security and International
Cooperation
  • Goals
  • 1) Improve National Security by
  • a) improving counter-intelligence and response
    efforts in cyberspace within the national
    security community
  • b) improving attribution and prevention
    capabilities
  • c) being able to respond in an appropriate
    manner
  • 2) Enhance International Cooperation by
  • a) reaching cybersecurity agreements with
    members of existing world organizations
  • b) promoting the adoption of cyber-crime laws and
    mutual assistance provisions across the globe.

33
Critiques of the National Plan
34
Criticisms of the National Plan
  • Frequently stated arguments
  • By avoiding regulation, the plan has no teeth
    and can freely be ignored by companies.
  • Government claims of an information deficit at
    the enterprise level are misinformed and
    awareness efforts are a waste.
  • Not enough consideration has been given to the
    role economic incentives play in creating
    cybersecurity vulnerabilities.

35
Finally: Time for Discussion