U.S.

Cybersecurity
Policy
Lecture by: Dan Wendlandt

MS&E 91SI
Autumn 2004
Stanford University

U.S. National Cybersecurity October 21, 2004

 Outline:
I. Cybersecurity Policy Then & Now
A. Brief History
B. Current Gov’t Actors
C. Recent Legislation (SOX, HIPPA)
II. National Strategy to Secure Cyberspace
A. Intro to the Plan
B. Critical Priorities
1. Response System
2. Threat & Vulnerability Reduction
3. Awareness & Training Program
4. Securing Gov’t. Cyberspace
5. National Security and International
Cooperation.
III. Critiques of the National Plan
IV. Discussion Activity

U.S. National Cybersecurity October 21, 2004

 Cybersecurity Policy
Then & Now

U.S. National Cybersecurity October 21, 2004

 Gov’t Cybersecurity: Then
1996:
President Clinton established the President’s Commission on Critical
Infrastructure Protection (PCCIP). “Critical Foundations” Report.

1998:
Clinton administration issued Presidential Decision Directive 63
(PDD63). Creates :
- National Infrastructure Protection Center (NIPC) in FBI
– Critical Infrastructure Assurance Office (CIAO) in
Dept. of Commerce

2001:
After 9/11 Bush creates:
- Office of Cyberspace Security (Richard Clarke)
- President’s Critical Infrastructure Protection Board (PCIPB)

U.S. National Cybersecurity October 21, 2004

 Gov’t Cybersecurity: Now

Nov. 2002:
Cybersecurity duties consolidated under DHS ->
Information Analysis and Infrastructure
Protection Division (IAIP) . Exact role of
cybersecurity unclear?

June 2003:
National Cyber Security Division (NCSD) created
under IAIP. Headed by Amit Yoran from
Symantec, the role of the NCSD is to conducting
cyberspace analysis, issue alerts and warning,
improve information sharing, respond to major
incidents, and aid in national-level recovery
efforts .

U.S. National Cybersecurity October 21, 2004

 Gov’t Cybersecurity: Now

Sept. 2003:
The United States-Computer Emergency
Readiness Team (US-CERT) is the United
States government coordination point for bridging
public and private sector institutions.

Oct. 2004:
Yoran steps down citing frustration with a
perceived lack of attention and funding given to
cybersecurity issues. He is replace by deputy
Andy Purdy and the debate over the position of
cybersecurity within DHS Continues.

U.S. National Cybersecurity October 21, 2004

 Other Gov’t Actors

In Congress:
Funding is major issue.
Support is often bi-partisan
House:
- Select Committee on Homeland Security -> Subcommittee on
Cybersecurity, Science, Research & Development (Adam
Putnam, R-FL)
- Science Committee (Sherwood Boehlert, R-NY)

Senate:
- Committee on Government Affairs (Susan Collins, R-ME )

U.S. National Cybersecurity October 21, 2004

 Other Gov’t Actors
The usual suspects:
FBI Secret Service

Dept. of Defense NSA

and don’t forget:

DOE Dept. Commerce / NIST SEC

Office of Management
FCC Dept. of Treasury
And Budget (OMB)

and more...

U.S. National Cybersecurity October 21, 2004

 The Big Picture

What’s the Point?

Complex web of interactions. There are many
different government actors with their own interests
and specialties

No complete top-down organization

U.S. National Cybersecurity October 21, 2004

 Recent Legislation: HIPAA
Health Insurance Portability and
Accountability Act (HIPAA)

Goal:
Secure protected health information (PHI),

What it is:
- Not specific to computer security at all, but set forth
standards governing much of which is on computers.
- Insure confidentiality, integrity and availability of all
electronic protected health care information
- Comprehensive: ALL employees must be trained.
- Does not mandate specific technologies, but makes all
“covered entities” potentially subject to litigation.
U.S. National Cybersecurity October 21, 2004
 Recent Legislation: SOX

Sarbanes-Oxley Act (SOX)

Goal:
Verify the integrity of financial statements and
information of publicly traded companies.

What it is:
- Since information systems support most corporate
finance systems, this translates to requirements for
maintaining sufficient info security.
- Threat of jail time for executives has spurred a
significant investment in corporate info security.
U.S. National Cybersecurity October 21, 2004
 The National Strategy to
Secure Cyberspace

U.S. National Cybersecurity October 21, 2004

 What are critical infrastructures?

Critical Infrastructures are public and private institutions in

the following sectors:

Agriculture, food, water, public health, emergency

services, government, defense industrial base, information
and telecommunications, energy, transportation, banking
and finance, chemicals and hazardous materials, and
postal and shipping.

Essentially: What makes America tick.

U.S. National Cybersecurity October 21, 2004

 Why Cyberspace?

“Cyberspace is composed of
hundreds of thousands of
interconnected computers, servers,
routers, switches and fiber optic
cables that allow our critical
infrastructure to work”

[ NSSC: p. vii ]

U.S. National Cybersecurity October 21, 2004

 What is the Threat?

“Our primary concern is the threat of

organized cyber attacks capable of
causing debilitating disruption to our
Nation’s critical infrastructures,
economy, or national security”
[ NSSC: p. viii ]

U.S. National Cybersecurity October 21, 2004

 The Threat in Detail

“Our primary concern is the threat of

organized cyber attacks capable of
causing debilitating disruption to our
Nation’s critical infrastructures,
economy, or national security”
[ NSSC: p. viii ]

U.S. National Cybersecurity October 21, 2004

 What is the Threat?

Peacetime:
- gov’t and corporate espionage
- mapping to prepare for an attack

Wartime:

- intimidate leaders by attacking critical

infrastructures or eroding public confidence in our
information systems.

Is this the right threat model? What about:

- impairing our ability to respond
- economic war of attrition
U.S. National Cybersecurity October 21, 2004
 Government’s Role (part I)

“In general, the private sector is best equipped and structured

to respond to an evolving cyber-threat” [NSSC p ix]

“federal regulation will not become a primary means of securing

cyberspace … the market itself is expected to provide the major
impetus to improve cybersecurity” [NSSC p 15 ]

“with greater awareness of the issues, companies can benefit

from increasing their levels of cybersecurity. Greater
awareness and voluntary efforts are critical components of the
NSSC.” [NSSC p 10]
U.S. National Cybersecurity October 21, 2004
 Government’s Role (part I)

Public-private partnership is the centerpiece

of plan to protect largely privately own
infrastructure.

In practice:
Look at use of “encourage”, “voluntary” and
“public-private” in text of document.

U.S. National Cybersecurity October 21, 2004

 Government’s Role (part II)
However, Government does have a role when:

• high costs or legal barriers cause problems for private industry

• securing its own cyberspace

• interacting with other governments on cybersecurity

• incentive problems leading to under provisioning of shared

resources

• raising awareness

U.S. National Cybersecurity October 21, 2004

Critical Priorities for Cyberspace Security:

I. Security Response System

II. Threat & Vulnerability Reduction Program

III. Awareness & Training Program

IV. Securing Government’s Cyberspace

V. National Security & International Cooperation

U.S. National Cybersecurity October 21, 2004

 Priority I: Security Response System

Goals:

1) Create an architecture for responding to national-

level cyber incidents
a) Vulnerability analysis
b) Warning System
c) Incident Management
d) Response & Recovery

2) Encourage Cybersecurity Information Sharing using

ISACS and other mechanisms

U.S. National Cybersecurity October 21, 2004

 Priority I Initiative: US-CERT (2003)

Goal:
Coordinate defense against and response to cyber
attacks and promote information sharing.

What is does:
- CERT = Computer Emergency Readiness Team
- Contact point for industry and ISACs into the DHS
and other gov’t cybersecurity offices.
- National Cyber Alert System
- Still new, role not clearly defined

U.S. National Cybersecurity October 21, 2004

 Priority I Initiative: Critical
Infrastructure Info. Act of 2002
Goal:
Reduce vulnerability of current critical infrastructure
systems

What is does:
Allows the DHS to receive and protect voluntarily
submitted information about vulnerabilities or
security attacks involving privately owned critical
infrastructure. The Act protects qualifying
information from disclosure under the Freedom of
Information Act.

U.S. National Cybersecurity October 21, 2004

 Priority II: Threat & Vulnerability Reduction
Program

Goals:

1) Reduce Threat & Deter Malicious Actors

a) enhanced law enforcement
b) National Threat Assessment
2) Identify & Remediate Existing Vuln’s
a) Secure Mechanisms of the Internet
b) Improve SCADA systems
c) Reduce software vulnerabilities
d) Improve reliability & security of physical
infrastructure
3) Develop new, more secure technologies

U.S. National Cybersecurity October 21, 2004

 Priority II Initiative :
sDNS & sBGP
Goal:
To develop and deploy new protocols that improve the
security of the Internet infrastructure.

What is does:

DHS is providing funding and working with Internet

standards bodies to help design and implement these new
protocols, which have been stalled for some time.

Adoption strategy remains a largely untackled hurdle.

U.S. National Cybersecurity October 21, 2004

 Priority II Initiative : Cyber Security
R&D Act (2002)
Goal:
Promote research and innovation for technologies relating
to cybersecurity and increase the number of experts in the
field.

What is does:

Dedicated more than $900 million over five years to

security research programs and creates fellowships for the
study of cybersecurity related topics.

Recent release of BAA from SRI shows technical priorities

for developing systems to reduce overall vulnerabilities.
U.S. National Cybersecurity October 21, 2004
 Priority III: Security Awareness and
Training Program
Goals:

1) Awareness* for home/small business,

enterprises, universities, industrial sectors and
government

2) Developing more training & certification

program to combat a perceived workforce
deficiency.

* this means vastly different things for different audiences

U.S. National Cybersecurity October 21, 2004

 A Short Digression…
Did you know that October is

National Cyber Security

Awareness Month?
This is Dewie, cybersecurity
mascot for the FTC’s online
safety campaign

Join “Team Dewie” at:

http://www.ftc.gov/bcp/conline/edcams/infosecurity/forkids.html
Learn More about “high impact” events during National
Cybersecurity month at:
http://www.staysafeonline.info
U.S. National Cybersecurity October 21, 2004
 Priority IV: Securing Government’s
Cyberspace
Goals:

1) Protect the many information systems

supporting critical services provided by the
government at the federal, state and local
levels.

2) Lead by example in federal agencies and

use procurement power to encourage the
development of more secure produces.
U.S. National Cybersecurity October 21, 2004
 Priority IV Initiative: FISMA
Federal Information Security Management Act (FISMA):
Goal:
Strengthen federal agencies resistance to cybersecurity attacks and lead
by example.

What is it:
Mandates that CIO of each federal agency develop and maintain an
agency-wide information security program that includes:

• periodic risk assessments

• security policies/plans/procedures
• security training for personnel
• periodic testing and evaluation
• incident detection, reporting & response
• plan to ensure continuity of operation (during an attack)

Yearly report to Office of Management & Budget (OMB), tied to procurement.

U.S. National Cybersecurity October 21, 2004
 Priority V: National Security &
International Cooperation
Goals:
1) Improve National Security by:
a) improving counter-intelligence and response
efforts in cyberspace within the national security
community
b) improving attribution and prevention capabilities
c) being able to respond in an “appropriate” manner

2) Enhance International Cooperation by:

a) reaching cybersecurity agreements with members
of existing world organizations
b) promote the adoption of cyber-crime laws and
mutual assistance provisions across the globe.

U.S. National Cybersecurity October 21, 2004

 Critiques of the National
Plan

U.S. National Cybersecurity October 21, 2004

 Criticisms of the National Plan

Frequently stated arguments:

1) By avoiding regulation, the plan has “no teeth”

and can freely be ignored by companies.
2) Government claims of an “information deficit”
at the enterprise level are misinformed and
awareness efforts are a waste.
3) Not enough consideration has been given to
the role economic incentives play in creating
cybersecurity vulnerabilities.

U.S. National Cybersecurity October 21, 2004

 Finally: Time for Discussion

U.S. National Cybersecurity October 21, 2004