Chapter 9 Cybersecurity Policy

CRIM 3460 Introduction to Critical Infrastructure Protection, Fall 2016. Chapter 9 – Cybersecurity Policy. School of Criminology and Justice Studies, University of Massachusetts Lowell

Transcript of Chapter 9 Cybersecurity Policy

Page 1: Chapter 9 Cybersecurity Policy

CRIM 3460 Introduction to Critical Infrastructure Protection Fall 2016

Chapter 9 – Cybersecurity Policy

School of Criminology and Justice Studies University of Massachusetts Lowell

Page 2: Chapter 9 Cybersecurity Policy

National security challenge for the 21st century

CI cyber attacks: the latest evolution of war fighting

U.S. pursuing two key strategies for CI/KR cybersecurity:

o Promoting voluntary best practices by industry

o Sharing classified intel between government and the private sector; must be two-way to be effective

Chapter/topic focus:

o Why has the U.S. adopted these particular approaches?

o How do the current strategies work?

o What are the odds of success?

Page 3: Chapter 9 Cybersecurity Policy

President’s Commission on Critical Infrastructure Protection (PCCIP) in the mid-1990s warned of cyber attacks as a growing problem

The 2012 Saudi Aramco attack marked the beginning

Three factors that support the growing risk to CI/KR from cyber attacks:

o Infrastructures are accessible

o Attacks are difficult to identify

o Attacks are increasingly easier to produce

Connectivity makes control systems accessible

Page 4: Chapter 9 Cybersecurity Policy

In 2013 SECDEF warned that attacks against CI/KR could amount to a “cyber Pearl Harbor”

Also in 2013 the Director of National Intelligence placed cyber threats against CI/KR ahead of terrorism, transnational crime and WMDs

Sentiment shared by industry, including Oracle, Microsoft, Cisco, etc.

Page 5: Chapter 9 Cybersecurity Policy

Why has the U.S. Government adopted these particular policies?

U.S. has adopted two key approaches to confronting the challenges of CI/KR cybersecurity:

o Promotion of voluntary best practices by the private sector

o Expansion of information-sharing programs between government and the private sector

Page 6: Chapter 9 Cybersecurity Policy

Will the laissez-faire policy (an attitude of letting things take their own course, without interfering) work?

The U.S. has delegated cybersecurity concerns to the National Institute of Standards and Technology (NIST)

NIST is implementing an iterative process, or lifecycle

The lifecycle is a process, not a solution

http://www.nist.gov/cyberframework/

Page 7: Chapter 9 Cybersecurity Policy
Page 8: Chapter 9 Cybersecurity Policy

Cybersecurity Act of 2012: defeated by the Senate 56-42 in 2012

o Would have bolstered security of CI/KR (e.g. electrical grids)

o Reticence was, in part, opposition to new regulations

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was issued in 2013

Purpose is to increase core capabilities for our critical infrastructure to manage cyber risk, focusing on:

o Information sharing

o Privacy

o Adoption of cybersecurity practices

Page 9: Chapter 9 Cybersecurity Policy

Federal Government to work with critical infrastructure owners/operators and state, local, tribal and territorial entities to proactively manage risk and strengthen the security and resilience

Considers all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof

Efforts shall reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts

Page 10: Chapter 9 Cybersecurity Policy

First initiative directed by the EO: develop a framework for CI cybersecurity

o Intended to apply across all CI sectors

o Focused on specific sector operations and organizations

Framework focused on the five functional areas central to the lifecycle of cybersecurity management

Provides informational resources and identifies best practices

The five functional areas are divided into multiple categories and subcategories that define that area of cybersecurity

Page 11: Chapter 9 Cybersecurity Policy
Page 12: Chapter 9 Cybersecurity Policy

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Page 13: Chapter 9 Cybersecurity Policy
Page 14: Chapter 9 Cybersecurity Policy

Identify

First step in the lifecycle for managing cybersecurity: the organization's understanding of cybersecurity

Identify categories:

Asset management

o Best practices – inventorying systems, cataloging software, mapping data flows and external connections

Business environment

Governance

Risk assessment

Risk assessment strategy
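To make the Asset Management best practices on this slide concrete (inventorying systems, cataloging software, mapping data flows and external connections), here is an added Python example; it is not from the course slides or from NIST, and the inventory, internal address range and flow records are constructed. It builds the data-flow map and surfaces the two gaps an Identify exercise is meant to find: external connections and internal hosts missing from the inventory.

```python
# Added example, not from the course slides or NIST: a minimal Identify /
# Asset Management check. Inventory, network range and flow records are constructed.
import ipaddress
from collections import defaultdict

# Constructed inventory: host -> owner and catalogued software
INVENTORY = {
    "10.0.1.10": {"owner": "ops", "software": ["historian 4.2", "openssh 7.4"]},
    "10.0.1.11": {"owner": "ops", "software": ["hmi-client 2.1"]},
    "10.0.2.20": {"owner": "it", "software": ["windows 10", "office 2016"]},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed site range

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.0.1.11", "10.0.1.10", 502),    # HMI to historian, internal
    ("10.0.1.10", "203.0.113.5", 443),  # historian to vendor cloud, external
    ("10.0.3.99", "10.0.1.10", 22),     # host not in inventory reaches historian
    ("10.0.2.20", "198.51.100.7", 80),  # workstation to external web
]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def map_flows(flows, inventory):
    """Build the data-flow map and surface the two gaps Identify exists to find:
    external connections and internal hosts that are not in the inventory."""
    flow_map = defaultdict(set)
    external = []
    unknown_hosts = set()
    for src, dst, port in flows:
        flow_map[src].add((dst, port))
        for host in (src, dst):
            if is_internal(host) and host not in inventory:
                unknown_hosts.add(host)
        if not is_internal(dst):
            external.append((src, dst, port))
    return {k: sorted(v) for k, v in flow_map.items()}, external, sorted(unknown_hosts)

def software_catalog(inventory):
    """Invert the inventory so each software version lists the hosts running it."""
    catalog = defaultdict(list)
    for host, rec in inventory.items():
        for sw in rec["software"]:
            catalog[sw].append(host)
    return dict(catalog)
```

Run against real flow records, the unknown-host list is the inventory gap to close first, since an asset nobody owns is also one nobody patches or monitors.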

Page 15: Chapter 9 Cybersecurity Policy

Second initiative directed by the EO: a two-way information sharing program about cyber threats between the government and CI entities

o From a DOD program to secure sensitive defense data

o Classified and unclassified info on cyber threats is shared; “threat indicators”

o Data from DHS/federal, private sector and worldwide governments interested in cybersecurity

o EINSTEIN feeds into ECS

o Commercial Service Providers (CSP)

Page 16: Chapter 9 Cybersecurity Policy

Together, best practices and information sharing can help limit risk

U.S. Policy does not have a “silver bullet”, but “keeping the bar high” could limit the risk

Incentives (e.g. federal grants) and certification could encourage participation

Revisit DHS legislation to regulate CI/KR cybersecurity and provide liability protection for information protection

Sector specific non-DHS legislation