Chapter 9 Cybersecurity Policy
CRIM 3460 Introduction to Critical Infrastructure Protection Fall 2016
School of Criminology and Justice Studies University of Massachusetts Lowell
National security challenge for the 21st Century
CI cyber attacks are the latest evolution of war fighting
U.S. pursuing 2 key strategies for CI/KR cybersecurity:
o Promoting voluntary best practices by industry
o Sharing classified intel between government and private sector; must be two-way to be effective
Chapter/topic focus:
o Why has the U.S. adopted these particular approaches?
o How do the current strategies work?
o What are the odds of success?
President’s Commission on Critical Infrastructure Protection (PCCIP) in mid-1990s warned of cyber attacks as a growing problem
The 2012 attack on Saudi Aramco marked the beginning
Three factors that support the growing risk of cyber attacks on CI/KR:
o Infrastructures are accessible
o Attacks are difficult to identify
o Attacks are increasingly easy to produce
Connectivity makes control systems accessible
In 2013 SECDEF warned that attacks against CI/KR could amount to a “cyber Pearl Harbor”
Also in 2013 the Director of National Intelligence placed cyber threats against CI/KR ahead of terrorism, transnational crime and WMDs.
Sentiment shared by industry, including Oracle, Microsoft, Cisco, etc.
Why has the U.S. Government adopted these particular policies?
U.S. has adopted two key approaches to confronting the challenges of CI/KR cybersecurity:
o Promotion of voluntary best practices by the private sector
o Expansion of information-sharing programs between government and the private sector
Will the laissez-faire policy (letting things take their own course, without interfering) work?
The U.S. has delegated cybersecurity concerns to the National Institute of Standards and Technology (NIST); NIST is implementing an iterative process, or lifecycle
The lifecycle is a process, not a solution
http://www.nist.gov/cyberframework/
Cybersecurity Act of 2012
o Defeated by the Senate 56-42 in 2012
o Would have bolstered security of CI/KR (e.g., electrical grids)
o Reticence was, in part, opposition to new regulations
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was enacted in 2013
Purpose is to increase core capabilities for our critical infrastructure to manage cyber risk, focusing on:
o Information sharing
o Privacy
o Adoption of cybersecurity practices
Federal Government to work with critical infrastructure owners/operators and state, local, tribal and territorial entities to proactively manage risk and strengthen the security and resilience
Considers all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof
Efforts shall reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts
First initiative directed by the EO: develop a framework for CI cybersecurity
o Intended to apply across all CI sectors
o Focused on specific sector operations and organizations
o Framework focused on the 5 functional areas central to the lifecycle of cybersecurity management
o Provides informational resources and identifies best practices
o Five functional areas divided into multiple categories and subcategories that define that area of cybersecurity
o Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities
o Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
o Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
o Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
o Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Identify
o First step in the lifecycle for managing cybersecurity
o The organization's understanding of cybersecurity
Identify categories:
o Asset management – best practices: inventorying systems, cataloging software, mapping data flows and external connections
o Business environment
o Governance
o Risk assessment
o Risk assessment strategy
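The asset-management practices listed above (inventory the systems, catalog their software, map data flows and external connections) can be checked mechanically. The script below is an added illustration, not material from the lecture or from NIST: it takes a constructed inventory of control-network hosts, a constructed list of approved external connections, and a few constructed flow records, and reports every internal host that talks on the network but is missing from the inventory and every external connection that nobody approved. The address ranges, host names and software versions are all made up for the example.

```python
"""Toy asset-inventory and data-flow check (added example, not from the slides).

Everything below is constructed for illustration: the internal network
range, the inventory, the approved external connections and the flow records.
"""
import ipaddress
from collections import defaultdict

# Constructed control-network range; real deployments would list each subnet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed inventory: host address -> role and cataloged software.
INVENTORY = {
    "10.0.1.10": {"role": "historian", "software": ["PostgreSQL 9.6"]},
    "10.0.1.20": {"role": "HMI", "software": ["Windows 7", "VendorHMI 4.2"]},
    "10.0.2.5": {"role": "PLC gateway", "software": ["GatewayOS 2.1"]},
}

# Constructed list of approved external connections as (src, dst, dst_port).
# 203.0.113.0/24 is a documentation range, used here as a stand-in vendor portal.
APPROVED_EXTERNAL = {("10.0.1.10", "203.0.113.7", 443)}

# Constructed flow records in "src dst dst_port" form (e.g. from a flow exporter).
FLOW_RECORDS = """
10.0.1.10 10.0.2.5 502
10.0.1.10 203.0.113.7 443
10.0.1.20 10.0.2.5 502
10.0.1.20 198.51.100.9 8080
10.0.3.99 10.0.2.5 502
"""


def parse_flows(text):
    """Turn the whitespace-separated records into (src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def is_external(addr):
    """True when the address lies outside the cataloged internal range."""
    return ipaddress.ip_address(addr) not in INTERNAL_NET


def map_data_flows(flows, inventory=INVENTORY, approved=APPROVED_EXTERNAL):
    """Build the internal flow map and flag inventory gaps.

    Returns a dict with:
      internal_flows     - src host -> sorted list of (dst, port) inside the network
      unknown_hosts      - internal addresses seen on the wire but not inventoried
      unapproved_external - (src, dst, port) flows leaving the network without approval
    """
    internal_flows = defaultdict(set)
    unknown_hosts = set()
    unapproved_external = []
    for src, dst, port in flows:
        # Any internal endpoint that is not in the inventory is an inventory gap.
        for host in (src, dst):
            if not is_external(host) and host not in inventory:
                unknown_hosts.add(host)
        if is_external(dst):
            if (src, dst, port) not in approved:
                unapproved_external.append((src, dst, port))
        else:
            internal_flows[src].add((dst, port))
    return {
        "internal_flows": {k: sorted(v) for k, v in internal_flows.items()},
        "unknown_hosts": sorted(unknown_hosts),
        "unapproved_external": unapproved_external,
    }


def software_catalog(inventory=INVENTORY):
    """Flatten the inventory into (host, role, software) rows for reporting."""
    return [(host, info["role"], pkg) for host, info in sorted(inventory.items())
            for pkg in info["software"]]


if __name__ == "__main__":
    report = map_data_flows(parse_flows(FLOW_RECORDS))
    for src, dsts in report["internal_flows"].items():
        print(f"{src} -> {dsts}")
    print("uninventoried internal hosts:", report["unknown_hosts"])
    print("unapproved external connections:", report["unapproved_external"])
    for row in software_catalog():
        print("cataloged:", row)
```

On the constructed records the script reports one uninventoried host (10.0.3.99, which is talking Modbus/502 to the PLC gateway) and one unapproved outbound connection from the HMI; both are exactly the findings an Identify-phase review is meant to surface before the Protect and Detect work begins.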
Second initiative directed by the EO: a two-way information sharing program about cyber threats between the government and CI entities
o Grew from a DOD program to secure sensitive defense data
o Classified and unclassified info on cyber threats is shared as “threat indicators”
o Data comes from DHS/federal, private sector and worldwide governments interested in cybersecurity
o EINSTEIN feeds into ECS
o Commercial Service Providers (CSP)
Together, best practices and information sharing can help limit risk
U.S. Policy does not have a “silver bullet”, but “keeping the bar high” could limit the risk
Incentives (e.g., federal grants) and certification could encourage participation
Revisit DHS legislation to regulate CI/KR cybersecurity and provide liability protection for information protection
Sector specific non-DHS legislation