CIAO.0209 - July 99 - 1 Critical Infrastructure Assurance Office Protecting America’s Cyberspace: Version 1.0 of the National Plan Jeffrey Hunker National Security Council July 7, 1999


CIAO.0209 - July 99 - 1

Critical Infrastructure Assurance Office

Protecting America’s Cyberspace:

Version 1.0 of the National Plan

Jeffrey Hunker

National Security Council

July 7, 1999

CIAO.0209 - July 99 - 2

Cyber Threat Spectrum

[Figure: threat spectrum chart; the labels below are those recoverable from the figure]

Threat categories:

• National Security Threats

• Shared Threats

• Local Threats

Threat actors:

• Info Warrior

• National Intelligence

• Terrorist

• Industrial Espionage

• Organized Crime

• Institutional Hacker

• Recreational Hacker

Motivations:

• Reduce U.S. Decision Space, Strategic Advantage, Chaos, Target Damage

• Information for Political, Military, Economic Advantage

• Visibility, Publicity, Chaos, Political Change

• Competitive Advantage, Intimidation

• Revenge, Retribution, Financial Gain, Institutional Change

• Monetary Gain, Thrill, Challenge, Prestige

• Thrill, Challenge

• We know of foreign governments creating offensive attack capabilities against US Cyber Networks

CIAO.0209 - July 99 - 3

PDD-63: National Goal

Protect Critical Infrastructures

– Intentional attacks that would significantly diminish capabilities

Action by Federal, state and local, private sector:

– Federal: National security, public health and safety

– State and local governments: Maintain order, essential services

– Private sector: Essential telecom, energy, financial, transportation services

Initial Operating Capability by 2000

Final Operating Capability in 2003

CIAO.0209 - July 99 - 4

A Family of Plans

National Plan for Information Systems Protection Program

Assess and eliminate significant vulnerabilities to information warfare attack on America’s critical information systems in private sector and government

Develop systems to assess, warn, isolate, respond and reconstitute essential information dependent components of economy and government

Create a strong foundation for secure cyber systems including public-private partnership of systems operators and customers, sound legal footing, widespread public understanding of the importance of information assurance and security, and international cooperation

Strong Foundations

Detect and Respond

Prepare and Prevent

• Non-DOD USG

Civilian Agency Protection & Gov’t Wide Initiatives

• DOD

DoD Infrastructure Protection Plan

Different Constituencies, Shared Goals

Federal Government’s Infrastructure Assurance Plan

• Private Sector/State & Local Government

Framework for Critical Infrastructure Assurance Plan

CIAO.0209 - July 99 - 5

New Initiatives

Supported by President’s FY 2000 Budget Request

– $1.4 B

– 38% Increase from 1999

Focus On

– Federal Sector a Model

– Foundations for Public-Private Partnership

CIAO.0209 - July 99 - 6

Objective: Prepare and Prevent

Program 1: Identify and Address Vulnerabilities

– Key Components for identifying vulnerabilities:

• network assessment

• network analyzer software programs

• Red Team attacks

– Best Practices and Standards

– New Programs and Focus within Federal Government

• Expert Review Team

CIAO.0209 - July 99 - 7

Objective: Detect and Respond

Program 2: Detect Attacks and Unauthorized Intrusions

– Multi-layered protection -- firewalls, intrusion detection monitors, enterprise-wide management systems, malicious code scanners

Program 3: Robust Law Enforcement and Intelligence Capabilities to Protect Critical Information Systems

– NIPC taking the lead

CIAO.0209 - July 99 - 8

Objective: Detect and Respond (cont’d)

Program 4: Share Attack Warnings and Information

– Computer Security Centers

• DOD: JTF-CND

• Non-DOD Federal Government: FIDNET

• Industry: Computer Security Centers/ISACs

– Three Pillar System of Intrusion and Attack Detection

Program 5: System for Response, Reconstitution, and Recovery

CIAO.0209 - July 99 - 9

Computer Intrusion Detection Network

[Figure: diagram with numbered steps 1 to 4; labels: Intrusion attempt detected, Notification, Network Center]

CIAO.0209 - July 99 - 10

ISAC Creation: Questions

1. One or many ISACs? By Sector?

2. Role limited to warning and real-time networks’ security?

3. Government role in sponsoring, starting?

4. New institution or add function to existing entity?

5. Measures of success?

CIAO.0209 - July 99 - 11

Objective: Build Strong Foundations

Program 6: Enhance Research and Development

– FY 2000 Budget Request: $508 MM

– Priorities:

• large scale networks of intrusion detection monitors

• malicious code detection

• interactive multi-layered defenses for enterprise wide management

• modeling responses and interdependencies to cyberattack

CIAO.0209 - July 99 - 12

Objective: Build Strong Foundations (cont’d)

Program 7: Train and Employ Adequate Numbers of Information Security Specialists

– Federal scholarship for service program (CyberCorps)

– Retraining and certifying current Federal IT security personnel

– New pay scale and incentive systems for Federal IT personnel

– INFOSECURITY Centers of Excellence in universities

– Support for additional university faculty development

CIAO.0209 - July 99 - 13

CyberCorps

Problems:

– Lack of computer systems talent nationwide

– Inability of US Government to compete for talented computer experts

Solution:

– “ROTC” like programs in colleges

– Stimulate colleges’ comp sci programs

– Expands numbers of students in field

– Trades undergraduate financial aid for commitment to work for Federal Government upon graduation

– Summer schools, internships, Institute

CIAO.0209 - July 99 - 14

Objective: Build Strong Foundations (cont’d)

Program 8: Outreach to Americans on the Need for Cyber-Security

– Partnership for Critical Information Systems Security

Program 9: Adopt Legislation and Appropriations in Support of Programs 1-8

Program 10: Ensure Full Protection of American Citizen’s Civil Liberties

CIAO.0209 - July 99 - 15

Partnership for Critical Information Security (draft)

National Awareness Campaign

Aimed at Corporate and IT Executives

• Action to protect Critical Information Infrastructure

• Promote Education

• Support Outreach

Participation in Partnership requires:

CIAO.0209 - July 99 - 16

Goals With Economic Sectors

Create Information Sharing and Assessment Centers for intrusion monitoring networks

Establish process to agree upon ‘Best Practices’ for computer security in each sector

Develop processes for certification of hardware, software, firmware, computer security personnel

Jointly develop Awareness and Education campaign, perhaps through a new foundation or institute

CIAO.0209 - July 99 - 17

Summary

Federal Initiatives Under Development

– R&D

– Cybercorps

– Intrusion Detection

– Reconstitution

Industry Leadership Necessary in Key Areas

– Information Sharing

– Best Practices/Accreditation

– Education/Awareness

Evolving Threat Environment - PDD-63 In Response

CIAO.0209 - July 99 - 18

Contact Information

National Security Council

[email protected]

Phone: (202) 456-9361

Fax: (202) 456-9360

Critical Infrastructure Assurance Office

Please visit our website at: www.ciao.ncr.gov

Phone: (703) 595-9395