National Strategy to Secure Cyberspace

National Strategy to Secure Cyberspace By Emily Fetchko 9/7/05


Transcript of National Strategy to Secure Cyberspace

Page 1: National Strategy to Secure Cyberspace

National Strategy to Secure Cyberspace

By Emily Fetchko

9/7/05

Page 2: National Strategy to Secure Cyberspace

The Five W’s

• Who?
  – Federal government
  – State and local governments
  – Private companies and organizations
  – Individual Americans

• What?
  – Cyberspace, “the nervous system – the control system of our country”

Page 3: National Strategy to Secure Cyberspace

The Five W’s, continued

• Where?
  – Within the government
  – Within this country
  – At every computer
  – All over the globe

• When?
  – Starting in Fall 2002

• Why?
  – Three main objectives – see next slide

Page 4: National Strategy to Secure Cyberspace

“New and Significant”

• “New” because this is the first comprehensive policy document about cybersecurity

• “Significant” because it’s a national policy document that affects numerous government organizations

Page 5: National Strategy to Secure Cyberspace

Three Main Objectives

• “Prevent cyber attacks against America’s critical infrastructures”

• “Reduce national vulnerability to cyber attacks”

• “Minimize damage and recovery time from cyber attacks that do occur”

Page 6: National Strategy to Secure Cyberspace

Guiding Principles

• A National Effort
  – Share information with nongovernmental entities
• Protect Privacy and Civil Liberties
• Regulation and Market Forces
  – Avoid broad regulations
• Accountability and Responsibility
  – Designate lead governmental agencies
• Ensure flexibility
• Multi-Year Planning

Page 7: National Strategy to Secure Cyberspace

Critical Infrastructures

• Agriculture
• Food
• Water
• Health
• Emergency services
• Government
• Defense industrial base
• Information and telecommunications
• Energy
• Transportation
• Banking and finance
• Chemicals and hazardous materials
• Postal and shipping

Page 8: National Strategy to Secure Cyberspace

Lead Agencies

• Department of Homeland Security

• Department of the Treasury

• Department of Health and Human Services

• Department of Energy

• Environmental Protection Agency

• Department of Agriculture

• Department of Defense

• Agriculture, Food

• Energy

• Information & Telecommunications, Transportation, Postal & Shipping, Emergency Services, Continuity of Government

• Water, Chemicals & Hazardous Materials

• Defense Industrial Base

• Public Health, Food

• Banking and Finance

Page 9: National Strategy to Secure Cyberspace

Coordinating Agencies

• Office of Science and Technology Policy

• Office of Management and Budget

• Department of State

• Director of Central Intelligence

• Department of Justice and Federal Bureau of Investigation

• Coordinate research and development

• Oversee implementation of policies and budget

• Coordinate international outreach

• Assess foreign threat

• Investigate and prosecute cybercrime

Page 10: National Strategy to Secure Cyberspace

Cyber Attacks

• What would someone accomplish with a cyber attack?
  – Espionage
  – Mapping US control systems
  – Finding key targets
  – Installing backdoors
  – Attacking critical infrastructures
  – Causing distrust in information systems

Page 11: National Strategy to Secure Cyberspace

Five Levels of Vulnerability

• Home User/Small Business – every computer, every network

• Large companies – Common targets for attack (large networks)

• Critical sectors/infrastructures

• National – Software, hardware, protocols

• Global – Worldwide Web

Page 12: National Strategy to Secure Cyberspace

Increasing Threats

Page 13: National Strategy to Secure Cyberspace

The Five Priorities

• I. A National Cyberspace Security Response System

• II. A National Cyberspace Security Threat and Vulnerability Reduction Program

• III. A National Cyberspace Security Awareness and Training Program

• IV. Securing Governments’ Cyberspace

• V. National Security and International Cyberspace Security Cooperation

Page 14: National Strategy to Secure Cyberspace

Priority I: A Security Response System

• What does a security response system do?
  – Detect attacks
  – Perform analyses
  – Issue warnings
  – Coordinate response efforts
  – Restore lost services

Page 15: National Strategy to Secure Cyberspace

Response System, continued

• Difficulties
  – No central vantage point to view cyberspace
  – Must protect civil liberties
  – Attacks spread quickly
  – Cyberspace isn’t controlled by the government

Page 16: National Strategy to Secure Cyberspace

Response System, continued

• Four components to the Response System
  – Analysis
  – Warning
  – Incident Management
  – Response/Recovery
  – All of these are centered in the DHS

Page 17: National Strategy to Secure Cyberspace

Response System, continued

– Analysis
  • What kind of information to collect?
    – Nature of attack
    – Information compromised
    – Extent of damage
    – Intruder’s intentions
    – Tools used in attack
    – Vulnerabilities exploited
  • Types
    – Tactical (“specific”)
    – Strategic (“broader”, “long-term”)
    – Vulnerability assessment

Page 18: National Strategy to Secure Cyberspace

Response System, continued

• Warning (A/R 1-1 and 1-2)
  – Encourage industry to share information about internet health
  – Create a single point of contact for sharing this information with the federal government
  – Expand the Cyber Warning and Information Network (CWIN) to support DHS,
  – Link CWIN to private ISACs (information sharing and analysis centers)

Page 19: National Strategy to Secure Cyberspace

Response System, continued

• Incident Management
  – The biggest task in incident management is linking and coordinating all of the different organizations in the government.
    • DHS
    • DOJ
    • DOD
    • White House
    • Office of Science and Technology Policy
    • Office of Management and Budget
    • And more

Page 20: National Strategy to Secure Cyberspace

Response System, continued

• Response and Recovery (A/R 1-3 to 1-5)
  – All about contingency plans
  – Create a process to develop them
  – Exercise them
  – Find weaknesses and improve them
  – Encourage corporations to have them
  – Develop voluntary ones to restore the Internet

Page 21: National Strategy to Secure Cyberspace

Response System, continued

• Information Sharing
  – Companies may not share vulnerability information because:
    • Fear that the government will release confidential, proprietary or embarrassing information to the public
    • Fear that the competition will receive the information
    • Unsure of how to share the information

Page 22: National Strategy to Secure Cyberspace

Response System, continued

• Information Sharing (A/R 1-6 & 1-7)
  – Coordinate a two-way information flow between government and corporations
    • collect information from companies
    • sanitize
    • release
  – Have corporations and colleges form information sharing groups
  – Colleges and universities should team with ISPs and law enforcement

Page 23: National Strategy to Secure Cyberspace

Priority II: Threat and Vulnerability Reduction Program

• Three-part effort
  – Reduce threats and deter malicious actors through effective programs to identify and punish them
  – Identify and remediate those existing vulnerabilities that could create the most damage to critical systems if exploited
  – Develop new systems with fewer vulnerabilities and assess emerging technologies for vulnerabilities

Page 24: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Reduce Threats and Deter Malicious Actors (A/R 2-1)
  – DOJ will reduce cyber threats and attacks by:
    • Sharing information between federal, state and local law enforcement
    • Providing investigative and forensic resources and training
    • Developing data about victims of cybercrime and intrusions

Page 25: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Reduce Threats and Deter Malicious Actors (A/R 2-2)
  – DHS will develop a national threat assessment including:
    • Red teaming (“performing a penetration test without the knowledge of the IT staff but with full knowledge and permission from upper management”)
    • Blue teaming (“performing a penetration test with the knowledge and consent of the IT staff”)
    • And other methods

Page 26: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Identify and Remediate Existing Vulnerabilities
  – Four major components
    • Internet
    • Digital Control Systems/Supervisory Control and Data Acquisition Systems (DCS/SCADA)
    • Software and Hardware
    • Physical Infrastructure and Interdependency

Page 27: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Identify and Remediate Existing Vulnerabilities - Internet (A/R 2-4)
  – Improve three main protocols
    • IP - Investigate the issues related to IPv6 (A/R 2-3)
    • DNS - Make attacks more difficult and less effective
    • BGP - Promote secure forms
  – Promote improved internet routing to counter DoS attacks
    • Address verification
    • Out-of-band management
  – A “code of good conduct” for ISPs

Page 28: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• DCS/SCADA
  – Computer-based systems to remotely control sensitive processes and physical functions
  – Used in water, transportation, chemicals, energy, manufacturing and more
  – Use the Internet to transfer data
  – Typically small and self-contained units with limited power supplies

• (A/R 2-5) To secure, DHS will
  – Develop best practices and new technology
  – Determine the most critical sites
  – Develop a prioritized plan for short-term improvements

Page 29: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Reduce and Remediate Software Vulnerabilities (A/R 2-6, 2-7, 2-8)
  – Develop a mechanism for vulnerability disclosure
  – Implement patch clearinghouses and share the results
  – Encourage industry to make out-of-the-box software more secure
    • How?

Page 30: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Understand Infrastructure Interdependency and Improve Physical Security (A/R 2-9 & 2-10)
  – Interdependencies
    • Identify them
    • Develop plans to reduce them
    • Model the impact of them
  – Physical security
    • Support efforts by owners/operators to secure and limit access to networking centers

Page 31: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

• Prioritize the Federal Research and Development Agenda (A/R 2-11 & 2-12)
  – Coordinate and update on an annual basis a development agenda for near-term (1-3 years), mid-term (3-5 years) and later (5 years out and longer) IT security research
  – Ensure adequate mechanisms exist for coordination of research between academia, industry and government

Page 32: National Strategy to Secure Cyberspace

Vulnerability Reduction, continued

– Ensure Future Systems are Secure
  • Encourage the private sector to research secure operating systems in the near-term (A/R 2-13)
  • Promote best practices and methodologies for integrity, security and reliability in code development (A/R 2-14)

– Assess and Secure Emerging Systems
  • Ensure emerging technologies are periodically reviewed by the appropriate body within the National Science and Technology Council (A/R 2-15)

Page 33: National Strategy to Secure Cyberspace

Priority III: Security Awareness and Training Program

• Three main components:
  – Promote a national awareness program to empower all Americans to secure their own parts of cyberspace
  – Foster adequate training and education programs
  – Promote well-coordinated, widely recognized professional cybersecurity certifications

Page 34: National Strategy to Secure Cyberspace

Awareness and Training, continued

• Awareness for All Levels of Vulnerability (A/R 3-1 & 3-2)
  – Comprehensive awareness program
  – Expand the StaySafeOnline campaign
  – Develop awards for those in industry who make significant contributions to security
  – Develop programs and guidelines for primary and secondary students

Page 35: National Strategy to Secure Cyberspace

Awareness and Training, continued

– Specific to home users/small businesses (A/R 3-3)
  • Encourage them to secure their systems
  • Make it easier for them to secure their systems

– Large enterprises (A/R 3-4)
  • Conduct audits regularly
  • Develop continuity plans for offsite staff & equipment
  • Participate in industrywide information sharing

Page 36: National Strategy to Secure Cyberspace

Awareness and Training, continued

– Colleges & Universities (A/R 3-5)
  • Form ISACs
  • Empower Chief Information Officers
  • Use best practices for IT security
  • Develop user awareness programs

– Private sector (A/R 3-6)
  • Find the gap between private and government R&D
  • Share research
  • Develop best practices

– State and local governments are encouraged to invest in information security measures.

Page 37: National Strategy to Secure Cyberspace

Awareness and Training, continued

• Training
  – DHS will implement and encourage programs to train cybersecurity professionals including scholarships, fellowship and traineeship programs created by the Cyber Security Research and Development Act. (A/R 3-7)
  – DHS will develop a coordination mechanism linking federal cybersecurity and computer forensics training programs. (A/R 3-8)

Page 38: National Strategy to Secure Cyberspace

Awareness and Training, continued

• Certification
  – Encourage efforts needed to develop security certification programs that will be broadly accepted by the public and private sectors. DHS and other agencies can aid by articulating the needs of the federal IT security community. (A/R 3-9)

Page 39: National Strategy to Secure Cyberspace

Priority IV: Securing Governments’ Cyberspace

• In the Federal Government
  – Continuously Assess Threats and Vulnerabilities to Federal Cyber Systems
    • OMB found serious weaknesses including:
      – lack of senior management attention to security
      – lack of performance measurement
      – failure to detect and report information on vulnerabilities
      – poor security education
  – Continuously Assess Threats and Vulnerabilities Within Agencies
    • Use automated tools to do security assessment (A/R 4-1)

Page 40: National Strategy to Secure Cyberspace

Securing Government, continued

– Authenticate and Maintain Authorization for Users of Federal Systems (A/R 4-2)
  • E-Authentication initiative
  • Review the need for stronger access control
  • Explore the extent to which all departments can employ the same physical and logical control tools and authentication mechanisms

– Secure Federal Wireless Local Area Networks
  • Consider installing systems to monitor for unauthorized connections. Also consider the use of strong encryption, bi-directional authentication, shielding standards and other security mechanisms. (A/R 4-3)

Page 41: National Strategy to Secure Cyberspace

Securing Government, continued

– Improve Security in Government Outsourcing and Procurement
  • Conduct an extensive review of NIAP, the National Information Assurance Partnership, to determine the extent to which it is adequately addressing the problem of security flaws in commercial software products. (A/R 4-4)
  • When available, always use DOD-evaluated products

– Develop Specific Criteria for Independent Security Reviews
  • Investigate if private sector security service providers need to be certified as meeting certain minimum capabilities. (A/R 4-5)

Page 42: National Strategy to Secure Cyberspace

Securing Government, continued

• In State and Local Governments
  – Many state and local functions are tied to IT
    • Payments to welfare recipients
    • Access to criminal records
    • Operating state and local utility and transportation
  – State and local governments are encouraged to establish IT security programs including awareness, audits and standards and to participate in ISACs. (A/R 4-6)

Page 43: National Strategy to Secure Cyberspace

Priority V: National Security and International Cyberspace Security Cooperation

• Securing America from Outside Threats
  – Small-scale attacks have already taken place
  – Need to understand who has the capacity for larger attacks and to what extent
  – Can we ever be secure from terrorists?

Page 44: National Strategy to Secure Cyberspace

National Security, continued

• Associated Recommendations:
  – Strengthen Counterintelligence Efforts in Cyberspace (A/R 5-1)
  – Improve Attack Attribution and Prevention (A/R 5-2)
  – Improve Interagency Coordination in Criminal Matters (A/R 5-3)
  – Reserve the Right to Respond in an Appropriate Manner (A/R 5-4)

Page 45: National Strategy to Secure Cyberspace

National Security, continued

• International Cooperation
  – Promote a Global “Culture of Security” (A/R 5-5)
  – Develop Secure Networks
  – Promote North American Cyberspace Security (A/R 5-6)
    • Work with Canada and Mexico to make a “Safe Cyber Zone” and secure common critical networks
  – Encourage Other Nations to Accede to the Council of Europe Convention on Cybercrime (A/R 5-10)

Page 46: National Strategy to Secure Cyberspace

National Security, continued

– National and International Watch-and-Warning Networks (A/R 5-8, 5-9)
  • Each nation should:
    – Appoint a centralized point of contact for cybersecurity efforts
    – Develop a watch-and-warning network
  • The US will facilitate a real-time network to receive, assess and disseminate this information globally.
  • The US encourages regional organizations (like the EU) to designate a committee for cybersecurity.

Page 47: National Strategy to Secure Cyberspace

Conclusion

• Extends from the home user to the global Worldwide Web

• Emphasizes the public-private partnership

• Long-term plan in the process of being implemented

• Most responsibility falls on DHS, but also affects many other government agencies

• Where are we now?

Page 48: National Strategy to Secure Cyberspace

References

• The National Strategy to Secure Cyberspace (http://www.whitehouse.gov/pcipb/)

• Guideline on Network Security Testing (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf)