Cyber Strategies for a World at War

OPEN SOURCE AGGREGATION & ANALYSIS

The Highlighter: Securing Cyberspace for the 44th Presidency – Part V

A Report of the CSIS Commission on Cybersecurity for the 44th Presidency

Part V includes highlights of:

  • Section 4 – Regulate for Cybersecurity

——————————————————————————————————————————————
CSWW is not affiliated with CSIS or the commission that produced this report. The use of “we,” “our,” “us,” etc., throughout the highlights of this report refers to the members of the CSIS Commission and not to CSWW.
——————————————————————————————————————————————

The Highlights:

4 – Regulate for Cybersecurity

Recommendations

  • The president should task the NOC to work with appropriate regulatory agencies to develop and issue standards and guidance for securing critical cyber infrastructure, which those agencies would then apply in their own regulations.
  • The NOC should work with the appropriate regulatory agencies and with the National Institute of Standards and Technology (NIST) to develop regulations for industrial control systems (ICS). The government could reinforce regulation by making the development of secure control systems an element of any economic stimulus package…
  • The NOC should immediately determine the extent to which government-owned critical infrastructures are secure from cyber attack…
  • The president should direct the NOC and the federal Chief Information Officers Council, working with industry, to develop and implement security guidelines for the procurement of IT products (with software as the first priority).
  • The president should task the National Security Agency (NSA) and NIST, working with international partners, to reform the National Information Assurance Partnership (NIAP).
  • The president should take steps to increase the use of secure Internet protocols. The president should direct OMB and the NOC to develop mandatory requirements for agencies to contract only with telecommunications carriers that use secure Internet protocols.

It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives. The reason for this is that those who participate in the marketplace are necessarily constrained by economic forces: they must make a product priced low enough to be successful, they must meet the demands of a wide range of customers (not just governments), and they must ensure profitability. In this environment, companies have little incentive to spend on national defense, as they cannot fully recover their costs.

The role of regulation in cybersecurity has been contested since the drafting in 2003 of the first National Strategy to Secure Cyberspace. That strategy stated that “federal regulation will not become a primary means of securing cyberspace” and that “the market will provide the major impetus.”

We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit to survive, to supply this public good in adequate amounts.

We believe that cyberspace cannot be secured without regulation. The intent of such regulation is to increase transparency and improve resiliency and reliability in the delivery of services critical to cyberspace. We propose four sets of regulations: (a) the development of shared standards and best practices for cybersecurity in the three critical cyber-infrastructure sectors (ICT, finance, and energy) to improve performance and increase transparency, (b) the creation of new regulations that apply to supervisory control and data acquisition (SCADA) and other ICSs, (c) changes to federal acquisitions rules to drive security in products and services, (d) mandatory authentication of identity using robust credentials for critical infrastructure sectors…

The next administration should revisit the issue of regulation for cybersecurity and make two significant changes. First, industry and government should identify the level of security that markets will naturally provide.

To get the right regulations, we focus on two key points: the objective of any regulation, and how it is developed. Consistent with national security needs, the intent of any regulatory regime should be to improve security, transparency, reliability, and resiliency. This is important because some attacks can be prevented but some cannot, and, in the latter case, it is important that response and reconstitution of critical infrastructures happen quickly.

The U.S. response to the Y2K experience suggests what this new approach could look like, one where a cooperative relationship between government and the private sector would replace command and control. The Y2K effort had two elements: The first was a government effort to educate, to cooperate in developing responses, and to lead by example. The second was a government mandate, through Securities and Exchange Commission (SEC) regulations, for publicly traded companies to report on the steps they had taken to secure their networks and their operations from disruptions.

A new approach would combine the flexibility of the private sector in identifying best practices with the enforcement strength of the government in ensuring compliance. In this model, the existing regulatory agencies for telecommunications, finance, and energy would oversee a consultative process during which their industries would establish best practices for cybersecurity suited to their field. The agencies would embed these best practices in a regulatory and compliance framework and ensure that companies meet them. Government should set goals; industry should determine how best to accomplish these goals. Government should then ensure compliance.

The still developing relationship between North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC) demonstrates how this kind of regulation could work. Under the framework established by the Federal Power Act, the electric reliability organization (currently NERC) is responsible for proposing, for the review and approval of the FERC, reliability standards for the electric grid.

Regulation is not a panacea and, if improperly implemented, can actually make matters worse by creating a false sense of security and creating incentives for the wrong behaviors (FISMA, for example, as currently drafted, creates incentives for document reviews rather than for improving network security). But we think the next administration should apply the reinforced NERC-FERC model to other sectors. Beginning with existing best practices and standards for cybersecurity, the government could apply a regulatory requirement to secure networks adequately and oversee compliance with those new requirements.

This is where the NOC can play an important role, one that no agency currently plays. Our belief is that the NOC should provide oversight and coordination among regulatory agencies when it comes to cybersecurity, and the NOC could call attention to situations where regulation was inadequate. It would work with the regulatory agencies to issue standards and guidance defining adequacy in cybersecurity. It could assess both the adequacy of cyber security regulations and their implementation. It would review cybersecurity regulations to increase transparency and harmonization among cyber regulations and regulatory agencies so that companies that work across sectors would not be subject to conflicting regulatory regimes. As part of this task, the NOC would assume the Clinger-Cohen authorities currently exercised by OMB for “standards, guidelines, and associated methods and techniques for computer systems.”

The NOC would not have the authority to direct an independent regulatory agency to change its regulations, but if it judged them inadequate (or if an agency refused to provide information), it could call the inadequacy to the attention of the president.

The presidential directive establishing the NOC should include a requirement for the appropriate regulatory agencies to report to the NOC and for the NOC to report to the president annually on the status and adequacy of agencies’ cyber regulations.

SCADA and Industrial Control Systems

One important and atypical area for cyberspace regulations involves industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems…

We believe that current efforts to secure these critical systems are unfocused and do not specifically target the unique aspects of ICS. The environment for ICS cybersecurity is similar to mainstream IT security 15 years ago—in a formative stage. Changing this will require many actions, including education, standards setting, and research. We believe that some regulation will be necessary.

Use Acquisitions to Increase Cybersecurity

We recommend that the federal government require that the use of IT products it buys be securely configured when they are delivered.

NSA found that inappropriate or incorrect security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities.

To solve this problem, government and industry must engage on developing preconfigured security features for the federal marketplace designed for user needs and capabilities.

Government can use its procurement process to require that providers of IT products and systems are accountable and to certify that they have adhered to security and configuration guidelines. A further objective would be to examine the usefulness of open standards for addressing IT security problems in ways that both public and private-sector organizations can implement.

One precedent for this recommendation is the Federal Desktop Core Configuration (FDCC), an element of the CNCI. The FDCC is an OMB mandate that requires all federal agencies to standardize the configuration of settings on operating systems and for applications that run on those systems. The FDCC is aimed at strengthening federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

To oversee the development and implementation of the security guidelines, we recommend that the NOC and OMB use the Chief Information Officers Council to undertake the development of standard security guidelines, settings, or specifications and to coordinate incorporation of those guidelines, settings, and specifications into government-wide contracting strategies (Smart Buy, GSA schedule, and Federal Acquisition Regulation, for example).

Configuration requirements can be reinforced by reforming the current practice for assessing security in hardware and software using the NIAP—a joint effort of NIST and NSA.

Improving the NIAP process means moving from a post-facto review of documentation to processes that provide guidance and incentives to vendors to improve the security of their products in the design phase and in the methods for building secure IT systems from these products.

Acquire Secure Internet Services

While there is general agreement that more secure Internet protocols should be deployed, there has not been sufficient demand to lead Internet infrastructure providers to invest in them.

Federal acquisitions can remedy the lack of demand for secure protocols. Federal acquisitions can create incentives. The federal government is one of the largest purchasers of telecommunications services in the world. Federal acquisitions mandates could rapidly drive the market and provide benefits beyond the federal government. The United States can use this power as an incentive to move to a more secure Internet.

——————————————————————————————————————————————

Coming soon…

The Highlighter: Securing Cyberspace for the 44th Presidency – Part VI

Section 5 – Identity Management for Cybersecurity

——————————————————————————————————————————————