NH!ISAC"ADVISORY"201.13" NATIONAL"CRITICAL"INFRASTRUCTURE"RESILIENCE"ANALYSIS"REPORT""

Transcription

1 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL NH!ISACADVISORY NATIONALCRITICALINFRASTRUCTURERESILIENCEANALYSISREPORT FederalCybersecurityAction2009toPresent NationalCriticalInfrastructureInformationSharing&AnalysisCenters(ISACs) NationalHealthcare&PublicHealthCybersecurityResilience Date: February23,2013 To: NH7ISACMembers NationalHealthSectorCoordinatingCouncil(SCC) NationalHealthcare&PublicHealthCriticalInfrastructureOwners+Operators Title: NationalCriticalInfrastructureResilience Introduction* Thefederalgovernment scybersecurityroleincludesbothsecuringfederalsystemsandassistingin protectingnon7federalsystems.identifiedfederalagencies,knownassector7specificagencies,have responsibilities for protection of their respective national critical infrastructure by writing a protectionplan(annexestothenationalinfrastructureprotectionplan). Theover7arching consultativeprocess referencedinthefebruary12,2013presidentialexecutive Order13636andPresidentialPolicyDirectivePPD721encompasses: Federal Sector7Specific Agencies (SSAs) working in concert with the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils (Government Coordinating Councils andprivatesectorcoordinatingcouncils);criticalinfrastructureownersandoperators(private7 sector CIleadershipand eachcriticalinfrastructure srecognized privatesector7led Information Sharing & Analysis Center ISAC); other relevant agencies; State, local, territorial and tribal governments,universitiesandoutsideexperts; Withcloseto90%ofthenation scriticalinfrastructuresownedandoperatedbytheprivatesector, critical infrastructure owners and operators and their respective private sector7led ISAC as the operationalandtacticalarm,havealeadershipresponsibilityandleading definingvoice toenable nationalcybersecuritycriticalinfrastructureprotection,workingincollaborationwithgovernment. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 1

2 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Thereare50+statutescurrentlyaddressingcybersecurityeitherdirectlyorindirectly,butthereisno comprehensivecybersecurityframework legislationthat encompasseshowthegovernmentassists the private sector with national cybersecurity critical infrastructure protection efforts including informationsharingwiththerequiredprivacyandcivillibertiesprotections. The following report provides an overview of cybersecurity Presidential and Congressional Actions frommarch2009topresent,thenation sprivate7sectorledinformationsharing&analysiscenters (ISACs)infrastructure,NationalHealthcare&PublicHealthCybersecurityResilience(aninitiativeled bythehealthcareandpublichealthsectorincollaborationwithgovernment seebelow),andan analysisofpresidentialexecutiveorder13636andpresidentialpolicydirective(ppd721). NationalHealthcareandPublicHealthCybersecurityResponseSystem(HPH!CRS) National Healthcare and Public Health Cybersecurity First Responder (HPH!CFR) Program (AnnualTraining/Certification) NationalHealthcareandPublicHealthCybersecurityEducationFramework(HPH!CEF) * * NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 2

3 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL FEDERAL*CYBERSECURITY*ACTION*2009*TO*PRESENT* Overview:**2009*A*2012* March* 20097PresidentObamareleasedtheCyberspacePolicyReviewdeclaringtheNation s digital infrastructures (cyberspace) as a key strategic national asset and national security priority.( ThePresident scyberspacepolicyreviewidentifiedten(10)near7termactionstosupportthe cybersecuritystrategy: 1. Appoint a cybersecurity policy official responsible for coordinating the Nation s cybersecuritypoliciesandactivities. 2. PrepareforthePresident sapprovalanupdatedstrategytosecuretheinformationand communicationsinfrastructure. 3. Designate cybersecurity as one of the President s key management priorities and establishperformancemetrics. 4. DesignateprivacyandcivillibertiesofficialtotheNSCCybersecurityDirectorate. 5. Conductinteragency7clearedlegalanalysesofprioritycybersecurity7relatedissues. 6. Initiateanationalawarenessandeducationcampaigntopromotecybersecurity 7. Develop an international cybersecurity policy framework and strengthen our internationalpartnerships. 8. Prepareacybersecurityincidentresponseplanandinitiateadialogtoenhancepublic7 privatepartnerships. 9. Develop a framework for research and development strategies that focus on game7 changing technologies that have the potential to enhance the security, reliability, resilienceandtrustworthinessofdigitalinfrastructure. 10. Build a cybersecurity7based identity management vision and strategy, leveraging privacy7enhancingtechnologiesforthenation. KeyDocuments Someofthekeydocumentsguidingeffortsinclude: Draft@National@Strategy@for@Trusted@Identities@in@Cyberspace@ The@Comprehensive@National@Cybersecurity@Initiative@ International@Strategy@for@Cyberspace@ The@Cyberspace@Policy@Review@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 3

4 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL to strengthen the security and resilience of the United States by implementing a national preparedness system identifying and supporting core preparedness capabilities Prevention, Protection,Mitigation,ResponseandRecovery.@@ issued@ by@ the@ President@ of@ the@ United@ States@ with@ the@ advice@ and@ consent@ of@ the@ National@ Security@Council.@@The@National@Security@Council@(NSC)@is@the@principal@forum@for@Presidential@ consideration@of@foreign@policy@issues@and@national@security@matters.@@pursuant@to@policy@review@ directives,@ the@ NSC@ gathers@ facts@ and@ views@ of@ appropriate@ Government@ agencies,@ conducts@ analyses,@ determines@ alternatives@ and@ presents@ policy@ choices@ to@ the@ President@ for@ decision.@@ The@President s@decisions@are@announced@by@decision@directives.@@ May* 12,* TheObamaAdministrationtransmittedacybersecurity@legislative@proposal to Capitol Hill in response to Congress call for assistance on how best to address national cybersecurityneeds.@ 2011*and*2012 Unsuccessfullegislationincludes,butisnotlimitedto: (S.3414)@ The@Cybersecurity@Act@of@2012H@ Improve public/private cybersecurity sector risk assessments, infrastructure identification, private sector leading practice adoption, incentive7basedvoluntarycybersecurityprogramforciownersandoperators. (H.R.@ 2096)@ Cybersecurity@ Enhancement@ Act@ of@ 2011 Direct specified federal agencies to developandupdatethefederalcybersecurityr&dandtechnicalstandardsstrategicplan. (H.R.@ 3834)@ Advancing@ American s@ Networking@ and@ Information@ Technology@ Research@ and@ Development@Act@of@2012 R&Dinnetworkingandinformationtechnology,includingbut notlimitedtosecurity.amendhighperformancecomputingact.@ (H.R.@4257)@Federal@Information@Security@Amendments@Act@of@2012 FISMAreform. (H.R.@3523)@Cyber@Intelligence@Sharing@and@Protection@Act@(CISPA)7Informationsharingand coordination,includingsharingofclassifiedinformation.passedbythehouse,butstalledin thesenateunderthreatofpresidentialvetoandfromgrass7rootsprotestscitingthebillasa threattointernetprivacyandcivilliberties. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 4

5 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Amendthefederalcriminalcodeto providecriminalpenaltiesforintentionalfailurestoproviderequirednoticesofasecurity breachinvolvingsensitivepersonallyidentifiableinformation(specifiedelectronicordigital information). Amendthefederalcriminalcodetomake fraudinconnectionwiththeunauthorizedaccessofpersonallyidentifiableinformation(in electronicordigitalform)apredicateforinstitutingaprosecutionforracketeering. IT Authorize private entities to employ countermeasures and use cybersecurity systems to obtain, identify or possess cyber threat information on its own networksorthenetworksofanotherentitywithsuchentity authorization Promote and Enhance Cybersecurity and Information Sharing Effectiveness and addressing DHS role in CI protection (risk assessments, technologydevelopment,mitigation,awareness/outreach). Overview:**2013** * PresidentialPolicyDirectivePPD!21andExecutiveOrder With legislative failure to successfully pass any effective cybersecurity legislation to support national critical infrastructure protection in 2011 or 2012, on February 12, 2013, the President issuedpresidential@policy@directive@(ppdh21)oncriticalinfrastructuresecurityandresilienceand Presidential@Executive@Order@13636.Contentandanalysisareprovidedlaterinthisreport. Presidential* Executive* An@ official@ document@ issued@ by@ the@ President@ of@ the@ United@ States,@ the@ head@ of@ the@ Executive@ Branch,@ through@ which@ operations@ of@ the@ Federal@ Government@are@managed.@ The113 th Congress The 113 th Congress was sworn in on January 3, Provided below is an overview of the Legislative Congressional Cybersecurity Caucus, Committees and current pending cybersecurity legislation. US*House*of*Representatives*Congressional*Cybersecurity*Caucus Co7Chairs:CongressmanJimLangevin(RI7D)andCongressmanMikeT.McCaul(TX7R) Congressman Langevin and Congressman McCaul founded the first7ever Congressional Cybersecurity Caucus in September As Co7Chairs of the CSIS Commission on Cybersecurityforthe44 th Presidency,theyareactivelyengagedinidentifyingchallengesand NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 5

6 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL making recommendations for the Administration and providing opportunities for more membersofcongresstoengageinthediscussions.whilecongressplaysakeyroleinthe future of cybersecurity policy, the overlap of committee jurisdictions can divide the attentionandfocusofcongressontheseissues.congressmanlangevinandmccaulhope thatthiscaucuswillhelpraiseawarenessandprovideaforumformembersrepresenting differentcommitteesofjurisdictiontodiscussthechallengesinsecuringcyberspace. House*Oversight*and*Government*Reform*Committee* Chair:RepresentativeDarrellE.Issa(RCA749) RankingMember:RepresentativeElijahCummings(DMD77) RepublicanSite: TheHouseOversightandGovernmentReformCommitteeexiststosecuretwofundamental principles.first,americanshavearighttoknowthatthemoneywashingtontakesfrom themiswellspent.andsecond,americansdeserveanefficient,effectivegovernmentthat works for them. The duty on the Oversight and Government Reform Committee is to protecttheserights. The Committee s solemn responsibility is to hold government accountable to taxpayers. They work in partnership with citizen7watchdogs, to deliver the facts to the American peopleandbringgenuinereformtothefederalbureaucracy. The Committee has legislative jurisdiction over the District of Columbia, the government procurementprocess,federalpersonnelsystems,thepostalserviceandothermatters.its primaryresponsibilityisoversightofvirtuallyeverythingthegovernmentdoesfromnational securitytohomelandsecuritygrants,fromfederalworkforcepoliciestoregulatoryreform andreorganizationauthority,andfrominformationtechnologyprocurementsatindividual agenciestogovernment7widesecuritystandards. Subcommittees: Federal Workforce; Government Organization; Health Care & D.C.; NationalSecurity;RegulatoryAffairs;T.A.R.P,&FinancialResources DemocraticSite: CommitteeJurisdiction:TheCommitteeonOversightandGovernmentReformisthemain investigative committee in the U.S. House of Representatives. It has the authority to investigate the subjects within the Committee s legislative jurisdiction as well as any matter withinthejurisdictionoftheotherstandinghousecommittee. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 6

7 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Subcommittees: Federal Workforce / US Postal Service and Labor Policy, Government Organization, Efficiency and Financial Management; Health Care, District of Columbia, Census and the National Archives; National Security, Homeland Defense and Foreign Operations; Regulatory Affairs, Stimulus Oversight and Government Spending; T.A.R.P, Financial Services and Bailouts of Public and Private Programs; Technology, Information Policy,IntergovernmentalRelationsandProcurementReform. Committee*on*Homeland*Security* RepublicanSite: Chair RepresentativeMichaelMcCaul(R7TX) CommitteeDescription:Republican Establishedin2002toprovideCongressionaloversightforUSDHSandbetterprotect Americansagainstapossibleterroristattack. Subcommittees: Border and Maritime Security; Counterterrorism and Intelligence; Cybersecurity, Infrastructure Protection and Security Technologies; Emergency Preparedness, Response and Communications; Oversight and Management Efficiency; TransportationSecurity Issues:9/11Trials/GuantanamoDetainees;BorderSecurity;ChemicalFacilitySecurity Counterterrorism;Cybersecurity;FirstResponderCommunications InformationSharing andstateandlocalfusioncenters;maritimesecurity;oversightofdhsmanagement; Passenger and Cargo Aviation Security; Preparedness for and Response to Terrorist Attacks and Natural Disasters; Risk7Based Grant Funding; Surface Transportation Security;WeaponsofMassDestruction RankingMember:Rep.BennieG.Thompson(D7MS) CommitteeDescription Democratic CreatedbytheUSHouseofRepresentativesin2002intheaftermathofSeptember11, 2001 to provide Congressional oversight to US DHS and better protect the American peopleagainstapossibleterroristattack. Subcommittees: Border and Maritime Security; Counterterrorism and Intelligence; Cybersecurity, Infrastructure Protection and Security Technologies; Emergency Preparedness, Response and Communications; Oversight and Management Efficiency; TransportationSecurity Issues: Transportation Security; Border and Port Security; Critical Infrastructure Protection Cybersecurity and Science and Technology; Emergency Preparedness NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 7

8 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Emerging Threats; Intelligence and Information Sharing; Investigations; Management andprocurement;privacy,civilrightsandcivilliberties Homeland*Security*&*Governmental*Affairs*(GSGA)* Chairman:SenatorThomasR.Carper RankingMember:SenatorTomCoburn Committee Description: Chief oversight committee of the U.S. Senate. The Committee has 5 subcommittees that examine issues ranging from the federal Civil Service,tothegovernment sfinancialmanagementtohowgovernmenthelpscommunities recoverfromcatastrophes. Subcommittees: Permanent Subcommittee on Investigations; Oversight of Government Management; Federal Financial Management; Disaster Recovery and Intergovernmental Affairs;ContractingOversight. Permanent*Select*Committee*on*Intelligence Chairman:CongressmanMikeRogers RankingMember:CongressmanDutchRuppersberger Committee Description: The Committee is the House s primary panel responsible for authorizingthefundingforandoverseeingtheexecutionoftheintelligenceactivitiesofthe USgovernment. Subcommittees:Oversight;TechnicalandTacticalIntelligence;Terrorism,HUMINT,Analysis andcounterintelligence 2013CurrentPendingBills Withover1,381billsintroducedasofFebruary20,2013(the113 th LegislativeSession),the billsbelowrepresentintroducedcybersecuritylegislationtodate. (H.R.624)*Cyber*Intelligence*Sharing*and*Protection*Act*(CISPA)7HouseIntelligencePanel Leaders reintroduced and referred to the House Committee the identical bill (H.R. 3523) from2012onfebruary13,2013.asoffebruary20,2013,thesummaryforh.r.624hasnot beenreceived. (H.R.756)*To*Advance*Cybersecurity*Research,*Development*and*Technical*Standards,*and* for* Other* Purposes Bipartisan legislation to improve communication and collaboration between the private sector and the federal government. Introduced to the House and referredtothehousecommitteeonscience,spaceandtechnologyonfebruary15,2013. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 8

9 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL (S.21)*Cybersecurity*and*American*Cyber*Competitiveness*Act*of*2013 IntroducedJanuary 22,2013,readtwiceandreferredtotheCommitteeonHomelandSecurityandGovernment Affairs. Calls for enactment of bipartisan legislation to improve communication and collaboration between the private sector and the federal government to secure the US against cyber attack and enhance the competitiveness of the US and create jobs in the informationtechnologyindustry,andprotectandidentitiesandsensitiveinformationofus citizensandbusinesses. (H.Res.57) ThesummaryforHouseResolution577ExpressingthesenseoftheHouseof Representatives that in order to continue aggressive growth in the Nation s telecommunicationsandtechnologyindustries,theunitedstatesgovernmentshould Get OutoftheWayandStayoutoftheWay hasnotbeenreceivedasoffebruary20,2013. (H.R.86)*Cybersecurity*Education*Enhancement*Act*of*20137ReferredtotheSubcommittee oncybersecurity,infrastructureprotectionandsecuritytechnologiesonfebruary12,2013. Directs the Secretary of Homeland Security to establish, in conjunction with the National Science Foundation, a program to award grants to institutions of higher education for cybersecurity professional development programs, associate cybersecurity degree programs, and the purchase of equipment to provide training in cybersecurity for professionaldevelopmentofdegreeprograms. MovingForward Implementationofcapabilitiestomovefromareactivetoanationalproactivecybersecuritystance requiresnotonlyeffectivelegislationsupportingprivate7sectordefinedimplementationofsecurity standardsandprotectionpolicies,butalsorequirescontinuallyassessingourcurrentenvironments acrossallcriticalinfrastructuresfromsectorandcross7sectorthreatandvulnerabilityimpacts.this includes two7way security intelligence information sharing, countermeasure solutions, incident response,leadingpracticeandeducation. Beingevervigilant7lookingandmovingforward,workingtogetherinatrustedpublicandprivate sectorcollaborativepartnershipisparamount. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 9

10 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL NATIONAL*HEALTHCARE*&*PUBLIC*HEALTH*CYBERSECURITY*RESILIENCE* NationalHealthcareandPublicHealthCybersecurityResponseSystem(HPH7CRS) NationalHealthcareandPublicHealthCybersecurityFirstResponderProgram(HPH7CFR) NationalHealthcareandPublicHealthCybersecurityEducationFramework(HPH7CEF) The nation s healthcare and public health critical infrastructure (CI) has moved forward to build a trustedcollaborativepartnershipunitinghealthsectorciownersandoperatorswithothernational criticalinfrastructuresandorganizationssupportingthehealthsector.ledbythehealthsector,this isaccomplishedincollaborationandcooperationwiththenationalcouncilofisacs,representingall nationalcriticalinfrastructures,thehealthsectorcoordinatingcouncil(scc),andgovernment(hhs, DHS,NIST,andstate,local,tribalandterritorialgovernments. EnablingNationalHealthcareandPublicHealthCriticalInfrastructureResilience ToenableNationalHealthcareandPublicHealthCriticalInfrastructureresilience,ledbythenation s healthcareandpublichealthsectorincooperationwithgovernment,thenationalhealthisac(nh7 ISAC)leadsdevelopmentandimplementationof: TheNationalHealthcareandPublicHealthCybersecurityResponseSystem(HPH!CRS) HPH!CRS represents a nationwide all7hazards cybersecurity incident response system supporting prevention,protection,mitigation,responseandrecovery.itiscoordinatedwithinthenation shealth sector, across other critical infrastructures and aligned to state, local, tribal and territorial (SLTT) emergencyoperationsandfederalemergencysupportfunctions(esfs). HPH!CRS is supported via a public/private partnership from NH7ISAC headquarters at the Global Institute for Cybersecurity + Research, Global Situational Awareness Center, NASA/Kennedy Space Center. National healthcare and public health cybersecurity response incorporates NH7ISAC 24/7 physical and cyber (all7hazards) security situational awareness intelligence, two7way information sharing, countermeasure solutions, incident response, leading practice and education in a collaborativepartnershipwiththenationalcouncilofisacs,usdepartmentofhomelandsecurity, IntelligenceAgencies,NIST,HHS,andsupportingtechnologyandsecurityorganizations. HPH!CRSincludesimplementationoftheNationalHealthcare&PublicHealthCyberFirstResponder (HPH7CFR)Program.HealthsectorCIownersandoperatorsandorganizationssupportingthehealth sectoraredesignatingindividualstobeannuallytrainedandcertifiedas NationalHPHCybersecurity FirstResponders(HPH7CRF). The National Healthcare and Public Health Cybersecurity Council has been established. It is comprisedofnationwidehealthcareandpublichealthstakeholderstoleadhph7crsimplementation. State7levelbriefingworkshopsarebeingheldacrossthenation. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 10

11 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL NationalHPHCybersecurityEducationProgram(HPH!CEF) ApillarofthesystemisimplementationoftheNationalHealthcareandPublicHealthCybersecurity Education Program. Leveraging the NIST National Initiative for Cybersecurity Education (NICE) Frameworkasthefoundationalbaseline,healthsector7specific role7based cybersecurityfunctions, responsibilities, tasks, competencies and job descriptions are being defined and supported by education,trainingandcertificationprograms. GlobalInstituteforCybersecurity+Research(GICSR)andNASA/KennedySpaceCenter Centerfor LifeCycleDesign(CfLCD) HeadquarteredattheGICSRGlobalSituationalAwarenessCenteratKennedySpaceCenter,NH7ISAC works in partnership with GICSR to address security issues and challenges via their collaborative partnership with NASA s Center for Lifecycle Design (CflCD). NASA s Center for Lifecycle Design (CflCD)advancesexpandingandstrengtheningsecuredesignanddevelopmentconcepts/tools,and leverages modeling and simulation of critical infrastructure high7risk, safety7critical, cybersecurity systems,andsupportseducationandexperientiallearninginitiatives. TheNationalHealthISAC(NH!ISAC) TheNH7ISACisthenation shealthcareandpublichealthcriticalinfrastructureinformationsharing& AnalysisCenter.NH7ISAC,privatesector7ledandanon7profitorganizationisrecognized,asallcritical infrastructures ISACs, by their respective Federal Sector7Specific Agency (SSA), Sector Coordinating Council(SCC),IntelligenceAgencies,NationalCouncilofISACs,andCriticalInfrastructureOwnersand Operators. TheNationalCouncilofISACs(NCIDirectorate) The NCI Directorate is comprised of member representatives of all national critical infrastructure ISACs.NCI smissionistoadvancethephysicalandcybersecurityofthecriticalinfrastructuresof North America by establishing and maintaining a forum and framework for valuable interaction between and among the ISACs, supporting sector and cross7sector intelligence, and working in collaboration with governments, representing national critical infrastructure operational components. NationalCriticalInfrastructureISACsInfrastructure NationalCouncilofISACs CommunicationsISAC,DefenseIndustrialBase(DIB),ElectricSectorISAC, EmergencyManagementResponseISAC(EMR7ISAC),FinancialServicesISAC(FS7ISAC) NationalHealthISAC(NH7ISAC),InformationTechnology(IT7ISAC), MaritimeISAC,Multi7StateISAC,EI(NuclearEnergyInstitute), PublicTransportationISAC(PT7ISAC),RealEstateISAC(RE7ISAC), Research&EducationNetworkingISAC(REN7ISAC),SupplyChainISAC(SC7ISAC), SurfaceTransportationISAC(ST7ISAC),MotorCoachISAC,WaterISAC,AviationISAC(Forming) NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 11

12 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL ANALYSIS PRESIDENTIALEXECUTIVEORDER13636ANDPRESIDENTIALPOLICYDIRECTIVEPPD!21 The issuance of Presidential Directive PPD721 and Executive Order to increase and improve national critical infrastructure cybersecurity resilience is a tremendous step forward. It serves to raise awareness and brings together the public and private sectors to proactively address cybersecurityissuesandchallenges. Both orders are inter7related. The Presidential Directive provides the framework for addressing a public/privatepartnership.theexecutiveorderfocusesonfederalagencyoperations, settingout specific programs, roles, responsibilities and activities for federal agencies to improve support of criticalinfrastructureprotection. To provide insight and defining voice opportunities for the health sector to support cybersecurity critical infrastructure resilience, the National Health ISAC (NH7ISAC) has conducted an analysis of boththeexecutiveorderandpresidentialdirectiveandtheirimpacttothenation shealthcareand PublicHealthCriticalInfrastructure. AsCEO/ExecutiveDirectoroftheNationalHealthISACforthenation shealthcareandpublichealth critical infrastructure, and as Chair of the Health Sector Coordinating Council (SCC) Cybersecurity LegislationCommittee,Iampleasedtoprovidethefollowingreport. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 12

13 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Section1.Policy EXECUTIVEORDER13636 FEBRUARY13,2013 IMPROVINGCRITICALINFRASTRUCTURECYBERSECURITY Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.thecyberthreattocriticalinfrastructurecontinuestogrowandrepresentsoneofthe mostseriousnationalsecuritychallengeswemustconfront.thenationalandeconomicsecurityof theunitedstatesdependsonthereliablefunctioningofthenation'scriticalinfrastructureintheface of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy,andcivilliberties.wecanachievethesegoalsthroughapartnershipwiththeownersand operatorsofcriticalinfrastructuretoimprovecybersecurityinformationsharingandcollaboratively developandimplementrisk7basedstandards. Section2.CriticalInfrastructure Asusedinthisorder,thetermcriticalinfrastructuremeanssystemsandassets,whetherphysicalor virtual, so vital to the United States that the incapacity or destruction of such systems and assets wouldhaveadebilitatingimpactonsecurity,nationaleconomicsecurity,nationalpublichealthor safety,oranycombinationofthosematters. The@Executive@Order@lays@a@foundation@to@build@a@collaborative@Cybersecurity@Framework@with@private@ sector@ critical@ infrastructure@ (CI)@ owners@ and@ operators@ and@ experts@ to@ share@ information@ on@ cyber@ attacks@ and@ threats@ between@ the@ federal@ government@ and@ the@ private@ sector,@ and@ to@ define@ and@ implement@standards.@@ Close@to@90%@of@national@critical@infrastructures@(CI)@are@owned@and@operated@by@the@private@sector.@An@ Executive@ Order@ is@ written@ to@ manage@ government@ executive@ branch@ agency@ Private@ sector@ CI@ owners@ and@ operators,@ working@ through@ their@ respective@ ISAC@ and@ Sector@ Coordinating@ Council@(SCC)@have@a@leading@ implement@ and@ improve@ CI@ cybersecurity@ goals,@ standards,@ policies,@ legislation@ and@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 13

14 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL The*cyber*threat*to*our*Nation s*critical*infrastructures*must*be*approached*from*an* AllAHazards * (Physical* and* Cyber)* Security* perspective.**these* are* no* longer* two* separate* environments,* as* cyber*infrastructures*provide*the*foundation*to*provision*and*mange*physical*security.@@ hurricanes,@tornadoes,@earthquakes,@fires,@asteroids@(satellite@or@earth)@or@terrorism,@as@well@as@cyberh generated@impacts@from@cyber@warfare,@organized@crime,@individual@criminals@or@corporate@insiders.@@@ Technology@infrastructures@and@the@data@that@resides@within@them@are@the@foundation@of@all@of@our@ National@Critical@Infrastructures.@ To@achieve@the@goals@of@enhancing@the@security@and@resilience@of@the@Nation s@critical@infrastructures@ privatehsector@ cyber@ environments@ must@ be@ maintained@ to@ encourage@ efficiency,@ innovation@ and@ economic@ prosperity@ while@ promoting@ safety,@ security,@ business@ confidentiality,@ privacy@ and@ civil@ Alignment@ of@ cybersecurity@ prevention,@ protection,@ mitigation,@ response@ and@ recovery@ protocols@must@be@integrated@and@aligned@to@established@government@emergency@preparedness@and@ operations@ protocols@ including@ the@ Federal@ Emergency@ Support@ Functions@ (ESF)@ structure@ for@ each@ critical@infrastructure@(not@only@to@esf@function@#2@for@communications).@ ESFs,@ as@ part@ of@ the@ National@ Response@ Framework@ provide@ the@ structure@ for@ coordinating@ Federal@ interagency@support@for@federal@response@to@an@incident.@they@are@mechanisms@for@grouping@functions@ most@frequently@used@to@provide@federal@support@to@states@and@federalhtohfederal@support,@both@for@ declared@disasters@and@emergencies@under@the@stafford@act@and@for@nonhstafford@act@incidents.@ The@following@FEMA@chart@summarizes@Stafford@Act@support@to@States:@@@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 14

15 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL @ @ @ @ @ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 15

16 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Section3.PolicyCoordination Policycoordination,guidance,disputeresolution,andperiodicin7progressreviewsforthefunctions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive71* of February 13, 2009 (Organization of the National SecurityCouncilSystem),oranysuccessor. * *Presidential*Policy*Directive*A1,*February*13,*2009* *Organization*of*the*National*Security*Council@ requiring@presidential@determination.@@nsc:@ Advises@and@assists@the@President@in@integrating@all@aspects@of@national@security@policy@as@it@ the@national@economic@council.@ President s@ principal@ means@ for@ coordinating@ executive@ departments@ and@ agencies@ in@ the@ development@and@implementation@of@national@security@policy.@ Members:@President,@ViceHPresident,@Secretary@of@State,@Secretary@of@Defense,@Secretary@of@ Energy,@ Secretary@ of@ the@ Treasury,@ Attorney@ General,@ Secretary@ of@ Homeland@ Security,@ Representative@of@the@US@to@the@United@Nations,@Assistant@to@the@President@and@President s@ Chief@ of@ Staff,@ Assistant@ to@ the@ President@ for@ National@ Security@ Affairs@ (National@ Security@ The@ Director@ of@ National@ Intelligence@ and@ Chairman@ of@ the@ Joint@ Chiefs@ of@ Staff@ attend@as@statutory@advisors.@@ NSC@Meeting@Attendees:@@President Invited@to@NSC@meetings.@@Assistant@to@the@ Secretary. For international economic Secretary@ of@ Commerce,@ US@ Trade@ Representative,@Assistant@to@the@President@for@Economic@Policy@and@Chair@of@the@Council@of@ to@the@president@for@homeland@security@and@counterhterrorism.@@for*science*and*technology* related* Director@ of@ the@ Office@ of@ Science@ and@ Technology@ Policy.@ Executive@ department,@agency@heads@and@other@senior@officials@are@invited@to@attend,@as@appropriate.@ NSC@meets@regularly@and@as@required.@@National@Security@Advisor,@at@the@President s@direction@and@in@ consultation@with@nsc@members@determines@the@agenda,@records@actions@and@presidential@decisions.@ affecting@national@security.@ (including@interagency@policy@committees).@ensures@that@issues@being@brought@before@the@hsc/pc@or@ NSC@ have@ been@ properly@ analyzed@ and@ prepared@ for@ Focuses@ on@ significant@ attention@ on@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 16

17 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL @ Periodic@ reviews@ of@ Administration s@ major@ foreign@ policy@ initiatives.@@ Responsible@for@dayHtoHday@crisis@management,@reporting@to@the@National@Security@Council.@@ Interagency*Policy*Committees*(NSC/IPCs) Management@of@the@development@and@implementation@ of@national@security@policies@by@multiple@agencies@of@the@us@are@accomplished@by@the@nsc@interagency@ Policy@ NSC/IPCs@ conduct@ the@ main@ dayhtohday@ interagency@ coordination@ of@ national@ security@policy.@@provide@policy@analysis@for@consideration@by@the@more@senior@committees@and@ensure@ timely@responses@to@decisions@made@by@the@president.@@ Section4.CybersecurityInformationSharing (a)itisthepolicyoftheunitedstatesgovernmenttoincreasethevolume,timeliness,andqualityof cyber threat information shared with U.S. private sector entities so that these entities may better protectanddefendthemselvesagainstcyberthreats.within120daysofthedateofthisorder,the AttorneyGeneral,theSecretaryofHomelandSecurity(theSecretary),andtheDirectorofNational Intelligenceshalleachissueinstructionsconsistentwiththeirauthoritiesandwiththerequirements ofsection12(c)ofthisordertoensurethetimelyproductionofunclassifiedreportsofcyberthreats totheu.s.homelandthatidentifyaspecifictargetedentity.theinstructionsshalladdresstheneed toprotectintelligenceandlawenforcementsources,methods,operations,andinvestigations. (b)thesecretaryandtheattorneygeneral,incoordinationwiththedirectorofnationalintelligence, shallestablishaprocessthatrapidlydisseminatesthereportsproducedpursuanttosection4(a)of thisordertothetargetedentity.suchprocessshallalso,consistentwiththeneedtoprotectnational securityinformation,includethedisseminationofclassifiedreportstocriticalinfrastructureentities authorized to receive them. The Secretary and the Attorney General, in coordination with the DirectorofNationalIntelligence,shallestablishasystemfortrackingtheproduction,dissemination, anddispositionofthesereports. (c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaborationwiththesecretaryofdefense,shall,within120daysofthedateofthisorder,establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.thisvoluntaryinformation7sharingprogramwillprovideclassifiedcyberthreatandtechnical informationfromthegovernmenttoeligiblecriticalinfrastructurecompaniesorcommercialservice providersthatoffersecurityservicestocriticalinfrastructure. (d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order of August 18, 2010 (Classified National Security Information ProgramforState,Local,Tribal,andPrivateSectorEntities),shallexpeditetheprocessingofsecurity clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizingthecriticalinfrastructureidentifiedinsection9ofthisorder. (e)inordertomaximizetheutilityofcyberthreatinformationsharingwiththeprivatesector,the Secretary shall expand the use of programs that bring private sector subject7matter experts into Federalserviceonatemporarybasis.Thesesubjectmatterexpertsshouldprovideadviceregarding NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 17

18 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL the content, structure, and types of information most useful to critical infrastructure owners and operatorsinreducingandmitigatingcyberrisks @ (120@ days@ from@ EO@ issuance),@ the@ US@ Attorney@ General,@ Secretary@ of@ Homeland@ Security,@and@the@Director@of@National@Intelligence@are@required@to@issue@instructions@to@ensure@timely@ production@ of@ unclassified@ reports@ of@ cyber@ threats@ to@ the@ US@ homeland@ that@ identify@ a@ specific@ Instructions@ will@ protect@ intelligence@ and@ law@ enforcement@ sources,@ methods,@ operations@and@investigations.@@ Note:@@Federal@agencies@are@required@the@law@to@report@all@incidents@to@the@United@States@Computer@ Emergency@Readiness@Team@(USHCERT).@@ Per@ guidelines@ in@ the@ National@ Infrastructure@ Plan@ (NIPP)@ and@ NIST@ Security@ Incident@ Response@ standards,@ critical@ infrastructure@ owners@ and@ operators@ are@ encouraged@ to@ report@ threats@ and@ incidents@to@their@respective@sectorhspecific@isac.@@in@addition@to@isacs@providing@advice@and@additional@ resources@to@successfully@respond@to@a@threat@or@incident,@reporting@and@information@sharing@is@critical@ to@enable@sector@and@crosshsector@impact@and@countermeasure@solution@analysis@and@response.@@this@is@ the@only@way@to@move@from@a@reactive@to@proactive@cybersecurity@stance.@@@ All@ critical@ infrastructure@ ISACs@ are@ sectorhled@ and@ coordinate@ critical@ infrastructure@ threat@ and@ vulnerability@incident@response@24/7@via@the@national@council@of@isacs@working@in@collaboration@with@ government.@ Improving@ the@ sharing@ of@ classified@ and@ technical@ information@ from@ the@ government@ enables@expanded@and@trusted@intelligence@information@sharing.@ ISACs@enable@realHtime@twoHway@actionable@intelligence@sector@and@crossHsector@information@sharing,@ serving@ as@ the@ tactical@ and@ operational@ arm@ conducting@ 24/7@ allhhazards@ threat@ and@ vulnerability@ intelligence@ and@ response@ analysis@ in@ collaboration@ and@ coordination@ with@ the@ US@ Department@ of@ Homeland@ Security@ National@ Cybersecurity@ and@ Communications@ Integration@ Center@ (NCCIC),@ USH CERT,@ intelligence@ agencies,@ federal@ SectorHSpecific@ Agencies@ (SSAs)@ and@ security@ and@ technology@ expert@ directly@ with@ their@ respective@ critical@ infrastructure@ owners@ and@ operators@ and@ technology@ partners,@ ISACs,@ frequently@ identify@ threats@ and@ vulnerabilities@ prior@ to@ government@intelligence@agency@sources.@@@ As@defined@by@the@National@Infrastructure@Protection@Plan@(NIPP),@ ISACs@are@privatelyHled@sectorH specific@organizations@advancing@physical@and@cyber@security@critical@infrastructure@and@key@resources@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 18

19 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory threats@and@vulnerabilities@they@face@on@a@daily@basis@and@the@associated@risks.@@ also@ to@ dedicated@ of@ skilled@ analysts@ the@ nation healthcare@ timely@ capabilities@ cyber@ is@an@essential@step@and@will@help@support@ensuring@appropriate@investments@to@achieve@ci@resilience.@ need@ include@ and@ analysis,@ by@ National@ of@ for@ allhhazards@ and@ security@ impacts@ threat@ information@analyzed@and@coordinated@per@nist*computer*security*incident*handling*guide*(special* Publication*800A61,*Revision*2* threat@and@incident@reporting.@@@ s@information@sharing@&@analysis@ trusted@introducer,@as@represented@in@nist@standard@800h61.@@ NIST*800A61,*Revision*2* *Table*4.1*Coordination*Relationships* Category:**TeamAtoATeam* organizations@collaborate@with@their@peers@during@any@phase@of@the@incident@handling@life@cycle.@@ organizations@ in@ type@ relationship@ usually@ without@ authority@over@each@other@and@choose@to@share@information,@pool@resources@and@reuse@knowledge@ Information* tactical@and@technical@(e.g.,@technical@indicators@or@compromise,@suggested@remediation@actions)@ as@part@of@the@preparation@phase.@ Category:*TeamAtoACoordinating*Team* team@ exist@ an@ incident@ response@and@management@such@as@ushcert@or@an@isac.@@this@type@of@relationships@may@include@ well@ the@ that@ coordinating@ will@ timely@ useful@ coordinating@ frequently@ tactical,@ information@as@well@as@information@regarding@threats,@vulnerabilities@and@risks@to@the@community@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 19

20 National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL @ coordinating@ may@ need@ impact@ attention.@ Category:**Coordinating*TeamAtoACoordinating*Team* exist@ share@ relating@ cross@ incidents@ may@ coordinating@ act@ behalf@ their@ community@ organizations@ share@ on@ nature@ scope@ cross@ incidents@ reusable@mitigation@strategies@to@assist@in@interhcommunity@response.@ type@ information@ by@ teams@ their@ often@ of@ summaries@ steady@ operations,@ punctuated@ by@ the@ exchange@ of@ tactical,@ technical@ details,@ response@ plans,@ and@ impact@ or@ risk@ Section5.PrivacyandCivilLibertiesProtections (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacyandcivillibertiesandensurethatprivacyandcivillibertiesprotectionsareincorporatedinto suchactivities.suchprotectionsshallbebaseduponthefairinformationpracticeprinciplesandother privacyandcivillibertiespolicies,principles,andframeworksastheyapplytoeachagency'sactivities. (b)thechiefprivacyofficerandtheofficerforcivilrightsandcivillibertiesofthedepartmentof HomelandSecurity(DHS)shallassesstheprivacyandcivillibertiesrisksofthefunctionsandprograms undertakenbydhsascalledforinthisorderandshallrecommendtothesecretarywaystominimize ormitigatesuchrisks,inapubliclyavailablereport,tobereleasedwithin1yearofthedateofthis order.senioragencyprivacyandcivillibertiesofficialsforotheragenciesengagedinactivitiesunder thisordershallconductassessmentsoftheiragencyactivitiesandprovidethoseassessmentstodhs for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revisedasnecessary.thereportmaycontainaclassifiedannexifnecessary.assessmentsshallinclude evaluation of activities against the Fair Information Practice Principles and other applicable privacy andcivillibertiespolicies,principles,andframeworks.agenciesshallconsiderreportassessmentsand recommendationsinimplementingprivacyandcivillibertiesprotectionsforagencyactivities. (c)inproducingthereportrequiredundersubsection(b)ofthissection,thechiefprivacyofficerand theofficerforcivilrightsandcivillibertiesofdhsshallconsultwiththeprivacyandcivilliberties OversightBoardandcoordinatewiththeOfficeofManagementandBudget(OMB). (d)informationsubmittedvoluntarilyinaccordancewith6u.s.c.133byprivateentitiesunderthis ordershallbeprotectedfromdisclosuretothefullestextentpermittedbylaw. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 20