Update on U.S. Critical Infrastructure and Cybersecurity Initiatives
Presented to Information Security Now! Seminar, Helsinki, Finland, May 8, 2013
MARK E. SMITH, Assistant Director, International Security Programs
Office of the Under Secretary of Defense (Policy), Defense Technology Security Administration
International Security Programs Functions
- Establish national and DoD policies on foreign disclosure of classified military information and materiel
- Administer the interagency National Military Information Disclosure Policy Committee (NDPC)
- Evaluate the capability of foreign governments and international organizations to provide protection
- Negotiate general and industrial security agreements
- Monitor security arrangements for security assistance/arms cooperation programs
- Establish policy on foreign government visits and personnel assignments
- Implement NATO security policy within the U.S. Government
- Liaison with foreign government security officials
Former Secretary of State Clinton and Finnish Foreign Minister Tuomioja signing the U.S.-Finland General Security of Information Agreement, June 27, 2012
Critical Infrastructure and Cybersecurity
Ten Rules for Cyber Security (Eneken Tikk, 2011):
- Territoriality
- Duty of Care
- Early Warning
- Access to Information
- Criminality
- Self-Defense
- Mandate
- Responsibility
- Cooperation
- Data Protection
Finland, EU and U.S. Strategies
On January 24, 2013, Finland adopted its Cyber Security Strategy and strategic guidelines:
- Identify/define cyber threats
- Create a collaborative model between authorities and other actors
- Improve situational awareness through increased information sharing
- Maintain/improve the ability to detect and identify cyber disturbances
- Ensure police have sufficient capabilities to prevent, expose and solve cybercrime
- Finnish Defence Forces will create a cyber defense capability
- Strength through collaboration
- Improve cyber expertise and awareness of all societal actors
Finland, EU and U.S. Strategies
February 7, 2013: the European Commission launched its cybersecurity strategy for the European Union
- Objective is to increase technical and organizational capabilities and preparedness to manage risks and address security incidents in network and information systems
- Proposed Directive on Network and Information Security
- Obligation for operators of critical network infrastructure to report security incidents to competent national authorities
Finland, EU and U.S. Strategies
On February 12, 2013, the Office of the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience.
Finland, EU and U.S. Strategies
- Proclaims that the policy of the U.S. is to "enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
- Achievement of goals through partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards
Finland, EU and U.S. Strategies
Focus on the following initiatives:
- Enhanced information sharing between the intelligence community, federal executive agencies and private CIS operators on emerging and targeted entities;
- Expansion of the Enhanced Cybersecurity Services program to provide classified threat and technical information to eligible CIS companies and to commercial providers of security services to CIS; and
- A voluntary Cybersecurity Framework of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks to CIS
Finland, EU and U.S. Strategies
As a result of the voluntary nature of the Framework, the E.O. mandates both:
- incentives designed to promote participation in the Framework; and
- a comprehensive review of cybersecurity-related regulations and government contracting standards, in order to achieve harmony and standardization within existing procurement requirements, and to assess the merits of incorporating security standards into acquisition planning and contract administration
Focus on Critical Infrastructure
PPD-21 identifies 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials and Waste; Transportation; and Water/Wastewater Systems
Focus on Critical Infrastructure
A key piece of the Executive Order requires federal agencies overseeing critical infrastructure areas to identify organizations "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." Upon annual review, such entities will then be designated as part of the U.S. critical infrastructure.
Focus on Critical Infrastructure
- The endeavor is a shared responsibility among Federal, state, local, tribal and territorial entities, and public and private owners and operators of CIS
- The Federal Government must also manage its own infrastructure in terms of security and resilience for the continuity of national essential functions, and organize itself to better partner with CIS owners and operators
- The Federal Government shall also engage with international partners toward strengthening CIS located outside of the U.S. on which the nation depends
PPD-21: Three Strategic Imperatives
- Refine and clarify functional relationships across the Federal Government
- Enable efficient information exchange by identifying baseline data and systems requirements for the Federal Government
- Implement an integration and analysis function to inform planning and operational decisions regarding CIS:
  - Aid in prioritizing assets
  - Anticipate interdependencies
  - Recommend security and resilience measures before, during and after an event
  - Support incident management and restoration efforts
Role and Obligations of the Department of Defense
The Under Secretary of Defense (Policy) serves as the Principal Staff Assistant to the Secretary of Defense on risk management of Defense Critical Infrastructure (DCI):
- Establishes policy for promoting DCI Program information sharing with other federal departments and agencies; State, local, regional, territorial and tribal entities; intergovernmental organizations; the private sector; and foreign countries
- Manages the sector-specific agency requirements for the national Defense Industrial Base sector
- Serves as principal DoD representative for DCI Program-related matters with Congress and the Executive Office
Role and Obligations of the Department of Defense
DoD Cyber Command
- Fully operational in 2010, charged with pulling together existing cyberspace resources, creating synergy and synchronizing war-fighting effects to defend the information security environment
- USCYBERCOM is subordinate to U.S. Strategic Command (USSTRATCOM)
- Directs activities to operate and defend the Department of Defense information networks and, when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations)
- Defensive strategy rests on five pillars: treat cyber as a domain; employ more active defenses; support the Department of Homeland Security in protecting critical infrastructure networks; practice collective defense with allies and international partners; and reduce the advantages attackers have on the Internet
The Future
- Many milestones and deadlines are associated with any PPD or Executive Order (120 days, 150 days, 180 days, 240 days, 2 years)
- This means that, as of today, all analysis, capability, implementation, planning, policy coordination, public hearings, dispute resolution and in-progress reviews are still a work in progress amongst Executive Branch agencies and the affected public and private sectors
- THIS IS NORMAL
- All toward the greater good in considering options to streamline processes for collaboration and information exchange, meet the needs of individual sectors, and provide a focused and disciplined approach toward CIS owners and operators
In the meantime
Multinational Industrial Security Working Group (MISWG) Ad Hoc Working Group 8 (Cyber Best Practices)
- Created to devise a primer on best practices to address cyber threats, vulnerabilities and countermeasures
- Takes into consideration those elements of information technology and cybersecurity that directly apply to cooperative programs and contracts between MISWG nations
- Limits scope to industrial security and the application of national practices, and assists those member nations possessing a less robust approach to cybersecurity
Summary (Pros)
- The Ten Rules are alive and well and embodied in part by current policies and strategies on both sides of the Atlantic
- Similarities amongst Finland, the EU and the U.S. pertaining to participation, collaboration, information sharing, and awareness:
  - Collaboration
  - Information sharing
  - Incentive-based considerations to promote participation
  - National Critical Infrastructure Security and Resilience R&D Plan
Summary (Challenges)
- Promoting safety, security, business confidentiality, privacy, and civil liberties
  - Inherent challenges requiring salesmanship, trust-building, or at the very least, coexistence
  - At odds with the threat, and with state, proxy and independent actors who do not share similar concerns
- Standards, standards, standards
  - Concerns already voiced regarding rigorous requirements
  - At odds with IT and business management strategies regarding efficiencies, system design and strategic information sharing
- Nothing beats awareness and basic best practices; always a daily battle
Open Forum