Secure Data Centers For America

A SOLUTION TO A HOMELAND & NATIONAL SECURITY THREAT AGAINST CRITICAL INFRASTRUCTURE AND KEY RESOURCES IN STATE AND LOCAL GOVERNMENTS

By Ralph R. Zerbonia and Universe Central Corporation

NOTE: This was part of a project planning document I wrote in December 2006 and began using to try and launch a project to attack the problem discussed. It is the text and notes from the selected items in the table of contents, essentially the definition of the problem, our suggested solution and project steps with early preliminary budget figures. I have removed certain portions relating to the partners (of the project) at the time and the letters of support we received in pursuing the concept. In short, due to what is referred to as local control I discovered that the project was untenable and it became defunct without my personal involvement.

This document is available only as a warning for what may be. Times have changed since it was written and some very fine work has been done. I am no longer up to date on the subject, though I keep an eye out. I believe that in coming days we will find this threat to be actuated as it already has been, to an even greater Lex Luthor extent, by pirates, terrorists, crooks and countries.

Ralph R. Zerbonia 12/30/08, 02/19/09
Contents

The Problem
Definition of the Solution
Next steps
Generic budget information

This document was prepared by Ralph R. Zerbonia. Document and contents remain the property of Ralph R. Zerbonia, and may not be reproduced in any manner. Intellectual Property owned by Ralph R. Zerbonia and Universe Central Corporation. Secure Data Centers For America and SDC, and the Secure Data Centers For America and SDC stylized logos, are trademarks of Universe Central Corporation in the United States and other countries. All other names are trademarks or registered trademarks of their respective holders. The information in this document is subject to change without notice. Printed in the U.S.A. 2007 Universe Central Corporation

The Problem

Local government computer operations are under attack on a multiplicity of fronts populated by criminals, terrorists and nation/states.

In 2006 the rate of attacks and probes on [business and] government networked computer systems grew at an alarming rate. [1] Equally alarming is the increase in probes and attacks not detected in a timely or effective manner. These incidents are measured only by after-the-fact discovery and reporting. Indicators for this type of activity rose throughout 2006. [2] It is axiomatic that there are yet-to-be-discovered occurrences of these silent attacks and that their numbers also increased, continuing to accumulate and grow.

Analysis shows an organized intent to these probes and attacks, with foreign nation/state [3] involvement and complicity. [4] There is ample evidence of foreign intelligence/defense agency's aimed at national security and homeland security assets. [5] One measure, detailed in a U.S. Pentagon report, reveals that over 88% of the occurrences originated from five interconnected regions: East Asia, the Pacific, Near East, Eurasia and South Asia. The whole of Africa and the Western Hemisphere (not including the United States) accounted for the remaining 11.5 percent. [6]

A common and ever-increasing form of computer network/server attack is the probe. As their name suggests, probe attacks covertly seek out vulnerabilities and weaknesses, the points-for-attack in a hosted (networked) system. Automated for unlimited usability, yet designed to remain undetected while carrying out a reconnaissance mission, these probes will continue to report back weaknesses and potential vulnerabilities, cataloguing these points-for-attack for use by the attacker when they choose.

It is hard to overstate the ominous significance and potential-to-harm of such probe attacks. [7] With the virtually unlimited computing resources available to foreign powers, these probe attacks become not just a highly developed intelligence tool but also a military weapon. [8] With infinite automated pre-programmed patience, a probe secretly and silently catalogs critical and non-critical vulnerabilities for a day in the future, when the assembled catalog becomes a target list. This target list can be exploited in any number of ways, efficiently betraying any and all of the discovered vulnerabilities, individually and custom designed to wreak maximum havoc, even in timed conjunction with other (physical, economic, political, criminal, etc.) launched attacks. [9][10]

Of the over 74,000 local government entities in the United States, very few have adequate equipment and personnel budgets to secure themselves in any adequate way. Even more important, almost none have the knowledge and expertise to defend their operations against the nation/state probe attacks.

[1] "Pentagon: Efforts to steal U.S. tech rising," Reuters, 1/03/07.
[2] Brian Krebs, "Cybercrooks Deliver Trouble," Washington Post, 12/27/2006.
[3] Annual Report To Congress: Military Power of the People's Republic of China 2006, Office of the Secretary of Defense, Department of Defense, page 35.
[4] Lisa Myers & the NBC Investigative Unit, "U.S. worries about Chinese espionage," MSNBC.com, 11/20/06.
[5] Technology Collection Trends in the U.S. Defense Industry, 2006 report published by the U.S. Defense Security Service Counterintelligence Office.
[6] Ibid.
[7] Ben Worthen, "The Sky Really Is Falling," interview with Ed Lazowska, Co-chair of the President's Information Technology Advisory Committee, published in CIO Magazine, 10/1/05.
[8] David C. Gompert, "National Security in the Information Age," Naval War College Review, Autumn 1998.
[9] Ibid.
[10] Lt. General Kenneth Minihan, Director, National Security Agency, "Defending the Nation Against Cyber Attack," USIA Electronic Journal, November 1998.
The U.S. Dept. of Homeland Security has designated these local government operations as Critical Infrastructure and Key Resources. [11][12] These local government units run everything in daily life from water supply to emergency response to real property financial records to justice and penal systems. While there are many sensitive areas within the workflow of local government that are highly vulnerable, there are also greater risks when one considers the possibility of the disruption of that daily life within the context of other simultaneous attacks against the nation.

Most of the solutions proposed for this area of homeland security have centered on the protection of data alone. We suggest that is not sufficient in an increasingly electronic society: there must be a more complete protection of the local government system, its applications, hardware and software as well as the data itself, in real time, and with no downtime.

Consider that each and every computer that has Internet access, or phone line access, or comes in contact with another computer that has any such access is immediately vulnerable to manipulation of varying degrees by criminal and political nation/state enemies. This threat includes not just the data, but the operating systems, application software, and hardware.

Because of low local funding availability/priority, lack of high-level cybersecurity expertise and lack of physical and operational security and expertise, local government critical infrastructure and key resources are vulnerable and are in clear and present danger. The source of the danger is such (nation/state [13]) that the local government entities are inevitably unable to fashion any credible defense.

Definition of the solution:

Against nation/state level of attacks there must be a nation/state level of cyberdefense.
The solution is to create a set of secure data centers, utilizing existing full security and information technology best practices from the IT industry, with federal level oversight and protection. This integrates well with Federal Homeland Security goals and objectives for local and state government.

Secure Data Centers for America, a non-profit government services corporation, will develop secure data centers for local government entities and their computer operations, providing high level secure hosting and the provision of security oversight. Federal and state involvement in cybersecurity protection and defense will be fully integrated, providing the economy of knowledge currently unavailable.

This proposal seeks to consolidate local government server room operations into these centers, using the economies of scale and scope now available to provide the same/better information technology services and an increased security quality, at a lesser cost than local governments are currently paying.

As this nation/state level of cyberdefense is primarily knowledge and best practices oriented, and already is an existing process for many federal government information system defense systems, it is without a need for scale and can be easily provided to, and used by, identified and enabled systems without additional effort or cost other than those incurred in its original creation. This means that if you consolidate the (74,000) local government units' computer server room operations into a much smaller order number (10) of service delivery centers, you can use the already available and superior federal knowledge to create and maintain cyberdefense for the whole.

This plan would assist the U.S. Department of Homeland Security in the performance of several key goals of The National Strategy to Secure Cyberspace, especially those covered under Priority IV, Section C, State and Local Governments. [14] The Dept. of Homeland Security has been charged with providing a focal point for federal outreach to state, local, and nongovernmental organizations. [15] The mission of this program is consistent with and integrates into the five National Priorities of the Federal program. [16] Additionally, this project assists in the achievement of goals and objectives stated in the 2006 Homeland Security National Infrastructure Protection Plan.

The business model is to utilize existing federal/state grants to build the secure data centers and bring the operating plan to where a critical mass of local government communities then begin paying a consortium-like fee for service to cover all costs. It is expected that such fee for service will be less than what the local government is currently paying for similar service, even without the added benefit of high level effective security.

The initial steps would involve the creation of two secure data centers, the number of centers expanding with local government integration up to and including virtually all local government server room operations and server based operations.

It is currently estimated that several thousand local technology jobs will be created at each location, with an annual pay range of $40-$50,000.00, with benefits and ongoing skill training.

[11] As a Critical Infrastructure Sector, from a U.S. Department of Homeland Security publication: THE NATIONAL STRATEGY FOR PHYSICAL PROTECTION OF CRITICAL INFRASTRUCTURES AND KEY ASSETS, 2003.
[12] National Infrastructure Protection Plan 2006, U.S. Dept. of Homeland Security.
[13] Annual Report To Congress: Military Power of the People's Republic of China 2006, Office of the Secretary of Defense, Department of Defense.
[14] The National Strategy To Secure Cyberspace, February 2003, U.S. Department of Homeland Security.
[15] Ibid., page x, Executive Summary.
[16] Ibid., page x, Executive Summary.

Next steps:

Phase 1 - Acquire funding to deliver a full project proposal document.

The project requires funding to produce a project proposal document describing the plan and approach of the project as well as the detailed roles of the major partners and contractors to the project. This is inclusive of merit evaluation, development of business models, a project management plan to carry out the planning process, and a description of phases and deliverables of the overall project and its ongoing operations, as well as planning for development of process and procedure.

Phase 2 - Acquire funding to deliver project specification and bid documents.

Upon delivery of Phase 1, the project can proceed to the development of detailed engineering and specifications, operational processes and procedures, and necessary bid documentation. This is inclusive of an Overall Project Plan, design specifications and bid process documentation for: Best Practices Management Plan, Service Levels Documentation, project management process, knowledge management plan and process, Evaluation process plan, IT Operations documentation, Security, Physical Infrastructure, Staffing, Administration, Command and Control, and integration with existing federal Homeland Security planning/operations.

Phase 3 - Acquire funding to build initial two centers in two separated locations.
The initial proposal is to build two geographically separated secure data centers. The project headquarters and 1st site is proposed to be located in northeast Ohio. The Ohio Supercomputer Center provides this northeast Ohio location with multiple 2nd location possibilities, as they have direct connections with other supercomputer centers. It is anticipated that each secure data center will be in partnership with a supercomputer center.

Each facility will require large sites with adequate space for security provisioning. Additionally, sites with water and/or other non-traditional power generation potentials are favored.

Generic budget information

Phase 1: Development of project definition and planning documents, project proposal documents, overall project and operational plan, a clearer estimate of Phase 2 & 3 costs - $175,000 - $325,000.

Phase 2.a: Project Specifications & Bid Documents including full security and data center engineering - estimated - $1,500,000. - $2,250,000. Engineering and documentation for multiple areas of secure data center construction.

Phase 2.b: Operations process and procedures specifications and budget estimates including staffing and organization parameters - estimated - $1,000,000. - $2,000,000. Best Practices management, Operations management, process and procedure.

Phase 3: Build initial two secure data centers in two separated geographical areas to delivered specifications - estimated - $400,000,000. - $500,000,000. Land, bricks, security, equipment, construction and initial startup.