
Appendix B Cybersecurity Reports and Policy: The Recent Past
Pages 264-305



From page 264...
... First, there are 1 The Congressional Research Service issued the report Computer Security: A Summary of Selected Federal Laws, executive orders, and Presidential directives on April 16, 2004; the report outlines the major roles and responsibilities assigned various federal agencies in the area of computer security. See http://www.fas.org/irp/crs/RL32357.pdf.
From page 265...
... This survey does not focus on activity under way that aims to further international cooperation. However, considerable efforts are under way at the regional intergovernmental and international governmental levels.2 2 See,for example, Delphine Nain, Neal Donaghy, and Seymour Goodman, "The International Landscape of Cyber Security," Chapter 9 in Detmar W
From page 266...
... The Cybersecurity Research and Development Act of 2002 called for significantly increasing federal investment in computer and network security research and development to improve vulnerability assessment and technological and systems solutions, to expand and improve the pool of information security professionals, and to improve information sharing and collaboration among industry, government, and academic research projects. The National Science Foundation (NSF)
From page 267...
... : "Critical Infrastructure Identification, Prioritization, and Protection," issued in December 2003, aims to establish "a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attack."9 The directive makes DHS responsible for coordinating overall efforts aimed at enhancing and protecting critical infrastructure, including cyber infrastructure. As part of that responsibility, DHS is required to create a National Plan for 6 Federal Information Security Management Act of 2002, Sec.
From page 268...
... 11 Department of Homeland Security and Office of Science and Technology Policy, "The National Plan for Research and Development in Support of Critical Infrastructure Protection," 2005; available at http://www.dhs.gov/interweb/assetlibrary/ST_2004_NCIP_RD_Plan FINALApr05.pdf.
From page 269...
... The North American Electric Reliability Corporation (NERC) -- a voluntary industry group composed of electrical utilities -- which sought the provisions specified in the act, was certified by the FERC as the ERO on July 20, 2006.13 B.3 IDENTIFYING EXPOSURES, BEST PRACTICES, AND PROCEDURES A number of recent reports have addressed continuing cybersecurity exposures of critical infrastructures.
From page 270...
... These include "the limitations of current security technologies in securing control systems, the perception that securing control systems may not be economically justifiable and conflicting priorities within organizations regarding the security of control systems." The GAO report identifies the need for greater collaboration and coordination among government agencies and with the private sector. It recommends that DHS implement the responsibilities outlined in the National Strategy to Secure Cyberspace, specifically calling on DHS to "develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security, including an approach for coordinating the various ongoing efforts to secure control systems."15 In April 2004 NIAC issued the report Best Practices for Government to Enhance the Security of National Critical Infrastructures.16 The report notes how much convergence there is between physical and information infrastructures and indicates the need to view security as including both physical and cyber issues.
From page 271...
... In May 2004, the GAO issued its second study, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, in which it found that available cybersecurity technologies were not being deployed to their full extent, while continued R&D was needed for additional technology. The report identified three broad categories of actions that the federal government can undertake to increase the use of cybersecurity technologies:18 • Help critical infrastructures determine their cybersecurity needs, such as developing a national critical infrastructure protection (CIP)
From page 272...
... Office of the Inspector General -- EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities -- issued January 2005, identified several reasons why vulnerabilities have not been addressed:20 • Current technological limitations may impede implementing security measures.
From page 273...
... It notes that "none of them are likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity." The CRS report also notes concerns about the effectiveness of market forces to provide adequate cybersecurity and the narrow scope of the policy activity in contrast with the apparent need for broad policy actions as called for in the 2003 National Strategy to Secure Cyberspace and similar documents. It also identifies the response to the year-2000 computer problem and federal safety and environmental regulations as models for possible federal action to promote cybersecurity, and further notes that the federal government might do the following: • Encourage the widespread adoption of cybersecurity standards and best practices, • Leverage the procurement power of the federal government, • Make the reporting of incidents mandatory, • Use product liability actions to promote attention to cybersecurity, • Facilitate the development of cybersecurity insurance, and • Strengthen federal cybersecurity programs in DHS and elsewhere.
From page 274...
... One shortcoming specifically identified in this 2006 GAO report regarding coordination is the continuing lack of an R&D roadmap called for in the National Strategy to Secure Cyberspace. (A call for input as a first step to creating such a roadmap was made in April 2006 by the Interagency Working Group on Cyber Security and Information Assurance.
From page 275...
... org/globalizationreport. 25 Department of Homeland Security, Press Release, "DHS Launches Protected Critical Infrastructure Information Program to Enhance Homeland Security, Facilitate Information Sharing," Washington, D.C., February 18, 2004; available at http://www.dhs.gov/xnews/ releases/press_release_0350.shtm.
From page 276...
... The ISAC Council was created in 2003 "to advance the physical and cyber security of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government."28 A 2004 white paper from the ISAC Council sought to describe the degree of penetration that each ISAC has had into the infrastructure of the United States.29 The white paper noted that penetration varied widely from sector to sector, with overall participation at approximately 65 percent of the U.S. private infrastructure.
From page 277...
... cybersecurity improvement goals has been recognized, as has the need for a pervasive trustworthy Internetworking environment to support critical applications; • There is a growing realization that achieving a trustworthy Internet for these applications may well require a new paradigm, or architecture; hence the reference to trustworthy Internetworking; • The recently formed Department of Homeland Security has taken responsibility for cybersecurity, and Congress has become increasingly interested in this area; and • The National Science Foundation and DHS are focusing research resources on cybersecurity. The ATI Workshop Report states that the "full sustainable potential for scalable and pervasive information technologies cannot be achieved until the architectural framework broadly adopted in pervasive market driven applications, also functions as the underlying framework for critical applications driven by needs of national and domestic security."33 It recommended the development of a collaborative research organization based at a consortium of universities to serve as a "safe place where competing companies can meet with university researchers and set commonalities" 31 Accelerating Trustworthy Internetworking (ATI)
From page 278...
... Three major industry alliance groups have formed since the release of the 2003 National Strategy to Secure Cyberspace, which emphasized the importance of private-sector participation in improving cybersecurity through the adoption and diffusion of cybersecurity technology. The three groups are the National Cyber Security Partnership (NCSP)
From page 279...
... Among other things, the Alliance tracks proposed legislation related to cybersecurity issues -- for example, spyware, phishing, identity theft, and privacy. B.4.3 Private-Sector Support for Cybersecurity Research in Academia A number of private-sector companies have supported cybersecurity academic research.
From page 280...
... I3P identifies as its primary role the coordinating of a national cybersecurity R&D program; helping to build bridges between academia, industry, and government; and reaching out to government and industry so as to foster collaboration and information sharing and to overcome historical, legal, and cultural problems that have prevented some research organizations from working together. I3P issued its Cyber Security Research and Development Agenda in January 2003, stating that it sought to "help meet a well-documented need for improved research and development to protect the Nation's information infrastructure against catastrophic failures." This report, which defines an R&D agenda for cybersecurity and says that the agenda will continue to evolve as required, identifies eight areas as underserved and ripe for new or additional R&D:42 41 National Research Council, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, The National Academies Press, Washington, D.C., 2002.
From page 281...
... The President's National Security Telecommunications Advisory Committee (NSTAC) 43 held a series of Research and Development Exchange Workshops in 2003,44 2004,45 and 2006.46 The R&D Exchange Workshops are part of what NSTAC sees as its evolving mission, to offer advice to the government on how to protect the information infrastructure from threats and vulnerabilities that might ultimately jeopardize the country's national and economic security.47 NSTAC is part of the National Communication System (NCS)
From page 282...
... . • A need to examine interdependencies between critical infrastructures, especially the implications of the intersection between telecommunications and electric power.
From page 283...
... held the conference "Grand Research Challenges in Information Security and Assurance."51 Grand Research Challenges seek to inspire creative thinking and vision. As specific examples, CRA cites future research that might emerge from factors such as pervasive networking and mobility; increasing volumes of data; smaller, cheaper embedded computing; and a growing population of user-centric services.
From page 284...
... issued a report to the president entitled Cyber Security: A Crisis of Prioritization (hereafter, "the PITAC report") .55 The committee was established to provide "the President, Congress, and the Federal agencies involved in Networking and Information Technology Research and Development (NITRD)
From page 285...
... . The PITAC report offers 10 priority areas for increased research focus: authentication technologies; secure fundamental protocols; secure software engineering and software assurance; holistic system security; monitoring and detection; mitigation and recovery methodologies; cyber forensics; modeling and testbeds; metrics, benchmarks, and best practices; and nontechnology issues (psychological, societal, institutional, legal, and economic)
From page 286...
... The IRC provides its membership with a community-wide forum for discussing critical information security issues, conveying the research needs of their respective communities, and describing current research initiatives and proposed courses of action for future research investments. Further information on the IRC is available at http://www.
From page 287...
... 2. Address cyber security and information assurance R&D needs that are unique to critical infrastructures.
From page 288...
... 4. Cyber Security and Information Assurance Characterization and Assessment, including software quality assessment and fault characterization; detection of vulnerabilities and malicious code; standards; metrics; software testing and assessment tools; risk-based decision making; and critical infrastructure dependencies and interdependencies.
From page 289...
... 8. Social dimensions of Cyber Security and Information Assurance, including trust in the Internet; and privacy.
From page 290...
... 8. Develop and apply new metrics to assess cyber security and information assurance.
From page 291...
... NSF's Cyber Trust program is dedicated to supporting basic cybersecurity research. It has funded a number of center-scale research efforts of limited scope and duration to provide support for specific focus areas.
From page 292...
... Thus, cybersecurity research must encompass a broad range of IT disciplines -- hardware, networking, and so on. A trustworthy system should aim to be secure by design, but it should also be able to detect, prevent, and survive attacks.
From page 293...
... It also authorizes appropriations for research.69 The Cyber Trust program is the centerpiece of NSF's support for cybersecurity research, although the program has not been funded to the fully authorized level.70 The Cyber Trust program was established in response to the Cybersecurity Act to provide a focal point for cybersecurity activity at NSF. Since 2004, the Cyber Trust program has awarded more than 100 research grants, including the funding of several center-scale cybersecurity research efforts.
From page 294...
... In addition to awards to eligible individuals, the Cybersecurity Research and Development Act calls for NSF to establish computer and network security research centers to "generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research." The act authorizes center-scale appropriations for FY 2003 through FY 2007, although center-scale awards were eliminated in the FY 2006 solicitation.73 Center-scale awards are typically 5-year grants, with annual funding ranging from $1.5 million to $4 million. Each center-scale project involves researchers from multiple universities addressing multidisciplinary aspects of each project.
From page 295...
... The solutions created are expected to be adaptable for use in other critical infrastructure systems." Both DOE and DHS will collaborate to fund and manage this center. 77 A major cybersecurity research project funded outside the auspices of the NSF Cyber Trust program is the Team for Research in Ubiquitous Secure Technology (TRUST)
From page 296...
... These programs focused on a number of security aspects, including retrofitting security and survivability technology for legacy systems, intrusion detection and response, survivability in the face of attack, high-assurance operating system construction, the composing of trustworthy systems from less trustworthy components, and secure collaboration allowing data sharing and communication over a network. DARPA expanded its information security investment in 1999.
From page 297...
... In the 2 years since the PITAC report was issued, the committee has seen no evidence to suggest a significant change in DARPA's approach to cybersecurity research. The extent to which DARPA emphasizes classified and short-term 80 President's Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington D.C., February 2005, p.
From page 298...
... The National Strategy to Secure Cyberspace gave DHS the lead role in cybersecurity, calling on it to become the Center of Excellence for response, vulnerability reduction, training and awareness, and securing government cyberspace.82 DHS created the National Cyber Security Division (NCSD) under the department's National Protection and Programs Directorate in June 2003 in response to the National Strategy requirements.83 NCSD has three operating branches: U.S.
From page 299...
... The position was filled for the first time in September 2006. 85 Background for the discussion of cybersecurity research missions of the Department of Homeland Security is drawn from presentations given by Douglas Maughan, DHS, to the committee on July 27, 2004, and presentations given at the HSARPA Cyber Security Research and Development Bidder's Conference held on September 23, 2004, in Arlington, Va.
From page 300...
... B.6.4.4 National Institute of Standards and Technology The Cybersecurity Research and Development Act specifies the role of the National Institute of Standards and Technology in cybersecurity research.90 The Computer Security Division -- one of eight divisions in the Information Technology Laboratory -- is the focal point at NIST for 88 Homeland Security Advanced Research Projects Agency (HSARPA) Broad Agency Announcement (BAA)
From page 301...
... The statement "Cybersecurity Research and Development" by Arden Bement, Jr., NIST Technology Administration, before the U.S. House Committee on Science, May 14, 2003, provides additional background information for this section.
From page 302...
... In 2001 NIST provided nine research grants under its Critical Infrastructure Protection Grants Program. Funding for this program was not reauthorized, although the Cybersecurity Research and Development Act calls for the establishment and support of research fellowships.
From page 303...
... Wolf, Director of Information Assurance, National Security Agency, before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science and Research and Development, hearing titled "Cybersecurity -- Getting It Right," July 22, 2003; available at http://www.globalsecurity.org/security/library/ congress/2003_h/030722-wolf.doc. 101 The discussion of National Security Agency support for cybersecurity research is drawn from the presentation to the committee by Grant Wagner, NSA Information Assurance Research Group, on July 27, 2004.
From page 304...
... , and Air Force Research Laboratory through its Air Force Office of Scientific Research (AFOSR) all support cybersecurity research related to their intelligence and military missions.
From page 305...
... Aspects of dependability include safety critical reliability, software safety, high security, high integrity, and continuous operation."106 105 National Science and Technology Council, Federal Plan for Cyber Security, 2006, p.

