SlideShare ist ein Scribd-Unternehmen logo

Introduction to National Critical Infrastructure Cyber Security: Background and Perspectives

Als PPTX, PDF herunterladen
Jack Whitsitt
Jack Whitsitt

Given at SOURCE Boston 2013, this presentation is one of the only places you will find the conceptual and policy underpinnings of U.S. national cyber security and critical infrastructure protection efforts and information about the recent White House Cyber Executive Order

News & Politik
1 von 55
Cyber Momentum Understanding & Leveraging the National Cyber Security Policy Debate Jack Whitsitt | sintixerr@gmail.com | @sintixerr | http://sintixerr.wordpress.com Vice President of REDACTED at Energysec | http://www.energysec.org
About me… • Broad Background – Lived in a little hacker compound as a kid – Started with Open Source development (Rubicon03) – MSSP:IDS, Data Viz, Anomaly Detection Designer – Enterprise Security Architecture – ICS-CERT (INL) – Fed with Nationally-scoped cyber responsibilities • Now – Non-profit Community Builder & Facilitator – Focus on Electric Sector
Why this talk? • Deluge of Debates and Discussion – Media Hype, Political Wedge, Money Fountain, Actual Problem – No Culturally Accepted Vision • Today’s Keynote: Geer/Thieme/Corman • Laws & Mandates on Books, but poorly understood – Have you ever tried to READ any of it? – Even the people doing it don’t always get it • Serious Barriers – Grab bag of security ideas, no structure – Players not always informed of “State of Play” – Different culture groups (“Product Developers” – Kim) • Opportunity – To cause more problems or…to stop losing – Will be lost without wide engagement and forward motion • Not a History Lesson: Google for details – Meant to frame – or lens – a more productive dialogue
Why should you care? • It could be fun – You get to learn a new problem space – National Cyber Security is only distantly and tangentially related to “computer security” as you know it – Doesn’t mean hacking isn’t involved – It just means you have to think bigger • This will effect you – Not explicitly: Culturally & Scope Creep – “National Security State” (Geer/Thieme)
First Some Obviousness But it’s leading somewhere…
Obviousness: Customers • Citizens • Individual Businesses • Industries • National Infrastructure • Government infrastructure • National Cohesion Overlap.
Obviousness: CTVs • Contestable Threat Vectors (CTV): – Provide defendable space between “bad guys” and targets – Imply that there is a space that is *not* the target that must be traversed beforehand – “Domains” is used too often IMO • Historically… – Earth – Air – Water – Space (for some value of historically)
Obviousness: Responsibilities Government “Security” apparatus responsibilities heavily influenced by geography • The military protects national sovereignty outside the U.S. • DHS protects national cohesion; operates on U.S. as a whole • FBI specific aspects of internal U.S. interests • State & Local government organizations
Obviousness: Along Came A Cyber • “Cyberspace” comes along; screws things up – Cyber Assets: Targets AND part of a CTV – “Customers of Protection” now own a CTV – Geographic Protection Schemes break – Opaque by Default • But can have consequences in other CTVs – So we can’t ignore old physical policy mechanisms – “National Guard” example • “Critical Infrastructure” here but can be used with a lens to provide other views
Object Oriented Policymaking Creating a Lens
Cybersecurity has natural parenthetical Scopes EVIL GOOD! I want to steal hazardous materials! Ok, we’ll attack Traffic Light Controls and make trucks stop! Metasploit to the rescue! Boss Bob Cyber Planning Bob Hacker Bob I want to keep making $123 a day! Let’s make sure IT enables $123/day CEO Jim IT Architect Jim IDS to the Rescue! Security Jim “Technology”
“Object Oriented Policy Making” • Failure to scope cyber topics appropriately – Wrong parentheticals • Grab Bag Problem – Good ideas scattered everywhere – neither related nor consistently relatable • Cyber security as a practice domain can be treated like a large algorithm • A simple protocol stack will help us get the right view into that algorithm • If we don’t have a common view, we our code won’t execute
Maybe too detailed? Start smaller.
Simple Risk Management Lifecycle Scoping is not defined. This is a mistake, even at a high level. (Yes, this is/was in use nationally  )
More helpful: Linked Lifecycles Risks FROM Systems (Cyber) Risks TO Systems (Cyber)
Risks From Cyber / Risks To Cyber • “Risks from” • Business & Non-Cyber • Long view • Evaluated regularly • Frames “Risks to” and makes actionable • “Risks to” • Technical & Implementation • Dynamic, Rapidly Changing • Should be reevaluated often • Context provided by “Risks From” • Linked Lifecycles allow alignment of strategy and tactics while de-conflicting perspectives • Allows strategy to influence ground action and, where pertinent, vice versa Helpful to understand government’s activity (Even if they don’t always)
A Cyber Management Protocol Stack • All layers depend on the ones above and below for success • Provides common terms • Structures & Enables discussion • Allows narrow focus in problem areas • Highlights completeness • Will use this later
A Cyber Management Protocol Stack • National Security Assurance – Assure Nation will continue; Diplomacy; Military • Business Environment – Define Common Business Outcome Goals for Cyber security; Describe Environment; Create Common Lexicon • Capability Management – Evaluate capabilities against organizational goals; prioritize resources and investments; adjust capabilities in response to ops data • Control Management – Evaluate conceptual application of best practices, standards, • Operations & Testing – Compare conceptual control placement to actual configurations and threats
Now that we have a lens… National Underpinnings of Critical Infrastructure and Key Resources (CIKR) Protection
Primary Documents: HSPD-7/NIPP • “Homeland Security Presidential Directive-7” – Bush. Builds on earlier directive from Clinton – Assigns Critical Infrastructure Protection to DHS • National Infrastructure Protection Plan (NIPP) – DHS Plan for Implementation of HSPD-7 • “All” Critical Infrastructure, not just Cyber – Most of the people traditionally involved are *not* cyber – This isn’t entirely wrong, but causes public disconnect • They do require cyber-specific actions from DHS – Confusing. One of the reasons for the EO • http://www.dhs.gov/homeland-security-presidential-directive-7 • http://www.dhs.gov/national-infrastructure-protection-plan
HSPD-7 Policy Statement “It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts that could: • Cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction; • Impair Federal departments and agencies' abilities to perform essential missions, or to ensure the public's health and safety; • Undermine State and local government capacities to maintain order and to deliver minimum essential public services; • Damage the private sector's capability to ensure the orderly functioning of the economy and delivery of essential services; • Have a negative effect on the economy through the cascading disruption of other critical infrastructure and key resources; or • Undermine the public's morale and confidence in our national economic and political institutions.”
HSPD-7 Policy Statement RealSpeak Summary: The U.S. will protect the infrastructure supporting National Cohesion” in Partnership with Industry Experience says: • “Protect” doesn’t have to be active • “Protect” really means “Assure Security” • “Assurance” starts with measuring and only continues to protecting *if* the measurements fail • Industry: Hint. Hint. Hint.
Primary HSPD-7/NIPP Goals • Identify Critical Infrastructure • Prioritize Infrastructure • Protect • Report on Progress • This means: Create specific plans to, in voluntary cooperation with industry, implement the NIPP Risk Management Lifecycle and report annually
Dividing Ownership • US Government (HSPD-7/NIPP) splits Critical Infrastructure responsibilities into 16 “Sectors” • Each “Sector” is assigned a “Sector Specific Agency” (“SSA”) • Assignments are done at a a Department level – Some departments assign SSA responsibilities to sub- organizations (e.g. DHS assigning Transportation to TSA) Chemical: DHS Financial Services: Treasury Commercial Facilities: DHS Food and Agriculture:Agg/HHS Communications: DHS Government Facilities: DHS/GSA Critical Manufacturing: DHS Healthcare and Public Health: HHS Dams: DHS Information Technology: DHS Defense Industrial Base: DOD Nuclear: DHS Emergency Services: DHS Transportation Systems: TSA/DOT Energy: DOE Water and Wastewater Systems: EPA
Sector Specific Agency Responsibilities Encourage organizations with information to share with those who need it and encourage development of sector information sharing programs and mechanisms Promote education, training, and awareness within the sector in coordination with other government and private sector partners Identify, prioritize, coordinate federal CCIP activities in sector Appraise congress of sector's current status and progress in reducing risk and implementing the NIPP Increase integration of cyber security efforts with other all hazards protection and response programs Develop and implement sector risk management program and framework and use to determine risk priorities of sector and coordinate risk assessment and management programs Support Ad-Hoc DHS data calls Promote cyber awareness of owners and operators and program level guidance for CIKR protection The DHS “Infrastructure Protection” (IP) organization is responsible for coordinating all of the sectors and assuring the NIPP is being implemented. (This can and has been problematic)
“Public/Private Partnership” • Formal Term, Formal Constructs – Used in many contexts • Foundation of Critical Infrastructure Protection in the US • “Voluntary”, “Public” – (Limited? Trust issues) • Alternative is/has been Regulation • “Weight of Government Burnout” problems • This is important
HSPD-7/NIPP Partnership Model •The primary organizational structure for coordinating critical infrastructure efforts and activities. •Facilitates integration of all partners into planning & ops activities •Ensure a collaborative approach to critical infrastructure protection. •The SCCs and corresponding GCCs work in tandem to create a coordinated national framework for Critical Infrastructure protection and resiliency within and across sectors.
Sector Coordinating Councils (SCC’s) • The principal entities for CIKR owners and operators within a sector to coordinate with the government • Include a broad base of owners, operators, associations, and other entities • Principal private sector policy coordination and planning entities • Participate in planning efforts related to reporting for the NIPP • For information sharing and response, often rely on ISACs and other non-SSA entities • Problem: This is probably the first time you’re hearing this (also: industry vs citizens)
Government Coordinating Councils (GCC’s) • The government counterpart for each SCC to enable interagency and cross-jurisdictional coordination within a sector • Includes representatives from various levels of government (Federal, State, local, or tribal) as appropriate • Co-chaired by a representative from the designated SSA and DHS IP (This causes some issues) • Coordinates with and supports the efforts of the SCC to plan, implement, and execute the Nation’s CIKR protection mission. • Provides interagency strategic communications, discussion, and coordination at the sector level • Participates in NIPP planning efforts
What is “CIPAC”? • DHS Construct: Critical Infrastructure Partnership Advisory Council • Provides a legal framework for SCC and GCC members to engage in joint CIKR protection-related activities • Operational mechanism of National Infrastructure Protection Plan (NIPP) • Provides membership to agencies across all levels of government and the private sector, including membership representing almost 50 percent of the Gross National Product of the United States. • Allows members of Sector Coordinating Councils (SCC) and Government Coordinating Councils (GCC) to engage in cross-Sector, cross-government coordination. • Key activities of the CIPAC include information sharing, national planning, and program implementation
CIPAC: Good & Bad • Good – No FACA, Not owned by government – Managed Engagement – **Must** Have SCC co-chair • Bad – Control issues (SSA’s don’t always like it) – Trust Issues (Northwest Rail story)
CIPAC Examples • Industrial Control Systems Joint Working Group (ICSJWG) • Cross Sector Cyber Security Working Group (CSCSWG) • Transportation Systems Sector Cybersecurity Working Group (TSSCWG)
What about “real” cyber? • NCCIC • ICS-CERT • CISCP • NLE/Cyberstorm • US-CERT • ISACs
Aside: Government “Information Sharing” • “Incident Response” organizations are often regarded as “Information Sharing” ones – Must not forget distinction – Missions may conflict and impact sharing • FBI, Military, and the Intel Community also have potentially conflicting missions • No Pot of Gold at the end of the Classification Rainbow • Information often classified due to sources and means, not content • Actionable REQUIRES bi-directional sharing
HSPD-7 & NIPP Environment Public/Priva te Partnership Resource Coordination Sector Coordinating Councils (Industry) Government Coordinating Councils Government Cyber-Specific Operations CIPAC CRADA/ PCII Fed to Fed
New Policies • Cyber Executive Order: – Aimed at Gov, Not You: Mom reigning in kids – Cyber was already supposed to have been being handled (as we’ve seen) – Attempts to rectify these barriers while keeping in tact most of the fundamental structures already in place. – Heavy focus on “Harmonizing Cyber Efforts”  Awesome • Presidential Policy Directive (PPD-21) – Not Cyber specific – update to HSPD-7 – Important • CISPA – Very narrowly focused on information sharing • Others. Let’s discuss?
PPD-21 Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience: 1) Refine and clarify functional relationships across the Federal Government • Federal functions related to critical infrastructure security and resilience shall be clarified • There shall be two national critical infrastructure centers operated by DHS – one for physical infrastructure and another for cyber infrastructure. 2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and • Enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems. 3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure. • Shall include the capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information
Whitehouse Cyber Executive Order Main Thrusts: – Improve Information Sharing – Use business-function driven risk analysis to determine priorities – Create a framework of standards for reducing risks from cyber security issues to critical infrastructure – Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process. White HouseDHS/SSA’s
Executive Order: Section Analysis 1. – 3. Fluff 4. Cybersecurity Information Sharing 5. Privacy and Civil Liberties Protections 6. Consultative Process 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure 8. Voluntary Critical Infrastructure Cybersecurity Program 9. Identification of Critical Infrastructure at Greatest Risk 10. Adoption of Framework (Read: Potential Regulation)
Executive Order: Concerns • Could this infringe on individual freedoms? – “Not any more than before” • Do we have any guarantee of transparency? – So far: Chaotic Good • The government wants my data? – Yes. Because they need your data to make theirs actionable for you. But that’s not “the point” • Why so obtuse? – Right ideas. Poor Messaging. – Married Couple Analogy • I don’t want the government in my space – They just need to “assure” their mission – It is possible for industry to keep interference to a minimum • No faith in government agility to get it right – Crickets. Real Problem. Will impact success. • Should it have been so broad? – Built into the EO is a process to focus it. It’s actually at the right level • Isn't this just a political goad? – Not just. Smart people have worked on it. Useful (Possibly). • This preempts legislation or ignored existing work – No • Why is this a DHS issue? – National cohesion IS DHS’s mission – cyber just a part. There is no “singularly cyber” mission. Others have other takes on cyber mission • What about regulation? – This situation might have gotten a little better, more dynamic
Executive Order: NIST Framework This is so amorphous yet so crucial, I’m mostly just going to talk to y’all about it “Framework to Achieve DHS specified Performance Goals” Industry Driven “All Inclusive” Standards vs Standards Some Vision Lost in Translation EO Performance Goals Balance Rails, Quality Assurance, Soylent Cyber is People!
Executive Order Status So far • DHS has something like 25ish deliverables to the White House – Insane timelines – Has formed working groups • Some internal, some public – One is “Cyber Dependent Infrastructure Identification Working Group” (CDIIWG) • Responsible for Executive Order Section 9 – Most of DHS’s deliverables do not *require* industry engagement • Informed by it via SSA’s and scheduled industry meetings
NIST Framework Status So far • NIST has to manage Industry Input into Framework – Kick-off meeting already, 700+ attendees plus webinar – Next one in Pittsburgh 5/29-5/31 • No announced registration mechanism – Put out RFI out and received responses • All over the board • This could be better • We need better rails
CISPA • An executive order cannot change already legislative assigned federal responsibilities • CISPA handles legal aspects of: – Remove legal barriers to information sharing – Addressing specific problems associated with industry cybersecurity needing to intersect with the intelligence community. • My experience as a Fed was that barriers CISPA attempts to do away with were ones often cited by Industry Reps as what they needed. • Intent legit, but details? …
Overheard…but wrong • Talks about “which ports are/aren't open” being the type of focus of the NIST framework • Refers interchangeably to home cyber and critical infrastructure; • Mistakes “compliance” standards with “interoperability” • “Obama bypassed congress & signed the Cyber Security Executive Order. Meaning there is no privacy. We now have a dictator, boys and girls.” • “Obama passed a secret cyber order – he embargoed it from the press”
Time for a Real World Example Using the Lens to create a View
Government Tools • CARMA: A Risk Management Approach • CRR: A Cyber Resiliency Model • CSET: A Cyber Evaluation Tool • ES-C2M2: A Maturity Model • RMP: A Risk Management Approach • NIST Cyber Framework: Standards • Executive Order: Better Cybersecurity
This year I had the following discussion with a critical infrastructure sector: Them: “which one of those should industry use or get involved with.” Me: “All of them” Them: “But we don’t have time, what's the best?” Me: “But they do different things!” Them: “It doesn’t look like it…” What. The. Hell. Wait! We have a protocol stack…
Clearly, the question made no sense when you look at a structured perspective – they all suit different needs. The model showed the types of needs, how they fit together, and provided a common reference for “Cyber Security”
(A bit about those tools…) • CARMA – DHS Cybersecurity And Risk Management Approach – Sector-wide model of business-function and value chain driven risks – Ties business models and cyber infrastructure – No individual business details – Being used in Executive Order process to determine performance goals for NIST Framework • ES-C2M2/CRR – Electric Sector Capability Maturity Model / DHS Cybersecurity Resilience Model – Both look evaluate business maturity and progression in capability domains – Neither provides performance goals or context – Management link between strategy and execution • RMP – DOE Risk Management Process – Slots both into the risk management domain and overlaps everything • DHS CSET – DHS Control Systems Evaluation Tool: Control Catalogue Application Evaluation • Tallinn Manual – Not a gov doc – academic even if NATO – but speaks to international law
National Cyber Security is about Structured, Clear Comms Closing Thoughts
Leveraging Dialogue • Define the Space • Control Language (0-day example) • Manage Perception • Make Like Eminem • Treat the Government Like a Computer
Off the rails discussions.. – Cyber war • The Earlier Rainbow Diagram Helps – Regulation • Views – Sector Progress & Reporting (Gov & Media) • Grab Bag again – NIST Framework • No algorithm (problem statement) MUST improve the quality of the dialogue
More Advice & Truisms 1. Actors are often irrational (thanks @selenakyle) 2. Guys with Guns aren’t Generals 3. Cyber security is a human QA problem 4. Our businesses are both targets and part of a CTV 5. Winning needs more than holding a line; improve the world 6. Momentum needs rails, so be clear; use a protocol stack 7. Corollary: We will not accomplish anything with a multitude of voices. Use common model to create a common voice 8. The government *must* fix a Cyber Commons Tragedy 9. The government is not omniscient; don't treat it like it is 10. Corollary: Resources are limited; don’t keep 911 busy 11. Do you really want the gov in your ops? 12. What we’re doing isn’t working. (Yet?)
Discussion… • Now that we have a common framing and have critical infrastructure policy underpinnings… – Concerns? – Questions? – Advice? – Corrections? – Derision? • Also, Discuss? – “DevOps at a National Level” – “Personal Liberty” / “Rights” THANK YOU  Jack Whitsitt | sintixerr@gmail.com | http://sintixerr.wordpress.com Energysec | http://energysec.org

Empfohlen

Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsJack Whitsitt
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceJack Whitsitt
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSInsight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSGovernment Technology and Services Coalition
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Government Technology and Services Coalition
 

Empfohlen

Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsJack Whitsitt
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceJack Whitsitt
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSInsight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHSGovernment Technology and Services Coalition
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Government Technology and Services Coalition
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Securityinside-BigData.com
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber SecurityPhil Agcaoili
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveA Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveDawn Yankeelov
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyStephanie McVitty
 
A Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for BusinessesA Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for BusinessesAdvanced Imaging Solutions & Pinnacle
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board informationAprio
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityHackerOne
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesMeg Weber
 
Cyber Security Agenda for 45th President
Cyber Security Agenda for 45th PresidentCyber Security Agenda for 45th President
Cyber Security Agenda for 45th PresidentInternet Law Center
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Securityreuben_mathew
 
Olaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative SecurityOlaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative SecurityInternet Technology Matters (Internet Society)
 
BCC 2009 - NSTC
BCC 2009 - NSTCBCC 2009 - NSTC
BCC 2009 - NSTCDuane Blackburn
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityPECB
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityPhil Agcaoili
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016Anna Fenston
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 

Weitere ähnliche Inhalte

Was ist angesagt?

Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Securityinside-BigData.com
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber SecurityPhil Agcaoili
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveA Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveDawn Yankeelov
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyStephanie McVitty
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board informationAprio
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityHackerOne
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesMeg Weber
 
Cyber Security Agenda for 45th President
Cyber Security Agenda for 45th PresidentCyber Security Agenda for 45th President
Cyber Security Agenda for 45th PresidentInternet Law Center
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Securityreuben_mathew
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityPECB
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityPhil Agcaoili
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016Anna Fenston
 

Was ist angesagt? (20)

Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisition
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Security
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate PerspectiveA Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate Perspective
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
 
A Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for BusinessesA Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for Businesses
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board information
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In Cybersecurity
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security Strategies
 
Cyber Security Agenda for 45th President
Cyber Security Agenda for 45th PresidentCyber Security Agenda for 45th President
Cyber Security Agenda for 45th President
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Security
 
Olaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative SecurityOlaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative Security
 
BCC 2009 - NSTC
BCC 2009 - NSTCBCC 2009 - NSTC
BCC 2009 - NSTC
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information Security
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber Security
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016Think Cyber Think Resilience | William Barker | March 2016
Think Cyber Think Resilience | William Barker | March 2016
 

Ähnlich wie Introduction to National Critical Infrastructure Cyber Security: Background and Perspectives

Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
WA State Cyber Response
WA State Cyber ResponseWA State Cyber Response
WA State Cyber ResponseEmily2014
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Preventionfmi_igf
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Peter ODell
 
What Should We Do about Cyber Attacks?
What Should We Do about Cyber Attacks?What Should We Do about Cyber Attacks?
What Should We Do about Cyber Attacks?Mercatus Center
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Security, Vulnerability & Redundancy in MN Broadband Infrastrcuture
Security, Vulnerability & Redundancy in MN Broadband InfrastrcutureSecurity, Vulnerability & Redundancy in MN Broadband Infrastrcuture
Security, Vulnerability & Redundancy in MN Broadband InfrastrcutureAnn Treacy
 
Why your Information Security MUST mesh with your Business Continuity Program
Why your Information Security MUST mesh with your Business Continuity ProgramWhy your Information Security MUST mesh with your Business Continuity Program
Why your Information Security MUST mesh with your Business Continuity ProgramPECB
 
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)Pukhraj Singh
 
2018 OPM Cybersecurity Career Day - Protect & Defend
2018 OPM Cybersecurity Career Day - Protect & Defend2018 OPM Cybersecurity Career Day - Protect & Defend
2018 OPM Cybersecurity Career Day - Protect & DefendBrian Andrzejewski
 
Cybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationCybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationHinne Hettema
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]APNIC
 
What could kill NSTIC? A friendly threat assessment in 3 parts.
What could kill NSTIC? A friendly threat assessment in 3 parts.What could kill NSTIC? A friendly threat assessment in 3 parts.
What could kill NSTIC? A friendly threat assessment in 3 parts.Phil Wolff
 
Dhs cybersecurity-roadmap
Dhs cybersecurity-roadmapDhs cybersecurity-roadmap
Dhs cybersecurity-roadmapAjay Ohri
 
Cyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical ServicesCyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical ServicesDave Reeves
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire
 

Ähnlich wie Introduction to National Critical Infrastructure Cyber Security: Background and Perspectives (20)

Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
WA State Cyber Response
WA State Cyber ResponseWA State Cyber Response
WA State Cyber Response
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Prevention
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014
 
What Should We Do about Cyber Attacks?
What Should We Do about Cyber Attacks?What Should We Do about Cyber Attacks?
What Should We Do about Cyber Attacks?
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
S fahey
S faheyS fahey
S fahey
 
Security, Vulnerability & Redundancy in MN Broadband Infrastrcuture
Security, Vulnerability & Redundancy in MN Broadband InfrastrcutureSecurity, Vulnerability & Redundancy in MN Broadband Infrastrcuture
Security, Vulnerability & Redundancy in MN Broadband Infrastrcuture
 
Why your Information Security MUST mesh with your Business Continuity Program
Why your Information Security MUST mesh with your Business Continuity ProgramWhy your Information Security MUST mesh with your Business Continuity Program
Why your Information Security MUST mesh with your Business Continuity Program
 
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
 
2018 OPM Cybersecurity Career Day - Protect & Defend
2018 OPM Cybersecurity Career Day - Protect & Defend2018 OPM Cybersecurity Career Day - Protect & Defend
2018 OPM Cybersecurity Career Day - Protect & Defend
 
Cybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationCybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generation
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
 
What could kill NSTIC? A friendly threat assessment in 3 parts.
What could kill NSTIC? A friendly threat assessment in 3 parts.What could kill NSTIC? A friendly threat assessment in 3 parts.
What could kill NSTIC? A friendly threat assessment in 3 parts.
 
Dhs cybersecurity-roadmap
Dhs cybersecurity-roadmapDhs cybersecurity-roadmap
Dhs cybersecurity-roadmap
 
Cyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical ServicesCyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical Services
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller
 

Kürzlich hochgeladen

Rohan Jaitley: Central Gov't Standing Counsel for Justice
Rohan Jaitley: Central Gov't Standing Counsel for JusticeRohan Jaitley: Central Gov't Standing Counsel for Justice
Rohan Jaitley: Central Gov't Standing Counsel for JusticeAbdulGhani778830
 
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkcomplaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkbhavenpr
 
Experience the Future of the Web3 Gaming Trend
Experience the Future of the Web3 Gaming TrendExperience the Future of the Web3 Gaming Trend
Experience the Future of the Web3 Gaming TrendFabwelt
 
16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdfFIRST INDIA
 
IndiaWest: Your Trusted Source for Today's Global News
IndiaWest: Your Trusted Source for Today's Global NewsIndiaWest: Your Trusted Source for Today's Global News
IndiaWest: Your Trusted Source for Today's Global NewsIndiaWest2
 
VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012ankitnayak356677
 
Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.NaveedKhaskheli1
 
57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdfGerald Furnkranz
 
Manipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkManipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkbhavenpr
 
Quiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsQuiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsnaxymaxyy
 

Kürzlich hochgeladen (10)

Rohan Jaitley: Central Gov't Standing Counsel for Justice
Rohan Jaitley: Central Gov't Standing Counsel for JusticeRohan Jaitley: Central Gov't Standing Counsel for Justice
Rohan Jaitley: Central Gov't Standing Counsel for Justice
 
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkcomplaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
 
Experience the Future of the Web3 Gaming Trend
Experience the Future of the Web3 Gaming TrendExperience the Future of the Web3 Gaming Trend
Experience the Future of the Web3 Gaming Trend
 
16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf16042024_First India Newspaper Jaipur.pdf
16042024_First India Newspaper Jaipur.pdf
 
IndiaWest: Your Trusted Source for Today's Global News
IndiaWest: Your Trusted Source for Today's Global NewsIndiaWest: Your Trusted Source for Today's Global News
IndiaWest: Your Trusted Source for Today's Global News
 
VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012
 
Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.
 
57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf
 
Manipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkManipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpk
 
Quiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsQuiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the rounds
 

Introduction to National Critical Infrastructure Cyber Security: Background and Perspectives

  • 1. Cyber Momentum Understanding & Leveraging the National Cyber Security Policy Debate Jack Whitsitt | sintixerr@gmail.com | @sintixerr | http://sintixerr.wordpress.com Vice President of REDACTED at Energysec | http://www.energysec.org
  • 2. About me… • Broad Background – Lived in a little hacker compound as a kid – Started with Open Source development (Rubicon03) – MSSP:IDS, Data Viz, Anomaly Detection Designer – Enterprise Security Architecture – ICS-CERT (INL) – Fed with Nationally-scoped cyber responsibilities • Now – Non-profit Community Builder & Facilitator – Focus on Electric Sector
  • 3. Why this talk? • Deluge of Debates and Discussion – Media Hype, Political Wedge, Money Fountain, Actual Problem – No Culturally Accepted Vision • Today’s Keynote: Geer/Thieme/Corman • Laws & Mandates on Books, but poorly understood – Have you ever tried to READ any of it? – Even the people doing it don’t always get it • Serious Barriers – Grab bag of security ideas, no structure – Players not always informed of “State of Play” – Different culture groups (“Product Developers” – Kim) • Opportunity – To cause more problems or…to stop losing – Will be lost without wide engagement and forward motion • Not a History Lesson: Google for details – Meant to frame – or lens – a more productive dialogue
  • 4. Why should you care? • It could be fun – You get to learn a new problem space – National Cyber Security is only distantly and tangentially related to “computer security” as you know it – Doesn’t mean hacking isn’t involved – It just means you have to think bigger • This will effect you – Not explicitly: Culturally & Scope Creep – “National Security State” (Geer/Thieme)
  • 5. First Some Obviousness But it’s leading somewhere…
  • 6. Obviousness: Customers • Citizens • Individual Businesses • Industries • National Infrastructure • Government infrastructure • National Cohesion Overlap.
  • 7. Obviousness: CTVs • Contestable Threat Vectors (CTV): – Provide defendable space between “bad guys” and targets – Imply that there is a space that is *not* the target that must be traversed beforehand – “Domains” is used too often IMO • Historically… – Earth – Air – Water – Space (for some value of historically)
  • 8. Obviousness: Responsibilities Government “Security” apparatus responsibilities heavily influenced by geography • The military protects national sovereignty outside the U.S. • DHS protects national cohesion; operates on U.S. as a whole • FBI specific aspects of internal U.S. interests • State & Local government organizations
  • 9. Obviousness: Along Came A Cyber • “Cyberspace” comes along; screws things up – Cyber Assets: Targets AND part of a CTV – “Customers of Protection” now own a CTV – Geographic Protection Schemes break – Opaque by Default • But can have consequences in other CTVs – So we can’t ignore old physical policy mechanisms – “National Guard” example • “Critical Infrastructure” here but can be used with a lens to provide other views
  • 11. Cybersecurity has natural parenthetical Scopes EVIL GOOD! I want to steal hazardous materials! Ok, we’ll attack Traffic Light Controls and make trucks stop! Metasploit to the rescue! Boss Bob Cyber Planning Bob Hacker Bob I want to keep making $123 a day! Let’s make sure IT enables $123/day CEO Jim IT Architect Jim IDS to the Rescue! Security Jim “Technology”
  • 12. “Object Oriented Policy Making” • Failure to scope cyber topics appropriately – Wrong parentheticals • Grab Bag Problem – Good ideas scattered everywhere – neither related nor consistently relatable • Cyber security as a practice domain can be treated like a large algorithm • A simple protocol stack will help us get the right view into that algorithm • If we don’t have a common view, we our code won’t execute
  • 13. Maybe too detailed? Start smaller.
  • 14. Simple Risk Management Lifecycle Scoping is not defined. This is a mistake, even at a high level. (Yes, this is/was in use nationally  )
  • 15. More helpful: Linked Lifecycles Risks FROM Systems (Cyber) Risks TO Systems (Cyber)
  • 16. Risks From Cyber / Risks To Cyber • “Risks from” • Business & Non-Cyber • Long view • Evaluated regularly • Frames “Risks to” and makes actionable • “Risks to” • Technical & Implementation • Dynamic, Rapidly Changing • Should be reevaluated often • Context provided by “Risks From” • Linked Lifecycles allow alignment of strategy and tactics while de-conflicting perspectives • Allows strategy to influence ground action and, where pertinent, vice versa Helpful to understand government’s activity (Even if they don’t always)
  • 17. A Cyber Management Protocol Stack • All layers depend on the ones above and below for success • Provides common terms • Structures & Enables discussion • Allows narrow focus in problem areas • Highlights completeness • Will use this later
  • 18. A Cyber Management Protocol Stack • National Security Assurance – Assure Nation will continue; Diplomacy; Military • Business Environment – Define Common Business Outcome Goals for Cyber security; Describe Environment; Create Common Lexicon • Capability Management – Evaluate capabilities against organizational goals; prioritize resources and investments; adjust capabilities in response to ops data • Control Management – Evaluate conceptual application of best practices, standards, • Operations & Testing – Compare conceptual control placement to actual configurations and threats
  • 19. Now that we have a lens… National Underpinnings of Critical Infrastructure and Key Resources (CIKR) Protection
  • 20. Primary Documents: HSPD-7/NIPP • “Homeland Security Presidential Directive-7” – Bush. Builds on earlier directive from Clinton – Assigns Critical Infrastructure Protection to DHS • National Infrastructure Protection Plan (NIPP) – DHS Plan for Implementation of HSPD-7 • “All” Critical Infrastructure, not just Cyber – Most of the people traditionally involved are *not* cyber – This isn’t entirely wrong, but causes public disconnect • They do require cyber-specific actions from DHS – Confusing. One of the reasons for the EO • http://www.dhs.gov/homeland-security-presidential-directive-7 • http://www.dhs.gov/national-infrastructure-protection-plan
  • 21. HSPD-7 Policy Statement “It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts that could: • Cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction; • Impair Federal departments and agencies' abilities to perform essential missions, or to ensure the public's health and safety; • Undermine State and local government capacities to maintain order and to deliver minimum essential public services; • Damage the private sector's capability to ensure the orderly functioning of the economy and delivery of essential services; • Have a negative effect on the economy through the cascading disruption of other critical infrastructure and key resources; or • Undermine the public's morale and confidence in our national economic and political institutions.”
  • 22. HSPD-7 Policy Statement RealSpeak Summary: The U.S. will protect the infrastructure supporting National Cohesion” in Partnership with Industry Experience says: • “Protect” doesn’t have to be active • “Protect” really means “Assure Security” • “Assurance” starts with measuring and only continues to protecting *if* the measurements fail • Industry: Hint. Hint. Hint.
  • 23. Primary HSPD-7/NIPP Goals • Identify Critical Infrastructure • Prioritize Infrastructure • Protect • Report on Progress • This means: Create specific plans to, in voluntary cooperation with industry, implement the NIPP Risk Management Lifecycle and report annually
  • 24. Dividing Ownership • US Government (HSPD-7/NIPP) splits Critical Infrastructure responsibilities into 16 “Sectors” • Each “Sector” is assigned a “Sector Specific Agency” (“SSA”) • Assignments are done at a a Department level – Some departments assign SSA responsibilities to sub- organizations (e.g. DHS assigning Transportation to TSA) Chemical: DHS Financial Services: Treasury Commercial Facilities: DHS Food and Agriculture:Agg/HHS Communications: DHS Government Facilities: DHS/GSA Critical Manufacturing: DHS Healthcare and Public Health: HHS Dams: DHS Information Technology: DHS Defense Industrial Base: DOD Nuclear: DHS Emergency Services: DHS Transportation Systems: TSA/DOT Energy: DOE Water and Wastewater Systems: EPA
  • 25. Sector Specific Agency Responsibilities Encourage organizations with information to share with those who need it and encourage development of sector information sharing programs and mechanisms Promote education, training, and awareness within the sector in coordination with other government and private sector partners Identify, prioritize, coordinate federal CCIP activities in sector Appraise congress of sector's current status and progress in reducing risk and implementing the NIPP Increase integration of cyber security efforts with other all hazards protection and response programs Develop and implement sector risk management program and framework and use to determine risk priorities of sector and coordinate risk assessment and management programs Support Ad-Hoc DHS data calls Promote cyber awareness of owners and operators and program level guidance for CIKR protection The DHS “Infrastructure Protection” (IP) organization is responsible for coordinating all of the sectors and assuring the NIPP is being implemented. (This can and has been problematic)
  • 26. “Public/Private Partnership” • Formal Term, Formal Constructs – Used in many contexts • Foundation of Critical Infrastructure Protection in the US • “Voluntary”, “Public” – (Limited? Trust issues) • Alternative is/has been Regulation • “Weight of Government Burnout” problems • This is important
  • 27. HSPD-7/NIPP Partnership Model •The primary organizational structure for coordinating critical infrastructure efforts and activities. •Facilitates integration of all partners into planning & ops activities •Ensure a collaborative approach to critical infrastructure protection. •The SCCs and corresponding GCCs work in tandem to create a coordinated national framework for Critical Infrastructure protection and resiliency within and across sectors.
  • 28. Sector Coordinating Councils (SCC’s) • The principal entities for CIKR owners and operators within a sector to coordinate with the government • Include a broad base of owners, operators, associations, and other entities • Principal private sector policy coordination and planning entities • Participate in planning efforts related to reporting for the NIPP • For information sharing and response, often rely on ISACs and other non-SSA entities • Problem: This is probably the first time you’re hearing this (also: industry vs citizens)
  • 29. Government Coordinating Councils (GCC’s) • The government counterpart for each SCC to enable interagency and cross-jurisdictional coordination within a sector • Includes representatives from various levels of government (Federal, State, local, or tribal) as appropriate • Co-chaired by a representative from the designated SSA and DHS IP (This causes some issues) • Coordinates with and supports the efforts of the SCC to plan, implement, and execute the Nation’s CIKR protection mission. • Provides interagency strategic communications, discussion, and coordination at the sector level • Participates in NIPP planning efforts
  • 30. What is “CIPAC”? • DHS Construct: Critical Infrastructure Partnership Advisory Council • Provides a legal framework for SCC and GCC members to engage in joint CIKR protection-related activities • Operational mechanism of National Infrastructure Protection Plan (NIPP) • Provides membership to agencies across all levels of government and the private sector, including membership representing almost 50 percent of the Gross National Product of the United States. • Allows members of Sector Coordinating Councils (SCC) and Government Coordinating Councils (GCC) to engage in cross-Sector, cross-government coordination. • Key activities of the CIPAC include information sharing, national planning, and program implementation
  • 31. CIPAC: Good & Bad • Good – No FACA, Not owned by government – Managed Engagement – **Must** Have SCC co-chair • Bad – Control issues (SSA’s don’t always like it) – Trust Issues (Northwest Rail story)
  • 32. CIPAC Examples • Industrial Control Systems Joint Working Group (ICSJWG) • Cross Sector Cyber Security Working Group (CSCSWG) • Transportation Systems Sector Cybersecurity Working Group (TSSCWG)
  • 33. What about “real” cyber? • NCCIC • ICS-CERT • CISCP • NLE/Cyberstorm • US-CERT • ISACs
  • 34. Aside: Government “Information Sharing” • “Incident Response” organizations are often regarded as “Information Sharing” ones – Must not forget distinction – Missions may conflict and impact sharing • FBI, Military, and the Intel Community also have potentially conflicting missions • No Pot of Gold at the end of the Classification Rainbow • Information often classified due to sources and means, not content • Actionable REQUIRES bi-directional sharing
  • 35. HSPD-7 & NIPP Environment Public/Priva te Partnership Resource Coordination Sector Coordinating Councils (Industry) Government Coordinating Councils Government Cyber-Specific Operations CIPAC CRADA/ PCII Fed to Fed
  • 36. New Policies • Cyber Executive Order: – Aimed at Gov, Not You: Mom reigning in kids – Cyber was already supposed to have been being handled (as we’ve seen) – Attempts to rectify these barriers while keeping in tact most of the fundamental structures already in place. – Heavy focus on “Harmonizing Cyber Efforts”  Awesome • Presidential Policy Directive (PPD-21) – Not Cyber specific – update to HSPD-7 – Important • CISPA – Very narrowly focused on information sharing • Others. Let’s discuss?
  • 37. PPD-21 Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience: 1) Refine and clarify functional relationships across the Federal Government • Federal functions related to critical infrastructure security and resilience shall be clarified • There shall be two national critical infrastructure centers operated by DHS – one for physical infrastructure and another for cyber infrastructure. 2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and • Enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems. 3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure. • Shall include the capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information
  • 38. Whitehouse Cyber Executive Order Main Thrusts: – Improve Information Sharing – Use business-function driven risk analysis to determine priorities – Create a framework of standards for reducing risks from cyber security issues to critical infrastructure – Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process. White HouseDHS/SSA’s
  • 39. Executive Order: Section Analysis 1. – 3. Fluff 4. Cybersecurity Information Sharing 5. Privacy and Civil Liberties Protections 6. Consultative Process 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure 8. Voluntary Critical Infrastructure Cybersecurity Program 9. Identification of Critical Infrastructure at Greatest Risk 10. Adoption of Framework (Read: Potential Regulation)
  • 40. Executive Order: Concerns • Could this infringe on individual freedoms? – “Not any more than before” • Do we have any guarantee of transparency? – So far: Chaotic Good • The government wants my data? – Yes. Because they need your data to make theirs actionable for you. But that’s not “the point” • Why so obtuse? – Right ideas. Poor Messaging. – Married Couple Analogy • I don’t want the government in my space – They just need to “assure” their mission – It is possible for industry to keep interference to a minimum • No faith in government agility to get it right – Crickets. Real Problem. Will impact success. • Should it have been so broad? – Built into the EO is a process to focus it. It’s actually at the right level • Isn't this just a political goad? – Not just. Smart people have worked on it. Useful (Possibly). • This preempts legislation or ignored existing work – No • Why is this a DHS issue? – National cohesion IS DHS’s mission – cyber just a part. There is no “singularly cyber” mission. Others have other takes on cyber mission • What about regulation? – This situation might have gotten a little better, more dynamic
  • 41. Executive Order: NIST Framework This is so amorphous yet so crucial, I’m mostly just going to talk to y’all about it “Framework to Achieve DHS specified Performance Goals” Industry Driven “All Inclusive” Standards vs Standards Some Vision Lost in Translation EO Performance Goals Balance Rails, Quality Assurance, Soylent Cyber is People!
  • 42. Executive Order Status So far • DHS has something like 25ish deliverables to the White House – Insane timelines – Has formed working groups • Some internal, some public – One is “Cyber Dependent Infrastructure Identification Working Group” (CDIIWG) • Responsible for Executive Order Section 9 – Most of DHS’s deliverables do not *require* industry engagement • Informed by it via SSA’s and scheduled industry meetings
  • 43. NIST Framework Status So far • NIST has to manage Industry Input into Framework – Kick-off meeting already, 700+ attendees plus webinar – Next one in Pittsburgh 5/29-5/31 • No announced registration mechanism – Put out RFI out and received responses • All over the board • This could be better • We need better rails
  • 44. CISPA • An executive order cannot change already legislative assigned federal responsibilities • CISPA handles legal aspects of: – Remove legal barriers to information sharing – Addressing specific problems associated with industry cybersecurity needing to intersect with the intelligence community. • My experience as a Fed was that barriers CISPA attempts to do away with were ones often cited by Industry Reps as what they needed. • Intent legit, but details? …
  • 45. Overheard…but wrong • Talks about “which ports are/aren't open” being the type of focus of the NIST framework • Refers interchangeably to home cyber and critical infrastructure; • Mistakes “compliance” standards with “interoperability” • “Obama bypassed congress & signed the Cyber Security Executive Order. Meaning there is no privacy. We now have a dictator, boys and girls.” • “Obama passed a secret cyber order – he embargoed it from the press”
  • 46. Time for a Real World Example Using the Lens to create a View
  • 47. Government Tools • CARMA: A Risk Management Approach • CRR: A Cyber Resiliency Model • CSET: A Cyber Evaluation Tool • ES-C2M2: A Maturity Model • RMP: A Risk Management Approach • NIST Cyber Framework: Standards • Executive Order: Better Cybersecurity
  • 48. This year I had the following discussion with a critical infrastructure sector: Them: “which one of those should industry use or get involved with.” Me: “All of them” Them: “But we don’t have time, what's the best?” Me: “But they do different things!” Them: “It doesn’t look like it…” What. The. Hell. Wait! We have a protocol stack…
  • 49. Clearly, the question made no sense when you look at a structured perspective – they all suit different needs. The model showed the types of needs, how they fit together, and provided a common reference for “Cyber Security”
  • 50. (A bit about those tools…) • CARMA – DHS Cybersecurity And Risk Management Approach – Sector-wide model of business-function and value chain driven risks – Ties business models and cyber infrastructure – No individual business details – Being used in Executive Order process to determine performance goals for NIST Framework • ES-C2M2/CRR – Electric Sector Capability Maturity Model / DHS Cybersecurity Resilience Model – Both look evaluate business maturity and progression in capability domains – Neither provides performance goals or context – Management link between strategy and execution • RMP – DOE Risk Management Process – Slots both into the risk management domain and overlaps everything • DHS CSET – DHS Control Systems Evaluation Tool: Control Catalogue Application Evaluation • Tallinn Manual – Not a gov doc – academic even if NATO – but speaks to international law
  • 51. National Cyber Security is about Structured, Clear Comms Closing Thoughts
  • 52. Leveraging Dialogue • Define the Space • Control Language (0-day example) • Manage Perception • Make Like Eminem • Treat the Government Like a Computer
  • 53. Off the rails discussions.. – Cyber war • The Earlier Rainbow Diagram Helps – Regulation • Views – Sector Progress & Reporting (Gov & Media) • Grab Bag again – NIST Framework • No algorithm (problem statement) MUST improve the quality of the dialogue
  • 54. More Advice & Truisms 1. Actors are often irrational (thanks @selenakyle) 2. Guys with Guns aren’t Generals 3. Cyber security is a human QA problem 4. Our businesses are both targets and part of a CTV 5. Winning needs more than holding a line; improve the world 6. Momentum needs rails, so be clear; use a protocol stack 7. Corollary: We will not accomplish anything with a multitude of voices. Use common model to create a common voice 8. The government *must* fix a Cyber Commons Tragedy 9. The government is not omniscient; don't treat it like it is 10. Corollary: Resources are limited; don’t keep 911 busy 11. Do you really want the gov in your ops? 12. What we’re doing isn’t working. (Yet?)
  • 55. Discussion… • Now that we have a common framing and have critical infrastructure policy underpinnings… – Concerns? – Questions? – Advice? – Corrections? – Derision? • Also, Discuss? – “DevOps at a National Level” – “Personal Liberty” / “Rights” THANK YOU  Jack Whitsitt | sintixerr@gmail.com | http://sintixerr.wordpress.com Energysec | http://energysec.org

Hinweis der Redaktion

  1. Cyber ….why is cyber so visible? News, failures, money (congress!), sexy, responsibilitiesToday going to focus on gov involvement what it’s good for (or not), offer some advice, etc…can extrapolate to media and self and etc6. What are some simple things to know ahead of time that I might not already?There are laws, mandates, and programs on the books now and have been for years.  This includes strategic planning, incident response, information sharing, and engagement.major players in industry have been actively engaged in the dialogue so far – even if you haven't nec been aware of it. There have been certain cultural, process, political, perception, legal, and conceptual barriers to progress despite existing work and engagement.  The Executive Order attempts to rectify these barriers while keeping in tact most of the fundamental structures already in place.I'm not here to teach, rather to frame…or to lens…the topic in a way that improves dialogue at the second half of this talk and when we leave here. …thereby enhancing our ability to work together on this collective problemSo, first we need to talk a bit about what the government interest is. Keep in mind, some of this will seem obvious, but sometimes primary colors are the best to start with
  2. So, that said, the primary colors here start with identifying what is being (or should be) protectedFor these purposes, I think in terms of: Customers (or citizens, but they're customers of the gov), Individual Businesses, National Infrastructure, Government infrastructure, and National Cohesion.Customers: Soft & Hard interests (economic/free speech vs safety/mobility..etc)Individual Businesses: There are also collective interests, but here Im calling out individual sets of prioritiesGov Infrastructure: Sort of a peer in this case to individual businessesNational Cohesion: The ability for the nation to function. This includes stable and safe markets, the ability to conduct business, freedom of mobility, manufacturing, water supply, coordinated responses to threats, etc
  3. So, that said, the primary colors here start with identifying what is being (or should be) protectedFor these purposes, I think in terms of: Customers (or citizens, but theyre customers of the gov), Individual Businesses, National Infrastructure, Government infrastructure, and National Cohesion.Customers: Soft & Hard interests (economic/free speech vs safety/mobility..etc)Individual Businesses: There are also collective interests, but here Im calling out individual sets of prioritiesGov Infrastructure: Sort of a peer in this case to individual businessesNational Cohesion: The ability for the nation to function. This includes stable and safe markets, the ability to conduct business, freedom of mobility, manufacturing, water supply, coordinated responses to threats, etc
  4. Generally…and I know this is a ROUGH generalization, responsibilities for security break out something like this:The military protects national sovereignty DHS protects national cohesionFBI protects customers and business through a prosecute/convict missionState & Local government organizations (and Natl Guard) focus on providing geographically related supportIn all cases, contestable threat vectors (ie “geography”) define when where & how these groups operate.
  5. But then we add cyber.
  6. Even though we’re talking responsibilities, not code, still need a protocol stack because…Stick figure diagramSo let’s move beyond primary color type stuff (and I know I havent been using only primary colors in the deck, everything is always a shade of something else 
  7. Sneak Peak at Risk Rainbows
  8. Basic risk lifecycle…mention this is official….but will get to it
  9. Two-tier risk lifecycle diagram
  10. Basic 5-tier diagram (series will be after nipp, partnership, etc)…at the end “ok, now we’ve got some reference space…lets look at old guiding policies to critical infrastructure, then we’ll talk updates…then we’ll look at what you might have heard…and then we can move into discussion/advice…comments…etc
  11. Basic 5-tier diagram (series will be after nipp, partnership, etc)…at the end “ok, now we’ve got some reference space…lets look at old guiding policies to critical infrastructure, then we’ll talk updates…then we’ll look at what you might have heard…and then we can move into discussion/advice…comments…etc
  12. DHS shall protect crit infrastructure, (explain the interest here…assurance of protection would be a better word…this is DHS…so they're on the hook for COHESION here, not your businesses…protecting individual points not their mission, but the ability of US to operate. In other words, they need to assure certain consequences don’t occur – whether you do it or they do it…and consequences are nationally catastrophic (hard or soft)
  13. identify prioritize, report: Formal Risk Mgt Lifecycle…resp for getting sectors to implement…and SSP/SAR
  14. There shall be sectors
  15. There shall be agencies supporting sector specific stuff: interesting because other regulation from some agencies and other agency-specific (non DHS mechanisms). More in a bit
  16. identify prioritize, report: Formal Risk Mgt Lifecycle…resp for getting sectors to implement…and SSP/SAR
  17. Will use partnership: Regulation vsformal pub/priv partnership …incentives…why you don’t hear a lot of this dialogue. Partnerships been going on for a long time, but not for public discourse – protects industry (not classified tho)
  18. identify prioritize, report: Formal Risk Mgt Lifecycle…resp for getting sectors to implement…and SSP/SAR
  19. Info about ops orgsOther Players: Ops/Intel/TechSec: NCCIC, ICS-CERT, CISCP (and subsequent slide-single)…Exercises (Cyberstorm, NLE),
  20. A note about info sharing (from grid lined paper)
  21. Our joint SSA/Industry strategy used this model (when I was a fed): Raise awareness, in order to gain participation in pub/priv partnerships, to develop the context, for improving ops & sharing (DHS, industry, whoever), in a sustainable wayBut not every SSA is the same, and this was only philosophical guidance
  22. 1. What is the Executive Order and why was it issued?This is a two prong answer. First, obviously it was absolutely a political goad to congress to write legislation and to poke at the Republicans. However, more importantly, it is also potentially a very valuable order that was seriously thought through and that will be used.Think of it like a mother (the White House) telling kids (DHS, SSA’s) to “clean up the house”.  Based on existing house rules (overarching critical infrastructure directives/laws), she expects it will be done and goes off to handle other things.She comes back to find out that the kids of swept once or twice then went on to xbox, pushed stuff under the bed, or made more of a mess of the toy box trying to clean it than it was before.Mom comes back and says “Ok, I left you to your own devices, here are the specific ways – again within the larger context of house rules – you are going to clean up. In the case of cyber security, the White House has said: You – DHS and SSAs and everyone else – are going to remove barriers to information sharing, work with our customers (industry) to build some coherent approach to solving the problem to our satisfaction  – some standard way of organizing the whole mess, and you’re each (especially you SSA’s!) are going to create explicit privacy and civil rights protections or else you fail.
  23. Sec. 4.  Cybersecurity Information Sharing. a) The US Government will pass more (unclassified) information than they already are, and from more sources, to the private sector faster so that they (industry) can better protect themselves. b) More about the rapid dissemination of these reports, but now mentions the ability to disseminate limited classified reports c)The government will enhance a new program (previously announced) to provide classified threat and technical information to qualified critical infrastructure companies (including commercial service providers who work with critical infrastructure) d) The intel community will speed up processing of security clearances for private sector companies with critical infrastructure e)Since actually becoming a fed is hard, and because not everyone wants to, there are initiatives going on – and which the EO directs to be hurried/expanded – to allow private citizen subject matter experts to come under temporary serviceSec. 5.  Privacy and Civil Liberties Protections.a) Agencies already have privacy/civil liberty offices and procedures in place. They must make sure any action they take in regard to the EO is done using those offices and procedures. b) DHS must make formally sure on a recurring bases that 5a) is indeed happening c) When DHS reports on this, it will consult with OMB (to provide another layer of oversight) d)Private entity information will be protected by the most protective interpretation of the lawSec. 6.  Consultative Process The government will engage with private sector stakeholders on all aspects of the EO and will utilize mechanisms that already exist and are currently being used to collaborate with industry on cyber security and critical infrastructure – particularly those outlined in HSPD-7 and DHS’s National Infrastructure Protection Plan Sec. 7.  Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.a) NIST will lead the development of a framework to reduce risks to critical infrastructure from cyber systems.  The framework speaks to the process of reducing risk.  The framework is intended to make sure business efforts, policy efforts, and technical efforts are aligned and working together.  The framework will incorporate existing standards and best practices as much as possible (clarification: NIST has said here that they mean interoperability/common frame of reference type standards, not performance or measurability focused standards. Ie, the intent of the standards is to help everyone work together.)b) The framework is *process focused* and intended to deal with the fact that this is the real world; it’s goal is to work collectively to figure out the best ways to reduce risk – the process is the focus, not the results. “The journey is the destination”.  The framework will include ways to measure how well organizations are participating in the process.c) The framework will explicitly include ways to protect business interests and civil libertiesd1) This process will be as inclusive as possible. Government required to show up to the table and government required to engage industry as much as industry is willing to participate.d2) The government will provide outcome goals for the framework based on critical determinations made in section 9 (the intricacies of this are a bit out of scope of this review. Suffice it to say that there is already existing work here being done and existing processes already in use that will most likely be used to fulfill this requirement.). This is assigned to the heads of relevant agencies, which means its a performance criteria for those individuals, which means it will get done.e) a preliminary version of the framework will be done in 240 days, final in a yearf) The process of engagement and validity of approaches will be reviewed regularly for appropriateness in addressing cyber securitySec. 8.  Voluntary Critical Infrastructure Cybersecurity Program.a) There will be a program (outreach & engagement?) to encourage private sector adopting the framework processb) The agencies already on the hook for industry engagement for critical infrastructure (sector specific agencies – SSAs – under HSPD-7 and the National Infrastructure Protection Plan – NIPP) will use their existing mechanisms (like CIPAC) to reach out to industry on a sector by sector basis and address sector specific risks and concernsc)The Sector Specific Agencies will let the president know annually how this is all going – is industry participating or no?d)the government will try and create additional value for industry to participatee) The government will try and figure out how – or if it even makes sense – for the government to adjust its procurement and contracts to use/fit in with the frameworkSec. 9.  Identification of Critical Infrastructure at Greatest Risk.a) Within 150 days, DHS will determine, based on potential national consequences from a cyber attack, what infrastructure is critical.  This speaks to a consultative process (as described in section 6) that the government will use to identify what the framework and the rest of the Order is aimed at. I’ve been working within one industry for some time using a version of the process that will be used here. The process uses business-function driven risk analysis to determine priorities: Critical Functions->Value Chain->Supporting Cyber Infrastructure->Program level vulnerabilities->Scenarios to be protected against. Ish.b) The sector specific agencies will, in line with their existing role, provide DHS with enough information to make these determinations. The EO assigned this to the heads of the sector specific agencies, in particular, and so it is a performance criteria for them. This tends to mean it will get done.c) Owners and operators of critical infrastructure will be confidentially notified of their status as critical infrastructure and there will be a mechanism for them to ask to be reconsideredSec. 10. Adoption of Framework (Read: Potential Regulation)a) Agencies who can currently regulate will look at any new information provided by the preliminary framework and determine if the way they are currently handling regulation is sufficient based on framework identified risks (my note here: TSA has, in the past, declined to regulate because industry was actively participating already. This directive does not make future regulation a given).b)If current regulation isn’t sufficient, regulatory agencies will propose actions.c)within two years, agencies will work with owners and operators to determine if any new regulation is ineffective or excessively burdensome and will make recommendations for relief/changesd) DHS will help out any agencies who don’t have the technical cyber qualifications to do this effectivelye) Regulatory agencies that aren’t sector specific agencies should consult with everyone and get on board, tooSec. 11. Definitions (Speaks for itself. Read these without translation)(a) “Agency” means any authorityof the United States that is an “agency” under 44 U.S.C.3502(1), other than those considered to be independentregulatory agencies, as defined in 44 U.S.C. 3502(5).(b) “Critical Infrastructure Partnership Advisory Council”means the council established by DHS under 6 U.S.C. 451 tofacilitate effective interaction and coordination of criticalinfrastructure protection activities among the FederalGovernment; the private sector; and State, local, territorial,and tribal governments.(c) “Fair Information Practice Principles” means the eightprinciples set forth in Appendix A of the National Strategy forTrusted Identities in Cyberspace.(d) “Independent regulatory agency” has the meaning giventhe term in 44 U.S.C. 3502(5).(e) “Sector Coordinating Council” means a private sectorcoordinating council composed of representatives of owners andoperators within a particular sector of critical infrastructureestablished by the National Infrastructure Protection Plan orany successor.(f) “Sector-Specific Agency” has the meaning given theterm in Presidential Policy Directive-21 of February 12, 2013(Critical Infrastructure Security and Resilience), or anysuccessor.
  24. 3. Could this in any way infringe on individual freedoms if misinterpreted?The short answer is “not any more than before”. DHS messaging is that privacy and liberty assurance is one of the three primary focuses of the EO. The Executive Order relies on existing government privacy and civil liberties mechanisms and embeds them throughout the order. Whether or not you think those mechanisms were sufficient is one question, but the EO doesn’t make them worse or better.10. What guarantee do we have to transparency in any of this?Workshops kick off in April.  NIST has questions to industry on its website and will be reaching out further (more proactively than “on the website”) in the near future. If you read my earlier NIST post, you’ll see transparency and participation are core, not tangential, tenets here and are one of the things that will (or is intended to at least) distinguish this from past efforts. Further, if you have been on any of the DHS calls with industry, every single conversation revolves around getting more and better industry involvement. They are very serious about it.  Finally, in my own work with some of this (which is tangentially related), transparency and engagement have been priorities I’ve seen.11. Indeed it’s written with the basis that Government will continue to be the determining data librarian for cyber threats.Over and Over and Over industry tells gov “we need better threat info”.  Most of EO not dealing with the framework is written to that end – it primarily deals with pushing data TO the private sector because they have requested it. However, post-order messaging has (correctly) been: Look, we don’t have a classified pot of information at the end of the rainbow that’s going to save the day. Industry, you guys know about yourselves way more than we do – or you should.  If you don’t share, that’s fine, but we can’t help you unless you help us to do it.I don’t like the disproportionate focus on Information Sharing. I think it’s a waste of time, but we collectively have created this stupid beast. I might be a red herring, but it’s our collective red herring.This deserves a longer treatment than a couple of sentences, so come see me talk about it at SOURCE Boston12. Why is the Cyber EO so obtuse? And while the PPD adds context – it’s clear that we require more (and more) clarityMuch of the obtuseness is because a) some is to be defined later by b) federal agencies who will get very clear direction from those in the WH charged with implementing the EO within the context of c) existing language on the books and in response to d) specific beefs from industry and dialogue failures in the past. What most people lack is the appropriate context from which to interpret it, since most people are not critical infrastructure owners and operators or feds who have been engaged in the discussion. Much of the insight I'm trying to provide here isn’t direct experience with the EO itself, but the cultural language which has developed in the civilian space on the topic of critical infrastructure protection over the past several years.  It’s not understood well outside of Washington, but those it is speaking to understand it.  This is a huge problem and one I’ll try to address in Boston13. Is this more of the government telling private sector they’re coming?Gov’t is already there: HSPD-7, NIPP, SSA’s, CIPAC, CSCSWG, CNCI, NCCIC, foobar.   Regulatory capability already there: TSA, DOE(NERC CIP), etc. This EO speaks to and sorts out this *existing* stuff in one prong and tries to sort out information sharing barriers in another prong (barriers which, right or wrong – mostly wrong – industry has cited over and over and over as the reason their cyber sucks)14. Why do we have any faith that Government has the agility and consistency to get it right this time?We don’t. but, the way the framework components are laid out, we have an interesting opportunity to force it to work by the order’s focus on creating real consensus business-driven requirements. In particular, I believe cyber security is a quality assurance problem over unbounded time driven from business priorities and is almost 100% a human-centric problem.  There might be space here for that conceptual shift to occur.  More on that later, possibly in Boston15. Should the Cyber EO have been so broad? Look at the “Designated Critical Infrastructure Sectors and Sector-Specific Agencies” list in the PPD.Don’t forget that the PPD is based on years old definitions and, more importantly, is an all-hazards list primarily focused on physical attacks. In large enough scale, most things are critical in the terms of the broader discussion.The trick is, for cyber, determining what within those spaces is critical. It’s a different functional discussion – as this is all laid out – than which sectors are critical. That’s handled in a process – a version of which I’ve been facilitating at a sector level for the past year – that is designed to base decisions on business driven threat scenarios.  It’s not perfect, but it’s a huge improvement from past methodologies.16. If and only if (IFF) the Cyber EO was really meant to get action to answer these questions – then it should not have been issued so broadly, so politically charged, and otherwise tied to SOTU the way it was.Agree. It’s over-politicized – but that gets into questions of its effectiveness and clarity in the current political and cultural environment, and that’s out of scope here.17. Why not leverage the bodies of work existing up-front?Because the process of engagement in finding and applying those existing bodies of work is the key element of this part of the EO, not the outcomes themselves. It’s an attempt to build in continuous flexibility and applicability in changing environments and compared to differing and dynamic priorities.  Think “it’s not the destination but the journey” here and add on “and the requirement to iterate through multiple journeys as a lifestyle”. The mechanism NIST and the collective gov builds to continuously engage industry in the development and adaptation of the framework are where our real opportunities to make this valuable come in – but we need to work together coherently. More in this in Boston.Also see this document from NIST: http://www.nist.gov/itl/cyberframework.cfm18. What makes this a compelling DHS issue instead of economic development, science, or other component of Government?Because the EO can only really address already existing legislatively assigned authorities. This EO is a goad for further legislation, and that might change the agency assigned responsibilities. That said, I actually agree this should be a DHS issue – no other agency has the type of broader mission required to effectively coordinate cybersecurity in the broad terms it requires – NSA would be one of the worst choices, since their core mandates are, in many cases, only of use in terms of focused support.  Think correlation with physical and geographically dispersed response and coordination.  The FBI, similarly, would be a terrible choice since their mandate is “prosecute and convict”.19. What about regulation of industry?There are a number of agencies who *already have* regulatory authority over private sector critical cyber infrastructure – some have used it, some haven’t. The EO asks that they use the new processes in the EO to reevaluate whether they should regulate and how if they don’t now and the effectiveness of any regulation if it’s already in place. Every two years, the government is required to check with industry to make sure any regulation is a) effective and b) not too burdensome.  In my opinion (based on work with some of the processes which will be used),  this is much less likely to result in additional regulation than is suspected. (This is because the processes attempt to be more empirical and data-informed than the more speculative and subjective attempts in the past.)20. Why haven’t I heard about any of this and why does it not resonate with me?So much of this has been driven by lobbyists and industry associations….unfortunate in many cases…but almost impossible to get substantive input from more fair representation.  The reasoning behind this is something I’ll cover in Boston and it’s something we need to culturally change together – and we can.
  25. 4. What will the “Framework” described be? Based on comments from NIST: The framework will includewhatever will achieve effective cyber: processes, technologies, architectures, concepts, specifications, etc.  It is intended to be layered and include broad principles, common practices, and sector specific realities.The role of NIST is to support the industry development of the framework.  The government will depend on the actions of the private sector after sharing, up front, performance goals. NIST is being engaged because it has experience gathering lots and lots of input, but this will NOT be a typical NIST thing.The aim of the framework approach is to enhance adaptability, with cost and impact to economics of business being an integrated explicit part of the conversation.Additional benefit is that, by increasing interoperability of requirements, concepts, expectations, etc, baseline security can be driven to market/products (my comment: which has been a vendor/industry complaint often voiced)Moreover, a goal of the EO – both in context of information sharing and the framework – is harmonization of efforts (this was repeated extensively and resonated with my experience in the dialogue) – particularly nby the federal government (which, again, has been a substantial private industry complaint).5. Standards? What is meant by standards? That sounds scary!Not as much as you’d think. Based on comments from NIST: Generally, common basis of comparison…some are performance…but some are norms to promote collective collaborative action. These latter are developed by industry and what the EO is referring to. In other words, the Framework of Standards is meant less to be comparative and more to allow everyone and everything to be working together.  (Jack’s note: I’ve said for years there should be a Chinese menu of options selectable by environment and risk, this looks like it might be going down that path).
  26. Bring it all together with several slides using 5 tiered model