Comment by William R. Cumming
May 1, 2015 @ 7:32 am
Well another FFF! My focus today is on CIP [critical infrastructure protection]! Imagine the situation in Baltimore if no lighting and collapse of energy grid? BTW there actually are definitions and distinctions in the US Code of the terms “riots” and “civil disorders”! Wondering when the comprehensive treatise will appear on the history of both in the USA. The events transpiring in NYC in 1966 and 1977 might be worth a mention.
So first point out again John Moteff’s excellent review of the history of CIP in his 2/14/14 CRS report RL 30153 which Steve Aftergood has posted at:
Suggest you read the whole report but here are some brief keys: 1. Footnote 16; 2. pages 16 and 17; 3. discussion of legislation; and note the extract set forth below:
“In the absence of new legislation, the Obama Administration issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Executive Order focused primarily on information sharing and the development of a cybersecurity framework for critical infrastructure. In regard to information sharing, the Executive Order instructed the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to “ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify specific targeted entities,” and to rapidly disseminate those reports to the targeted entity. The Executive Order also expanded the Enhanced Cybersecurity Services program to all critical infrastructure sectors. The Enhanced Cybersecurity Services program shares federal classified cybersecurity threat and technical information with infrastructure network service providers which the service providers can use when monitoring the network traffic of their critical
My explanation of the grade of F for DHS will follow for those interested.
Comment by Claire Rubin
May 1, 2015 @ 8:09 am
See new report on topic of CI by Steve Flynn:
May 1, 2015 @ 8:11 am
CORRECTION: Here is the right URL for that report
May 1, 2015 @ 8:20 am
The CRS report cited above gives more than adequate history. But I will supplement that with some personal comments of my own.
Many have argued that PROCESS IS POLICY in Washington. To some extent I agree. But as the CRS report infers and documents, issuance of policy guidance often fails in the implementation.
Tracing the changes in policy and organization and matching the two up in CIP is very difficult.
E.g., I would argue that the unloved and untended to Executive Order 12656 issued November 23, 1988 [after the 1988 Presidential election] was a rudimentary CIP document.
But it relied largely on physical security as the basic protective concept. Disclosure: I attended and participated in 8 of the dozen or so meetings chaired by NSC staff in producing the drafts. One fun item was watching as the DoJ reps argued successfully that DoJ should not be the lead agency for domestic terrorism. And not only did DoJ avoid the lead but no department or agency was assigned it.
Then in 1992 a law was enacted which was delegated to OMB, and OMB was given the lead for COMPUTER SECURITY.
It awaited the PCCIP report in fall 1997 to stress CYBERSECURITY!
May 1, 2015 @ 8:34 am
E.O. 12656, as amended, nominally hands out EMERGENCY ASSIGNMENTS to the Departments and agencies. N.B. that no Congressional Committee nor GAO has ever reviewed that E.O. in a hearing or report, and I argue many of the assignments [really delegations from the President] cannot be accomplished by those delegated authority, nor are they budgeted for.
MOST DEPARTMENTS AND AGENCIES VIEW EMERGENCY PREPAREDNESS AS NOT AS IMPORTANT AS THEIR DAY JOBS. IMO OF COURSE.
May 1, 2015 @ 8:41 am
Again the CRS review of PD-63 in the report is excellent. Again, disclosure: I attended five of nine drafting sessions at NSC for FEMA. The star of those sessions was Michael Vatis of DoJ. And the OSTP reps.
Note that the Chief Technology Officer position for the Executive Branch is housed in OSTP [WH office of science and technology policy]. The current incumbent of that position is Megan Smith formerly of Google. I believe she is the fifth incumbent of that position.
N.B. A CYBER CZAR promised many times but clueless as to existence of that position or its past and current incumbents if it exists.
May 1, 2015 @ 1:51 pm
There is a fundamental flaw in cyber security in that most of the losses, costs, and expenses are imposed on users because developers have little interest in security. It would be better if the liability regime imposed some costs on developers. IMO of course.
Are there any academic [law review articles] on liability issues in the cyber world?
What are the documented costs and benefits of the 21st Century’s “connectedness”? Or are all costs and benefits yet to be documented?
Related in my mind is what are the costs and benefits to humans of atomic and nuclear weapons?
May 2, 2015 @ 6:53 am
The private cyber world pretends that the US federal government has little to do with its security, development, operations, or maintenance, or at least that is my opinion. I have frequently mentioned in commenting on this blog that again IMO the Y2K effort was the world’s largest PREPAREDNESS effort ever outside of formal warfare.
Remember the so-called DOT COM bubble? The FEMA legal opinion declining to participate in that effort is on the FAS/FEMA page and IMO in error and not followed. What do we know about that effort? Well one largely undocumented effort was conducted by the US Federal Reserve, outside of DoD and its minions, the largest defender of the nation-state known as the USA again IMO. It is believed that the FED injected over $300B into the US economy as part of the Y2K PREPAREDNESS effort. The federal EXECUTIVE BRANCH by its collective decision to scrap its legacy systems if possible to buy new Y2K compliant systems did its part to stimulate the bubble. And of course DoD helped out in its purchasing.
BTW it appears that DHS has spent over $150B since its creation on IT. Exactly how successful that immense effort was and is is largely unknown. A 1992 statute created the position of CIO [chief information officer] throughout federal organizations with the reporting relationship of that officer directly to the head of the department or agency in keeping with the private corporate world’s equivalent. That key position both in government and the private sector has largely failed in its goal of more effective use of information to accomplish the organization’s goals whether profit-making or not.
Almost out of embarrassment at the riches conferred on the IT sector by the Y2K effort, that effort remains largely undocumented.
May 2, 2015 @ 7:07 am
Okay here are some quick and dirty fixes!
1. Spell out in each government budget amounts spent on physical security, including physical security of computers and computer systems as a subset.
2. Spell out in each government budget amounts spent on computer security and cyber security.
3. Spell out for each new hardware and software product amounts spent on security in its development before marketing for sale. This could be done under the CONSUMER PROTECTION ACTS of the various states. And all federal purchases of hardware and software of IT products by the federal government could only be done after a full analysis of the security of the new hardware or system so that vulnerabilities could be fully assessed.
4. Federal and/or licensing of computer security experts should be accomplished. The end result would be to track those who might be co-opted into nefarious activity. After all we do that for other activities do we not that can do less economic or real-world damage to our world. BTW OMB Circular A-130 requires that those with access in the federal government to sensitive computer systems be under special access controls.
5. A permanent JOINT CONGRESSIONAL COMMITTEE on cyber security should be established with a wide-ranging jurisdiction over federal IT efforts and in particular security.
May 2, 2015 @ 7:14 am
The purpose of budgeting for CIP is to promote disclosure first of amounts dedicated to protection and second to prioritize expenditures based on risk. Perhaps a RESILIENCE budget for each federal organization?
May 2, 2015 @ 1:17 pm
Perhaps an Internet fee for security?