Advanced search    Help

Clear all search criteria

Only 2/3! You are seeing results from the Public Collection, not the complete Full Collection. Sign in to search everything (see eligibility).

• Cybersecurity: Cyber Crime Protection Security Act (S. 2111)--A Legal Analysis [March 12, 2012]

  Show summary     Open resource [pdf]     (open full abstract)

  "The Cyber Crime Protection Security Act (S. 2111) would enhance the criminal penalties for the cyber crimes outlawed in the Computer Fraud and Abuse Act (CFAA). Those offenses include espionage, hacking, fraud, destruction, password trafficking, and extortion committed against computers and computer networks. S. 2111 contains some of the enhancements approved by the Senate Judiciary Committee when it reported the Personal Data Privacy and Security Act (S. 1151), S.Rept. 112-91 (2011). The bill would (1) establish a three-year mandatory minimum term of imprisonment for aggravated damage to a critical infrastructure computer; (2) streamline and increase the maximum penalties for the cyber crimes proscribed in CFAA; (3) authorize the confiscation of real property used to facilitate the commission of such cyber offenses and permit forfeiture of real and personal property generated by, or used to facilitate the commission of, such an offense, under either civil or criminal forfeiture procedures; (4) add such cyber crimes to the racketeering (RICO) predicate offense list, permitting some victims to sue for treble damages and attorneys' fees; (5) increase the types of password equivalents covered by the trafficking offense and the scope of federal jurisdiction over the crime; (6) confirm that conspiracies to commit one of the CFAA offenses carry the same penalties as the underlying crimes; and (7) provide that a cyber crime prosecution under CFAA could not be grounded exclusively on the failure to comply with a term of service agreement or similar breach of contract or agreement, apparently in response to prosecution theory espoused in 'Drew'. With the exception of this last limitation on prosecutions, the Justice Department has endorsed the proposals found in S. 2111. The bill has been placed on the Senate calendar. As of this date, S. 2111 has no House counterpart."

  Library of Congress. Congressional Research Service

  Doyle, Charles

  2012-03-12
• Continuous Diagnostics and Mitigation Program Asset Management - What is on the Network?

  Show summary     Open resource [pdf]     (open full abstract)

  From the Document: "The Cybersecurity and Infrastructure Security Agency's Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures. The CDM Program ultimately reduces the threat surface and improves federal cybersecurity response through four capability areas: Asset Management, Identity and Access Management, Network Security Management, and Data Protection Management. The Asset Management capability is aimed at providing agencies with a centralized overview of their network devices and the risks associated with such devices. Asset Management enables an agency to maintain and improve its cyber hygiene through five capabilities: hardware asset management (HWAM), software asset management (SWAM), configuration settings management (CSM), vulnerability management (VUL), and enterprise mobility management (EMM). Asset Management is the foundation of a strong cybersecurity strategy--it allows agencies to supervise network assets as they are being configured and deployed on the network, which ensures the assets are properly configured and that vulnerabilities have been identified and remediated. CDM's automated asset management tools have been deployed to federal civilian agencies since 2014. These tools continue to be important today as shadow Information Technology (IT) (i.e., hardware/software that is on the network but is managed outside of, and without the knowledge of, the primary IT department) at agencies continue to expand."

  United States. Cybersecurity & Infrastructure Security Agency

  2021-05-26
• Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and 'PrintNightmare' Vulnerability

  Show summary     Open resource [pdf]     (open full abstract)

  From the Summary: "The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA [Multifactor Authentication] protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' (CVE [Common Vulnerabilities and Exposures]-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco's Duo MFA, enabling access to cloud and email accounts for document exfiltration. This advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity."

  United States. Cybersecurity & Infrastructure Security Agency

  2022-03-15
• Final Audit Report Review of Treasury's Critical Infrastructure Protection Program

  Show summary     Open resource [pdf]     (open full abstract)

  "This memorandum transmits our Final Report on the Review of the Critical Infrastructure Protection Program. This audit was identified as a priority area in the Office of Inspector General's (OIG) Annual Audit Plan for Fiscal Year 2000. For this audit, we evaluated the progress made by the Department of the Treasury (Treasury), and its offices and bureaus, in implementing its Critical Infrastructure Protection Program for protecting its cyber-based systems. We included three findings and three recommendations to assist Treasury in the implementation of Presidential Decision Directive (PDD) 63. Overall, our review found that Treasury is making reasonable progress towards fulfilling the cyber-related requirements of PDD 63 and the National Plan for Information Systems Protection Version 1.0, Invitation to a Dialogue (National Plan). However, improvements could be made to assist Treasury in fully implementing PDD 63 and to meet the deadlines imposed by the National Plan and PDD 63. Specifically, we noted that funding and resources to implement PDD 63 are inadequate and implementation oversight can be made more effective. In addition, Treasury needs to identify its critical infrastructure assets. A lack of detailed knowledge of Treasury-wide system assets may be viewed as a Federal Manager's Financial Integrity Act material weakness."

  United States. Department of the Treasury. Office of Inspector General

  2000-12-14
• Department of Homeland Security Appropriations for 2009, Part 3: Hearings Before a Subcommittee of the Committee on Appropriations, House of Representatives, One Hundred Tenth Congress, Second Session, Subcommittee on Homeland Security, April 1, April 2, March 5, and March 6, 2008

  Show summary     Open resource [pdf]     (open full abstract)

  This document contains official Government Printing Office (GPO) transcripts from four different hearings before the House Homeland Security Subcommittee of the Committee on Appropriations. Hearings include: "Addressing the Challenges of Protecting the Nation's Physical and Cyber Infrastructure" held on April 1, 2008; "Border Security Programs and Operations-Challenges and Priorities," held on March 6, 2008; "Cargo Container and Supply Chain Security," held on April 2, 2008; and "Coast Guard 2009 Budget on Maritime Safety, Security, and Environmental Protection," held on March 5, 2008. From the opening statement of David E. Price for April 1, 2008: "Today, we are going to be discussing the Department's approach to protecting our nation's critical infrastructure, physical assets, such as ports, chemical plants, and nuclear facilities, as well as the servers and computer networks that make up the cyber infrastructure upon which our society increasingly relies." The March 6 "Border Security" hearing focuses on how to achieve Congressional border security objectives including securing land borders with international cooperation and a limited budget. The April 2 "Cargo Container" hearing examines: "the challenges and priorities facing our Nation to secure containers, cargo, and the supply chain from radiological and nuclear attacks." The "Coast Guard" hearing held on March 5, 2008 offers testimony on the "Coast Guard's 2009 budget request and its impact on the Coast Guard's maritime, safety, security, and environmental protection missions." Statements, letters, and materials submitted for the record include those of the following (some appear at more than one hearing, but are only listed once): April 1, 2008 "Addressing the Challenges" hearing: Robert Jamison, Robert Stephan, Gregory Garcia, Harold Rogers, John Carter, and David E. Price; March 6, 2008 "Border Security" hearing: W. Ralph Basham, Robert A. Mocny, Richard M. Stana, Jerry Lewis, Kay Granger, John Peterson, and Chet Edwards; April 2, 2008 "Cargo Container" hearing: Stephen Flynn, Chris Koch and John Culberson; March 5, 2008 "Coast Guard" hearing: Thad W. Allen, John P. Hutton, Robert Aderholt, Sam Farr, Lucille Roybal-Allard, Nita Lowey, Vayl S. Oxford, Jayson P. Ahern, and Stephen L. Caldwell.

  United States. Government Printing Office

  2008
• Improving the Cybersecurity of Cyber-Physical Systems Through Behavioral Game Theory and Model Checking in Practice and in Education

  Show summary     Open resource [pdf]     (open full abstract)

  "This dissertation presents automated methods based on behavioral game theory and model checking to improve the cybersecurity of cyber-physical systems (CPSs) and advocates teaching certain foundational principles of these methods to cybersecurity students. First, it encodes behavioral game theory's concept of level-k reasoning into an integer linear program that models a newly defined security Colonel Blotto game. This approach is designed to achieve an efficient allocation of scarce protection resources by anticipating attack allocations. A human subjects experiment based on a CPS infrastructure demonstrates its effectiveness. Next, it rigorously defines the term adversarial thinking, one of cybersecurity education's most important and elusive learning objectives, but for which no proper definition exists. It spells out what it means to 'think like a hacker' by examining the characteristic thought processes of hackers through the lens of Sternberg's triarchic theory of intelligence. Next, a classroom experiment demonstrates that teaching basic game theory concepts to cybersecurity students significantly improves their strategic reasoning abilities. Finally, this dissertation applies the SPIN model checker to an electric power protection system and demonstrates a straightforward and effective technique for rigorously characterizing the degree of fault tolerance of complex CPSs, a key step in improving their defensive posture."

  Air Force Institute of Technology (U.S.)

  Hamman, Seth T.

  2016-09
• Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats

  Show summary     Open resource [pdf]     (open full abstract)

  "During the past two decades, almost every aspect of life in the United States has become dependent upon sophisticated networked information systems with global reach and power. Increasingly, malicious cyber actors are learning to exploit these dependencies to steal from Americans, disrupt their lives, and create insecurity domestically and instability internationally. The United States has resolved to take clear and unequivocal actions, partnering with friends and allies when possible, to safeguard cyberspace and the benefits it offers. Recognizing the urgency of this and other cyber policy challenges, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, calls for a report 'on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats.' This report suggests a new U.S. vision to help guide efforts to deter adversaries and better protect the American people from cyber threats and recommends follow-on work aimed at advancing these efforts; the following unclassified overview touches on these efforts in brief, which have been ongoing."

  United States. Department of State

  2018-05-31
• Readout of Acting Secretary Beers' Trip to New York [October 21, 2013]

  Show summary     Open resource [pdf]     (open full abstract)

  On October 21, 2013, the Department of Homeland Security issued the following press release: "Acting Secretary of Homeland Security Rand Beers today traveled to New York City to discuss the Department of Homeland Security's (DHS) work with private sector partners to increase cybersecurity, protect critical infrastructure and make the public less vulnerable to cyber crimes. Acting Secretary Beers began his day with a visit to the NASDAQ MarketSite in Times Square where he rang the Opening Bell alongside private sector partners. Acting Secretary Beers and National Protection and Programs Directorate Deputy Under Secretary for Cybersecurity Phyllis Schneck also delivered remarks and participated in a discussion with business leaders on cybersecurity, as part of National Cyber Security Awareness Month. National Cyber Security Awareness Month engages public and private sector stakeholders -- especially the public -- to create a safe, secure, and resilient cyber environment."

  United States. Department of Homeland Security. Press Office

  2013-10-21
• Federal Government and Small Businesses: Promoting Greater Information Sharing for Stronger Cybersecurity, Hearing Before the Committee on Small Business, United States House of Representatives, One Hundred Fifteenth Congress, First Session, November 15, 2017

  Show summary     Open resource [pdf]     (open full abstract)

  This is from the November 15, 2017 hearing "Federal Government and Small Businesses: Promoting Greater Information Sharing for Stronger Cybersecurity," held before the Committee on Small Business. From the opening statement of Steve Chabot: "Advances in information technology, IT, have helped small businesses rapidly increase their productivity, enter new markets that were once out of reach, and offer consumers new and innovative services and products. However, IT has advanced so quickly that it has been difficult to keep pace with the ever-growing cyber threats. Cybercriminals and foreign bad actors have more opportunities than ever to steal intellectual property, consumer data, and hold small business IT systems hostage for financial gain. In 2016 alone, the United States Department of Justice recorded nearly 300,000 cybersecurity complaints. Our Committee's examinations of these increasing concerns have revealed that federal agencies are making a serious effort to better coordinate and dis-tribute cybersecurity resources directly to small businesses. How-ever, there are still challenges to ensuring that small businesses are as protected as possible from cyber attacks. One of the major hurdles continues to be the lack of information sharing between public and private sectors. Information sharing is a fundamental component for a strong and effective cybersecurity defense, not just for small businesses, but for America's network as a whole. The federal government must make every effort possible to ensure that small businesses have both the resources and the confidence they need to actively engage with the federal agencies tasked with protecting our critical infrastructure." Statements, letters, and materials submitted for the record include those of the following: Rob Arnold, Ola Sage, Morgan Reed, and Thomas Gann.

  United States. Government Publishing Office

  2018
• H. R. 3359: Cybersecurity and Infrastructure Security Agency Act of 2018

  Show summary     Open resource [pdf]     (open full abstract)

  This amendment was signed into law by President Trump on November 16, 2018. From the text of the legislation: "The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the 'Cybersecurity and Infrastructure Security Agency'" The duties of this new agency shall include: ''(A) furnishing cybersecurity technical assistance to entities affected by cybersecurity risks to protect assets, mitigate vulnerabilities, and reduce impacts of cyber incidents; (B) identifying other entities that may be at risk of an incident and assessing risk to the same or similar vulnerabilities; (C) assessing potential cybersecurity risks to a sector or region, including potential cascading effects, and developing courses of action to mitigate such risks; (D) facilitating information sharing and operational coordination with threat response; and (E) providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery from cybersecurity risks."

  United States. Government Publishing Office

  2018-01-03
• 2019 Annual Report: NIST/ITL Cybersecurity Program

  Show summary     Open resource [pdf]     (open full abstract)

  From the Abstract: "During Fiscal Year 2019 (FY 2019), from October 1, 2018 through September 30, 2019, the NIST [National Institute of Standards and Technology] Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This annual report highlights the FY 2019 research agenda and activities for the ITL Cybersecurity and Privacy Program, including: the ongoing participation and development of international standards; the enhancement of privacy and security risk management models, including those for the protection of controlled unclassified information (CUI), systems engineering and cyber resiliency, supply chains, and mobile technologies; the continued advancement of cryptographic technologies, including updates to Federal Information Processing Standard (FIPS) Publication 140-3, 'Security Requirements for Cryptographic Modules', and preparation for post-quantum cryptographic methods; and improved infrastructure protection in areas such as zero trust architectures and advanced networking security. NIST maintained a strong focus on supporting small and medium-sized businesses (SMBs), including updates to the Small Business Cybersecurity Corner website to make resources easier to find and use, and drawing on contributed cybersecurity resources and feedback received from federal partners and the public."

  National Institute of Standards and Technology (U.S.)

  O'Reilly, Patrick J.; Rigopoulos, Kristina

  2020-08
• Critical Infrastructure Protection: Establishing Effective Information Sharing with Infrastructure Sectors, Statement of Robert F. Dacey, Director, Information Security Issues, Testimony before the Subcommittee on Cybersecurity, Science, and Research & Development and Infrastructure and Border Security, Select Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  Critical Infrastructure Protection (CIP) activities that are called for in federal policy and law are intended to enhance the security of the cyber and physical public and private infrastructures that are essential to our nation's security, economic security, and public health and safety. As our reliance on these infrastructures increases, so do the potential threats and attacks that could disrupt critical systems and operations. Effective information-sharing partnerships between industry sectors and government can contribute to CIP efforts. Federal policy has encouraged the voluntary creation of Information Sharing and Analysis Centers ISACs) to facilitate the private sector's participation in CIP by serving as mechanisms for gathering and analyzing information and sharing it among the infrastructure sectors and between the private sector and government. This testimony discusses the management and operational structures used by ISACs, federal efforts to interact with and support the ISACs, and challenges to and successful practices for ISACs' establishment, operation, and partnerships with the federal government.

  United States. General Accounting Office

  2004-04-21
• Infrastructure Investment and Jobs Act (IIJA): Drinking Water and Wastewater Infrastructure [Updated January 4, 2022]

  Show summary     Open resource [pdf]     (open full abstract)

  From the Summary: "In recent years, multiple events have increased attention to the condition of the nation's local drinking water and wastewater infrastructure, and the financial challenges that communities confront in maintaining, repairing, or replacing aging water infrastructure. The U.S. Environmental Protection Agency (EPA) estimates that the capital cost of wastewater and drinking water infrastructure needed to meet federal water quality and safety requirements and public health objectives exceeds $744 billion over a 20-year period. Congressional interest in expanding federal funding for local drinking water and wastewater infrastructure has also increased in recent years. [...] This report discusses the drinking water and wastewater infrastructure provisions in IIJA [Infrastructure Investment and Jobs Act]. Drinking water and wastewater-relevant provisions of the act include the following: [1] Emergency supplemental appropriations to the SRF [State Revolving Fund] programs, which represent a substantial increase over recent regular appropriations for these programs; in particular, the level of DWSRF [Drinking Water State Revolving Fund] appropriations average $6.14 billion per fiscal year, nearly six times the level of recent DWSRF annual appropriations; the majority of the supplemental funding for the DWSRF program are dedicated to lead line replacement. [2] Nearly half of the supplemental funding for the SRF programs is directed to principal forgiveness or grants, in contrast to subsidized loans, the traditional instrument of the SRF programs. [3] Supplemental appropriations to address emerging contaminants: $4 billion for the DWSRF program and $1 billion for the CWSRF [Clean Water State Revolving Fund] program over five fiscal years. [4] Authority for EPA to establish multiple new grant programs to address a range of specific objectives, including assistance to specific communities, improvements in resilience to natural hazards and cybersecurity vulnerabilities, among others. [5] Modifications in funding authority and eligibility to several existing EPA funding programs, including the SRF programs and grant programs that address specific concerns, including affordability."

  Library of Congress. Congressional Research Service

  Humphreys, Elena H.; Ramseur, Jonathan L.

  2022-01-04
• DON CIP: A Comprehensive Solution to Improve Cyber and Physical Security of DON Critical Assets

  Show summary     Open resource [pdf]     (open full abstract)

  "A primary goal of the Department of the Navy Information Management/Information Technology (IM/IT) Strategic Plan is 'providing Full Dimensional Protection (FDP) that ensures Naval warfighting effectiveness.' FDP involves three initiatives: Critical Infrastructure Protection (CIP), Information Assurance and Privacy. This article provides an overview on the DON CIP initiative. CIP is mission assurance: the identification, assessment and assurance of cyber and physical assets essential to the mobilization, deployment and sustainment of U.S. military operations. Effective critical infrastructure protection identifies vulnerabilities and risks to critical assets supporting warfighting missions, remediates those validated vulnerabilities to protect against compromise, and, if compromised, minimizes impact to mission performance with effective consequence management plans and procedures."

  United States. Department of the Navy

  Reiter, Donald

  2005-04
• Critical Infrastructures: Background and Early Implementation of PDD-63 [Updated June 19, 2001]

  Show summary     Open resource [pdf]     (open full abstract)

  "The nations health, wealth, and security rely on the supply and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures (e.g. electricity, the power plants that generate it, and the electric grid upon which it is distributed or financial capital, the institutions that manage it, and the record- keeping and communications that move it from one institution to another). Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There is concern that this reliance on computers and computer networks makes the nations critical infrastructures vulnerable to 'cyber' attacks. In May 1998, President Clinton released Presidential Decision Directive No. 63. The Directive sets up groups within the federal government to develop and implement plans that would protect government-operated infrastructures and calls for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect the nations critical infrastructures by the year 2003. PDD-63 identified 12 areas critical to the functioning of the country: information and communications; banking and finance; water supply; transportation; emergency law enforcement; emergency fire service; emergency medicine; electric power, oil, and gas supply and distribution; law enforcement and internal security; intelligence; foreign affairs; and national defense."

  Library of Congress. Congressional Research Service

  Moteff, John D.

  2001-06-19
• Cybersecurity: Critical Infrastructure Authoritative Reports and Resources [December 6, 2016]

  Show summary     Open resource [pdf]     (open full abstract)

  "Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, §1016(e)) as 'systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.' Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production; and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense. In February 2013, the Obama Administration issued PPD-21, Critical Infrastructure Security and Resilience, which superseded HSPD-7 issued during the George W. Bush Administration. PPD-21 made no major changes in policy, roles and responsibilities, or programs, but did order an evaluation of the existing public-private partnership model, the identification of baseline data and system requirements for efficient information exchange, and the development of a situational awareness capability. PPD-21 also called for an update of the National Infrastructure Protection Plan, and a new Research and Development Plan for Critical Infrastructure, to be updated every four years. This report serves as a starting point for congressional staff assigned to cover cybersecurity issues as they relate to critical infrastructure."

  Library of Congress. Congressional Research Service

  Tehan, Rita

  2016-12-06
• Critical Infrastructures: A Primer [August 13, 1998]

  Show summary     Open resource [pdf]     (open full abstract)

  The nation's health, wealth, and security rely on the supply and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures. Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There is concern that this reliance on computers and computer networks makes the nation's critical infrastructures vulnerable to "cyber" attacks, be they from mischievous teenage hackers or information warriors from foreign countries. In May 1998, the President released Presidential Decision Directive No. 63. The Directive organizes the federal government to develop and implement plans that would protect government-operated infrastructures and calls for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect the nation's critical infrastructures by the year 2003.

  Library of Congress. Congressional Research Service

  Moteff, John D.

  1998-08-13
• S. Rept. 107-118: Water Infrastructure Security and Research Development Act, Report to Accompany S. 1593, December 10, 2001

  Show summary     Open resource [pdf]     (open full abstract)

  Based on the recommendations of Presidential Decision Directive 63, issued by President Clinton in 1998, the Environmental Protection Agency and its industry partner, the Association of Metropolitan Water Agencies, have established a communications system, a water infrastructure Information Sharing and Analysis Center, designed to provide real-time threat assessment data to water utilities throughout the nation. Through this partnership, the Environmental Protection Agency and the Association of Metropolitan Water Agencies are working to develop generic assessment tools that individual water utilities can use to assess their facilities for potential physical and cyber threats. In October 2001, the Environmental Protection Agency established the Water Protection Task Force to ensure that activities to protect and secure water supply infrastructure are comprehensive and are carried out expeditiously. During that same month, the EPA disseminated information to America's water utilities information about specific steps they can take to protect their sources of supply and their infrastructure. Working with the FBI, EPA also sent notice to local law enforcement agencies asking them to work closely with their local water utilities to provide extra security. The committee intends for S. 1593 to supplement these short-term efforts by focusing on mid- to long-term actions designed to enhance our current water security capabilities.

  United States. Government Printing Office

  2001-12-10
• Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection, Statement for the Record by Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems Accounting and Information Management Division, Testimony before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate

  Show summary     Open resource [pdf]     (open full abstract)

  Government officials are increasingly concerned about computer attacks from individuals and groups with malicious intentions, including terrorists and nations engaging in information warfare. The dramatic rise in the interconnectivity of computer systems has compounded this threat. Today, massive computer networks provide pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations. The National Plan for Information Systems Protection calls for strengthening the defenses against threats to critical public and private-sector computer systems--particularly those supporting public utilities, telecommunications, finance, emergency services, and government operations. The Plan is intended to begin a dialogue and help develop plans to protect other elements of the nation's infrastructure, including the physical infrastructure and the roles and responsibilities of state and local governments and private industry. In GAO's view, the Plan is an important and positive step toward building the cyber defenses necessary to protect critical information and infrastructures. It (1) identifies the risks arising from the nation's dependence on computer networks for critical services, (2) recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security, and (3) outlines key concepts and general initiatives to help achieve these goals. Opportunities exist, however, to improve the plan and address significant challenges to building the public-private partnership necessary for comprehensive infrastructure protections. GAO believes that, rather than emphasizing intrusion detection capabilities, the plan should strive to provide agencies with the incentives and the tools to implement the management controls essential to comprehensive computer security programs. Also, the plan relies heavily on legislation and requirements already in place that, as a whole, are outmoded and inadequate as well as poorly implemented by the agencies.

  United States. General Accounting Office

  2000-02-01
• President's Commission on Critical Infrastructure Protection: Overview Briefing

  Show summary     Open resource [pdf]     (open full abstract)

  This document presents an overview of the President's Commission on Critical Infrastructure Protection. "The President's Commission on Critical Infrastructure Protection (PCCIP) was created by Executive Order 13010, signed by the President on July 15, 1996. The Executive Order originally stated that the Commission would terminate after one year; however, the order has since been amended to extend the life of the Commission by three months, to October 13, 1997. The Commission is therefore well along in its fifteen-month task of assessing physical and cyber threats to our vital infrastructures and developing policies and strategies to protect them. This overview briefing reports on the status of our work to those elements of the public and private sectors that have an interest in infrastructure assurance issues. We invite your participation as our work continues. Infrastructure protection is a broad subject of great complexity. At the outset we devised an approach to the task, and as work has progressed we have begun to form some general, preliminary impressions. Our outreach program has been extensive, but there are many knowledgeable sources we have not yet explored, and others yet to be discovered. We are by no means certain of our final findings and recommendations. What follows is intended to provide a sense of some of the issues we are exploring in the quest to find workable solutions to a serious problem."

  United States. President's Commission on Critical Infrastructure Protection

  1997-06
• National Infrastructure Protection Plan [Overview]

  Show summary     Open resource [pdf]     (open full abstract)

  "Protecting and ensuring the continuity of the critical infrastructure and key resources (CIKR) of the United States is essential to the Nation's security, public health and safety, economic vitality, and way of life. CIKR includes physical or virtual assets, systems, and networks so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters. The National Infrastructure Protection Plan (NIPP) provides the coordinated approach that is used to establish national priorities, goals, and requirements for CIKR protection so that Federal resources are applied in the most effective and efficient manner to reduce vulnerability, deter threats, and minimize the consequences of attacks and other incidents. It establishes the overarching concepts relevant to all CIKR sectors identified under the authority of Homeland Security Presidential Directive 7, and addresses the physical, cyber, and human considerations required for effective implementation of protective programs and resiliency strategies."

  United States. Department of Homeland Security
• Pandemic Impacts to Lifeline Critical Infrastructure

  Show summary     Open resource [pdf]     (open full abstract)

  From the Scope: "The Department of Homeland Security's Office of Cyber and Infrastructure Analysis (DHS/OCIA) produces Critical Infrastructure Security and Resilience Notes in response to changes in the infrastructure protection community's risk environment from terrorist attacks, natural hazards, and other events. This note examines the impact of a pandemic on lifeline critical infrastructure at the local, regional and national level, including the effects of absenteeism on these sectors. This note also reviews the potential economic impacts resulting from a pandemic and procedures for mitigating the impact of a pandemic. This note supports DHS leadership, the DHS Protective Security Advisors, and other Federal, State, and local agencies. This product was developed in coordination with the DHS Office of Health Affairs, the DHS National Protection and Programs Directorate's Office of Infrastructure Protection, the Department of Health and Human Services (HHS), and the Department of Energy (DOE)."

  United States. Department of Homeland Security

  2015-07-30
• Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage, Statement of Gregory C. Wilshusen, Director, Information Security Issues, Testimony Before the Subcommittee on Counterterrorism and Intelligence, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  "The threat of economic espionage--the theft of U.S. proprietary information, intellectual property (IP), or technology by foreign companies, governments, or other actors--has grown. Moreover, dependence on networked information technology (IT) systems has increased the reach and potential impact of this threat by making it possible for hostile actors to quickly steal massive amounts of information while remaining anonymous and difficult to detect. To address this threat, federal agencies have a key role to play in law enforcement, deterrence, and information sharing. Consistent with this threat, GAO [Government Accountability Office] has designated federal information security as a governmentwide high-risk area since 1997 and in 2003 expanded it to include protecting systems and assets vital to the nation (referred to as critical infrastructures). GAO was asked to testify on the cyber aspects of economic espionage. Accordingly, this statement discusses (1) cyber threats facing the nation's systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key federal entities in support of protecting IP. To do this, GAO relied on previously published work in this area, as well as reviews of reports from other federal agencies, media reports, and other publicly available sources. […] In prior reports, GAO has made hundreds of recommendations to better protect federal systems, critical infrastructures, and intellectual property."

  United States. Government Accountability Office

  2012-06-28
• Readout of Secretary Napolitano's Remarks at the ASIS International 58th Annual Seminar [September 10, 2012]

  Show summary     Open resource [pdf]     (open full abstract)

  On September 10, 2012, the Department of Homeland Security issued the following press release: "Secretary of Homeland Security Janet Napolitano today traveled to Philadelphia to deliver remarks at the American Society of Industrial Security (ASIS) International 58th Annual Seminar highlighting the Department of Homeland Security's (DHS) collaboration with the private sector on cybersecurity and protecting our nation's critical cyber infrastructure. 'Protecting critical infrastructure and cyberspace -- including the systems and networks that support the financial services, energy and defense industries -- requires all of us working together,' said Secretary Napolitano. 'From government and law enforcement to the private sector and members of the public, everyone has a role to play in protecting against cyber threats.'"

  United States. Department of Homeland Security. Press Office

  2012-09-10
• Critical Infrastructure Protection: DHS Risk Assessments Inform Owner and Operator Protection Efforts and Departmental Strategic Planning, Report to Congressional Requesters

  Show summary     Open resource [pdf]     (open full abstract)

  "The nation's critical infrastructure includes cyber and physical assets and systems across 16 different sectors whose security and resilience are vital to the nation. The majority of critical infrastructure is owned and operated by the private sector. Multiple federal entities, including DHS, work with infrastructure owners and operators to assess their risks. GAO [Government Accountability Office] was asked to review DHS's risk assessment practices for critical infrastructure. This report describes:(1) DHS's risk assessment practices in 3 of 16 critical infrastructure sectors and private sector representatives' views on the utility of this risk information, and (2) how this risk information influences DHS's strategic planning and private sector outreach. GAO selected 3 of 16 sectors-Critical Manufacturing; Nuclear Reactors, Materials, and Waste; and Transportation Systems-to examine based on their varied regulatory structures and industries. GAO reviewed DHS guidance related to infrastructure protection, the QHSR [Quadrennial Homeland Security Review] and DHS Strategic Plan, and plans for the selected critical infrastructure sectors. GAO interviewed DHS officials responsible for critical infrastructure risk assessments, and the owner and operator representatives who serve as chairs and vice-chairs of coordinating councils for the 3 selected sectors. Information from the 3 sectors is not generalizable to all 16 sectors but provides insight into DHS's risk management practices. GAO provided a draft of this report to DHS and relevant excerpts to the council representatives interviewed during this review. Technical comments provided were incorporated as appropriate."

  United States. Government Accountability Office

  2017-10-30
• Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing, Report to Congressional Requesters

  Show summary     Open resource [pdf]     (open full abstract)

  From the Highlights: "The risk environment for critical infrastructure ranges from extreme weather events to physical and cybersecurity attacks. The majority of critical infrastructure is owned and operated by the private sector, making it vital that the federal government work with the private sector, along with state, local, tribal, and territorial partners. CISA [Cybersecurity and Infrastructure Security Agency] is the lead federal agency responsible for overseeing domestic critical infrastructure protection efforts. GAO [Government Accountability Office] was asked to review CISA's critical infrastructure prioritization activities. This report examines (1) the extent to which the National Critical Infrastructure Prioritization Program currently identifies and prioritizes nationally significant critical infrastructure, (2) CISA's development of the National Critical Functions framework, and (3) key services and information that CISA provides to mitigate critical infrastructure risks."

  United States. Government Accountability Office

  2022-03
• Critical Infrastructure Protection: DHS Actions Urgently Needed to Better Protect the Nation's Critical Infrastructure, Statement of Tina Won Sherman, Director, Homeland Security and Justice, Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  From the Highlights: "The nation's critical infrastructure consists of physical and cyber assets and systems that are vital to the United States. Their incapacity or destruction could have a debilitating impact on security, national public health and safety, or national economic security. Critical infrastructure provides the essential functions--such as supplying water, generating energy, and producing food--that underpin American society. Protecting this infrastructure is a national security priority. GAO [Government Accountability Office] first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting (1) cyber critical infrastructure in 2003 and (2) the privacy of personally identifiable information in 2015."

  United States. Government Accountability Office

  Sherman, Tina Won

  2022-04-06
• Cybersecurity Activities at NIST's Information Technology Laboratory, Hearing Before the Subcommittee on Technology and Innovation of the Committee on Science and Technology, House of Representatives, One Hundred Eleventh Congress, First Session, October 22, 2009

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of David Wu: "Congress realized the dangers of networked systems as far back as the 1980s, and in 1987, this committee wrote the Computer Security Act, which charged NIST (National Institute of Standards and Technology) with developing the technical standards to protect non-classified information on federal computer systems. Congress has remained concerned about cyber-threats, and since 1987, Congress has passed 13 laws related to cybersecurity. Today OMB (Office of Management and Budget) reports that federal agencies spend approximately $6 billion per year on cybersecurity to protect a $72 billion IT (Information Technology) infrastructure. In addition, the Federal Government funds $356 million in cybersecurity research each year. I don't believe that simply spending more money or creating more programs is the means to improve cybersecurity. We also need to use our existing resources more efficiently and with specific achievable goals in mind. This is also the main conclusion of the Administration's recent cybersecurity review. The focus of today's hearing is not to review what NIST has done but to address what should be its focus going forward. Since NIST is the only federal agency tasked with protecting non-classified federal computer systems, the testimony we hear today will have a vital and long-lasting affect on our nation's economic and national security." Statements, letters, and materials submitted for the record include those of the following: David Wu, Adrian Smith, Harry E. Mitchell, Cita M. Furlani, Susan Landau, Phyllis Schneck, William Wyatt Starnes, Fred B. Schneider, and Mark Bohannon.

  United States. Government Printing Office

  2010
• 2013-2023 Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy

  Show summary     Open resource [pdf]     (open full abstract)

  "The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) is working across the government, collaborating with the private sector, and empowering the public to create a safe, secure, and resilient cyber environment, and to promote cybersecurity knowledge and innovation. Homeland Security Presidential Directive-7 established U.S. policy for identifying, prioritizing, and protecting the Nation's eighteen critical infrastructure/key resources (CI/KR) from terrorist attacks. The NCSD's Control Systems Security Program (CSSP) mission is to reduce risk to the Nation's critical infrastructure by strengthening control systems security through public-private partnerships. This Plan focuses on how the U.S. DHS CSSP will advance industrial control system (ICS) cybersecurity standards development in the Transportation sector over the next five years."

  United States. Department of Homeland Security

  Kaiser, Lisa
• National Cybersecurity and Communications Integration Center [website]

  Show summary     Open resource [html]     (open full abstract)

  "Information sharing is a key part of the Department of Homeland Security's (DHS) mission to create shared situational awareness of malicious cyber activity. Cyberspace has united once distinct information structures, including our business and government operations, our emergency preparedness communications, and our critical digital and process control systems and infrastructures. Protection of these systems is essential to the resilience and reliability of the nation's critical infrastructure and key resources; therefore, to our economic and national security. DHS's National Cybersecurity and Communications Integration Center (NCCIC) is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement."

  United States. Department of Homeland Security