Searching for terms: ALL (Cyber AND Infrastructure AND Protection) in: title or summary
-
Establishing a Quadrennial Energy Review: Memorandum for the Heads of Executive Departments and Agencies, January 9, 2014
"Affordable, clean, and secure energy and energy services are essential for improving U.S. economic productivity, enhancing our quality of life, protecting our environment, and ensuring our Nation's security. Achieving these goals requires a comprehensive and integrated energy strategy resulting from interagency dialogue and active engagement of external stakeholders. To help the Federal Government better meet this responsibility, I am directing the undertaking of a Quadrennial Energy Review. The initial focus for the Quadrennial Energy Review will be our Nation's infrastructure for transporting, transmitting, and delivering energy. Our current infrastructure is increasingly challenged by transformations in energy supply, markets, and patterns of end use; issues of aging and capacity; impacts of climate change; and cyber and physical threats. Any vulnerability in this infrastructure may be exacerbated by the increasing interdependencies of energy systems with water, telecommunications, transportation, and emergency response systems. The first Quadrennial Energy Review Report will serve as a roadmap to help address these challenges. The Department of Energy has a broad role in energy policy development and the largest role in implementing the Federal Government's energy research and development portfolio. Many other executive departments and agencies also play key roles in developing and implementing policies governing energy resources and consumption, as well as associated environmental impacts. In addition, non-Federal actors are crucial contributors to energy policies. Because most energy and related infrastructure is owned by private entities, investment by and engagement of the private sector is necessary to develop and implement effective policies."
United States. Office of the Federal Register
Obama, Barack
2014-01-09
-
Challenges in the Protection of US Critical Infrastructure in the Cyber Realm
From the abstract: "This paper evaluates the US military participation in the arena of domestic cyber security for critical infrastructure protection. The issue is relevant for two major reasons. First, it deals with the current phenomena of continuous cyber attacks on US critical infrastructure, which dominates the discussion of potential future and global threats to the United States. Second, the US is trying to cope with current challenges to cyber security with military means, which is sparking academic and political debate. The latter relevance comprises the main argument of this study, that a military approach to cyber security is not the best choice. Generally, critical infrastructure protection is inherently civil related. Other factors to consider are Presidential Directives and US cyber strategies, which assigned the Department of Homeland Security (DHS) to organizing, synchronizing, and executing critical infrastructure protection for the homeland. Nonetheless, the US military is deeply involved in domestic affairs regarding cyber security. Numerous reasons create this curious reality. Ill-defined and unclear classifications of the variety of cyber attacks make almost everything appear as an undifferentiated hazard. Cyber hype, largely a product of efforts by the information technology industry, only serves to add to the contemporary misperception of cyber threats. Terms of cyber related issues are often militarized, over emphasized, and undifferentiated. The resulting confusion produced inadequate domestic cyber security efforts, insufficient public-private cooperation, and a turn to the military for leadership. This absorption of DHS related fields of actions by the Department of Defense are questionable in two respects: constitutionally power-sharing principles prohibit the military from policing inside of the United States and the militarization of cyber security may hamper the necessary public-private cooperation for domestic cyber security."
U.S. Army Command and General Staff College. School of Advanced Military Studies
Trobisch, Jan
2014-01
-
2014 National Guard Bureau Posture Statement: Sustaining an Operational Force
From the Executive Overview, "Constitutionally unique, the National Guard remains capable and ready to rapidly respond to complex civilian and military challenges going forward. From the local to national scene, the National Guard remains a proven performer at home and abroad. Today's threats demand the full capability the National Guard currently provides, and its potential to adapt to meet critical future missions such as cyber threats and complex infrastructure system protection. The National Guard rapidly and competently expands the operational capacity of the Army and the Air Force by providing trained, equipped and ready Soldiers, Airmen and units. These units range from small, elite teams to highly effective brigade, division and air wing organizations across the spectrum of combat, combat support, and combat service support functions. Over the past decade, Guard members have deployed more than 750,000 times in support of operations in Iraq, Afghanistan, the Balkans, the Sinai, the Horn of Africa, and other locations across the globe. Our nation has invested tens of billions of dollars in the National Guard and it has yielded a return that has produced one of the best trained, best equipped dual-mission forces in our 376-year history. The National Guard also blends military and civilian skills, including substantial untapped cyber expertise well-suited to understanding and working in an increasingly complex global environment."
United States. National Guard Bureau
2014
-
Threat to Americans' Personal Information: A Look into the Security and Reliability of the Health Exchange Data Hub, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security U.S. House of Representatives, One Hundred Thirteenth Congress, First Session, September 11, 2013
This is the September 11, 2013 hearing on "The Threat to Americans' Personal Information," held before the U.S. House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. From opening statement of Patrick Meehan: "The subcommittee is meeting today to examine the security and reliability of the Health Exchange Data Hub and the existence of any threat to Americans' personal information. […] Today's hearing, 'The Threat to Americans' Personal Information: A Look into the Security and Reliability of the Health Exchange Data Hub,' is the second hearing on this issue in less than two months by this committee, or associated with this committee. The Federal Data Services' hub was established under the rule-making for the Patient Protection and Affordable Care Act. Its purpose is to be the one-stop shop to connect applicants to the Affordable Care Act exchanges. The hub will connect to multiple federal agencies including the Social Security Administration, to verify an applicant's social security number, the IRS [Internal Revenue Service], to verify income […], the Department of Homeland Security to verify citizenship and immigration status, as well as other federal agencies to determine an applicant's eligibility for federal health insurance subsidies. […] Personally identifiable information for every applicant and their families will pass through the data hub from these various agencies. In fact, over 20 million Americans are expected to enter the exchange over the next five years. […] This information will be "stored in the exchange system of records for up to ten years. […] The Government Accountability Office in a June 2013 report called the hub a 'complex undertaking' involving the coordinated actions of multiple federal, state, and private stakeholders. The report concluded that a timely and smooth implementation by October 13, 2013 cannot yet be determined." We're here today to "examine CMS' [Centers for Medicare and Medicaid Services] progress in securing America's personal information. […] As we sit just twenty days removed from the exchanges in the data hub going live on October 1, I have grave concerns from a cybersecurity standpoint. We've assembled a panel of witnesses uniquely qualified and commenting on the scope and readiness of the mounting task at hand." Statements, letters, and materials submitted for the record include those of the following: Michael Astrue, Stephen T. Parente, Kay Daly, and Matt Salo.
United States. Government Printing Office
2014
-
Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management, Joint Hearing Before the Subcommittee on Emergency Preparedness, Response, and Communications, and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, First Session, October 30, 2013
This is the October 30, 2013 joint hearing on "Cyber Incident Response" held before the U.S. House Committee on Homeland Security. From the opening statement of Susan W. Brooks: "The Subcommittees on Emergency Preparedness, Response, and Communications and Cybersecurity, Infrastructure Protection and Security Technologies will come to order. […] October is Cybersecurity Awareness Month, and I think it is so very important that we observe this month in part of our awareness because it must be our ability to not only protect our networks and our critical infrastructure from intrusions, but also, what is our ability to respond should an intrusion become successful? After all, we do know that the threat of a cyber attack is real and in a speech just prior to her resignation former Secretary of Homeland Security Janet Napolitano discussed that threat. She forecasted that our country will face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society." Statements, letters, and materials submitted for the record include those of the following: Susan W. Brooks, Donald M. Payne, Jr., Yvette D. Clarke, Bennie G. Thompson, Roberta Stempfley, Charley English, Craig Orgeron, Mike Sena, and Paul Molitor.
United States. Government Printing Office
2014
-
Assessing Persistent and Emerging Cyber Threats to the U.S. in the Homeland, Joint Hearing Before the Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, Second Session, May 21, 2014
This is the May 21, 2014 hearing titled "Assessing Persistent and Emerging Cyber Threats to the U.S. in the Homeland." It was presented as a Joint Hearing before the U.S. House of Representatives Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security. From the opening statement of the honorable Peter King: "The expanding number of cyber actors, ranging from nation-states to terrorists to criminals, as well as increasing attack capability and the increasing intensity of cyber attacks around the globe, have made cyber warfare and cyber crime one of the most significant threats facing the United States. […] Over the last decade the threats facing the United States have become more diverse, as have the tools for conducting attacks and waging war. While the United States has made great strides to secure the homeland since 9/11, our enemies have evolved, and we must now consider that a foreign adversary, terrorist network, or a criminal organization will use cyberspace to penetrate America's defenses. […] The subcommittees are meeting today to hear testimony examining persistent and emerging cyber threats to the United States." Statements, letters, and materials submitted for the record include those of the following: Glenn Lemons, Joseph Demarest, and Larry Zelvin.
United States. Government Printing Office
2014
-
Coast Guard Journal of Safety & Security at Sea: Proceedings of the Marine Safety & Security Council [Volume 71, Number 4]
This edition of Coast Guard Journal of Safety at Sea, Proceedings of the Marine Safety & Security Council is titled, "Cybersecurity: Vulnerabilities, Threats and Risk Management". Featured articles include: "Maritime Governance: Designed with security in Mind"; "The Coast Guard and Cybersecurity: A Legal Framework for Prevention and Response"; "C-Cubed: Increasing Cyber Resilience, Awareness, and Managing Risk"; "Reducing Cyber Risk: Marine Transportation System Cybersecurity Standards, Liability Protection, and Cyber Insurance"; "Cyberspace-The Imminent Operational Domain: A Construct to Tackle the Coast Guard's Tough Challenges"; "Shifting the Paradigm: The DHS Continuous Diagnostics and Mitigation Program"; "Hacking 101: Using Social Engineering Increases Security Attack Effectiveness"; "Zero-Day Vulnerabilities: What To Do When It's Too Late To Prevent an Attack"; "Securing Your Control Systems: Overcoming Vulnerabilities"; "Building Port Resilience: How Cyber Attacks Can Affect Critical Infrastructure"; "Maritime Critical Infrastructure Cyber Risk: Threats, Vulnerabilities, and Consequences"; "Hide and Seek: Managing Automatic Identification System Vulnerabilities"; and "GPS Spoofing and Jamming: A Global Concern For All Vessels".
United States. Coast Guard
2014
-
Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities' Emerging Technology, Report to the Congressional Requesters
From the Highlights: "Individuals can contact fire, medical, and police first responders in an emergency by dialing 911. To provide effective emergency services, public safety entities such as 911 call centers use technology including databases that identifies phone number and location data of callers. Because these critical systems are becoming more interconnected, they are also increasingly susceptible to cyber-based threats that accompany the use of Internet-based services. This, in turn, could impact the availability of 911 services. GAO [Government Accountability Office] was asked to review federal coordination with state and local governments regarding cybersecurity at public safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments regarding cybersecurity efforts at emergency operations centers, public safety answering points, and first responder organizations involved in handling 911 emergency calls. To do so, GAO analyzed relevant plans and reports and interviewed officials at (1) five agencies that were identified based on their roles and responsibilities established in federal law, policy, and plans and (2) selected industry associations and state and local governments."
United States. Government Accountability Office
2014-01
-
Oversight of Executive Order 13636 and Development of the Cybersecurity Framework, Hearing Before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technology, One Hundred Thirteenth Congress, First Session, July 18, 2013
This is the July 18, 2013 hearing, "Oversight of Executive Order 13636 and Development of the Cybersecurity Framework," before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technology. From the opening statement of Patrick Meehan: "Today we will focus on the Cybersecurity Framework, under which the National Institute of Standards and Technology (NIST) has the responsibility of working with stakeholders to develop. The Framework is expected to be completed and released in October 2013. On July 1st, NIST released an outline of the framework, which will be the basis of the committee's questioning today. So far NIST has held three workshops to gather input from industry, academia, and other stakeholders, with a fourth expected in September. I believe that the outline of NIST's framework provides an important step to increasing our nation's awareness and ability to protect our networks from crippling cyber attacks. In fact, I believe that there are many mature actors in both government and the private sector working in great coordination currently -- including those at the Department of Homeland Security -- to shield our systems from cyber threats. It is, however, those outliers -- the ones without the awareness, those with insufficient resources -- who can present immense vulnerabilities to entire networks. It is this concern that our subcommittee seeks to have allayed. We must find answers to the question of, how do we incentivize participation without creating counterproductive, onerous standards and regulations?" Statements, letters, and materials submitted for the record include those of the following: Patrick Meehan, Robert Kolasky, Charles H. Romine, and Eric A. Fischer.
United States. Government Printing Office
2014
-
Cybersecurity: An Examination of the Communications Supply Chain, Hearing Before the Subcommittee on Communications and Technology of the Committee on Energy and Commerce, House of Representatives, One Hundred Thirteenth Congress, First Session, May 21, 2013
This is the May 21, 2013 hearing, "Cybersecurity: An Examination of the Communications Supply Chain," before the United States House of Representatives, Committee on Energy and Commerce, Subcommittee on Communications and Technology. From the opening statement of Hon. Greg Walden: "Our communications networks strengths - its ubiquity and interconnected nature - may actually also be a weakness. Those who wish to harm our Nation, to steal money or intellectual property, or merely to cause mischief can focus on myriad hardware and software components that make up the communications infrastructure. And they can do so anywhere in the design, the delivery, the installation, or the operation of those components. So today's hearing will focus on securing that communications supply chain. […] Many of us have concluded that promoting information-sharing through the Cyber Intelligence Sharing and Protection Act, CISPA, that he and Representative Ruppersberger have now twice assured through the House with large bipartisan votes, is pivotal to better securing our networks. It was also in large part this committee's 2012 report on the communications supply chain that prompted this hearing. Supply chain risk management is essential if we are to guard against those that would compromise network equipment or exploit the software that runs over and through it." Statements, letters, and materials submitted for the record include those of the following: Fred Upton, Greg Walden, Jennifer Bisceglie, Robert B. Dix Jr., Mark L. Goldstein, John Lindquist, David Rothenstein, Stewart A. Baker, and Dean Garfield.
United States. Government Printing Office
2014
-
Cognitive and Economic Decision Theory for Examining Cyber Defense Strategies
From the Introduction: "Cyber attacks pose a major threat to modern organizations. These attacks can have nefarious aims and serious consequences, including disruption of operations, espionage, identity theft, and attacks on critical infrastructure. Organizations must put substantial resources into protecting themselves and their customers, clients, and others against cyber attacks. Even with a substantial investment in cyber defense resources, however, the risk of harm from a cyber attack is significant for many organizations. The effectiveness of cyber defense can likely be enhanced if programs are implemented that allow organizations that face similar cyber threats to share information and resources. The threats faced by different organizations may be similar or identical (figure 1), and much of the work done by cyber defenders at these organizations may be redundant (Hui et al. 2010). By sharing information about cyber attacks, effective defense strategies, and personnel with specific expertise, organizations may better protect themselves against cyber threats while maintaining or even reducing the resources dedicated to cyber security."
United States. Department of Energy. Office of Scientific and Technical Information; Sandia National Laboratories
Bier, Asmeret
2014-01
-
Implementation of EO 13636 and PPD-21: Final Report and Recommendations
From the Introduction: "On February 12, 2013, the President signed EO [Executive Order] 13636 and PPD-21, effecting changes throughout the critical infrastructure security and resilience (CISR) mission. The two documents were released concurrently in order to allow for a comprehensive approach to security and risk management, as well as to link cyber resilience and security to physical asset security and resilience. Goals of EO 13636 included the development of a voluntary cybersecurity network; encouraging the adoption of enhanced cybersecurity practices through promotion and incentives; increasing the volume, timeliness, and quality of information sharing; ensuring privacy and civil liberties are protected with regard to enhanced cybersecurity; and exploring existing cybersecurity regulations for possible inclusion in the framework. PPD-21 [Presidential Policy Directive 21] -- which replaces Homeland Security Presidential Directive 7 -- requires the development of near-real-time situational awareness of the status of physical and cyber infrastructure assets; exploration of the cascading impacts of critical infrastructure failures; evaluation of how to further develop the partnership between all levels of government and private sector owners and operators; the development of a comprehensive research and development plan; and the updating of the NIPP [National Infrastructure Protection Plan]."
National Infrastructure Advisory Council (U.S.)
Kepler, David E.; Heasley, Philip G.
2013-11-21
-
2013 Cybersecurity Executive Order: Overview and Considerations for Congress [November 8, 2013]
"The federal role in cybersecurity has been a topic of discussion and debate for over a decade. Despite significant legislative efforts in the 112th and 113th Congress, no major legislation on this topic has been enacted since the Federal Information Security Management Act (FISMA) in 2002, which addressed the security of federal information systems. In February 2013, the White House issued an executive order designed to improve the cybersecurity of U.S. critical infrastructure (CI). Citing repeated cyber-intrusions into critical infrastructure and growing cyberthreats, Executive Order 13636, 'Improving Critical Infrastructure Cybersecurity,' attempts to enhance security and resiliency of CI through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned CI, as well as use of existing federal regulatory authorities. Entities posing a significant threat to the cybersecurity of critical infrastructure assets include cyberterrorists, cyberspies, cyberthieves, cyberwarriors, and cyberhacktivists. E.O. 13636 attempts to address such threats by, among other things, [1] expanding to other CI sectors an existing Department of Homeland Security (DHS) program for information sharing and collaboration between the government and the private sector; [2] establishing a broadly consultative process for identifying CI with especially high priority for protection; [3] requiring the National Institute of Standards and Technology to lead in developing a Cybersecurity Framework of standards and best practices for protecting CI; and [4] directing regulatory agencies to determine the adequacy of current requirements and their authority to establish additional requirements to address the risks."
Library of Congress. Congressional Research Service
Fischer, Eric A.; Liu, Edward C.; Rollins, John . . .
2013-11-08
-
Presidential Proclamation - Critical Infrastructure Security and Resilience Month, 2013
"Over the last few decades, our Nation has grown increasingly dependent on critical infrastructure, the backbone of our national and economic security. America's critical infrastructure is complex and diverse, combining systems in both cyberspace and the physical world -- from power plants, bridges, and interstates to Federal buildings and the massive electrical grids that power our Nation. During Critical Infrastructure Security and Resilience Month, we resolve to remain vigilant against foreign and domestic threats, and work together to further secure our vital assets, systems, and networks. As President, I have made protecting critical infrastructure a top priority. Earlier this year, I signed a Presidential Policy Directive to shore up our defenses against physical and cyber incidents. In tandem with my Executive Order on cybersecurity, this directive strengthens information sharing within my Administration and between the Federal Government and its many critical infrastructure partners, while also ensuring strong privacy protections. Because of the interconnected nature of our critical infrastructure, my Administration will continue to work with businesses and industry leaders and build on all the great work done to date. With these partners, and in cooperation with all levels of government, we will further enhance the security and resilience of our critical infrastructure. We must continue to strengthen our resilience to threats from all hazards including terrorism and natural disasters, as well as cyber attacks. We must ensure that the Federal Government works with all critical infrastructure partners, including owners and operators, to share information effectively while jointly collaborating before, during, and after an incident. This includes working with infrastructure sectors to harden their assets against extreme weather and other impacts of climate change."
United States. White House Office
Obama, Barack
2013-10-31
-
Readout of Acting Secretary Beers' Trip to New York [October 21, 2013]
On October 21, 2013, the Department of Homeland Security issued the following press release: "Acting Secretary of Homeland Security Rand Beers today traveled to New York City to discuss the Department of Homeland Security's (DHS) work with private sector partners to increase cybersecurity, protect critical infrastructure and make the public less vulnerable to cyber crimes. Acting Secretary Beers began his day with a visit to the NASDAQ MarketSite in Times Square where he rang the Opening Bell alongside private sector partners. Acting Secretary Beers and National Protection and Programs Directorate Deputy Under Secretary for Cybersecurity Phyllis Schneck also delivered remarks and participated in a discussion with business leaders on cybersecurity, as part of National Cyber Security Awareness Month. National Cyber Security Awareness Month engages public and private sector stakeholders -- especially the public -- to create a safe, secure, and resilient cyber environment."
United States. Department of Homeland Security. Press Office
2013-10-21
-
Terminal Blackout: Critical Electric Infrastructure Vulnerabilities and Civil-Military Resiliency
"Threats to the electric grid (cyber, solar, non-nuclear electromagnetic pulse [NNEMP] and high-altitude nuclear electromagnetic pulse [HEMP]), as well as the potential consequences of significant damage to grid components by terrorists and other natural disasters, have increased incrementally since 2001; but details releasable to the public at the unclassified level were rare prior to 2008. Efforts by the Congressional 'Commission to Assess the Threat to the United States from Electromagnetic Pulse' (EMP Attack) to declassify data relevant to American society within their final 2008 report were successful (albeit limited, as much remains classified), and subsequently heralded during a major conference at Niagara Falls, sponsored by a new non-profit non-partisan organization, which hosted highly influential experts and proponents of critical electric infrastructure protection. Participants included sitting and retired Congressional members from both parties; former Directors of the CIA, the National Security Agency, and the Defense Nuclear Agency; counterterrorism analysts; commissioners; nuclear and electrical engineers; scientists; academics; and a wide variety of first responders."
Army War College (U.S.). Center for Strategic Leadership
Ayers, Cynthia E.; Chrosniak, Ken
2013-10
-
U.S. National Cyberstrategy and Critical Infrastructure: The Protection Mandate and Its Execution
From the thesis abstract: "The U.S has experienced numerous strategy assessments, with respect to cybersecurity of the national critical infrastructure and key resources (CI/KR). This is primarily due to the recurring realization of, but failure to address, root issues creating a clear disparity between the strategic national requirements and DHS' execution of its mandate regarding the reactionary protection of CI/KR. This thesis compiles: (1) the current and past literature involving the evolution of critical infrastructure protection, as it relates to cybersecurity; (2) how the current administration is addressing it; and (3) the various roles and authorities allocated to the various major executive agencies. This thesis concludes by providing eight specific recommendations with respect to improving the cybersecurity of the national CI/KR."
Naval Postgraduate School (U.S.)
Roper, Scott T.
2013-09
-
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions [June 20, 2013]
"For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised. The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure. More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002."
Library of Congress. Congressional Research Service
Fischer, Eric A.
2013-06-20
-
Executive Order 13636: Improving Critical Infrastructure Cybersecurity, Department of Homeland Security Integrated Task Force, Incentives Study Analytic Report
"In February 2013, the President signed Executive Order (EO) 13636, 'Improving Critical Infrastructure Cybersecurity,' and Presidential Policy Directive (PPD)-21, 'Critical Infrastructure Security and Resilience.' That same day, President Obama warned in his State of the Union Address: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. The policies set forth in these directives are intended to strengthen the security and resilience of critical infrastructure against evolving threats and hazards, while incorporating strong privacy and civil liberties protections into every cybersecurity initiative. These documents call for an updated and overarching national Framework that reflects the increasing role of cybersecurity in securing physical assets. […] EO 13636 and PPD-21 are intended to strengthen the security and resilience of critical infrastructure through an updated and overarching national Framework that acknowledges the increased role of cybersecurity in securing physical assets. The government and the private sector have a mutually shared interest in ensuring the viability of critical infrastructure, and the provision of essential services, under all conditions. Critical infrastructure owners and operators are often the greatest beneficiary of investing in their own security, and they have a social responsibility to adopt best practices for cybersecurity. However, the private sector may be justifiably concerned about the return on security investments that may not yield immediately measurable benefits. Effective incentives can help the private sector justify the costs of improved cybersecurity by balancing the short-term costs of additional investment with similarly near-term benefits."
United States. Department of Homeland Security
2013-06-12
-
Cybersecurity, Preparing for and Responding to the Enduring Threat, Hearing Before the Committee on Appropriations, United States Senate, One Hundred Thirteenth Congress, First Session Special Hearing, June 12, 2013
This testimony compilation is from the June 12, 2013 hearing, "Cybersecurity: Preparing for and Responding to the Enduring Threat," before the U.S. Senate Committee on Appropriations. From the opening statement of Keith B. Alexander: "I am here representing the Department of Defense in general and the men and women, military and civilian, who serve at U.S. Cyber Command (USCYBERCOM) and the National Security Agency/Central Security Service (NSA/CSS). It is my honor to appear today with colleagues from the Department of Justice (DOJ) and its Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the National Institute of Science and Technology (NIST). I hope to describe some of the challenges we face in performing the difficult but vital missions of keeping U.S. national security systems secure, helping to protect our nation's critical infrastructure from national-level cyber attacks, and working with other U.S. Government agencies, state and local authorities, national allies, and the private sector in defending our nation's interests in cyberspace. Together we make up a team deeply committed to compliance with the law and the protection of privacy rights that works every day with other U.S. government agencies, industry, academia, citizens, and allies, for only our combined efforts will enable us to make progress in cybersecurity for the nation as a whole." Statements, letters, and materials submitted for the record include those of the following: Keith B. Alexander, Richard A. McFeely, Patrick D. Gallagher, and Rand Beers.
United States. Government Printing Office
2013-06-12
-
Memorandum: Transforming Our Nation's Electric Grid Through Improved Siting, Permitting, and Review, Memorandum for the Heads of Executive Departments and Agencies, June 7, 2013
"Our Nation's electric transmission grid is the backbone of our economy, a key factor in future economic growth, and a critical component of our energy security. Countries that harness the power of clean, renewable energy will be best positioned to thrive in the global economy while protecting the environment and increasing prosperity. In order to ensure the growth of America's clean energy economy and improve energy security, we must modernize and expand our electric transmission grid. Modernizing our grid will improve energy reliability and resiliency, allowing us to minimize power outages and manage cyber-security threats. By diversifying power sources and reducing congestion, a modernized grid will also create cost savings for consumers and spur economic growth. Modernizing our Nation's electric transmission grid requires improvements in how transmission lines are sited, permitted, and reviewed. As part of our efforts to improve the performance of Federal siting, permitting, and review processes for infrastructure development, my Administration created a Rapid Response Team for Transmission (RRTT), a collaborative effort involving nine different executive departments and agencies (agencies), which is working to improve the efficiency and effectiveness of transmission siting, permitting, and review, increase interagency coordination and transparency, and increase the predictability of the siting, permitting, and review processes. In furtherance of Executive Order 13604 of March 22, 2012 (Improving Performance of Federal Permitting and Review of Infrastructure Projects), this memorandum builds upon the work of the RRTT to improve the Federal siting, permitting, and review processes for transmission projects. Because a single project may cross multiple governmental jurisdictions over hundreds of miles, robust collaboration among Federal, State, local, and tribal governments must be a critical component of this effort."
United States. Office of the Federal Register
Obama, Barack
2013-06-07
-
Evaluation of Cyber Sensors for Enhancing Situational Awareness in the ICS Environment
From the thesis abstract: "Industrial Control Systems (ICS) monitor and control operations associated with the national critical infrastructure (e.g., electric power grid, oil and gas pipelines and water treatment facilities). These systems rely on technologies and architectures that were designed for system reliability and availability. Security associated with ICS was never an inherent concern, primarily due to the protections afforded by network isolation. However, a trend in ICS operations is to migrate to commercial networks via TCP/IP [Transmission Control Protocol/Internet Protocol] in order to leverage commodity benefits and cost savings. As a result, system vulnerabilities are now exposed to the online community. Indeed, recent research has demonstrated that many exposed ICS devices are being discovered using readily available applications (e.g., Shodan search engine and Google-esque queries). Due to the lack of security and logging capabilities for ICS, most knowledge about attacks are derived from real world incidents after an attack has already occurred. Further, the distributed nature and volume of devices requires a cost effective solution to increase situational awareness. This research evaluates two low cost sensor platforms for enhancing situational awareness in the ICS environment. Data obtained from the sensors provide insight into attack tactics (e.g., port scans, Nessus scans, Metasploit modules, and zero-day exploits) and characteristics (e.g., attack origin, frequency, and level of persistence). The results indicate that the low cost cyber sensors perform sufficiently within the ICS environment. Furthermore, findings enable security professionals to draw an accurate, real-time awareness of the threats against ICS devices and help shift the security posture from reactionary to preventative."
Air Force Institute of Technology (U.S.)
Otis, Jeremy R.
2013-06
-
DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities
"In 2010, the Office of Management and Budget designated the Department of Homeland Security (DHS) with the primary responsibilities of overseeing the Federal-wide information security program and evaluating its compliance with the 'Federal Information Security Management Act of 2002'. The National Protection and Programs Directorate (NPPD), which is primarily responsible for fulfilling DHS security missions, assumed this responsibility for the Department. Subsequent to the President's issuance of Executive Order 13618 in July 2012, NPPD's Office of Cybersecurity and Communications was reorganized in an effort to promote security, resiliency, and reliability of the Nation's cyber and communications infrastructure. We audited NPPD to determine whether the Office of Cybersecurity and Communications has implemented its additional cybersecurity responsibilities effectively to improve the security posture of the Federal Government. […] Although actions have been taken, NPPD can make further improvements to address its additional cybersecurity responsibilities. For example, the Federal Network Resilience division must develop a strategic implementation plan to define its long-term goals on improving agencies' information security programs. Further, increased communication and coordination with Government agencies can improve the 'Federal Information Security Management Act' reporting process. Finally, NPPD must address deficiencies in maintaining and tracking the training records of CyberScope contractor personnel and implement the required DHS baseline configuration settings. We are making six recommendations to the Acting Assistant Secretary, Office of Cybersecurity and Communications. NPPD concurred with all recommendations and has begun to take actions to implement them."
United States. Department of Homeland Security. Office of Inspector General
2013-06
-
Computer Security Division: 2012 Annual Report
"With the continued proliferation of information, the explosion of devices connecting to the expanding communication infrastructure and the evolving threat environment, the need for cybersecurity standards and best practices that address interoperability, usability and privacy continues to be critical for the Nation. The Computer Security Division (CSD), a component of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) is responsible for developing standards, guidelines, tests, and metrics for the protection of non-national security federal information and communication infrastructure. These standards, guidelines, tests, and metrics are also important resources for the private sector. In 2012, CSD aligned its resources to enable greater development and application of practical, innovative security technologies and methodologies, and to enhance our ability to address current and future computer and information security challenges in support of critical national and international priorities. CSD extended its research and development agenda for high-quality, cost-effective security and privacy mechanisms to foster improved information security across the federal government and the global information security community. In 2012, NIST concluded the five-year SHA-3 Cryptographic Hash Algorithm Competition with the selection of KECCAK for standardization and worldwide adoption. The selection of this cryptographic hash algorithm, an indispensable component for the information and communication systems that support commerce in the modern era, confirmed NIST's well-respected and trusted technical authority in this field."
United States. Department of Commerce; National Institute of Standards and Technology (U.S.)
O'Reilly, Patrick J.
2013-06
-
Electric Grid Vulnerability: Industry Responses Reveal Security Gaps
"The last few years have seen the threat of a crippling cyber-attack against the U.S. electric grid increase significantly. Secretary of Defense Leon Panetta identified a 'cyber-attack perpetrated by nation states or extremist groups' as capable of being 'as destructive as the terrorist attack on 9/11.' A five-year old National Academy of Sciences report declassified and released in November 2012 found that physical damage by terrorists to large transformers could disrupt power to large regions of the country and could take months to repair, and that 'such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction.' On May 16, 2013, the Department of Homeland Security testified that in 2012, it had processed 68% more cyber-incidents involving Federal agencies, critical infrastructure, and other select industrial entities than in 2011. It also recently warned industry of a heightened risk of cyber-attack, and reportedly noted increased cyber-activity that seemed to be based in the Middle East, including Iran. Current efforts to protect the nation's electric grid from cyber-attack are comprised of voluntary actions recommended by the North American Electric Reliability Corporation (NERC), an industry organization, combined with mandatory reliability standards that are developed through NERC's protracted, consensus-based process. Additionally, an electric utility or grid-related entity may take action on its own initiative. In light of the increasing threat of cyber-attack, numerous security experts have called on Congress to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms. Despite these calls for action, Congress has not provided any governmental entity with that necessary authority."
United States. Congress. House
2013-05-21
-
Joint Statement on U.S.-Japan Cyber Dialogue
"The Governments of the United States and Japan held the first U.S.-Japan Cyber Dialogue in Tokyo on May 9-10, 2013. The U.S.-Japan Cyber Dialogue, initiated at the Presidential-Prime Ministerial level, reflects our nations' broad engagement and long-standing cooperation on important bilateral and global issues. The Cyber Dialogue is a consultation for exchanging cyber threat information, aligning international cyber policies, comparing national cyber strategies, cooperating on planning and efforts to protect critical infrastructure, and discussing the cooperation on cyber areas in national defense and security policy."
United States. Department of State
2013-05-10
-
Cyber Infrastructure Protection, Volume II
"This book is a follow-on to our earlier book published in 2011 and represents a detailed look at various aspects of cyber security. The chapters in this book are the result of invited presentations in a 2-day conference on cyber security held at the City University of New York, City College, June 8-9, 2011. Our increased reliance on the Internet, information, and networked systems has also raised the risks of cyber attacks that could harm our nation's cyber infrastructure. The cyber infrastructure encompasses a number of sectors including the nation's mass transit and other transportation systems, railroads, airlines, the banking and financial systems, factories, energy systems and the electric power grid, and telecommunications, which increasingly rely on a complex array of computer networks. Many of these infrastructures' networks also connect to the public Internet. Unfortunately, many information systems, computer systems, and networks were not built and designed with security in mind. As a consequence, our cyber infrastructure contains many holes, risks, and vulnerabilities that potentially may enable an attacker to cause damage or disrupt the operations of this cyber infrastructure. Threats to the safety and security of the cyber infrastructure come from many directions: hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare. Costs to the economy from these threats are huge and increasing. Cyber infrastructure protection refers to the defense against attacks on such infrastructure and is a major concern of both the government and the private sector."
Army War College (U.S.). Strategic Studies Institute
Jordan, Louis H.; Saadawi, Tarek Nazir, 1951-; Boudreau, Vincent
2013-05
-
Cybersecurity: Selected Legal Issues [April 17, 2013]
"For many, the Internet has become inextricably intertwined with daily life. Many rely on it to perform their jobs, pay their bills, send messages to loved ones, track their medical care, and voice political opinions, among a host of other activities. Likewise, government and business use the Internet to maintain defense systems, protect power plants and water supplies, and keep other types of critical infrastructure running. Consequently, the federal government's role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. This report discusses selected legal issues that frequently arise in the context of legislation to address vulnerabilities of private critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information amongst private sector and government entities. This report also provides an overview of the ways in which federal laws of these types may preempt or affect the applicability of state law."
Library of Congress. Congressional Research Service
Liu, Edward C.; Stevens, Gina Marie; Ruane, Kathleen Ann . . .
2013-04-17
-
Security and Privacy Controls for Federal Information Systems and Organizations [Updated May 7, 2013]
This publication from the National Institute of Standards and Technology includes updates from May 7, 2013. A list of changes made to the document can be found on page XVII. "This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy."
National Institute of Standards and Technology (U.S.)
2013-04
-
Communications Network Security: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts, Report to Congressional Requesters
"Ensuring the effectiveness and reliability of communications networks is essential to national security, the economy, and public health and safety. The communications networks (including core and access networks) can be threatened by both natural and human-caused events, including increasingly sophisticated and prevalent cyber-based threats. GAO [Government Accountability Office] has identified the protection of systems supporting the nation's critical infrastructure--which includes the communications sector--as a government-wide high-risk area. GAO was asked to (1) identify the roles of and actions taken by key federal entities to help protect communications networks from cyber-based threats, (2) assess what is known about the extent to which cyber incidents affecting the communications networks have been reported to the FCC [Federal Communications Commission] and DHS [Department of Homeland Security], and (3) determine if Defense's pilot programs to promote cybersecurity in the defense industrial base can be used in the communications sector. To do this, GAO focused on core and access networks that support communication services, as well as critical components supporting the Internet. GAO analyzed federal agency policies, plans, and other documents; interviewed officials; and reviewed relevant reports."
United States. Government Accountability Office
2013-04