Advanced search    Help

Clear all search criteria

Only 2/3! You are seeing results from the Public Collection, not the complete Full Collection. Sign in to search everything (see eligibility).

• Critical Infrastructure Protection: OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets, Report to Congressional Requesters

  Show summary     Open resource [pdf]     (open full abstract)

  "Because the nation's critical infrastructure relies on information technology systems and data, the security of those assets is critical to ensuring national security and public safety. In 2003, the President directed federal agencies to (1) develop plans for the protection of their computer-related (cyber) critical infrastructure assets and (2) submit them for approval to the Office of Management and Budget (OMB) by July 31, 2004. To help agencies do this, OMB issued guidance with 19 criteria deemed essential for effective cyber critical infrastructure protection planning that were required to be included in the plans. GAO was asked to determine (1) the extent to which agencies developed their plans and whether they submitted them to OMB by the deadline and (2) whether the plans met criteria in OMB's guidance. To do this, GAO reviewed plans from 24 agencies, many of which own and operate key government cyber and other critical infrastructure; reviewed OMB documentation; interviewed officials; and compared submitted plans to relevant criteria […]. GAO is recommending that OMB (1) direct agencies to update cyber plans to fully address OMB requirements and (2) follow up to see that agencies make sure plans meet requirements and are being implemented. In commenting on a draft of this report, OMB agreed with the first recommendation; it agreed with the second after GAO revised it to better clarify OMB and agency follow up responsibilities."

  United States. Government Accountability Office

  2009-10-15
• ITL Bulletin: NIST to Develop a Cybersecurity Framework to Protect Critical Infrastructure (March 2013)

  Show summary     Open resource [pdf]     (open full abstract)

  "The reliability and trustworthiness of our nation's critical infrastructure is vital to the economic and national security of the United States. Under Executive Order 13636, 'Improving Critical Infrastructure Cybersecurity,' the President has directed National Institute for Standards and Technology (NIST) to develop a voluntary framework for reducing cyber risks to our nation's critical infrastructure. The Cybersecurity Framework will consist of standards, methodologies, and procedures that promote the protection of information systems supporting crucial infrastructure operations. It will promote the wide adoption of best practices to increase cybersecurity across all sectors and industry types. The flexible and cost-effective approach of the Framework will assist owners and operators of critical infrastructure in managing cybersecurity risk while ensuring business confidentiality and individual privacy. Working with stakeholders in government, industry, and academia, NIST's Information Technology Laboratory has initiated the development of the Framework by conducting a comprehensive review of the current cybersecurity landscape through a Request for Information (RFI). Published in the 'Federal Register' of February 26, 2013, the RFI requests information to identify, refine, and guide the many interrelated challenges and efforts needed to draft the Framework. As always, NIST will engage with and seek input from stakeholders through an open public review and comment process, workshops, and other means of engagement."

  National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

  Lennon, Elizabeth B.

  2013-03
• Serial No. 113-17: Facilitating Cyber Threat Information Sharing and Partnering with the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, First Session, May 16, 2013

  Show summary     Open resource [pdf]     (open full abstract)

  This testimony is from the May 16, 2013 hearing, "Facilitating Cyber Threat Information Sharing and Partnering with the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities" before the U.S. House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: From the opening statement of Patrick Meehan: "The NCCIC [National Cybersecurity & Communications Integration Center] is one of the U.S. Government's key civilian interfaces with the private sector for cyber threat information sharing, incident response, and protecting U.S. critical infrastructure. The NCCIC is a collaborative method for federal agencies, state and local governmental entities, and the private sector to communicate cyber threat information, analysis, and prevention methods in real-time. The Subcommittee has been crafting a body of work that will help to establish key areas where we can improve the Department's critical infrastructure protection from a cyber attack. We have examined the threat, particularly from nation-states. We have looked at protecting U.S. citizens from civil liberty violations. And today, we look at the threat mitigation capabilities at the Department of Homeland Security." Statements, letters, and materials submitted for the record include those of the following: Patrick Meehan, Yvette D. Clarke, Bennie G. Thompson, Roberta Stempfley, Larry Zelvin, and Charles K. Edwards.

  United States. Government Printing Office

  2013
• Serial No. 113-9: Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure, U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, One Hundred Thirteenth Congress, First Session, March 20, 2013

  Show summary     Open resource [pdf]     (open full abstract)

  This is the March 20, 2013 hearing entitled "Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure" before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on March 20, 2013. From the opening statement of Patrick Meehan: "Today's hearing is timely and relevant. We are examining the cyber threat posed by nation states: China, Russia, and Iran. I focus on the 'nation state' aspect of this threat because it represents a new battlefield in state relations and we must prepare accordingly. Since the New Year, there have been significant developments in the cyber domain, highlighted by the fact the U.S. Government has finally begun to name the nation states most responsible for cyber attacks against the United States. I believe identifying the threat is critical to combatting this problem and protecting our critical infrastructure. Over the last two months, the Obama Administration has rightly placed cybersecurity at the top of the public agenda. In his State of the Union speech, President Obama specifically cited 'foreign countries' swiping our corporate secrets, attacking our financial institutions, and sabotaging our power grid. While he didn't name any specific countries, last week, Tom Donilon, the President's National Security Advisor, outed China as the place where cyber intrusions are emanating on 'an unprecedented scale.' Also last week, in the Annual Threat Assessment by the U.S. Intelligence Community delivered to Congress last week, the Director of National Intelligence (DNI), James Clapper, named cyber as the top threat to U.S. national security. This represents a major shift in the threat assessment by the U.S. Intelligence Community and makes our work on this Committee even more important." Statements, letters and materials submitted for the record include those of the following: Patrick Meehan, Michael McCaul, Frank J. Cilluffo, Richard Bejtlich, Ilan Berman, and Martin Libicki.

  United States. Government Printing Office

  2013
• Serial No. 112-19: The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Twelfth Congress, First Session, April 15, 2011

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of Daniel E. Lungren: "Today, the subcommittee will examine the relationship between the Department of Homeland Security and the owners and operators of critical infrastructure. What is working well, what could be done better, and how to improve in the future. [...] The public-private partnership remains a key part of the Nation's efforts to secure and protect its critical cyber-reliant infrastructure. While criticized by some, it is still evolving since its inception a decade ago. Because of the leadership of NPPD [National Protection and Programs Directorate] Under Secretary Rand Beers and Deputy Secretary Phillip Reitinger, the Department has strategically positioned cybersecurity resources and assets in an effort to develop a more trusted and mutually beneficial public-private partnership that is needed to defend cyberspace. Without ownership, partnership is the next best thing for promoting cybersecurity and protecting our critical infrastructure. If properly developed and implemented, the public-private partnership cybersecurity model can be leveraged to improve the culture of security and the willingness of the private sector to make the necessary investments to secure their critical infrastructure. With all this cyber expertise, is the Department making a real difference in defending critical infrastructure? Are they protecting Government and private sector cyber space and responding effectively to cyber attacks? Are they assisting the private sector in detecting, defending, and recovering from cyber attack? Is the Department making available to its partners the critical threat information they need to protect their networks? Today we will hear from the Homeland Security Department and a number of key economic sectors, whose critical infrastructure is vital to maintaining our robust economy, on how this public-private partnership is progressing." Statements, letters, and materials submitted for the record include those of the following: Daniel E. Lungren, Yvette D. Clark, Seán McGurk, Gerry Cauley, Jane Carlin, and Edward Amoroso.

  United States. Government Printing Office

  2012
• Resourcing DHS's Cybersecurity and Innovation Missions: A Review of the Fiscal Year 2020 Budget Request for the Cybersecurity and Infrastructure Security Agency and the Science and Technology Directorate, Hearing Before the subcommittee on Cybersecurity, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation of the Committee on Homeland Security, House of Representatives, One Hundred Sixteenth Congress, First Session, April 30, 2019

  Show summary     Open resource [pdf]     (open full abstract)

  This is the April 30, 2019 hearing on "Resourcing DHS's Cybersecurity and Innovation Missions: A Review of the Fiscal Year 2020 Budget Request for the Cybersecurity and Infrastructure Security Agency and the Science and Technology Directorate" held before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation of the Committee on Homeland Security. From the opening statement of Cedric L. Richmond: "From election security to supply chain security, we ask more of DHS's cybersecurity arm every year. Despite CISA's [Cybersecurity and Infrastructure Security Agency] growing mission, its budget has remained stagnant. Since taking office, the President and those around him have paid a lot of lip-service to the issues related to cybersecurity and innovation. But there hasn't been much follow-through." Statements, letters, and materials submitted for the record include those of the following: Christopher C. Krebs, and William Bryan.

  United States. Government Publishing Office

  2019
• Serial No. 113-13: Striking the Right Balance: Protecting Our Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, First Session, April 25, 2013

  Show summary     Open resource [pdf]     (open full abstract)

  This is the April 25, 2013 hearing on "Striking the Right Balance: Protecting Our Nation's Critical Intrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties" held before the United States House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. From the opening statement of Patrick Meehan: "The subcommittee is meeting today to examine the balance between preventing a cyber attack on our Nation's critical infrastructure and ensuring privacy and civil liberties are protected. [...] During this Congress, our subcommittee has been examining the cybersecurity threat to individuals and to our critical infrastructure. Our Nation has made great strides, but the threat is multi-faceted and we are only as strong as our weakest link." Statements, letters, and materials submitted for the record include those of the following: Patrick Meehan, Yvette D. Clarke, Bennie G. Thompson, Ellen Callahan, Cheri F. McGuire, and Harriet P. Pearson.

  United States. Government Printing Office

  2013
• Challenges in the Protection of US Critical Infrastructure in the Cyber Realm

  Show summary     Open resource [pdf]     (open full abstract)

  From the abstract: "This paper evaluates the US military participation in the arena of domestic cyber security for critical infrastructure protection. The issue is relevant for two major reasons. First, it deals with the current phenomena of continuous cyber attacks on US critical infrastructure, which dominates the discussion of potential future and global threats to the United States. Second, the US is trying to cope with current challenges to cyber security with military means, which is sparking academic and political debate. The latter relevance comprises the main argument of this study, that a military approach to cyber security is not the best choice. Generally, critical infrastructure protection is inherently civil related. Other factors to consider are Presidential Directives and US cyber strategies, which assigned the Department of Homeland Security (DHS) to organizing, synchronizing, and executing critical infrastructure protection for the homeland. Nonetheless, the US military is deeply involved in domestic affairs regarding cyber security. Numerous reasons create this curious reality. Ill-defined and unclear classifications of the variety of cyber attacks make almost everything appear as an undifferentiated hazard. Cyber hype, largely a product of efforts by the information technology industry, only serves to add to the contemporary misperception of cyber threats. Terms of cyber related issues are often militarized, over emphasized, and undifferentiated. The resulting confusion produced inadequate domestic cyber security efforts, insufficient public-private cooperation, and a turn to the military for leadership. This absorption of DHS related fields of actions by the Department of Defense are questionable in two respects: constitutionally power-sharing principles prohibit the military from policing inside of the United States and the militarization of cyber security may hamper the necessary public-private cooperation for domestic cyber security."

  U.S. Army Command and General Staff College. School of Advanced Military Studies

  Trobisch, Jan

  2014-01
• Serial No. 115-26: Challenges of Recruiting and Retaining a Cybersecurity Work Force, Hearing Before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security, House of Representatives, One Hundred Fifteenth Congress, First Session, September 7, 2017

  Show summary     Open resource [pdf]     (open full abstract)

  This is the September 7, 2017 hearing on "Challenges of Recruiting and Retaining a Cybersecurity Work Force," held before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security. From the opening statement of John Ratcliffe: "Cybersecurity is one of the most daunting National security and economic security challenges of our generation. As our adversaries grow in sophistication, so, too, will the challenges associated with preventing their attacks. [...] Some industry estimates are that 53 percent of organizations now experience delays of 6 months or longer to find qualified cyber-security candidates. We know that the entire industry is facing an unprecedented shortage of cybersecurity workers at all levels of competency, from front-line defenders to CIOs [Chief Information Officer]. It is against this backdrop that the Department of Homeland Security must compete with the private sector to recruit and retain the best talent possible in order to carry out its cybersecurity mission and to protect our critical infrastructure. Unfortunately, DHS's issues are compounded by the additional hiring challenges often felt by the Federal Government. DHS must work to overcome slow hiring processes and work force supply and pipeline issues in order to build the essential work force required to meet its cyber mission. DHS must strategically plan for the training, recruitment, and the retention of its cybersecurity work force." Statements, letters, and materials submitted for the record include those of the following: Frederick R. Chang, Scott Montgomery, Michael Papay, and Juliet 'Jules' Okafor.

  United States. Government Publishing Office

  2018
• Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity, Statement of David A. Powner, Director, Information Technology Management Issues, Testimony before the House Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity

  Show summary     Open resource [pdf]     (open full abstract)

  "Increasing computer interconnectivity has revolutionized the way that our nation and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy establish DHS as the focal point for coordinating activities to protect the computer systems that support our nation's critical infrastructures. GAO was asked to summarize recent reports on (1) DHS's responsibilities for cybersecurityrelated critical infrastructure protection and for recovering the Internet in case of a major disruption (2) challenges facing DHS in addressing its cybersecurity responsibilities, including leadership challenges, and (3) recommendations to improve the cybersecurity of national critical infrastructures, including the Internet."

  United States. Government Accountability Office

  2006-09-13
• Cyber Infrastructure Protection, Volume II

  Show summary     Open resource [pdf]     (open full abstract)

  "This book is a follow-on to our earlier book published in 2011 and represents a detailed look at various aspects of cyber security. The chapters in this book are the result of invited presentations in a 2-day conference on cyber security held at the City University of New York, City College, June 8-9, 2011. Our increased reliance on the Internet, information, and networked systems has also raised the risks of cyber attacks that could harm our nation's cyber infrastructure. The cyber infrastructure encompasses a number of sectors including the nation's mass transit and other transportation systems, railroads, airlines, the banking and financial systems, factories, energy systems and the electric power grid, and telecommunications, which increasingly rely on a complex array of computer networks. Many of these infrastructures' networks also connect to the public Internet. Unfortunately, many information systems, computer systems, and networks were not built and designed with security in mind. As a consequence, our cyber infrastructure contains many holes, risks, and vulnerabilities that potentially may enable an attacker to cause damage or disrupt the operations of this cyber infrastructure. Threats to the safety and security of the cyber infrastructure come from many directions: hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare. Costs to the economy from these threats are huge and increasing. Cyber infrastructure protection refers to the defense against attacks on such infrastructure and is a major concern of both the government and the private sector."

  Army War College (U.S.). Strategic Studies Institute

  Jordan, Louis H.; Saadawi, Tarek Nazir, 1951-; Boudreau, Vicent

  2013-05
• Information Security: DHS Needs to Continue to Advance Initiatives to Protect Federal Systems, Statement of Gregory C. Wilshusen, Director, Information Security Issues, Testimony Before the Subcommittee on Cybersecurity and Infrastructure Protection, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  "Cyber-based intrusions and attacks on federal systems are evolving and becoming more sophisticated. GAO [Government Accountability Office] first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. DHS plays a key role in strengthening the cybersecurity posture of the federal government. Among other things, DHS has initiatives for (1) detecting and preventing malicious cyber intrusions into agencies' networks and (2) deploying technology to assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities. This statement provides an overview of GAO's work related to DHS's efforts to improve the cybersecurity posture of the federal government. In preparing this statement, GAO relied on previously published work, as well as information provided by DHS on its actions in response to GAO's previous recommendations. In a January 2016 report, GAO made nine recommendations related to expanding NCPS's [National Cybersecurity Protection System] capability to detect cyber intrusions; notifying customers of potential incidents; providing analytic services; and sharing cyber-related information, among other things. DHS concurred with the recommendations and is taking actions to implement them."

  United States. Government Accountability Office

  Wilshusen, Gregory C.

  2017-03-28
• Cyber Infrastructure Protection

  Show summary     Open resource [pdf]     (open full abstract)

  "This book provides an integrated view and a comprehensive framework of the various issues relating to cyber infrastructure protection. It provides the foundation for long-term policy development, a roadmap for cyber security, and an analysis of technology challenges that impede cyber infrastructure protection. The book is divided into three main parts. Part I deals with strategy and policy issues related to cyber security. It provides a theory of cyber power, a discussion of Internet survivability as well as large scale data breaches and the role of cyber power in humanitarian assistance. Part II covers social and legal aspects of cyber infrastructure protection and it provides discussions concernsing the attack dynamics of politically and religiously motivated hackers. Part III discusses the technical aspects of cyber infrastructure protection including the resilience of data centers, intrusion detection, and a strong focus on IP-networks."

  Army War College (U.S.). Strategic Studies Institute

  Saadawi, Tarek Nazir, 1951-; Jordan, Louis H.

  2011-05-09
• Technology Assessment: Cybersecurity for Critical Infrastructure Protection

  Show summary     Open resource [pdf]     (open full abstract)

  Computers are crucial to the operations of government and business. Computers and networks essentially run the critical infrastructures that are vital to our national defense, economic security, and public health and safety. Unfortunately, many computer systems and networks were not designed with security in mind. As a result, the core of our critical infrastructure is riddled with vulnerabilities that could enable an attacker to disrupt operations or cause damage to these infrastructures. Critical infrastructure protection (CIP) involves activities that enhance the security of our nation's cyber and physical infrastructure. Defending against attacks on our information technology infrastructure- cybersecurity-is a major concern of both the government and the private sector. Consistent with guidance provided by the Senate's Fiscal Year 2003 Legislative Branch Appropriations Report (S. Rpt. 107-209), GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing?

  United States. General Accounting Office

  2004-05-28
• Serial No. 113-39: Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management, Joint Hearing Before the Subcommittee on Emergency Preparedness, Response, and Communications, and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, First Session, October 30, 2013

  Show summary     Open resource [pdf]     (open full abstract)

  This is the October 30, 2013 joint hearing on "Cyber Incident Response" held before the U.S. House Committee on Homeland Security. From the opening statement of Susan W. Brooks: "The Subcommittees on Emergency Preparedness, Response, and Communications and Cybersecurity, Infrastructure Protection and Security Technologies will come to order. […] October is Cybersecurity Awareness Month, and I think it is so very important that we observe this month in part of our awareness because it must be our ability to not only protect our networks and our critical infrastructure from intrusions, but also, what is our ability to respond should an intrusion become successful? After all, we do know that the threat of a cyber attack is real and in a speech just prior to her resignation former Secretary of Homeland Security Janet Napolitano discussed that threat. She forecasted that our country will face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society." Statements, letters, and materials submitted for the record include those of the following: Susan W. Brooks, Donald M. Payne, Jr., Yvette D. Clarke, Bennie G. Thompson, Roberta Stempfley, Charley English, Craig Orgeron, Mike Sena, and Paul Molitor.

  United States. Government Printing Office

  2014
• Future of Cyber and Telecommunications Security at DHS, Hearing Before the Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity of the Committee on Homeland Security, House of Representatives, One Hundred Ninth Congress, Second Session, September 13, 2006

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of Daniel E. Lungren: "Information and communications technology are a prime target for those intending to do us harm and a successful terrorist attack could cause immeasurable danger and damage to our everyday lives, for example, disrupt our electrical power supply or disrupt our ability to respond to emergencies. [...] We are concerned the department has not been as effective as possible in ensuring the security and resiliency of our information infrastructure or its efficient reconstitution in the case of an incident of national significance. We have been fortunate enough not to have suffered a debilitating information infrastructure incident, but we cannot rely upon good [fortune] alone. We must create a strong, focused organization to ensure our cyber assets our protected and to enable us to respond effectively to a cyber incident." Several organizational representatives, including those from the GAO, Cybersecurity Industry Alliance, the Information Technology Sector Coordinating Council, and the Telecommunications Sector Coordinating Council offer up perspectives and private sector expectations for coordinating the protection of America's information infrastructure. Statements, letters, and materials submitted for the record include those of the following: Daniel E. Lungren, Loretta Sanchez, Norman D. Dicks, Sheila Jackson Lee, Stevan Pearce, Mark E. Souder, George Foresman, David Powner, David Barron, Guy Copeland, Paul B. Kurtz, and William Pelgrin.

  United States. Government Printing Office

  2008
• Serial No. 115-39: Maximizing the Value of Cyber Threat Information Sharing, Hearing Before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security, House of Representatives, One Hundred Fifteenth Congress, First Session, November 15, 2017

  Show summary     Open resource [pdf]     (open full abstract)

  This is the November 15, 2017 hearing on "Maximizing the Value of Cyber Threat Information Sharing," held before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security. From the opening statement of John Ratcliffe: "The severity of the threats we face in cyber space can't be over-stated. Seemingly, every week there's a new headline about a new breach, a new hack, or a new trove of sensitive information that's been compromised. Or there's a new report highlighting the vulnerabilities of our Government, the private sector, and the American people face from malicious actors. Those on the operational front of cybersecurity know the threat landscape is evolving at every second. In cyber space, it's nearly impossible to concisely declare who the threat actor is, what they're going to do next, and what the cascading effects may be. The industry method is to prioritize, assess the risks that net-works face and prioritize actions to address those risks, and then keep moving down the list. We in the Government must learn from the private sector, assess risks, prioritize mitigation, and keep moving." Statements, letters, and materials submitted for the record include those of the following: Robert K. Knake, Ann Barron-Dicamillo, Patricia Cagliostro, and Robert H. Mayer.

  United States. Government Publishing Office

  2018
• Cybersecurity Workforce: DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill Requirements, Statement of Gregory C. Wilshusen Director, Information Security Issues, Testimony Before the Subcommittees on Cybersecurity and Infrastructure Protection and Oversight and Management Efficiency, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  "DHS is the lead agency tasked with protecting the nation's critical infrastructure from cyber threats. The Homeland Security Cybersecurity Workforce Assessment Act of 2014 required DHS to identify, categorize, and assign employment codes to all of the department's cybersecurity workforce positions. These codes define work roles and tasks for cybersecurity specialty areas such as program management and system administration. Further, the act required DHS to identify and report its cybersecurity workforce critical needs."

  United States. Government Accountability Office

  Wilshusen, Gregory C.

  2018-03-07
• Serial No. 115-52: Examining DHS's Efforts to Strengthen Its Cybersecurity Workforce, Joint Hearing Before the Subcommittee on Cybersecurity and Infrastructure Protection and the Subcommittee on Oversight and Management Efficiency of the Committee on Homeland Security, House of Representatives, One Hundred Fifteenth Congress, Second Session, March 7, 2018

  Show summary     Open resource [pdf]     (open full abstract)

  This document is the March 7, 2018 hearing titled "Examining DHS's Efforts to Strengthen Its Cybersecurity Workforce" before the House Subcommittee on Cybersecurity and Infrastructure Protection and the Subcommittee on Oversight and Management Efficiency of the Committee on Homeland Security. From the opening statement of John Ratcliffe: "Last month, the Government Accountability Office released a report entitled, ''Urgent need for DHS to take actions to identify its position and critical skill requirements.'' The findings are pretty troubling. While DHS has taken actions to idetify, categorize, and assign employment codes to its cybersecurity positions, its efforts have been neither timely, nor complete. Identifying DHS work force capability gaps and recruiting to fill them, is a problem that this committee has long examined. However, GAO found that DHS has not identified its Department-wide security or cybersecurity critical needs. Ensuring that DHS collects complete and accurate data on all filled and vacant cybersecurity positions for identification and coding efforts is a task that DHS must not ignore, nor fail to complete." Statements, letters, and materials submitted for the record include those of the following: John Ratcliffe, Scott Perry, J. Luis Correa, Michael T. McCaul, Bennie G. Thompson, Sheila Jackson Lee, Cedric L. Richmond, Gregory Wilshusen, Angela Bailey, and Rita Moss.

  United States. Government Printing Office

  2018
• Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework, Report to Congressional Committees

  Show summary     Open resource [pdf]     (open full abstract)

  "U.S. critical infrastructures, such as financial institutions and communications networks, are systems and assets vital to national security, economic stability, and public health and safety. Systems supporting critical infrastructures face an evolving array of cyber-based threats. To better address cyber-related risks to critical infrastructure, federal law and policy called for NIST [National Institute of Standards and Technology] to develop a set of voluntary cybersecurity standards and procedures that can be adopted by industry to better protect critical cyber infrastructure. The Cybersecurity Enhancement Act of 2014 included provisions for GAO [Government Accountability Office] to review aspects of the cybersecurity standards and procedures developed by NIST. This report determines the extent to which (1) NIST facilitated the development of voluntary cybersecurity standards and procedures and (2) federal agencies promoted these standards and procedures. GAO examined NIST's efforts to develop standards, surveyed a non-generalizable sample of critical infrastructure stakeholders, reviewed agency documentation, and interviewed relevant officials."

  United States. Government Accountability Office

  2015-12-17
• Cyber Infrastructure Protection, Volume III

  Show summary     Open resource [pdf]     (open full abstract)

  "We have achieved great advancement in computing systems in both hardware and software and their security. On the other hand, we still see massive cyberattacks that result in enormous data losses. Recent attacks have included sophisticated cyberattacks targeting many institutions, including those who provide management and host the core parts of Internet infrastructure. The number and types of attacks, the duration of attacks, and their complexity are all on the rise. The Cyber Infrastructure Protection (CIP) colloquium for the academic year 2015-16 was focused on strategy and policy directions relating to cyberspace; and how those directions should deal with the fastpaced, technological evolution of that domain. [...] This book is a follow-on to our earlier two books published in 2011 and 2013 respectively; and offers a detailed look at various aspects of cybersecurity. The chapters in this book are the result of invited presentations in a 1-day conference on cybersecurity that was held at the City University of New York (CUNY), City College, on October 15, 2015. A key contribution of this book is that it provides an integrated framework and a comprehensive view of the various cyber infrastructure protection (CIP) approaches. The book is divided into three main parts: Part I addresses policy and strategy for cybersecurity and cybercrime; Part II focuses on the cybersecurity of smart cities; and, Part III discusses cyber infrastructure security and technical issues. We strongly recommend this book for policymakers and researchers."

  Army War College (U.S.). Strategic Studies Institute

  Saadawi, Tarek Nazir, 1951-; Colwell, John D., Jr.

  2017-06
• Serial No. 114-29: Promoting and Incentivizing Cybersecurity Best Practices, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, One Hundred Fourteenth Congress, First Session, July 28, 2015

  Show summary     Open resource [pdf]     (open full abstract)

  This is the July 28, 2015 hearing on "Promoting and Incentivizing Cybersecurity Best Practices," held before the House of Representatives Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security. From the opening statement of John Ratcliffe: "The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. The subcommittee is meeting today to examine the potential benefits of expanding the Support Antiterrorism by Fostering Effective Technologies Act, referred to as the SAFETY Act, to clarify that on a voluntary basis cybersecurity products and services can be reviewed and certified to receive enhanced liability protections for large-scale cyber incidents. Right now, our cyber defenses are weak, and, because addressing cybersecurity vulnerabilities is costly, we need to find ways to promote and incentivize investment in cybersecurity. We need to incentivize companies to have a robust cyber-risk management plan in place. Through this hearing, we want to hear from our expert witnesses if the SAFETY Act Office at the Department of Homeland Security could be leveraged to promote and incentivize cybersecurity best practices within its existing framework." Statements, letters, and materials submitted for the record include those of the following: Brian E. Finch, Raymond B. Biagini, and Andrea M. Matwyshyn.

  United States. Government Publishing Office

  2016
• Critical Infrastructure Protection: Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies: Statement of David A. Powner, Director, Information Technology Management Issues before Congressional Subcommittees, Committee on Homeland Security, U.S. House of Representatives, October 31, 2007

  Show summary     Open resource [pdf]     (open full abstract)

  "The nation's critical infrastructure sectors-such as banking and finance, information technology, and public health-rely on computerized information and systems to provide services to the public. To fulfill the requirement for a comprehensive plan, including cyber aspects, the Department of Homeland Security (DHS) issued a national plan in June 2006 for the sectors to use as a road map to enhance the protection of critical infrastructure. Lead federal agencies, referred to as sector-specific agencies, are responsible for coordinating critical infrastructure protection efforts such as the development of plans that are specific to each sector. GAO was asked to summarize a report being released today that identifies the extent to which the sector plans addressed key aspects of cyber security, including cyber assets, key vulnerabilities, vulnerability reduction efforts, and recovery plans. In the report, GAO analyzed each sector-specific plan against criteria that were developed on the basis of DHS guidance. In its report, GAO recommends that the Secretary of Homeland Security request that, by September 2008, the sector-specific agencies develop plans that fully address all of the cyber-related criteria. In written comments on a draft of the report, DHS concurred with GAO's recommendation. The extent to which the sectors addressed aspects of cyber security in their sector-specific plans varied; none of the plans fully addressed all 30 cyber security-related criteria. Several sector plans-including the information technology and telecommunications sectors-fully addressed many of the criteria, while others-such as agriculture and food and commercial facilities-were less comprehensive."

  United States. Government Accountability Office

  Powner, David A.

  2007-10-31
• Critical Infrastructure Protection: Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies

  Show summary     Open resource [pdf]     (open full abstract)

  "The nation's critical infrastructure sectors-such as public health, energy, water, and transportation-rely on computerized information and systems to provide services to the public. To fulfill the requirement for a comprehensive plan, including cyber aspects, the Department of Homeland Security (DHS) issued a national plan in June 2006 for the sectors to use as a road map to enhance the protection of critical infrastructure. Lead federal agencies, referred to as sector-specific agencies, are responsible for coordinating critical infrastructure protection efforts, such as the development of plans that are specific to each sector. In this context, GAO was asked to determine if these sector-specific plans address key aspects of cyber security, including cyber assets, key vulnerabilities, vulnerability reduction efforts, and recovery plans. To accomplish this, GAO analyzed each sector-specific plan against criteria that were developed on the basis of DHS guidance. To assist the sectors in securing their cyber infrastructure, GAO recommends that the Secretary of Homeland Security request that, by September 2008, the sector-specific agencies develop plans that address all of the cyber-related criteria. In written comments on a draft of this report, DHS concurred with GAO's recommendation and provided technical comments that have been addressed as appropriate."

  United States. Government Accountability Office

  2007-10-31
• Serial No. 115-73: Assessing the State of Federal Cybersecurity Risk Determination, Hearing Before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security, House of Representatives, One Hundred Fifteenth Congress, Second Session, July 25, 2018

  Show summary     Open resource [pdf]     (open full abstract)

  This is the July 25, 2018 hearing on "Assessing the State of Federal Cybersecurity Risk Determination," held before the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security. From the opening statement of Hon. John Ratcliffe: "The subcommittee is meeting this morning to receive testimony regarding how the Federal Government understands and manages enterprise-wide cybersecurity risks. I now recognize myself for an opening statement. As we convene today, this subcommittee is concerned that the Federal Government is not yet equipped to determine how threat actors seek to gain access to our private information." Statements, letters, and materials submitted for the record include those of the following: Ken Durbin, Summer Fowler, and Ari Schwartz.

  United States. Government Publishing Office

  2018-07-25
• U.S. Department of Energy Audit Report: Cyber-Related Critical Infrastructure Identification and Protection Measures

  Show summary     Open resource [pdf]     (open full abstract)

  "In recent years, critical infrastructure protection has taken on increasing national importance as attacks and resulting damage to the country's critical cyber interests have increased. In 1998, in response to these threats, the Administration issued a directive to demonstrate the Federal government's commitment to protecting critical assets. More recently, President Bush signaled his support for critical infrastructure protection efforts by issuing Executive Order 13231, Critical Infrastructure Protection in the Information Age. The President's order seeks to strengthen the protection of critical information systems, including emergency preparedness communications, and the physical assets that support those systems. The Office of Inspector General has undertaken a series of reviews designed to evaluate the security and performance of the Department's information technology programs. Based on this work, we concluded in our Special Report on Management Challenges at the Department of Energy, (DOE/IG-0538, December 2001) that security of cyber assets is one of the most significant challenges facing the Department. The objective of this audit was to determine whether the Department had identified and developed protection measures for its critical cyber and related physical infrastructure assets."

  United States. Department of Energy. Office of Audit Services

  2002-03
• Serial No. 115-7: Current State of Private-Sector Engagement for Cybersecurity, Hearing Before the Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security, House of Representatives, One Hundred Fifteenth Congress, First Session, March 9, 2017

  Show summary     Open resource [pdf]     (open full abstract)

  This is from the March 9, 2017 hearing, "Current State of DHS Private Sector Engagement for Cybersecurity" before the U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection of the Committee on Homeland Security. From the opening statement of John Ratcliffe: "Cybersecurity touches every aspect of the world we live in. It's central to every sector of our economy. It's vitally important for the protection of all Americans' most sensitive information, and it's one of the foremost national security challenges of our time. Our collective ability to combat these threats -- with the government and the private sector working together -- will be one of the defining public policy challenges of our generation. Today, the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection meets to hear from key stakeholders on the current state of private sector engagement for DHS' cybersecurity mission. As chairman of this subcommittee, I don't take the responsibility that we as lawmakers in this room have lightly. In a world of rapidly evolving threats, we have been entrusted to be part of the solution, and I believe today's hearing will be an important piece of this ongoing effort. DHS' cyber mission includes a robust portfolio of existing private sector partnerships -- including Information Sharing and Analysis Organizations, the Cyber Information Sharing and Collaboration Program, Sector Coordinating Councils, and the Automated Indicator Sharing Program. Specifically, we hope to learn how these partnerships can be improved and what more DHS can be doing to ensure that these programs and activities are meaningful, substantive and effective. Today, private sector entities -- including U.S. critical infrastructure owners and operators -- are on the frontline of the conflict in cyberspace. Our civilian networks face countless attacks every day from bad actors who seek to infiltrate our trusted systems, cripple commerce, and expose Americans' personal information. And every day, these bad actors are using more advanced tactics, techniques and procedures, and higher quality information. It is only through constant and vigilant innovation that their attacks can be prevented, identified and mitigated." Statements, letters, and materials submitted for the record include those of the following: Daniel Nutkis, Scott Montgomery, Jeffrey Greene, Ryan M Gillis, and Robyn Greene.

  United States. Government Publishing Office

  2017
• Enhancing and Implementing the Cybersecurity, Elements of the Sector-Specific Plans, Joint Hearing Before the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology Joint with the Subcommittee on Transportation, Security and Infrastructure Protection of the Committee on Homeland Security, House of Representatives, One Hundred Tenth Congress, First Session, October 31, 2007

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of James R. Langevin: "The subcommittees today are meeting to receive testimony on enhancing and implementing the cybersecurity elements of the sector-specific plans. [...] Although critical infrastructure protection is usually associated with physical protection of facilities, there is a growing realization that cybersecurity must receive equal attention. This holds true especially since the Nation's critical infrastructure relies extensively on computerized information systems and electronic data. [...] One of the most important ways we can secure our infrastructure is through the implementation of the sector-specific plans. [...] The completion of the sector-specific plans will allow DHS to write a national annual report on critical infrastructure protection which is designed to give us a general assessment of the security of our infrastructure. This firsthand report is scheduled to be released next week. Today, we will focus specifically on the cyber aspects of these plans." Statements, letters, and materials submitted for the record include those of the following: James R. Langevin, Michael T. McCaul, Sheila Jackson-Lee, Daniel E. Lungren, Yvette D. Clarke, Bill Pascrell, Jr., Greg Garcia, George Hender, J. Michael Hickey, David Powner, Larry Clinton, Lawrence A. Gordon, Sally Katzen, Michael O'Hanlon, and David Powner.

  United States. Government Printing Office

  2009
• Critical Infrastructure Protection: DHS Needs to Fully Address Its Cybersecurity Responsibilities, Statement of David Powner, Director, Information Technology Management Issues, Testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  "Recent cyber attacks demonstrate the potentially devastating impact these pose to our nation's computer systems and to the federal operations and critical infrastructures that they support. They also highlight that we need to be vigilant against individuals and groups with malicious intent, such as criminals, terrorists, and nation-states perpetuating these attacks. Federal law and policy established the Department of Homeland Security (DHS) as the focal point for coordinating cybersecurity, including making it responsible for protecting systems that support critical infrastructures, a practice commonly referred to as cyber critical infrastructure protection. Since 2005, GAO has reported on the responsibilities and progress DHS has made in its cybersecurity efforts. GAO was asked to summarize its key reports and their associated recommendations aimed at securing our nation's cyber critical infrastructure. To do so, GAO relied on previous reports, as well as two reports being released today, and analyzed information about the status of recommendations."

  United States. Government Accountability Office

  2008-09-16
• Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities, Statement of David Powner, Director, Information Technology Management Issues, Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives

  Show summary     Open resource [pdf]     (open full abstract)

  "Recent cyber attacks demonstrate the potentially devastating impact these pose to our nation's computer systems and to the federal operations and critical infrastructures that they support. They also highlight that we need to be vigilant against individuals and groups with malicious intent, such as criminals, terrorists, and nation-states perpetuating these attacks. Federal law and policy established the Department of Homeland Security (DHS) as the focal point for coordinating cybersecurity, including making it responsible for protecting systems that support critical infrastructures, a practice commonly referred to as cyber critical infrastructure protection. Since 2005, GAO [Government Accountability Office] has reported on the responsibilities and progress DHS has made in its cybersecurity efforts. GAO was asked to summarize its key reports and their associated recommendations aimed at securing our nation's cyber critical infrastructure. To do so, GAO relied on previous reports, as well as two reports being released today, and analyzed information about the status of recommendations."

  United States. Government Accountability Office

  2008-09-16