Public Safety Tech Topic #20 - Cyber Security and Communications

In Tech Topic #19, the importance of communications systems as the backbone for information exchange including voice, data, video, and Internet connectivity for all other critical industry sectors within the United States was demonstrated. As such, communications systems were shown to be a critical component of our national security and emergency preparedness resources and therefore they constitute an important component of our overall national critical infrastructure. In this topic the security of the communications infrastructure is discussed. The focus is not from a physical security perspective but rather, the cyber security of communications systems – that is the vulnerability of our communications to information warfare. Hence, in this topic the security of our communications systems is shown to be a very important aspect of our national infrastructure protection plans.

The number of incidents of documented attacks on computer-based systems and communications systems increases on a daily basis. These range from unsophisticated access attempts by curious hackers to the malicious attempts to extract financial gain by criminal enterprises. Fortunately, cyber attacks directly on communications infrastructures themselves have been rare, most likely because the perpetrators rely on a functioning communications infrastructure to achieve their objectives. The growth of malicious activities grew in the wake of the Telecommunications Act of 1996 as perpetrators capitalized on the "openness" of networks, particularly the public Internet. The end result of these activities though can be catastrophic to the normal operations of communications and control systems and may threaten our national security.

President Clinton recognized this threat to telecommunications in 1998 and through Presidential Decision Directive 63 (PDD-63) required that, "No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today [May 22, 2003] the United States shall have achieved and shall maintain the ability to protect the nation's critical infrastructures from intentional acts that would significantly diminish the abilities of: ... the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services." This directive was an initial attempt at organizing a government response to potential attacks on critical infrastructure and established the original tenets of a national critical infrastructure protection plan for cyber security. It also included the designation of agency Chief Information Officers (CIO's) who were chartered with the responsibility to protect each Federal agency's critical information infrastructure, especially cyber-based systems.¹

At this point, cyber security and cyberspace began to take on full meaning. Cyberspace was defined as critical infrastructure composed of interconnected computers, servers, routers, switches, and fiber optic cables.² Although cyberspace is clearly not a fantasy, it is also a rather nebulous term referring to the conglomeration of computers and interconnecting communications systems that taken together form the fabric of our overarching communications and information infrastructure.

The institutionalization of government activities to protect computer systems began in 1965 with the Brooks Act that gave the National Bureau of Standards (now the Department of Commerce's National Institute of Standards and Technology (NIST)) responsibility "... To provide for the economic and efficient purchase, lease, maintenance, operation, and utilization of automatic data processing equipment by Federal departments and agencies."³ This action started activities to develop automatic data processing standards and guidelines for Federal computer systems and included guidelines for computer security. NIST has continued to develop such standards which can be found on their web site.⁴

In 2001 as cyber security grew as a topic of national security interest, the White House further instantiated a formal structure for dealing with these issues by chartering an interagency board – The President's Critical Infrastructure Protection Board - with cabinet-level representation and chaired by the Special Advisor to the President for Cyberspace Security within the National Security Council.⁵

This effort was followed in 2002 by enactment of the Electronic Government Act⁶ that required Federal agencies to report their progress in implementing the provisions of the Federal Information Security Management Act (FISMA).⁷ These Congressional actions were intended to provide guidance and reporting requirements for Federal agencies to secure government information systems.

In the succeeding years, attempts to achieve the mandates of PDD-63 were not met. However, interest and focus did not wane; in fact, the import of cyber security increased. In February 2003 President Bush released a National Strategy to Secure Cyberspace (NSSC) that recognized the increased threats of attacks on national information technology infrastructures and established three strategic objectives: 1.) prevent cyber attacks against America's critical infrastructures; 2.) reduce national vulnerability to cyber attacks; and 3.) minimize damage and recovery time from cyber attacks that do occur.⁸ In recognizing the importance of the partnership between private industry and the government to engage in a joint effort to secure cyberspace, the strategy called for five national priorities:

1. A National Cyberspace Security Response System;
2. A National Cyberspace Security Threat and Vulnerability Reduction Program;
3. A National Cyberspace Security Awareness and Training Program;
4. Securing Governments' Cyberspace; and
5. National Security and International Cyberspace Security Cooperation.

With the establishment of the Department of Homeland Security and dissolution of the Protection Board, Homeland Security Presidential Directive 7 (HSPD-7) required the Department of Homeland Security to "...serve as the focal point for the security of cyberspace ..." with a mission that included "... analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems."⁹ This directive established a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. In addition, it required heads of all Federal agencies to "... develop ... plans for protecting the physical and cyber critical infrastructure and key resources that they own or operate." Hence, the Federal government began to directly address issues of cyber security within the Federal government systems.

As a result of HSPD-7, the Department of Homeland Security established the National Cybersecurity Division (NCSD). The objectives of this division are "... to build and maintain an effective national cyberspace response system, and to implement a cyber-risk management program for protection of critical infrastructure."¹⁰ The primary operational arms of the division are first the Cybersecurity Preparedness and National Cyber Alert System, and secondly the US Computer Emergency Response Team (US-CERT).¹¹ The National Cyber Alert System was created by US-CERT and the Department of Homeland Security to help protect computers. One of US-CERT's overarching goals is to ensure that individuals and agencies have access to timely information through tips and alerts about security topics and events.¹² The US-CERT has become the national first line of defense for the war of cyber security. The CERT's Cyber Risk Management Program assesses risk, prioritizes resources, and executes protective measures in order to secure the cyber infrastructure. It includes such things as current risk assessments and vulnerabilities that are maintained in their vulnerability database, the National Cyber Alert System, for information dissemination, and a number of other references for cyber security measures.

Due to increased cyber activity on an international scale and attacks targeted at U.S. computers and networks – including computer-controlled systems, in January 2008 President Bush signed HSPD-23 establishing a Comprehensive National Cybersecurity Initiative (CNCI).¹³ Although the document is classified, public sources have indicated that in addition to establishing the National Cyber Security Center within the Department of Homeland Security, the Initiative had 12 other objectives:

1. Move towards managing a single federal enterprise network;
2. Deploy intrinsic detection systems;
3. Develop and deploy intrusion prevention tools;
4. Review and potentially redirect research and funding;
5. Connect current government cyber operations centers;
6. Develop a government-wide cyber intelligence plan;
7. Increase the security of classified networks;
8. Expand cyber education;
9. Define enduring leap-ahead technologies;
10. Define enduring deterrent technologies and programs;
11. Develop multi-pronged approaches to supply chain risk management; and
12. Define the role of cyber security in private sector domains.

Although chartered in August of 2007 prior to the issuance of HSPD-23, the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President followed HSPD-23 with a report that was critical of existing national policies and programs and provided a series of recommendations for a comprehensive national approach for securing cyberspace.¹⁴

Upon assuming office as the 44th President, President Obama made cyber security one of his top priorities. As a result, he directed a 60-day comprehensive study and review to assess U.S. policies and structures for cyber security.¹⁵ The Presidential Cyberspace Policy Review adopted the definition of cyberspace set forth in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23), which defined cyberspace as:

The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.

Further, the President's study recommends the following near term actions.

1.	Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
2.	Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
3.	Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
4.	Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5.	Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
6.	Initiate a national public awareness and education campaign to promote cybersecurity.
7.	Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
8.	Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
9.	In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
10.	Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

Appendix C, Growth of Modern Communications Technology in the United States and Development of Supporting Legal and Regulatory Frameworks, of the review also notes the role of the Federal Communications Commission. This involvement extends the policies and issues of cyber security to the non-Federal domain as the review notes,

Since its inception, the FCC has remained the primary institution responsible for formulating and implementing U.S. policies and regulations governing private, commercial electronic communications within the United States and between the United States and other countries. Its jurisdiction over "communication by wire and radio" has been reinforced by multiple amendments to the Communications Act over the years. This has enabled the FCC to affect the economic and technical development of virtually all types of electronic communications, including telegraph, telephone service, cable television, radio, television, wireless telecommunications and, more recently, emerging advanced telecommunications technologies and services.

The FCC's interest in cybersecurity is rooted in the Communications Act of 1934, as amended. Under Section 1, the Act charges the Commission with regulating interstate and foreign commerce in communication by wire and radio so as to make available to all the people of the United States rapid, efficient, nationwide, and worldwide wireless and wireline communications services for, among other purposes, the national defense and promotion of the safety of life and property. Cyber attacks can degrade or totally disrupt communications, with implications for the common welfare as well as for national defense and homeland security.

One means by which the FCC has previously sought to address cyber security has been through the Network Reliability and Interoperability Council (NRIC), a former Federal Advisory Committee composed of private sector representatives that cataloged proven operational best practices for carrying out network engineering, monitoring, and maintenance functions.¹⁶ The NRIC has been superseded by the Communications Security, Reliability, And Interoperability Council (CSRIC), but NRIC cyber security best practices remain available on PSHSB's website and are increasingly relevant. NRIC's work on cyber security was conducted by leading network operators from the communications sector and resulted in over 200 best practices to help service providers secure their networks against accidental events and criminal activities. NRIC cyber security best practices can be categorized into four basic areas: (1) updating software; (2) secure equipment management; (3) intrusion prevention and detection; and (4) intrusion analysis and response.

As the number of best practices concerning cyber security would indicate, the potential for harm to computer and communications systems due to cyber security attacks is immense. As a result, cyber security is a rapidly evolving and growing interest within the critical infrastructure community and within the FCC.

¹ See PDD-63 at http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.

² The Department of Homeland Security in the National Strategy to Secure Cyberspace (NSSC) defined cyberspace as the following (See reference in footnote #5 on Page vii). "Our Nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system—the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work. Thus, the healthy functioning of cyberspace is essential to our economy and our national security." From TechTerms.com, "Unlike most computer terms, "cyberspace" does not have a standard, objective definition. Instead, it is used to describe the virtual world of computers. For example, an object in cyberspace refers to a block of data floating around a computer system or network. With the advent of the Internet, cyberspace now extends to the global network of computers. The word "cyberspace" is credited to William Gibson, who used it in his book, Neuromancer, written in 1984. Gibson defines cyberspace as "a consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphical representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non-space of the mind, clusters and constellations of data" (New York: Berkley Publishing Group, 1989), pp. 128." See http://www.techterms.com/definition/cyberspace.

³ See http://www.itl.nist.gov/History%20Documents/Brooks%20Act.pdf.

⁴ See the NIST Information Technology, Computer Security Division web site at http://csrc.nist.gov/. It should be noted that the International Standards Organization, ISO, has also established a series of standards for information security; the ISO 27000 series of standards. See http://www.27000.org/.

⁵ See http://www.ncs.gov/library/policy_docs/eo_13231.pdf.

⁶ See NARUC http://www.archives.gov/about/laws/egov-act-section-207.html.

⁷ http://csrc.nist.gov/groups/SMA/fisma/overview.html for a discussion of the provisions of the Act.

⁸ See the NSSC at http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.

⁹ See the HSPD-7 at http://www.fas.org/irp/offdocs/nspd/hspd-7.html.

¹⁰ See the Division web site at http://www.dhs.gov/xabout/structure/editorial_0839.shtm.

¹¹ See the US-CERT web site at http://www.us-cert.gov/referral_pg/.

¹² See the US-CERT tips web site at http://www.us-cert.gov/cas/tips/.

¹³ See The Congressional Research Service (CRS) (See http://www.fas.org/sgp/crs/natsec/R40427.pdf) describes this classified Presidential Directive as follows. The CNCI establishes a multipronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems..

¹⁴ See http://csis.org/program/commission-cybersecurity-44th-presidency.

¹⁵ See "'Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure"' at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

¹⁶ Available via the FCC's website, https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm.