M2D1: Cyber Threat to U.S. National Security Module 2 Cyber issues pose several threats to U.S. National Security. In the readings for this module and the Harknett and Stever article from Module 1, t

7 One Government’s Approach to Cyber Security Policy

7.1 U.S. Federal Cyber Security Strategy

This chapter examines the cyber security policy that has been adopted by the U.S. federal government from a strategic perspective. Prior to the early 1990s, U.S. cyber security policy was a straightforward response to the proliferation of electronic records, and has been described in Chapter 2.

Here, we chronicle more recent history of federal-level cyber security issues that have prompted strategy and associated policy. The chapter explains government action in response to historical events and suggests areas that the government might consider for future action. It begins with a brief historical overview of the most significant events in the past two decades that shape today’s policy debates in Washington. While most of the events are clearly cyber-centric, some are not immediately obvious with respect to their contribution to the field of cyber security policy. We start this historical review with terrorist attacks against the United States in the early 1990s, and proceed through actions taken in subsequent administrations. The chapter concludes with general observations of strategy and policy that have been illustrated by the history.

The U.S. Federal Government’s policy attitude toward cyber security has ranged from enforcing strong standards developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to complete ignorance of the severity of the situation. At any time, several dozen bills related to cyber security are in various states of construction in the U.S. Senate and the U.S. House of Representatives.

Many of these bills are rewritten versions of efforts started by a previous Congress, and some of them are brand new efforts. None of the legislation being drafted will alone “fix” the cyber security problems faced by our nation. In fact, it is probably inappropriate for any cyber security policy professional to believe that an Act of Congress will make much difference in securing cyberspace.

Cyber Security Policy Guidebook, First Edition. Jennifer L. Bayuk, Jason Healey, Paul Rohmeyer, Marcus H. Sachs, Jeffrey Schmidt, Joseph Weiss. © 2012 John Wiley & Sons, Inc. Published 2012 by John Wiley & Sons, Inc.

Bayuk, J. L., Healey, J., & Rohmeyer, P. (2012). Cyber security policy guidebook. Retrieved from http://ebookcentral.proquest.com Created from excelsior-ebooks on 2019-10-28 18:35:28.

Copyright © 2012. John Wiley & Sons, Incorporated. All rights reserved.

There have of course been many attempts to articulate cyber security policy via Congressional action or via actions taken directly by government agencies. There are also many assumptions and misunderstandings about the convergence of policy and strategy. Pure strategy is just a blueprint for how a decision maker would like things to work. To instantiate strategy, policy is combined with process, procedure, standards, and enforcement.

Depending on the strategy, this list of things required to instantiate it may be incomplete. Moreover, even well-planned and executed attempts to instantiate a strategy may sometimes fail to achieve strategy goals. This is especially true in environments that evolve as strategy is being executed, such as in the fast-changing world of cyberspace. For example, in 2006, it became clear that identity theft was an issue that would likely be the subject for public policy. At that time, the major credit card companies likely to be targeted by any potential legislation formed the Payment Card Industry Security Standards Council, which in turn created the Payment Card Industry Data Security Standard. The standards were adopted in order to demonstrate compliance with existing financial privacy protection policy and, the cynical among us would guess, to thwart the perception that there was any need for any further legislation.

However, even after the standards were adopted, major payment processors who were compliant with the industry-created standards have been the source of massive data breaches that led directly to identity theft [1].

A similar self-regulating attempt to thwart legislation by voluntary adoption of do-not-track consumer privacy standards is under way in the online advertising industry (Wyatt 2012). These examples illustrate the fact that standards and policy are very different things, and standards that are designed to achieve policy compliance do not necessarily do so.

7.2 A Brief History of Cyber Security Public Policy Development in the U.S. Federal Government

7.2.1 The Bombing of New York’s World Trade Center on February 26, 1993

The first major terrorist attack on U.S. soil since a 1920 TNT bombing on Wall Street that killed 35 people was meant to topple the city’s tallest tower onto its twin, amid a cloud of cyanide gas (Mylroie 1995). Had the attack gone as planned, tens of thousands of Americans would have died. Instead, one tower did not fall on the other, and, rather than vaporizing, the cyanide gas burned up in the heat of the explosion. “Only” six people died and over a thousand were injured. Details of the attack were later found on the terrorist’s laptop computer, the first known case of a terrorist using a personal computer to keep track of plans and operational information.

Within a month of the blast, four individuals thought responsible for the attack were apprehended. The suspects went on trial on September 13, 1993. The trial lasted 6 months with the presentation of 204 witnesses and more than 1000 pieces of evidence. A jury convicted the four defendants on March 4, 1994, in federal court on all 38 counts against them. On May 25, 1994, a judge sentenced each of the four defendants to 240 years in prison and a $250,000 fine.

Few Americans are aware of the true scale of the destructive ambition behind the bombing, despite the fact that 2 years later, the key figure responsible for building it—a man who had entered the United States on an Iraqi passport under the name of Ramzi Yousef—was involved in another stupendous bombing conspiracy. In January 1995, Yousef and his associates plotted to blow up 11 U.S. commercial aircraft in one spectacular day of terrorist rage. The bombs were to be made of a liquid explosive designed to pass through airport metal detectors. But while mixing his chemical brew in a Manila apartment, Yousef started a fire. He was forced to flee, leaving behind a computer that contained the information that led to his arrest on February 7, 1995 in Pakistan. Among the items found in his possession was a letter threatening Filipino interests if a comrade held in custody were not released. It claimed the “ability to make and use chemicals and poisonous gas . . . for use against vital institutions and residential populations and the sources of drinking water.” Pakistan subsequently turned him over to U.S. authorities where he was sentenced to 240 years in prison on January 8, 1998.

7.2.2 Cyber Attacks against the United States Air Force, March–May 1994: Targeting the Pentagon

The computer network at Rome Labs, an Air Force facility in New York, came under a cyber attack in spring 1994 (virus.org 1998). The attack was eventually traced to two young hackers—Kuji and Datastream Cowboy—who originated in the United Kingdom but were using various points of access to hack into other Air Force facilities and the North Atlantic Treaty Organization (NATO).

Datastream Cowboy pled guilty and was fined. Kuji was an Israeli citizen and found not guilty because no Israeli laws applied to this type of incident.

This incident cost Rome Labs $500,000 to get their computers online and re-secured; however, this figure did not reflect the cost of the data compromised. One of the hackers admitted that “.mil” sites are typically easier to hack than other sites. Datastream Cowboy was 16-year-old Richard Pryce, then a pupil at The Purcell School in Harrow, Middlesex (United Kingdom). He was arrested at his home on May 12, 1994 but released on police bail the same evening.

Five stolen files, including a battle simulation program, were discovered on the hard disk of his computer. Another stolen file, which dealt with artificial intelligence and the American Air Order of Battle, was too large to fit on his desktop computer. He had placed it in his own storage space at an Internet service provider that he used in New York, accessing it with a personal password. He was located by investigators via an online chat forum where he was bragging about his activities.

Kuji was 21-year-old Mathew Bevan, a soft-spoken computer worker with a fascination for science fiction. His bedroom wall was covered with posters from “The X Files,” and one of his consuming interests was the Roswell incident, the alleged crash of a UFO near Roswell, New Mexico, in July 1947. He was arrested on June 21, 1996, at the offices of Admiral Insurance in Cardiff (United Kingdom) where he worked.

How did two rather ordinary young men manage to penetrate the military computer system and spark such a massive security alert? Both were bright and articulate, but there was nothing in their backgrounds to suggest a computer wizardry that would outwit the American military. Their success was based on a mixture of persistence and good luck, which was abetted by crude security mistakes in the Pentagon computer system. In an interview several years later Pryce said,

I used to get software off the bulletin boards and from one of them I got a “bluebox,” which could recreate the various frequencies to get free phone calls. I would phone South America and this software would make noises which would make the operator think I had hung up. I could then make calls anywhere in the world for free. I would get on to the Internet and there would be hackers’ forums where I learnt the techniques and picked up the software I needed. You also get text files explaining what you can do to different types of computer. It was just a game, a challenge. I was amazed at how good I got at it. It escalated very quickly from being able to hack a low-profile computer like a university to being able to hack a military system. The name Datastream Cowboy just came to me in a flash of inspiration.

Pryce easily gained low-level security access to the Rome computer using a default guest password. Once inside the system, he retrieved the password file and downloaded it on to his computer. He then ran a program to bombard the password file with 50,000 words a second. According to Mark Morris, a Scotland Yard investigator on the case, “He managed to crack the file because a lieutenant in the USAF had used the password Carmen. It was the name of his pet ferret. Once Pryce had got that, he was free to roam the system. There was information there that was deemed classified and highly confidential and he was able to see it.”

7.2.3 The Citibank Caper, June–October, 1994: How to Catch a Hacker

In mid-1994, an organized Russian crime gang successfully transferred $10 million from Citibank to different bank accounts all over the world. Known as the “Citibank Caper,” this incident was partially responsible for prompting the “Security in Cyberspace” hearings in the U.S. Congress chaired by Senator Sam Nunn. By most measures, those responsible for the Citibank Caper were not world-class hackers—just really poor money launderers.

When bank and federal officials began monitoring activities of a hacker moving cash through Citibank’s central wire transfer department, they were clueless about where the attack was originating. Monitoring began in July and continued into October, during which there were 40 transactions. Cash was moved from accounts as far away as Argentina and Indonesia to bank accounts in San Francisco, Finland, Russia, Switzerland, Germany, and Israel. In the end, all but $400,000 taken before monitoring began was recovered.

The break came on August 5, when the hacker moved $218,000 from the account of an Indonesian businessman to a BankAmerica account in San Francisco (Mohawk 1997). Federal agents found that account was held by Evgeni and Erina Korolkov of St. Petersburg, Russia. When Erina Korolkov flew to San Francisco to make a withdrawal in late August, she was arrested. By September, recognizing a St. Petersburg link, authorities traveled to Russia. A review of phone records found that Citibank computers were being accessed at AO Saturn, a company specializing in computer software, where Vladimir Levin worked. By late October, confident it had identified the hacker, Citibank changed its codes and passwords, shutting the door to the hacker. In late December, Korolkov began cooperating. Levin and Evgeni Korolkov were arrested at Stansted Airport, outside London, on a U.S. warrant on March 4, 1995. Unknown is how the hacker obtained passwords and codes assigned to bank employees in Pompano, Florida, and how he learned to maneuver through the system.
Citibank says it has found no evidence of insider cooperation with the hacker.

7.2.4 Murrah Federal Building, Oklahoma City—April 19, 1995: Major Terrorism Events and Their U.S. Outcomes

At 9:02 A.M. on April 19, 1995 a truck bomb destroyed the front half of the Alfred P. Murrah Federal Building in Oklahoma City killing 168 citizens, including 19 children, and injuring more than 500. The powerful blast left a 30 ft wide, 8 ft deep crater on the front of the building. Local responders, fire fighters, police force, and urban search and rescue teams rushed to the scene. Within 7 hours, the president ordered deployment of local, state, and federal resources. This was the first time that the President’s authority under the Stafford Act (section 501 [b]) was used, granting the Federal Emergency Management Administration (FEMA) primary federal responsibility for responding to a domestic consequence management incident.

The deliberate destruction of the Midwestern office building, located far outside the “nerve centers” of Washington and New York City, had a much larger impact than just the loss of lives and property. Government officials soon discovered that the explosion was felt by other government agencies and private sector businesses across the United States—due to the disruption of functions and data housed in the Murrah building. The Murrah Federal Building housed several federal offices including the Drug Enforcement Agency, the Bureau of Alcohol Tobacco and Firearms, U.S. Customs Service, U.S. Department of Housing and Urban Development, Veterans Administration, Social Security Administration, and others.

After the attack, government officials realized that the loss of a seemingly insignificant federal building was able to set off a chain reaction that impacted an area of the economy that would not have normally been linked to the functions of that federal building. The idea was that, beyond the loss of human lives and physical infrastructure, a set of processes controlled from that building was lost as well (i.e., a local bureau of the Federal Bureau of Investigation (FBI) and a payroll department), with a hitherto unimaginable impact on other agencies, employees, and/or the private sector down the supply chain and far away from the physical destruction of the building. This made clear that interdependency between infrastructures and their vulnerability were major issues.

One direct outcome of the Oklahoma City bombing was Presidential Decision Directive 39 (PDD 39), which directed the Attorney General to lead a government-wide effort to re-examine the adequacy of the available infrastructure protection.
As a result, Attorney General Janet Reno convened a working group to investigate the issue and report back to the cabinet with policy options. The review, which was completed in early February 1996, particularly highlighted the lack of attention that had been given to protecting the cyber infrastructure of critical information systems and computer networks. Thus, the topic of cyber threats was linked to the topics of critical infrastructure protection and terrorism. Subsequently, President Bill Clinton started to develop a national protection strategy with his Presidential Commission on Critical Infrastructure Protection (PCCIP) in 1996, and the issue has stayed on a high priority ever since.

7.2.5 President’s Commission on Critical Infrastructure Protection—1996

Concerns about terrorism have been raised by U.S. officials since the 1970s. However, it was not until after the Vice President’s Task Force on Terrorism issued its report in 1985 that U.S. policy was formalized. The following year, the Reagan administration issued National Security Decision Directive 207 (NSDD 207), which focused primarily on law enforcement (crisis) activities resulting from terrorist incidents abroad. It tasked the National Security Council (NSC) with sponsoring an Interagency Working Group to coordinate the national response and designated lead federal agencies for both foreign and domestic terrorist incidents. The State Department was designated as the lead agency for international terrorism policy, procedures, and programs, and the FBI was designated as the lead agency for dealing with acts of terrorism. No additional major policy changes were implemented in the federal structure until 1995.

Two months after the Oklahoma City bombing in April 1995, President Clinton issued Presidential Decision Directive 39 (PDD 39), which expanded upon NSDD 207. The following year, the PCCIP was formed by an Executive Order (EO). An excerpt from EO 13010 is below, and illustrates the deep understanding that the administration had about the importance of protecting the nation’s critical infrastructure.

Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property (“physical threats”), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (“cyber threats”). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1996_register&docid=fr17jy96-92.pdf)

The PCCIP was chaired by retired Air Force General Robert (Tom) Marsh and became known as the Marsh Commission. The Commission’s final report, Critical Foundations, was issued in October 1997, and both formalized the descriptions of the major infrastructures as well as defined threats to them (President’s Commission on Critical Infrastructure Protection 1997).

It also recommended a series of policies for the federal government, the majority of which became Presidential Decision Directive 63 in May 1998.

As a result of the Commission’s findings, the Clinton administration published PDD 63 in 1998, a landmark document outlining in detail a way ahead for protecting the nation’s infrastructures from potential attacks. Also in 1998, and also as a result of lessons learned from the Oklahoma City bombing, the Clinton administration published PDD 62 (Combating Terrorism) and PDD 67 (Continuity of Government Operations) which together with PDD 63 form a triad of national policy aimed at addressing weaknesses in various parts of the nation’s government and infrastructures. PDD 62 created the position of National Coordinator for Security, Infrastructure Protection and Counterterrorism under the NSC. PDD 63 was the first national policy on critical infrastructure protection creating the framework in which CIP policy would evolve.

7.2.6 Presidential Decision Directive 63—1998

Presidential Decision Directive 63 built on the recommendations of the PCCIP (PDD-63 1998). The Commission’s report called for a national effort to assure the security of the United States’ increasingly vulnerable and interconnected infrastructures, such as telecommunications, banking and finance, energy, transportation, and essential government services. PDD 63 was the culmination of an intense, interagency effort to evaluate those recommendations and produce a workable and innovative framework for critical infrastructure protection.

PDD-63 created four new organizations:

• The National Infrastructure Protection Center (NIPC) at the FBI fused representatives from FBI, DoD, United States Secret Service (USSS), Energy, Transportation, the Intelligence Community, and the private sector in an attempt at information sharing among agencies in collaboration with the private sector. The NIPC provided the principal means of facilitating and coordinating the Federal Government’s response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts. The NIPC was absorbed into Department of Homeland Security (DHS) in 2003.

• Information Sharing and Analysis Centers (ISACs) were encouraged to be set up by the private sector in cooperation with the Federal government and modeled on the Centers for Disease Control and Prevention. Today, there are dozens of ISACs in many sectors of the economy. Several countries have created similar organizations for their industries and economic sectors.

• The National Infrastructure Assurance Council (NIAC) was to be drawn from private sector leaders and state/local officials to provide guidance to the policy formulation of a National Plan. The NIAC was never established. A new “NIAC” (the National Infrastructure Advisory Council) was created by EO 13231 in 2001 and serves to provide the President advice on the security of information systems for critical infrastructure supporting the banking and finance, transportation, energy, manufacturing, and emergency government services sectors of the economy.

• The Critical Infrastructure Assurance Office (CIAO) was created in the Department of Commerce with the responsibility for coordinating the development of critical infrastructure sector plans by the private sector and their respective federal agency liaisons. Based on the content of the sector plans, CIAO assisted in producing the first National Plan for Information Systems Protection. The office also helped coordinate a national education and awareness program, and legislative and public affairs programs. The CIAO was absorbed into DHS in 2003.

7.2.7 National Infrastructure Protection Center (NIPC) and ISACs—1998

The NIPC had its roots in the Infrastructure Protection Task Force (IPTF), created at the FBI in 1996 in order to increase the “coordination of existing infrastructure protection efforts to better address, and prevent, crises that would have a debilitating regional or national impact.” The IPTF was placed at the FBI in order to take advantage of the FBI’s newly established Computer Investigations and Infrastructure Threat Assessment Center (CITAC), also created in 1996 to deal with computer crime.

Under PDD 63, the FBI was directed to bring together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect U.S. critical infrastructures. The NIPC was created in 1998 at the FBI to serve as the U.S. government’s focal point for threat assessment, warning, investigation, and response for threats or attacks against the critical infrastructures. The NIPC’s function was transferred to DHS in 2003.

PDD 63 assigned to industries the task of creating an ISAC, through which companies could share information about attacks, threats, and vulnerabilities. The ISAC was intended to be the NIPC’s contact for warning industries about potential threats. Eventually, several ISACs were created for railroad, electric, energy, financial services, and information technology companies. In addition to footing the bill for these councils, companies involved have had to be willing to overcome reticence about their own vulnerabilities in order to share information needed to protect national infrastructure. Several more ISACs were created in the past few years, and unfortunately most are today just a hollow shell of what they were earlier.

Information sharing is hard, and depends on building mutual trust between the people (not just the organizations) who participate in them.

7.2.8 Eligible Receiver—1997

In the summer of 1997, the U.S. Joint Chiefs of Staff organized what is known as a “no-notice” exercise that would test the Defense Department’s ability to detect and defend against a coordinated cyber attack against various military installations and critical computer networks. It would involve dozens of world-class computer hackers and last for more than a week (Pike 2012a). The Joint Chiefs gave the highly classified exercise the code name “Eligible Receiver 97.” The operational details of how the Red Team of pretend-hackers would carry out their attacks were left to senior officials from the NSA.

Prior to launching their attacks on June 9, officials briefed the team of 35 NSA computer hackers on the ground rules. They were told that they were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet. The DoD’s own arsenal of classified attack tools could not be used. The team was also prohibited from breaking any U.S. laws. The primary target was the U.S. Pacific Command in Hawaii. Other targets included the National Military Command Center in the Pentagon, the U.S. Space Command in Colorado, the U.S. Transportation Command in Ohio, and the Special Operations Command in Florida.

Posing as hackers hired by the North Korean intelligence service, the NSA Red Team dispersed around the country and began digging their way into military networks. The team gained unfettered access to dozens of critical DoD computer systems. They were free to create legitimate user accounts for other hackers, delete valid accounts, reformat hard drives, read email, and scramble data. They did all of this without being traced or identified.

The results of the exercise stunned officials, including the senior members of the NSA responsible for running it. Not only were the attackers potentially able to disrupt and cripple Defense command and control systems, but analysis of their techniques after the exercise ended revealed that much of the private sector infrastructure in the United States, such as the telecommunications networks and power grid, could easily be sent into a tailspin using the same tools and techniques.

7.2.9 Solar Sunrise—1998

In February 1998 several U.S. military system administrators reported a coordinated attack aimed at dozens of unclassified computer systems. The intruders accessed unclassified logistics, administration, and accounting systems that controlled the DoD’s ability to manage and deploy military forces (Pike 2012b). Then-U.S. Deputy Secretary of Defense John J. Hamre called it “the most organized and systematic attack to date” on U.S. military computer systems. Although the attacks exploited a well-known vulnerability in the Solaris operating system for which a patch had been available for months, they came at a time of heightened tension in the Persian Gulf.

Dr. Hamre and other top officials were convinced that they were witnessing a sophisticated state-sponsored Iraqi effort to disrupt troop deployment in the Middle East. The U.S. response to this incident required a massive, cooperative effort by the FBI, the Justice Department’s Computer Crimes Section, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration (NASA), the Defense Information Systems Agency (DISA), the NSA, the CIA, and various computer emergency response teams from the military services and government agencies. In the end, it was found that two young hackers in California had carried out the attacks under the direction of a hacker in Israel, himself a teenager.

They gained privileged access to computers using tools available from a university website and installed sniffer programs to collect user passwords.

They created a backdoor and then used a patch available from another university website to fix the vulnerability and prevent others from repeating their exploit. Unlike most hackers, they did not explore the contents of the victim computers.

Today, defense officials continue to point to Solar Sunrise as illustrative of the difficulty of separating recreational hacking attacks from the state-sponsored cyber assaults that they are still certain are on the horizon. Law enforcement, meanwhile, holds this investigation up as a textbook example of interagency cyber crime cooperation.

7.2.10 Joint Task Force—Computer Network Defense (JTF-CND)—1998

In response to the findings of the Marsh Commission, the results of Eligible Receiver 1997, and the lessons learned from the Solar Sunrise incident, the DoD began exploring several options for dealing with the clear dangers that were growing from the nation’s increased dependency on cyberspace.

After months of deliberation and heated discussions, the decision was made to create a JTF that would serve as an operational organization outside of the Intelligence Community (rather than as an arm of the Intelligence Community as many wanted) and would have authority to direct technical changes to DoD computers and networks for cyber defense purposes (Gourley 2010).

Launched in December 1998, the Joint Task Force-Computer Network Defense (JTF-CND) was initially assigned to the Secretary of Defense (SECDEF), then was further assigned to the United States Space Command (USSPACECOM) in October 1999. In 2000, it was redesignated as the Joint Task Force-Computer Network Operations (JTF-CNO), and in October 2002, with the merger of the United States Strategic Command (USSTRATCOM) and USSPACECOM, JTF-CNO became a component of USSTRATCOM. In June 2004, the SECDEF redesignated the organization as the Joint Task Force-Global Network Operations (JTF-GNO) and appointed the DISA Director to be assigned as its Commander. The JTF-GNO was given authorities and responsibilities for global network operations and defense.

In July 2004, the JTF-GNO formed the Global NetOps Center (GNC) through the functional merger of elements from the JTF-GNO’s Operations Directorate, DISA’s Global Network Operations and Security Center (GNOSC), the DoD Computer Emergency Response Team (DoD-CERT), and the Global SATCOM Support Center. As such, the GNC was responsible for guiding, directing, and overseeing daily compliance with NetOps policy, providing common defense of the DoD’s Global Information Grid (GIG), and ensuring strategic priorities for information are satisfied.

In November 2008, the JTF-GNO function was assigned to the NSA, and in June 2009 the SECDEF ordered STRATCOM to “disestablish” the JTF-GNO not later than October 2010 as part of the activation of the new Cyber Command. The colors were cased on September 7, 2010, ending its short existence.

7.2.11 Terrorist Attacks against the United States—September 11, 2001

Effects of Catastrophic Events on Transportation System Management and Operations

The terrorist attacks against the United States on September 11th, 2001 exposed not only weaknesses in physical security, airline security, law enforcement investigations, and intelligence analysis, but also demonstrated the close interdependence of the critical infrastructure in lower Manhattan, New York City (DeBlasio, Regan, et al. 2002). Beneath the streets of New York City, as in most large cities, are miles of tunnels, conduits, pathways, and routes for various infrastructures. When the WTC towers collapsed, hundreds of tons of steel and concrete impacted the surrounding area, severing underground utilities, destroying telecommunications switches, and pulverizing power distribution transformers and backup generators.

The WTC Complex’s seven buildings with its 293 floors of office space housed some 1200 companies and organizations. Each floor of the Twin Towers contained over 1 acre of office space. The complex included 239 elevators and 71 escalators.
The WTC housed approximately 50,000 office workers and averaged 90,000 visitors each day. The below-ground Mall was the largest enclosed shopping mall in Lower Manhattan as well as the main interior pedestrian circulation level for the WTC complex. Approximately 150,000 people a day used the three subway stations located below the towers in the Mall. The below-ground parking garage included space for 2000 vehicles, but only 1000 were used on a daily basis. The number of parking spaces was reduced for safety and security reasons after the 1993 attack.

Because of the terrorist bombing of the WTC in 1993 and subsequent emergencies, such as the 1999 Queens electrical blackout and the 1995 Tokyo Subway gas attack, the New York City region had dramatically increased its planning for major emergencies before September 11, 2001.

The New York City Office of Emergency Management (OEM), under the direction of the New York City Mayor’s office, significantly upgraded its resources and preparedness, including the completion of a new emergency command center in 1999 at 7 WTC. OEM formed a task force to implement upgrades to the existing emergency response plans for the New York City region. The region used the incident command system (ICS). In addition to following the ICS, individual agencies upgraded their own internal emergency procedures.

The WTC itself was upgraded after the 1993 bombing with over $90 million worth of safety improvements, including a duplicate source of power for safety equipment, such as fire alarms, emergency lighting, and intercoms. Most importantly, building management took evacuation preparedness seriously, conducting evacuation drills every 6 months. Each floor had “fire wardens,” sometimes high-ranking executives of a tenant, who were responsible for organizing and managing an evacuation of their floors. In part because of this preparedness, 99% of the occupants of each tower on the floors below the crashes survived.

On the morning of September 11, a Verizon/NYNEX building adjacent to the WTC site did not collapse, but it along with many other buildings bordering the WTC complex suffered significant damage. Not visible in the many photos taken that day is the chaos under the sidewalks and streets. The fiber optic and copper cabling that entered the Verizon building from below the streets had been physically damaged by large steel girders that pierced the sidewalks to a depth of several feet. Millions of gallons of water from broken water mains, steam lines, and the Hudson River rushed into the underground conduits that carried not only the telecommunications cables but also pneumatic mailing tubes, electrical cables, and other infrastructure. This damage extended several blocks around the WTC complex.
Several large bundles of underground fiber optic cables just outside of the Verizon building were literally sliced in half by the debris, then encased in water, mud, and steam escaping from broken high pressure lines.

The Verizon building at 140 West Street was constructed in 1926 to house the New York Telephone Company. Over the years hundreds of thousands of telephone lines were connected to the building, along with several million data circuits. Next to the Verizon building, in 7 WTC, were two of Con Edison’s electric substations that served most of the Lower East Side and virtually every building from Duane Street to Fulton Street to South Ferry. Those substations were instantly destroyed when 7 WTC collapsed late in the day on September 11. Fortunately, all 1737 of the Verizon employees were safely evacuated from the building.

Inside the Verizon building were several floors of switching equipment and communications devices. Many of the components continued to work on backup power in spite of the massive amount of physical damage. One telephone switch was found to be still functioning as it dangled from its rack, held in place only by the strength of the power cable’s outer jacket.


This illustrates the remarkable resiliency that many of the electronic components of the nation’s communications infrastructure have.

For several weeks after September 11, the sidewalks of the area around the WTC complex were covered with miles of power and communications cables. Because the underground conduits were so badly damaged, Verizon and Con Edison quickly decided to restore operations by using a street-level network.

A similar situation existed in the basement of the Pentagon directly below the impact point of American Flight 77. One of the two major Pentagon Internet gateways was impacted by the crash, but continued to function, thanks to the quick thinking of an employee who was able to crawl into the damaged space with an extension cord to power the routers. The devices were still functioning when the overhead debris was removed several days later.

Many lessons about the communications infrastructure’s vulnerabilities to a physical attack were learned following September 11. Unfortunately, it was discovered that the redundancy previously engineered in the networks had been largely reduced due to years of telephone company mergers and acquisitions. For example, the NYSE had designed over a dozen separate communications paths, with roughly half of them terminating at the Verizon building and the remainder traveling over diverse routes to other switching offices further north. On September 11, there were still over a dozen “separate paths,” but they were only virtual—all but one physically terminated at the Verizon building.

Many of America’s large metropolitan areas have two major central telephone switching centers, a remnant of the days when AT&T dominated the telephone market. It is important for businesses to determine the physical paths that their communications circuits take to their local switching office, and to ensure that they are not paying for what really amounts to “virtual” diversity.

7.2.12 U.S. Government Response to the September 11, 2001 Terrorist Attacks

The United States Commission on National Security in the 21st Century had issued a set of national policy recommendations in February 2001—well before the September terrorist attacks—in a report titled Seeking a National Strategy (http://www.au.af.mil/au/awc/awcgate/nssg/phaseII.pdf).

Chaired by former Senators Gary Hart (D) and Warren Rudman (R), the so-called Hart-Rudman Commission echoed earlier reports, speaking anxiously of the inevitability of a major terrorist act on U.S. soil and of the nation’s weak ability to prevent or respond to such an attack—concerns which were validated just 8 months later on September 11.


Among other things, the Commission called for the creation of a new federal agency, to be named the National Homeland Security Agency (NHSA). The new organization’s mission would be “to consolidate and refine the missions of the nearly two dozen disparate departments and agencies that have a role in U.S. homeland security today.” Although neither Hart–Rudman nor the earlier Gilmore Commission (1999) focused specifically on critical infrastructure, the reports nonetheless reinforced the basic message of the 1996/97 PCCIP: the time for action was now, not later.

While agreeing with Hart–Rudman that a central coordinating point for “homeland security” was called for, President George W. Bush initially chose to establish the function on September 20, 2001 within the White House under the title of Office of Homeland Security (OHS). OHS subsequently became the Homeland Security Council (HSC) the following month. Political pressures ultimately led to the creation of a Cabinet-level organization, the DHS, in November 2002. The OHS/HSC director, former Pennsylvania Governor Tom Ridge, was named the nation’s first Secretary of Homeland Security in February 2003. The HSC continued as a separately staffed organization through the end of the George W. Bush administration. In 2009, the Barack Obama administration consolidated the staffs of the National Security and Homeland Security councils into a single National Security Staff. The NSC and HSC now exist by statute as separate advisory councils to the President, while supported by a single staff.

Also following the September 11 attacks, President Bush issued EO 13231, Critical Infrastructure Protection in the Information Age (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr18oc01-139.pdf), making cyber security a priority and, accordingly, increasing funds to secure federal networks. EO 13231 created two new White House organizations, the White House Office of Cyberspace Security and the President’s Critical Infrastructure Protection Board (PCIPB).

While both organizations were officially part of the new HSC, the Cyber Security Office was located in the Eisenhower Executive Office Building (EEOB) and was considered to be part of the NSC staff. The PCIPB offices were located a few blocks from the EEOB, outside of the tight White House security perimeter, thus allowing for easier access to coordinate interagency actions and to involve the private sector in the development of a National Strategy to Secure Cyberspace.

In 2002, the President moved to consolidate and strengthen federal cyber security agencies as part of the proposed DHS. DHS was activated early in 2003, and the National Cyberspace Security Division (NCSD) was created in June 2003. The NCSD and the CERT/CC at Carnegie Mellon University jointly run the United States Computer Emergency Readiness Team (US-CERT) as a single point of contact for addressing emerging national cyberspace security issues.


7.2.13 Homeland Security Presidential Directives

Since its creation in 1947 the NSC has been the principal forum for presidential consideration of foreign policy issues and national security matters.

In the process of developing policy recommendations for the President the NSC gathers facts and views of government agencies, and then conducts analyses, determines alternatives, and presents to the President policy choices for his or her decision. The President’s decisions are then announced by decision directives. Because the Bush administration had both an NSC and an HSC, there were two sets of decision directives published during his two terms in office—National Security Presidential Directives (NSPDs) and Homeland Security Presidential Directives (HSPDs).

Three HSPDs are worth mentioning here, as they illustrate how different types of cyber security policy needs can ultimately become Presidential decision directives. HSPD 7 replaced PDD 63 (Clinton administration) and increased the number of critical sectors to seventeen. HSPD 12 introduced the requirement for a common identification system for all federal employees and federal contractors. HSPD 23, one of the last HSPDs issued by President Bush, was also published as NSPD 54 and outlined a 12-point comprehensive plan for securing the federal government’s own networks as well as networks in the private sector that support the critical infrastructure. This plan is commonly known as the Comprehensive National Cybersecurity Initiative (CNCI).

The Bush administration issued HSPD 7 on December 17, 2003, which established a national policy for federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks. HSPD 7 tasked the Secretary of Homeland Security with coordinating the overall national effort to enhance the protection of the critical infrastructure and designated other departments and agencies with sector-specific responsibilities.

HSPD 7 replaced PDD 63 and raised the total number of critical infrastructure sectors to 17. (An eighteenth sector—critical manufacturing—was added in 2009.) The following paragraphs from HSPD 7 show how the sectors were realigned after the creation of DHS:

(15) The Secretary [of Homeland Security] shall coordinate protection activities for each of the following critical infrastructure sectors: information technology; telecommunications; chemical; transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems; emergency services; and postal and shipping. The Department [of Homeland Security] shall coordinate with appropriate departments and agencies to ensure the protection of other key resources including dams, government facilities, and commercial facilities. In addition, in its role as overall cross-sector coordinator, the Department shall also evaluate the need for and coordinate the coverage of additional critical infrastructure and key resources categories over time, as appropriate.

(18) Recognizing that each infrastructure sector possesses its own unique characteristics and operating models, there are designated Sector-Specific Agencies, including:

(a) Department of Agriculture–agriculture, food (meat, poultry, egg products);
(b) Health and Human Services–public health, healthcare, and food (other than meat, poultry, egg products);
(c) Environmental Protection Agency–drinking water and water treatment systems;
(d) Department of Energy–energy, including the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities;
(e) Department of the Treasury–banking and finance;
(f) Department of the Interior–national monuments and icons; and
(g) Department of Defense–defense industrial base.

(19) In accordance with guidance provided by the Secretary [of Homeland Security], Sector-Specific Agencies shall:

(a) collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the sector; and
(c) encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

Sector Specific Agencies, in conjunction with their Sector Coordinating Councils (industry) and Government Coordinating Councils (government), work together via a framework of risk analysis and information sharing that is specified in the National Infrastructure Protection Plan (NIPP). Development of the NIPP was called for in HSPD 7 (see paragraph 27), and the NIPP is maintained by DHS. The first interim NIPP was published in 2004, and the latest version was published in 2009.

7.2.14 National Strategies

While publishing national strategies is a routine function of the federal government, a handful of national strategies written in the wake of the 2001 terrorist attacks are worth mentioning in the context of homeland and cyber security. These publications are the ultimate in presidential strategic policymaking, and set forth visionary statements and concepts that are then used by the various departments and agencies to develop their own strategic and operational policies.


The National Strategy for Homeland Security (2002) defined “homeland security” and identified a strategic framework based on three national objectives:

• Preventing terrorist attacks within the United States
• Reducing America’s vulnerability to terrorism
• Minimizing the damage and recovering from attacks that do occur.

Improved “information sharing” has always been an objective of the government, and the Homeland Security Strategy recognized both the power of using information systems to improve information sharing, as well as the many gaps that remained to be filled. From the Strategy’s executive summary:

Information systems contribute to every aspect of homeland security.

Although American information technology is the most advanced in the world, our country’s information systems have not adequately supported the homeland security mission. Databases used for federal law enforcement, immigration, intelligence, public health surveillance, and emergency management have not been connected in ways that allow us to comprehend where information gaps or redundancies exist. In addition, there are deficiencies in the communications systems used by states and municipalities throughout the country; most state and local first responders do not use compatible communications equipment.

To secure the homeland better, we must link the vast amounts of knowledge residing within each government agency while ensuring adequate privacy.

The National Strategy for Homeland Security identifies five major initiatives in this area:

• Integrate information sharing across the federal government;
• Integrate information sharing across state and local governments, private industry, and citizens;
• Adopt common “meta-data” standards for electronic information relevant to homeland security;
• Improve public safety emergency communications; and
• Ensure reliable public health information.

An updated National Strategy for Homeland Security was published in October 2007 that set forth four new goals:

• Prevent and disrupt terrorist attacks;
• Protect the American people, our critical infrastructure, and key resources;
• Respond to and recover from incidents that do occur; and
• Continue to strengthen the foundation to ensure our long-term success.


The 2007 Strategy expanded the scope beyond terrorism to include man-made and natural disasters. The first three goals listed above focused on organizing national efforts. The last goal was designed to create and transform homeland security principles, systems, structures, and institutions.

This included a comprehensive approach to risk management, building a culture of preparedness, developing a comprehensive Homeland Security Management System, improving incident management, better utilizing science and technology, and leveraging all instruments of national power and influence.

The National Strategy to Secure Cyberspace (2003) outlined an initial framework for both organizing and prioritizing efforts. It provided direction to the federal government departments and agencies that have roles in cyberspace security. It also identified steps that state and local governments, private companies and organizations, and individual Americans could take to improve the nation’s collective cyber security. The Strategy highlighted the role of public/private engagement and provided a framework for the contributions that can be made to secure all parts of cyberspace. Because the dynamics of cyberspace would require adjustments and amendments to the Strategy over time, the original concept was to update the strategy annually. However, no changes have been made to it since being published in February 2003.

The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003) identified a clear set of national goals and objectives and outlined the guiding principles that underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy, and public confidence. The Strategy also provided a unifying organization and identified specific initiatives to drive our near-term national protection priorities and inform the resource allocation process.
Most importantly, it established a foundation for building and fostering the cooperative environment in which government, industry, and private citizens could carry out their respective protection responsibilities more effectively and efficiently. Like the National Strategy to Secure Cyberspace, it has not been updated since its publication in February 2003. However, two recent cyber strategies were published by the Obama administration, one on trusted cyberspace identities and the other addressing international cyberspace practices.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions (http://www.nist.gov/nstic/about-nstic.html). The Strategy calls for the development of interoperable technology standards and policies—an “Identity Ecosystem”—where individuals, organizations, and underlying infrastructure—such as routers and servers—can be authoritatively authenticated. The goals of the Strategy are to protect individuals, businesses, and public agencies from the high costs of cyber crimes like identity theft and fraud, while simultaneously helping to ensure that the Internet continues to support innovation and a thriving marketplace of products and ideas.

In 2011, President Obama issued an International Strategy for Cyberspace to pursue a policy that would empower innovation as well as the ability to seek, receive, and impart information and ideas through any medium and regardless of frontiers, protected from fraud, theft, and threats to personal safety. As a goal, it was stated that, “The United States will work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.” The goal was followed by several specific policy statements that reflect our national values:

• States must respect fundamental freedoms of expression and association, online as well as off.
• States should in their undertakings and through domestic laws respect intellectual property rights, including patents, trade secrets, trademarks, and copyrights.
• Individuals should be protected from arbitrary or unlawful state interference with their privacy when they use the Internet.
• States must identify and prosecute cybercriminals, to ensure laws and practices deny criminals safe havens, and cooperate with international criminal investigations in a timely manner.
• Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace.

7.3 The Rise of Cyber Crime

In any culture there will be criminals who take advantage of the less fortunate, the gullible, and those who do not pay attention to their own personal security. The Internet culture is no different, with the exception that many criminals can ply their trade nearly anonymously and away from the reach of most law enforcement activities. Typically, Internet crime centers on credit card theft, fraud, online gambling, and pornography, and attempts to swindle users through the use of fake email and fake web sites.

Other crimes include theft of intellectual property, including peer-to-peer file swapping and the sale or distribution of cracked or copied software.

In the 1990s, many security professionals believed that we were on a collision course with some major type of Internet disruption—a “cyber Pearl Harbor” as it was frequently called. However, beginning around the end of 2003 and early 2004, another threat emerged and has dominated the scene since then. Organized crime has discovered that there is just too much value online to ignore it. That makes all online users the new victims of crime, and often they have no idea that they have been robbed or swindled.

To make matters worse, the explosion of “Web 2.0” technologies (wikis, peer-to-peer, social networking, and other forms of self-expression) has made it even easier for the criminals to take advantage of unsuspecting victims. In industrial plants it is even worse—many of these new technologies are replacing older systems as they are upgraded. By bringing in Web 2.0 technologies to monitor and run ICS/SCADA systems, we are potentially opening our internal control networks to the outside criminal community. There is an enormous amount of value in a critical infrastructure control system, and criminal groups around the world are only milliseconds away from exploiting any small mistake you might make.

Each year since 2008, Verizon has published a report called the Data Breach Investigation Report (DBIR), an analysis of investigations into the sequence of events that lead to breaches into large databases of information. Year after year the Verizon team has claimed the vast majority of all large data breaches are driven by criminal intentions. The latest statistics, based on nearly 800 breaches that were investigated in 2010 (number in parenthesis is the percentage change from 2009) and published in 2011, show that (Baker, Hutton et al. 2011):

• 92% stemmed from external agents (+22%)
• 17% implicated insiders (−31%)
• 9% involved multiple parties (−18%)
• 50% utilized some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (−31%)
• 11% employed social tactics (−17%)
• 83% of victims were targets of opportunity (<>)
• 92% of attacks were not highly difficult (+7%)
• 76% of all data was compromised from servers (−22%)
• 86% were discovered by a third party (+25%)
• 96% of breaches were avoidable through simple or intermediate controls (<>)
• 89% of victims subject to PCI-DSS had not achieved compliance (+10%).

Crime fighters are quickly learning how to detect and chase criminals in cyberspace, but this is not an easy fight to win. The clear advantage goes to the criminals today. Hopefully, the advantage will shift to the good guys in a few years but for now the Internet is just like the Wild West of 150 years ago.

A more sinister criminal technique has come to light in the past few years—counterfeit computer and networking equipment manufactured in Southeast Asia that is bound for the American markets. Investigations by the FBI and other law enforcement agencies have found that an estimated 10% of all electronics coming into the United States is counterfeit, or contains a significant amount of counterfeit parts. Even worse, there is growing evidence supporting a theory that foreign governments are deliberately installing backdoors and other hidden access capabilities into products made in their country that are sold on the open world market. The Defense Department, Homeland Security, and others are gravely concerned about what this could mean for critical infrastructure systems and networks in the long term.

7.4 Espionage and Nation-State Actions

During the Cold War and in the centuries prior to it, nations took great risks to recruit and train spies to operate on foreign soil. Today, the Internet has made spying as easy as opening up a web browser then querying a search engine, and has reduced the risk of loss of human life to nearly zero. Of course, that theory is only good for spying on countries that are well connected.

Beyond governments, many companies engage in an activity known as “competitive intelligence,” a euphemism for corporate espionage. It has become so popular that there is even a well-recognized professional association for all of the corporate spies to belong to—the Strategic and Competitive Intelligence Professionals, or SCIP (formerly known as the Society of Competitive Intelligence Professionals, they changed their name in May 2010; http://www.scip.org).

In the late 1990s, several U.S. government systems were found to have hidden accounts and large amounts of unauthorized activity. As the investigation developed, more computers and systems outside of the federal government were found to have unauthorized accounts. “Data exfiltration” became the new buzzword, rather than “intrusion” or “unauthorized access.” The targets seemed to be large databases that contained atmospheric data, bathymetric data, and other information that took decades to accumulate. The source of the attacks was not clear—the intruders used complex methods to route attacks through multiple compromised computers and used “drop sites” as collection points for the data being stolen. In no cases were any signs of disruption present. It all appeared to be electronic espionage, a classic case of theft of intellectual property, only via the Internet rather than using microfilm and a spy camera as James Bond would have done.

During the Cold War, the spy community was clearly focused on the United States versus the USSR espionage. But in recent years, the focus has moved from former Soviet countries to China. The culture in China supports academic and scholarly achievement. Many students and professors treat the Internet as an experiment, and routinely gain access to remote systems or locate bugs in vulnerable software purely for academic purposes. Their findings are published in academic papers, and the researchers move along to the next project. Some, however, have found that there is incredible value in this research and have begun to make a business out of it, selling their findings to governments, criminal groups, and perhaps even terrorists.

In 2003, a series of cyber attacks that were believed to be of Chinese origin were found to be targeting American computer systems. Dubbed “Titan Rain” by the Defense Department, the investigation of the intrusion remained classified until the story was leaked to the press. Following the press leak, it was revealed that the attackers had gained access to many computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. While the names of the investigations have changed over the years, the espionage continues to the present day.

Chinese cyber-spying came into the public realm in the spring of 2006 when a private sector system administrator noticed that many of his users were receiving emails with Microsoft Word attachments containing Chinese. When opened, Word would crash and the dialog box asking the user if they wanted to share the data with Microsoft appeared. The sysadmin contacted the SANS Internet Storm Center, which in turn published a diary about the problem. In a few days, the issue was traced to a zero-day vulnerability in Word. The intruders had found a way to modify Word documents, using the vulnerability to write information into a specific memory location using Object Link Extensions (OLE) in Microsoft’s Office products. This technique gave the intruders a path to install malicious code of their choosing, which could range from simple key-logging software to complete “rootkit” packages that give full control of the hijacked computer to the intruder.

But China is not the only suspect in terms of information technology products modified for espionage or cyber warfare purposes. Perhaps the best (and scariest) example of this trend was the discovery of the Stuxnet worm in the middle of 2010.
Thought to be written by one or more Western nations, the software was designed to physically damage specific components of nuclear fuel refinement installed in Iran. Rather than spreading over a network like the Internet, Stuxnet was designed to jump across network “air gaps” by infecting common universal serial bus (USB) memory sticks. The origins of Stuxnet remain a mystery, but the source code is available for anybody to modify and redeploy against new targets.

7.5 Policy Response to Growing Espionage Threats: U.S. Cyber Command

In 2009, the Defense Department’s Cyber Command (USCYBERCOM) assumed the duties of the JTF-GNO, a “temporary” organization launched in 1998 to counter the growing threat of cyber intrusions coming from foreign countries. The highly complex attacks of the late 2000s led the White House to rethink how best to counter the growing threat and to permanently institutionalize cyber security into military plans and operations. Today, USCYBERCOM directs the operations and defense of most DoD networks, and when directed by the President can also conduct “full spectrum” military cyberspace operations. However, USCYBERCOM has no authority over the operation of private sector networks like the Internet or the public telephone system.

According to the Defense Department, USCYBERCOM will fuse the Department’s full spectrum of cyberspace operations and will plan, coordinate, integrate, synchronize, and conduct activities to: lead day-to-day defense and protection of DoD information networks; coordinate DoD operations providing support to military missions; direct the operations and defense of specified DoD information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations. The command is charged with pulling together existing cyberspace resources, creating synergy that does not currently exist and synchronizing war-fighting effects to defend the information security environment.

USCYBERCOM will centralize command of cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD’s cyber expertise. Consequently, USCYBERCOM will improve DoD’s capabilities to ensure resilient, reliable information and communication networks, counter cyberspace threats, and assure access to cyberspace.

USCYBERCOM’s efforts will also support the Armed Services’ ability to confidently conduct high-tempo, effective operations as well as protect command and control systems and the cyberspace infrastructure supporting weapons system platforms from disruptions, intrusions and attacks.

USCYBERCOM is a sub-unified command subordinate to U.S. Strategic Command (USSTRATCOM). Service Elements include Army Forces Cyber Command (ARFORCYBER); 24th USAF; Fleet Cyber Command (FLTCYBERCOM); and Marine Forces Cyber Command (MARFORCYBER).

It remains to be seen how effective the USCYBERCOM will be with respect to increasing the security of the nation’s most sensitive networks. One of the most significant challenges will be the long-standing “stove pipe” mentality of military organizations—that what is mine is mine and no other group or command should have any authority over what is on my plate.

Because of the millisecond nature of cyberspace and the realization that risks created by one group can quickly affect other groups, this attitude will have to change in order for the USCYBERCOM to be successful. Unfortunately for organizations that refuse to collaborate or interlock their defenses, they are more exposed to adversarial groups which have learned to exploit weaknesses along these boundaries.

7.6 Congressional Action

As this book is being written, several bills are in various states of construction in the U.S. Senate and the U.S. House of Representatives. Many of these bills are rewritten versions of efforts started by the previous Congress, and some of them are brand new efforts. None of the legislation being drafted will alone “fix” the cyber security problems faced by our nation.

In fact, it is probably inappropriate for any cyber security policy professional to believe that an Act of Congress will make much difference in securing cyberspace.

The 111th Congress (2009–2010) produced over 50 separate “cyber bills” that attempted to fix cyber security problems with legislation. In the Senate, two bills dominated most of the discussion—the Lieberman/Snowe (Homeland Security Committee) bill and the Rockefeller/Collins (Commerce Committee) bill. The former bill introduced a “kill switch” concept that was widely ridiculed in the media and around Washington. It was ultimately removed from the bill’s language, but the concept has remained as a reminder of how far the Congress had planned to go with respect to their legislative agenda. There was a strong desire to pass comprehensive cyber security legislation before the 2010 mid-term elections in order to show bipartisan support for addressing a growing national threat, but neither the Senate nor the House was able to produce a bill that reached their respective floors for a vote.

The 112th Congress (2011–2012) at the time of this writing has at least a dozen cyber security bills introduced in both the Senate and the House.

Most of these bills are rewrites of bills introduced in the 111th Congress, although some are a fresh start. However, as the focus of the Congress is on budgets and economic issues, it is unlikely that a comprehensive cyber security bill will get enacted into law very soon. More likely is the approach advocated by the House majority to draft and pass smaller pieces of legislation that address specific problems.

Some cyber security related bills have already been discarded. For example, the Stop Online Piracy Act (SOPA, H.R. 3261) and the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act, or PIPA, S.968) were congressional bills intended to expand the ability of U.S. law enforcement to fight online trafficking in copyrighted intellectual property and counterfeit goods. Both of these bills were widely criticized in the technical community and were eventually rejected by Congress after influential Internet sites such as Wikipedia shut down for a day in protest.

Two House bills, H.R. 3523 (“Cyber Intelligence Sharing and Protection Act of 2011,” introduced by Congressman Mike Rogers and Congressman Dutch Ruppersberger) and H.R. 3647 (“Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011,” introduced by Congressman Daniel Lungren) seem to have less controversy. The former bill addresses specific legal restrictions that prevent the private sector and the government from sharing critical and time-sensitive cyber security data.

The latter bill is much more comprehensive and includes provisions for a new information sharing organization, designates a lead cyber security official at DHS, promotes research at DHS to find new solutions to technical cyber security issues, and directs DHS to develop a national cyber security incident response plan in conjunction with private sector critical infrastructure asset owners.

A major consideration in both the House and Senate cyber security legislation is the concept of “covered critical infrastructure”—or what parts of the private sector the legislation applies to. In one House bill, the definition includes those facilities or functions that, if disrupted or destroyed by way of cyber vulnerabilities, could result in significant loss of life, a major economic disruption, mass evacuations of major population centers, or severe degradation of national security capabilities. Several industry sectors are seeking specific “carve-outs,” or exceptions to this definition, so that they remain outside any new government oversight or regulation. Their argument is that their sectors are subject to external forces beyond their control and that any restrictive legislation would either hamper technical growth or limit asset owners from being able to profitably operate their infrastructure systems.

According to several Senators, the prime motivator for action is the fear that an attack on the United States’ critical infrastructure via the Internet is not only possible but is highly likely in the near future. The Congress does not want to be left holding the bag; they would rather be in a position to show that they had taken action ahead of the crisis, and could not be accused of inattention to the issue. The private sector, on the other hand, would rather that the government fixes its own house first before imposing any regulatory or punitive framework onto businesses.
Industry would rather that government provide incentives to be more secure, along the lines of reduced regulatory burden, lower business taxes, and perhaps credits or grants to offset costs. However, in the budget-conscious world of today, it is very unlikely that the Congress will enact any cyber security legislation that costs taxpayers money. Cost-neutral incentives are what industry needs to identify, and then perhaps a middle ground can be found.

7.7 Summary

The U.S. federal government’s policy attitude toward cyber security has ranged from enforcing strong standards developed by NIST and the NSA to complete ignorance of the severity of the situation. This chapter has attempted to show how federal government policy has changed over the past two decades in response to changing threats and growing dependence on cyberspace. As the Internet and cyberspace have evolved over the past 20 years, so have government’s cyber security policy efforts. Unfortunately, the threats and vulnerabilities of cyberspace are evolving faster than public policy can keep up (Brenner 2011). The best efforts may only have slowed attacks or restricted the amount of damage that can be done.

Cyber security policy is not static and must be just as flexible as the cyberspace it is designed to protect and manage. Often, governments cannot adapt to rapid change and quickly fall behind with respect to public policies while attack strategies, systems, and human education and awareness continue to evolve. It is possible that the federal government’s own organization, being very hierarchical and linear, is its own worst enemy when it comes to securing computers and computer networks. By contrast, adversary networks may be expected to be operated by very loosely linked administrative leadership and sparse operational structures that are nevertheless capable of strategic coordinated attacks (Robb 2007).

Cyberspace is complex and interconnected with no single point of authority or control. Defending networks may also require a decentralized and nonhierarchical approach to organizational management (Brafman and Beckstrom 2006). Some private sector companies have moved to a flat, decentralized organizational construct, and have thereby become more successfully resilient to outside forces. It may also be time to rethink governmental organization models to make them look more like cyberspace.

Bayuk, J. L., Healey, J., & Rohmeyer, P. (2012). Cyber security policy guidebook. Retrieved from http://ebookcentral.proquest.com Created from excelsior-ebooks on 2019-10-28 18:35:28.

Copyright © 2012. John Wiley & Sons, Incorporated. All rights reserved.