*EPF506 09/20/2002
Excerpt: White House Issues Cyber Security Plan
(Containing threats requires cooperation from all sectors, plan recommends) (3880)

The President's Critical Infrastructure Protection Board (PCIPB) has issued a draft plan for upgrading security protections for the nation's cyberspace infrastructure.

"'The National Strategy to Secure Cyberspace' describes initiatives to secure U.S. information systems against deliberate, malicious disruption and to foster an increased national resiliency," according to the report's introduction. The strategy emphasizes that protection of the nation's information technology infrastructure is not a job that government can do alone, but one that requires the cooperation and diligence of home computer users, business users, and state and local governments.

The plan has been in the making for a year, and is still a work in progress. The version released September 18 is a draft, and the PCIPB is still accepting public comment on how the strategy should be further amended.

The PCIPB plan is an adjunct to the nation's homeland security plans. The authors say a wide range of characters threaten the critical information infrastructure that supports all business, government and public safety systems. The report also notes thousands of millions of dollars in losses suffered by businesses over the last year when their computer systems were temporarily disabled by viruses and worms set loose through cyberspace.

"The overall national strategic goal is to empower all Americans to secure their portions of cyberspace," the report says, emphasizing the need for heightened awareness, more sophisticated protective technologies, and ongoing education and training.

The report also emphasizes the importance of working with the international community to achieve a higher level of global awareness and assure the adoption of adequate cybersecurity measures by all nations.

The report is available in full at http://www.whitehouse/pcipb.gov

Following are excerpts from the report:

(begin excerpt)

(begin excerpt)

HIGHLIGHTS

This section summarizes and provides a framework for the rest of the document. It highlights in one place the most important recommendations that will be discussed in later sections.

Strategy

The security of cyberspace depends vitally on all owners of the nation's cyber infrastructure, from the home user to the Federal government. Each individual and organization has a responsibility to secure its own portion of cyberspace. The Strategy is designed to empower each person and each organization to do its part. It provides a roadmap for how to achieve cybersecurity and provides tools to better empower all Americans to do so.

To create this strategic roadmap, the owners of each major component of cyberspace have been developing their own plans for securing their portions of the infrastructure. Some of these plans are already developed and are contained in this document. Others will be added over time. Together they will reflect a national partnership between private sectors, government, and individuals to vigorously create, maintain, and update the security of cyberspace.

The overall national strategic goal is to empower all Americans to secure their portions of cyberspace. This strategic goal will be accomplished through six major tools for empowering people and organizations to do their part:

1. Awareness and Information: Educate and create awareness among users and owners of cyberspace of the risks and vulnerabilities of their system and the means to mitigate these risks.
2. Technology and Tools: Produce new and more secure technologies, implement those technologies more quickly, and produce current technologies in a more secure way.
3. Training and Education: Develop a large and well-qualified cybersecurity workforce to meet the needs of industry and government, and to innovate and advance the nation's security capabilities.
4. Roles and Partnerships: Foster responsibility of individuals, enterprises, and sectors for security at all levels through the use of market forces, education and volunteer efforts, public-private partnerships, and, in the last resort, through regulation or legislation.
5. Federal Leadership: Improve Federal cybersecurity to make it a model for other sectors by increasing accountability; implementing best practices; expanding the use of automated tools to continuously test, monitor, and update security practices; procuring secure and certified products and services; implementing leading-edge training and workforce development; and deterring and preventing cyber attacks.
6. Coordination and Crisis Management: Develop early warning and efficient sharing of information both within and between public and private sectors so that attacks are detected quickly and responded to efficiently.

In each section of this Strategy, the reader will find some or all of these themes reflected in two ways. First, the introduction to each section lays out the strategic goals for that audience or level of the Strategy. Second, each section highlights ongoing programs, recommendations, and topics for discussion that will serve to develop the strategic goals.

In this section, these strategies and supporting actions are summarized. In this National Strategy, the reader will find new recommendations for actions, and numerous questions and topics for debate. It will be the goal of the Federal government to help facilitate the evolution of these discussions so that they become recommendations. Recommendations will evolve, in turn, and some will become initiatives of individuals, organizations, or government.

Summary of Recommendations by Section

The National Strategy calls for actions at all levels and across all sectors. Some of the major strategic innovations called for in this document are highlighted below. A detailed discussion of each of these innovations is included in the pages that follow.

Awareness and Information

The Strategy identifies the need for increased awareness about the vulnerability of America's cyber infrastructure and provides information that each person, company, organization, and agency can use to help make cyberspace more secure. It recommends:
--Home users and small businesses should recognize that they have an important role to play in securing cyberspace, including securing their own computer systems, accessing the Internet in a secure manner and drawing on best practices that can be found at a number of web sites including: www.StaySafeOnline.info, www.nipc.gov, and www.crsc.nist.gov.
--The President's Critical Infrastructure Protection Board's Awareness Committee should foster a public-private partnership to develop and disseminate cybersecurity awareness materials, specifically, audience-specific tools and resources for annual awareness training.
--State and local governments and private entities should identify or develop guidelines covering cyber awareness, literacy, training, and education, including ethical conduct in cyberspace, tailored to each level of a student's education.

Technology and Tools

The Strategy identifies the need for increased cybersecurity-related research. It recommends:
--A public-private partnership should, as a high priority, develop best practices and new technology to increase security of digital control system (DCS) and supervisory control and data acquisition (SCADA) systems in utilities, manufacturing, and other networks. In the interim, owners and operators of pipelines and power grids that rely on DCS/SCADA systems should closely examine the risks of Internet connections and take appropriate actions, such as implementing secure authentication within 24 months. Other industries with heavy reliance on DCS/SCADA should consider doing the same. The Department of Energy's recent guidelines provide information on securing SCADA systems.
--The President's Critical Infrastructure Protection Board should coordinate with the Director of the Office of Science and Technology Policy on a program of Federal government research and development including near-term (1-3 years), mid-term (3-5 years), and long-term (5 years out and longer) IT security research. Federally funded near-term IT security research and development for FY04 and beyond should include priority programs identified by OSTP and the R&D Committee. Existing priorities include, among others, intrusion detection, Internet infrastructure security (including protocols e.g. BGP, DNS), application security, denial of service, communications security (including SCADA system encryption and authentication), high assurance systems and secure system composition.
--Public-private partnerships should identify cross-sectoral cyber and physical interdependencies. They should develop plans to reduce related vulnerabilities, in conjunction with programs proposed in National Strategy for Homeland Security. It is within the scope of the National Infrastructure Simulation and Analysis Center to assist with these efforts.

Training and Education

The Strategy addresses the existing gap between the need for qualified IT professionals and America's ability to train and develop these workers. Specific recommendations include:
--States should consider creating Cyber Corps scholarship-for-service programs at State universities, to fund the education of undergraduate and graduate students specializing in IT security who are willing to repay their grants by working for the states. The existing Federal Cyber Corps scholarship-for-service program should be assessed for possible expansion to additional universities, with both faculty development and scholarship funding. The program could also add a faculty and program development effort with community colleges.
--The CIO council and relevant Federal agencies should consider establishing a "Cyberspace Academy," linking Federal cybersecurity and computer forensics training programs.
--IT security professionals, associations, and other appropriate organizations should explore approaches to and the feasibility of a nationally recognized certification program, including a continuing education and retesting program. The Federal government could assist in the establishment of such a program, and, if it is created, consider requiring that Federal IT security personnel be appropriately certified.

Roles and Partnerships

The Strategy recognizes that all Americans have a role to play in cybersecurity, and identifies the market mechanisms for stimulating sustained actions to secure cyberspace. It recommends:
--CEOs should consider forming enterprisewide corporate security councils to integrate cybersecurity, privacy, physical security, and operational considerations.
--State and local governments should consider establishing IT security programs for their departments and agencies, including awareness, audits, and standards. State, county, and municipal associations could provide assistance, materials, and model programs.
--Internet service providers, beginning with major ISPs, should consider adopting a "code of good conduct" governing their cybersecurity practices, including their security-related cooperation with one another.
--The Federal government should identify and remove barriers to public-private information sharing and promote the timely two-way exchange of data to promote increased cyberspace security.
--Colleges and universities should consider establishing together: (a) one or more information sharing and analysis centers (ISACs) to deal with cyber attacks and vulnerabilities; (b) model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity; (c) one or more sets of best practices for IT security; and (d) model user awareness programs and materials.

Federal Leadership

The Strategy recognizes the pressing need to make Federal cyberspace security a model for the nation. It recommends:

--In order to enhance the procurement of more secure IT products, the Federal government, by 4Q FY03, will complete a comprehensive program performance review of the National Information Assurance Program (NIAP) to determine the extent to which NIAP is cost effective and targets a clearly identified security gap; whether it has defined goals to close the gap, whether it is achieving those goals, and the extent to which program improvements, streamlining, or expansion are appropriate and cost effective.

--Federal departments should continue to expand the use of automated, enterprisewide security assessment and security policy enforcement tools, and actively deploy threat management tools to preempt attacks. By 3Q FY03, the Federal government will determine whether specific actions are necessary (e.g., through the policy or budget processes) to promote the greater use of these tools.

--By the end of 2Q FY03, consider the cost effectiveness of a scenario-based security and contingency preparedness exercise for a selected cross-government business process. Should such an exercise take place, any security weaknesses shall be included as part of agencies' Government Information Security Reform Act (GISRA) corrective action plans.

--Federal departments and agencies must be especially mindful of security risks when using wireless technologies. Federal agencies should consider installing systems that continuously check for unauthorized wireless connections to their networks. Agencies should carefully review the recent NIST report on the use of wireless technologies and take into account NIST recommendations and findings. In that regard, agency policy and procedures should reflect careful consideration of additional risk reduction measures including the use of strong encryption, bidirectional authentication, shielding standards and other technical security considerations, configuration management, intrusion detection, incident handling, and computer security education and awareness programs.

--As part of the annual departmental IT security audits, agencies should include a review of IT-related privacy regulation compliance.

Coordination and Crisis Management

The Strategy identifies a pressing need for a comprehensive national analysis and warning capability. It recommends:

--ISPs, hardware and software vendors, IT security-related companies, computer emergency response teams, and the ISACs, together, should consider establishing a Cyberspace Network Operations Center (Cyberspace NOC), physical or virtual, to share information and ensure coordination to support the health and reliability of Internet operations in the United States. Although it would not be a government entity and would be managed by the private sector, the Federal government should explore ways in which it could cooperate with the Cyberspace NOC.

--Industry should, in voluntary partnership with the Federal government, complete and regularly update cybersecurity crisis contingency plans, including a recovery plan for Internet functions.

--The law enforcement and national security community should develop a system to detect a national cyber attack (cyber war) and a plan for immediate response. As part of this process, the appropriate entities should establish requirements and options.

--Owners and operators of information system networks and network data centers should consider developing remediation and contingency plans to reduce the consequences of large-scale physical damage to facilities supporting such networks. Where requested, the Federal government could help coordinate such efforts and provide technical assistance.

--The United States should work with individual nations and with nongovernmental organizations (e.g., Forum of Incident Response and Security Teams (FIRST)), and international organizations (e.g., International Telecommunications Union (ITU)), to promote the establishment of national and international watch and warning networks that will be designed to detect and prevent cyber attacks as they emerge. In addition, such networks could help support efforts to investigate and respond to attacks.

Six tools for empowerment discussed for each level of audience

The Strategy provides a roadmap to help Americans understand their part in securing cyberspace. To make this roadmap easier to use, it is divided into audience levels: Level 1 for home users and small businesses, Level 2 for large enterprises, Level 3 for sectors including government, private industry, and higher education, Level 4 for national issues and efforts, and Level 5 for discussion of global issues. Each of these levels and their sub-levels will have its own strategic goal. These goals will be supported by strategic actions that the nation will take to achieve the goals. The six tools for empowerment (see page 11) will help drive corresponding strategic actions at each level. Some or all of the six tools may be employed at each level. For example, "Awareness and Information" will help empower the home user as well as private sector employees and Federal workers to secure their portion of cyberspace. Roles and partnerships will be identified and described at all levels. Not every tool will be appropriate for every level, but, taken together, these tools will underpin all of the nation's efforts to secure cyberspace.

(end excerpt)

(begin excerpt)

LEVEL 5: GLOBAL
The strategic goal is to work with the international community to ensure the integrity of the global information networks that support critical U.S. economic and national security infrastructure. This goal can be achieved through a range of initiatives. The United States will:

--promote the development of an international network to identify and defend against cyber incidents as they begin;
--encourage all nations to pass adequate cybersecurity laws so that U.S. law enforcement can investigate and prosecute cybercrime committed against the United States and its interests, whether it originates domestically or abroad;
--work through international organizations to foster a "Culture of Security" worldwide, to ensure the long-term security of the global information infrastructure; and,
--promote the international adoption of common international technical standards that can help assure the security of global information infrastructures.

Issues and Challenges

The U.S. interest in promoting cybersecurity extends well beyond its borders. Critical domestic information infrastructures are directly linked with Canada, Mexico, Europe, Asia, and South America. The nation's economy and security depend on far-flung U.S. corporations, military forces, and foreign trading partners that, in turn, require secure and reliable global information networks to function. The vast majority of cyber attacks originates or passes through systems abroad, crosses several borders, and requires international cooperation to stop.

In 1998, the United States received a wake-up call to the national security dimensions of the threat. Eventually dubbed "Solar Sunrise," this incident found U.S. military systems under electronic assault, with computer systems in the United Arab Emirates the apparent source. Unclassified logistics, administrative, and accounting systems essential to the management and deployment of military forces were penetrated at a time that military action was being considered against Iraq due to its failure to comply with UN inspection teams trying to uncover evidence of weapons of mass destruction. The timing of the attacks raised U.S. suspicion that this was the first wave of a major cyber attack by a hostile nation.

It was eventually learned that two California teenagers under the guidance and direction of a sophisticated Israeli hacker, himself a teenager, had orchestrated the attacks using hacker tools readily available on the Internet. They had attempted to hide their involvement by connecting through overseas computers. Even cybercrimes committed by Americans against U.S. computers often have an international component.

Another event illustrated the threat to the global economy no less starkly. Early in February 2000, computer servers hosting several of the largest commercial web sites on the Internet were flooded with connection requests, which clogged systems and consumed server capacity. Ultimately, these distributed denial-of-service (DDoS) attacks paralyzed large parts of the Internet. Only through close cooperation between U.S. and Canadian law enforcement investigators was it discovered that a Canadian teenager, operating under the moniker of "Mafiaboy," had been breaking into legions of computers around the world for many months. Retaining control over these compromised servers, he created a "zombie army" which on command would flood the servers of his next corporate victim. The slowdowns and outages that occurred resulted in more than an estimated billion dollars in economic losses.

Only a few months later, on the morning of May 4, 2000, the "I love you" virus began infecting computers around the globe. First detected in Asia, this virus quickly swept around the world in a wave of indiscriminate attacks on government and private sector networks. By the time the destructive pace of the virus had been slowed, it had infected nearly 60 million computers and caused billions of dollars in damage. Cooperation among law enforcement authorities around the world led to the identification of the perpetrator, a computer science dropout in the Philippines. He was neither charged nor punished for his deeds because, at the time, the Philippine criminal code did not explicitly outlaw such actions.

Together, these incidents make clear that U.S. domestic efforts alone cannot deter or prevent this tide of attacks. We must work closely with our international partners to put into place those cooperative mechanisms that can help prevent the damage resulting from such attacks; and if prevention fails, have those instruments in place that can help us to investigate and prosecute such crimes.

Discussion of Strategy

The United States will promote a wide range of initiatives to enhance cyberspace security globally and will disseminate key policy messages through the full array of bilateral, multilateral and international fora, as appropriate. These initiatives will: build real-time, "24/7" watch-and-warning networks to identify incidents and stop them; establish and link a network of cyberspace security coordinators in each nation; use international organizations to promote regionally the principles and standards essential to fostering a global culture of cyberspace security; assist nations in developing the laws and acquiring the skills to effectively investigate and prosecute cybercrime across international borders; and foster collaboration among the best minds in the world on long-term solutions to cybersecurity.

Strengthening International Coordination

Threat Management: For the past three years, the United States has been reaching out to other countries on the issue of cyberspace security. These efforts will be expanded to ensure that international coordination in preventing debilitating cyber incidents is institutionalized. We will encourage each nation to develop its own watch-and-warning network capable of informing government agencies, the public, and other countries about impending attacks or viruses. To facilitate real-time sharing of the threat information as it comes to light, the United States will foster the establishment of an international network capable of receiving, assessing, and disseminating this information globally. Such a network will build on the capabilities of nongovernmental institutions such as the Forum of Incident Response and Security Teams (FIRST) and such long-standing international telecommunications institutions as the International Telecommunication Union (ITU) of which nearly every nation is a member together with over 600 private sector organizations.

National Cyberspace Coordinators: The United States will urge each nation to build on the common Y2K experience and appoint a centralized point-of-contact who can act as a liaison between domestic and global cybersecurity efforts. Establishing these points of contact can greatly enhance the international coordination and resolution of cyberspace security issues.

North American Cyberspace Security: Particular emphasis will be put on ensuring that North America will be a "Safe Cyber Zone." Working with Canada and Mexico to identify best practices for securing the many shared and connected information networks that underpin telecommunications, energy, transportation, and banking and finance systems, emergency service, food, public health, and water systems, the United States will seek coordinated solutions to ensure the integrity and reliability of those systems critical to Americans' way of life.

Working Through International Organizations

Combating Cybercrime: The United States will actively foster international cooperation in investigating and prosecuting cybercrime. Ongoing multilateral efforts, such as those in the G-8, Asia-Pacific Economic Council (APEC), Organization of Economic Cooperation and Development, and the Council of Europe, are important to success in this area. The United States will work to implement agreed-upon recommendations and action plans that are developed in these fora. Among these initiatives, the United States in particular will urge countries to join the 24-hour, high-tech crime contact network begun within the G-8, and now expanded to the Council of Europe membership, as well as other countries.

The United States has signed and supports the recently concluded Council of Europe Convention on Cybercrime, which requires countries to make cyber attacks a substantive criminal offense and to adopt procedural and mutual assistance measures to better combat cybercrime across international borders. The United States will encourage other nations to accede to the Convention or, at a minimum, make their laws consonant with these requirements.

Efforts to Develop Secure Networks: To ensure the security of information systems and to promote the sharing of important knowledge, the United States will engage in cooperative efforts to solve technical, scientific, and policy-related problems connected with assuring the integrity of information networks. Key initiatives will encourage the development and adoption of international technical standards and facilitate collaboration and research among the world's best scientists and researchers.

The United States will also promote such efforts as the Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks, which strive to inculcate a "culture of security" across all participants in the new information society.

Because most nations' key information infrastructures reside in private hands, the United States will seek the participation of U.S. industry to engage foreign counterparts in a peer-to-peer dialogue, with the twin objectives of making an effective business case for cybersecurity, and explaining successful means for partnering with government on cybersecurity.

(end excerpt)

(end excerpt)

(Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)
