Securing the Cyber Homeland

Published on June 2016

Research project examining the effectiveness of the United States cyber security posture. Created by Donnel A. Hinkins for HLS498 Homeland Security Capstone at Thomas Edison State College.


1|SECURING THE CYBER HOMELAND

SECURING THE CYBER HOMELAND
Donnel A. Hinkins
2014FEB HLS-498-OL0009 Homeland Security Capstone
Mentor: Dr. Marian Leerburger


ABSTRACT

This report focuses on the United States’ cyber security posture. This research was conducted with the intention of determining if the United States is adequately prepared to thwart or respond to cyber attacks. The qualitative research method was used. Data was gathered through a combination of document review and open answer surveys by individuals working in the Information Assurance and Cyber Security fields in the government and private sector. This research examines the risks to critical infrastructure in the United States with regard to possible cyber attacks. This research also examines the collaboration efforts being made between government agencies and between government and the private sector. Lastly, the impact the nation’s protection efforts have on civil liberties is examined to determine if it is effective.


TABLE OF CONTENTS
Chapter 1: Introduction
Chapter 2: Literature Review
Chapter 3: Research Design and Methodology
Chapter 4: Results of the Study or Creative Project
Chapter 5: Summary and Discussion
References
Appendix


CHAPTER 1: INTRODUCTION

The internet is a web of connected nodes that spans the entire globe. The internet has billions of users who use it for a variety of purposes, such as email, banking, e-commerce transactions, and education. The unlimited possibilities of the internet along with its global reach make it a potential target for criminal activity. A globally connected internet also increases the possibility that an adversary can use the internet to target critical systems of companies or other nations. As a nod to the increased risks of the global internet, the US Defense Department named Cyberspace a new domain of warfare in 2011. William Lynn, US Deputy Secretary of Defense, stated in 2010 that, “As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a manmade domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it” (Aucsmith, 2012).

As more people get online and rely more on the internet in their day-to-day lives, it is important to remain safe and secure in cyberspace. On home computers, users rely on a combination of antispyware and antivirus software to protect themselves from potential online threats. However, antivirus software residing on one computer can only go so far. The process of identifying and mitigating potential exploitations is a continuous and important process. In Homeland Security, the primary goal is exactly as it sounds: to protect the homeland. With so many uses of the internet, it is imperative that the United States Government work to protect its citizens and infrastructure in cyberspace as well. This leads to an important question. Is the United States adequately prepared to thwart and respond to possible cyber security attacks?

As mentioned, the goal of Homeland Security is to protect the nation from the many threats that it faces. Certainly national cyber security is important given the many threats that the USA faces in cyberspace. Government at times can be large and cumbersome, with many agencies tasked with the same or similar functions. As we learned from the 9/11 Commission Report, one of the biggest shortfalls that led to the failure of preventing and responding to the attacks was agencies not working together efficiently. According to the 9/11 Commission Report, “the Incident Command System did not function to integrate awareness among agencies or to facilitate interagency response” (National Commission on Terrorist Attacks upon the United States, 2004). This report will investigate the current United States cyber security posture with the intention of identifying successes and pitfalls in the national cyber security protection efforts.

In order to answer the main question there are a few other considerations that must be taken into account. Is the United States’ critical infrastructure protected? This is important because, although rare, the United States power grid and water systems have components that reside in cyberspace. Imagine if a hacker in another country an ocean away could successfully target a specific computer system that manages a key function of the power grid. It would not be the first time that the internet was used militarily. The United States and Israel are accused of successfully deploying a computer virus that targeted computer systems in Iran’s major nuclear complexes. The Stuxnet virus is just one example of how the internet can be used militarily to target and destroy infrastructure. The power grid and water systems are not the only targets for internet-based attacks. Any of the uses of the internet can be targeted for possible exploitation; just think about the billions in monetary transactions conducted in cyberspace every day. Criminals don’t even need to leave their homes to conduct high profile heists.
Another key question to be asked is if the cyber security protection efforts are a collaborative effort between all branches of the government. As mentioned earlier, the government can be large and cumbersome at times, with multiple agencies serving the same or similar functions. Regardless, some government agencies have specific missions and capabilities that others do not. For example, the intelligence communities may have signals intelligence that would be helpful to uncover or thwart a cyber attack. It would be important that these agencies share information and collaborate with one another in order to maximize the potential for success.

Preparing for and mitigating cyber security risks is not solely a job for government. Just as in the emergency preparedness component of homeland security, cyber security protection efforts require that government and the private sector maintain a level of cooperation. This brings up another very important question. Are government and private sector efforts effectively coordinated? Individuals in the private sector may also possess skills that are not possessed by those working in the government sector. Also, the private sector consists of companies that manufacture information technology equipment as well as software to protect against threats, such as antivirus software. It is important that government and the private sector collaborate on a frequent basis in order to share information on threats and work on possible courses of action to resolve those threats.

On another note, it is important that related information is communicated efficiently to regular end users. The majority of internet connected systems in America are in regular users’ homes and pockets. These devices are being used by people who have varying skill sets when it comes to information technology. That being said, it is nonetheless important that end users are aware of the risks they face online and that at a minimum they know how to keep themselves protected in cyberspace.
A final, very important question that must be asked is whether or not a concerted effort is made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure. This is important because the United States is a nation known for freedom. In the quest to secure the cyber homeland, protecting civil liberties is paramount. Any effort to secure infrastructure must be met with an equal effort in ensuring that civil liberties aren’t violated. This means that policy should reflect such a goal. An example of implementing such a strategy is the hiring of individuals tasked with the sole responsibility of identifying potential violations of civil liberties in cyber protection programs. This is especially true for the government sector because it possesses tools and techniques to gather signals intelligence that may not be public but may be beneficial to the end goal. Those tools may help protect the cyber homeland, but precautions must be taken to ensure that they are not used in a way that infringes on the basic rights of privacy that every American is guaranteed.

The internet is changing the world in more ways than one. The militarization of the internet is inevitable in the future. There is a lack of international legislation that governs exploration of the internet, much less the rights and freedoms a user on the internet possesses. Much like the Moon Treaty and the Antarctic Treaty, the international community will eventually have to recognize the internet as a sort of uncharted frontier that no person or nation can claim ownership of and work to prevent its militarization. But regardless of any legislation, there will be those who will use cyberspace to inflict digital terrorism. Therefore it is important that the United States recognize that guarding against cyber attacks must be a high profile homeland security goal. The questions asked in this paper will identify if the United States cyber security posture is effective by examining the policies, procedures, and the major players that shape it.


CHAPTER 2: LITERATURE REVIEW

Cyberspace is a digital realm that consists of interconnected computer systems and the methods of transporting data between them. The term cyberspace is used more loosely to describe the internet and its various uses. The uses can range from conducting business to communicating with family to playing video games with people from around the world. In reality cyberspace is not a physical domain. Although cyberspace is not a physical place, it has characteristics of a real world location. One can’t travel to cyberspace but with cyberspace, the world is at your fingertips. The internet can be your bookstore, your movie theater, and even your school. The uses and benefits of cyberspace elevate it to the level of a physical realm simply because there are so many possibilities.

Much like every other physical domain, there is always opportunity for exploration. There is also the possibility of exploitation. As nations work to implement strategies to mitigate the potential for terrorism, terrorists are forced to adapt their strategies as well. This requires nations to balance their approach to cyberspace with respect to exploration and the potential for exploitation by adversaries. While cyberspace offers an unlimited potential for growth and the introduction of new capabilities, it also comes with vulnerabilities and the potential that the benefits can be exploited. This leads to a very important question. Is the United States adequately prepared to thwart and respond to possible cyber security attacks?

In order to determine fully the effectiveness of the United States cyber security posture one must identify all possible targets. The overall goal of terrorism is to promote fear amongst the population. An attack on a symbolic site could have a psychological effect on the public. An attack on critical infrastructure can cause widespread panic and ultimately it can be costly to the nation.
According to Sean Condron, the government’s approach to protecting cyberspace focuses on the concept of “critical infrastructure.” The USA PATRIOT Act of 2001 defines critical infrastructure as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Condron, 2007). The term critical infrastructure can refer to transportation, the water supply, communication systems, electrical distribution systems, financial systems, and a few other assets. Collectively, all of these assets and their operations are important to the nation.

There are many assets that make up the nation’s critical infrastructure. For the purpose of this paper, identifying the risk posed by adversaries utilizing cyberspace is of importance. If an adversary can gain access to and control of a critical system in cyberspace, their actions can affect people in the real world. A connection to the public internet is not a requirement to infect a computer. In fact, many critical systems such as those at water treatment plants and power grids are rarely connected to the internet. Viruses and other malicious software can be delivered by other means, such as a thumb drive or an unprotected computer with access to the internet. Malicious software can then spread across the private intranet at those sites and infect other computers or equipment. This scenario is exactly how the Stuxnet virus inadvertently spread from Iranian sites to the internet. According to Vincent Manzo of The National Interest, “an error in the code caused the worm to replicate itself and spread when an Iranian technician connected an infected laptop computer to the internet” (Manzo, 2013). The effectiveness of Stuxnet is indeed a milestone for the United States’ offensive cyber capabilities. However, the unintended spread, as well as the precedent its use set for using cyber warfare (or sabotage) to influence a political dispute, is something that the United States must take note of when updating its cyber security posture. Using Stuxnet as a blueprint, the use of such technology offensively could be an opening for other nations to justify using cyber weapons as well.


In order to effectively use all of the tools and capabilities at the disposal of the United States Government, there must be a collaborative effort between all branches of the government. Relevant information must flow between all government players in order to maximize the potential for success. In order to do so, policy must reflect the desire and agencies must work to create a mutual framework for conducting joint operations. An example of such an agreement is the Memorandum of Agreement between the Department of Defense and the Department of Homeland Security. In 2010, Robert Gates and Janet Napolitano, Secretaries of Defense and Homeland Security respectively, signed a Memorandum of Agreement between the two agencies. The agreement’s purpose was to “set forth terms by which DHS and DoD will provide personnel, equipment, and facilities in order to increase interdepartmental collaboration in strategic planning for the Nation's cybersecurity, mutual support for cybersecurity capabilities development, and synchronization of current operational cybersecurity mission activities” (Gates & Napolitano, 2010).

Overall, the US Government has realized the benefit of integrating certain activities at an interagency level. The President of the United States, Barack Obama, recognizes the importance of mutual assistance in cyber security operations much like other Homeland Security functions. After taking office in 2009, the President convened a Cyberspace Policy Review. The purpose of the panel was to review “federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure” (Obama, 2009). The recommendations made by the Cyberspace Policy Review were used to bolster the Comprehensive National Cybersecurity Initiative, or CNCI, that was created during the Bush Administration. The overall purpose of the CNCI was to strengthen the cyber security of the nation through a set of interdependent goals. However, the President recognized that the CNCI couldn’t achieve its goals without changing certain aspects of how the government operated. In the past, infighting between different executive branch agencies did more harm than good to the overall cyber security strategy. According to Jesse Emspak, Security Contributor for Tech News Daily, “bureaucratic battles among federal agencies over primacy in cybersecurity mostly between the Department of Homeland Security and the National Security Agency seem to have settled into a working, if not always perfect, relationship” (Emspak, 2011). Of those changes recommended by the Cyberspace Policy Review, interagency cooperation was determined to be necessary to enhance the possibility of success. Agencies must work together, because ultimately they are working to support the same customers: the American people.

In cyber security the government is not the only source of protection. The private sector is important to the overall cyber security strategy as well. That being said, cooperation must not only be between government agencies. Maintaining an effective cyber security posture means bringing players from the private sector into the mix. This leads to another important question. Are government and private sector efforts effectively coordinated? The hardware, software, and means of communication that make up cyberspace are created by professionals in the public sector. Surely, it would be imperative to include software and hardware developers and others in the private sector in the overall cyber security defense plan. After all, it is their software and hardware that would be subject to exploitation. Policy-wise, President Obama issued Executive Order 13636 in February 2013. The title of the Executive Order was “Improving Critical Infrastructure Cybersecurity”. The President, emboldened by the frequency of digital encroachment on critical infrastructure, created Executive Order 13636. Section 4(a) of Executive Order 13636 states that “it is policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats” (Obama, 2013). This is an indication that the administration realizes the importance of bringing the public sector to the table.

As the nation improves its offensive and defensive cyber security tools, there must be a concerted effort to ensure that those tools aren’t used to infringe on the civil liberties that are a way of life in America. The Constitution of the United States guarantees basic rights and freedoms that must not be taken away. Even an effort to “provide for the common defense” is not justification to infringe on those rights and freedoms. The desire to protect the privacy of Americans must be ingrained in law and in policy. Section 5(a) of Executive Order 13636 directs agencies to “coordinate their activities under the order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities” (Obama, 2013). In addition to protecting the nation from cyber attacks, there must be an effort to ensure that the nation does not stray away from the values that its citizens hold so dear.

It is important that the United States develop and maintain capabilities to thwart, and respond if necessary to, cyber attacks. Protecting the critical infrastructure of the nation is of utmost importance. Interagency cooperation and collaboration is important to the cyber defense mission. Coordination between the government and the private sector is a crucial piece of the puzzle. Lastly, the nation must not be so caught up in the pursuit of defense that it fails to meet its moral obligations to the American people. Civil liberties must not take a backseat to any program, even those intended to defend the nation.


CHAPTER 3: RESEARCH DESIGN AND METHODOLOGY

Introduction

The purpose of this research is to determine if the United States is adequately prepared to thwart and respond to possible cyber attacks. In order to answer the main question, there are several related sub questions that must be answered. Is the United States’ critical infrastructure protected? Are cyber security protection efforts a collaborative effort between all branches of the government? Are government and private sector efforts effectively coordinated? Is a concerted effort made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure? By answering these questions the researcher will be able to critique the current cyber security posture.

To maximize the effectiveness of this report and in order to answer each question, specific research methods will be followed. Specific statistical information is not important to the overall question which, combined with the sub questions, is a matter of policy and procedural effectiveness. Therefore, the qualitative research method will be the most suitable for this project. This is because the qualitative research method uses words and pictures and focuses on occurrences in natural settings. By following the qualitative research method, the researcher will be able to determine the effectiveness of the United States’ cyber security posture.

Plan of Action

The plan of action for this research project will be structured in a manner that will allow the researcher freedom to gather relevant data from multiple sources. The overall design of the research will be that of a case study. According to the World English Dictionary, a case study is “the act or an instance of analyzing one or more particular cases or case histories with a view to making generalizations” (“case study”). This research project will use document review extensively. The government has massive repositories of documents related to past, current, and future plans for government policy. Researching laws, memorandums, Executive Orders, and other documents will provide a wealth of information on the research topic. There will also be a need to read and analyze white papers from cyber security professionals in the public arena.

A combination of structured and unstructured interviews will also be conducted. Informal interviews with representatives from US-CERT and CYBERCOM will be helpful because those individuals are responsible for the bulk of the United States cyber security planning and enforcement. Information Assurance personnel across the military will also be utilized, because they will, at least at a basic level, have experience with external attacks against their systems and the steps implemented to mitigate those risks. Interviews will be generally unstructured to allow the participants freedom to discuss only the information they are comfortable with sharing. This is because some of the cyber security work conducted by US-CERT and CYBERCOM is classified. Classified information will be protected at all times and in no way will be used, gathered, or discussed for this project. Participants will be required to obtain permission for discussing their processes and procedures, even if they aren’t classified, because they can still be sensitive; as with classified data, sensitive information will not be used, gathered, or discussed at all for the purpose of conducting this project. The only information that will be used is information that would otherwise be considered to be public knowledge.

Research Methodology for Data Collection for Research and Applied Projects

Document review and secondary research will be the primary methods for gathering information on the first sub question. That question deals with whether or not the United States’ critical infrastructure is protected. There may not be a massive amount of information on this topic for obvious reasons. However, there are other individuals that have studied this topic extensively. Their work will provide the basis for the secondary research. The specifics on which critical systems (if any) reside on the internet may not be readily available. Therefore, the researcher must look at the work of others to help answer this question. Also, there are articles that cover the topic and incidents that have occurred already. In those articles there will be a lot of lessons learned. Those lessons learned will in turn provide the researcher with an idea of where the problems lie in securing critical infrastructure as well as provide information on what the government plans to do to address those issues. The researcher will also need to pay attention to new technology in the works such as the smart grid. The new technology specifications and descriptions themselves may hint at problems that currently exist and provide insight on what is being done to address those problems.

Document review will be the primary source of data for gathering information on the second sub question. That question is, are cyber security protection efforts a collaborative effort between all branches of the government? Document review will be primary because memorandums and other directives will dictate the desire for such collaborative activities. Furthermore, the policies and procedures for setting up and conducting interagency collaborative activities will be dictated in documents such as memorandums of agreement or understanding between the respective agencies. Interviews with information assurance and security personnel will also be pertinent because they are the people tasked with managing risks related to the transfer, storage, and usage of data. Information Assurance technicians should be aware of any collaborative effort to secure information systems, at the very minimum those that are government owned and reside on a government network. The combination of document review and informal interviews should provide an idea of procedures, programs, and policies that encourage interagency cooperation on cyber security.


The third question will generally be answered by information gained through document review. The purpose of the third question is to determine whether or not government and private sector efforts are effectively coordinated. This question can be answered by a variety of means. The researcher will need to look for evidence of government and private sector collaboration across several spectrums. Are government agencies sharing data with technology companies that make antivirus software or with hardware manufacturers? Does the private sector share proprietary information with the government? Does the government work with the private sector to create training programs for government information technology personnel? Each one of these questions will be important to answer in order to answer the main question, because if the researcher can show the extent of government and private sector cyber security collaboration and cooperation, the researcher will be in a better position to answer the question as to whether or not that cooperation is effective.

The fourth and final question will be answered mainly by document review. The final question is meant to analyze the government’s ability and commitment to protecting civil liberties. The ability to adequately protect the cyber infrastructure means that the government will have to apply special techniques and capabilities. This question seeks to determine if there is an equal balance in the ability to protect the cyber infrastructure and the desire to simultaneously ensure that the rights and liberties of citizens are protected. The researcher will need to analyze appropriate documentation concerning personnel and procedures meant to address civil liberty concerns. A desire to protect civil liberties would be reflected in policy and procedures. Does the government employ individuals with the sole purpose of identifying and addressing civil liberty concerns? What procedures are followed when violations are found? The answers to those questions must be uncovered by the researcher in order to determine the answer to the question.


Conclusion: Analysis and Organization of Data

Once the data is gathered it must be organized appropriately. The researcher must follow a general outline when organizing the data. The main question will be answered by four sub questions. Each of the sub questions is very distinct, specific, and important to answering the main question. The data gathered by research must be organized in a manner that will effectively answer the sub questions and therefore the main question. Information gathered by interviews with cyber security experts will be used when such information exists on any specific topic. However, government documents such as memorandums, laws, and Executive Orders will be relied upon greatly in the project. The documents will provide great detail on where the nation was, where it is currently, and where it is headed with respect to cyber security awareness and protection. The researcher must be careful not to neglect new policies or laws when using the government documents as references. This is because items such as Executive Orders can be rescinded by new administrations or replaced with new policies. Therefore, careful attention to detail must be given when citing those documents. Together the documentation review and interviews will allow the researcher to determine whether or not the government is adequately prepared to thwart and respond to cyber security incidents.


CHAPTER 4: RESULTS OF THE STUDY

The purpose of this research project is to determine if the United States is adequately prepared to thwart and respond to possible cyber attacks. There are several sub questions that must be answered. Is the United States’ critical infrastructure protected? Are cyber security protection efforts a collaborative effort between all branches of the government? Are government and private sector efforts effectively coordinated? Is a concerted effort made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure? By answering these questions the researcher will have enough information to determine if the current cyber security strategy is working effectively.

While conducting the research, specific research methods were followed. The qualitative research method was followed when conducting the research for this project. The qualitative research method was preferred because it uses words and pictures and focuses on occurrences in natural settings. A combination of document reviews and informal interviews was used in an attempt to determine the effectiveness of the United States’ cyber security posture.

The data gathered for the first question came mainly from document reviews. The question focuses on whether or not the United States’ critical infrastructure is protected. As expected, there was not a massive amount of data sources for this topic. The topic itself is a sensitive one and there was no expectation that the answers to the question would be readily available. Therefore, the research was focused on gathering information on past occurrences as well as new technological advances. The idea was that by researching the past, the researcher would be able to have an idea of where the nation was with respect to protecting critical infrastructure. The research also focused on emerging technology, with the belief that those innovations were triggered by the desire to correct past flaws. Knowing those flaws was believed to be important in determining current vulnerabilities.

In order to determine if critical infrastructure is protected, one must know what critical infrastructure is. The Department of Homeland Security defines critical infrastructure as “the backbone of our nation's economy, security and health. Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof” (“critical infrastructure”). That being said, critical infrastructure is agriculture, water, emergency services, defense industry, banking, hazmat, energy, communications, and transportation and the systems that provide the services. For this research project the focus was specifically centered on the critical infrastructure with components that reside in cyberspace or those that can be exploited by cyber attacks. According to a press release from Aegis London, a recently completed study determined that there is a “shift from attacks focused on breaching sensitive data to those which target critical infrastructure” (Freed, 2014). The study was commissioned by Aegis London and completed by BAE Systems Applied Intelligence. The report found that cyber attacks were no longer solely focused on information technology infrastructure. According to the Chairman of AEGIS London Alan Maquire, “cyber terrorists have turned their attention to operational technologies and the critical infrastructure they support” (Freed, 2014). One positive finding by the study was that power companies are generally aware of the risks they face related to their technology systems. Regardless, many experts in the energy sector feel that there remains a risk that will eventually materialize in the unforeseen future. The development of the Smart Grid is meant to address the issues of the current century-old power grid. 
Resiliency against physical and cyber attacks is a primary goal of the Smart Grid program.

The second sub question to be answered was related to interagency cyber security cooperation and whether or not it is effective. Data gathered to answer the second question was gathered through document review and a basic survey (see Appendix, Figure 2). The survey consisted of six open ended essay questions. The first six questions dealt with the respondent’s opinions on interagency cyber security cooperation, cooperation with the private sector, and the US cyber security posture in general. The survey also allowed the respondent to comment on what he or she felt was lacking in the nation’s cyber security strategy. The survey was sent to individuals representing cyber security operations in the government and private sector. The respondents were obtained through professional networking, peers, and a listserv of IT personnel across the DoD. The respondents consisted of a chief information officer, a cyber security expert from US-CERT, and the CEO of a firm that provides cyber security training, just to name a few. There were 12 respondents total to the survey. There were varying opinions on the issue of interagency cooperation in regards to cyber security. The majority of the respondents felt that there is not adequate collaboration between governmental agencies. There were some respondents who argued that the reason interagency collaboration was lacking was due to the fact that there was a lack of a system for facilitating information sharing. And even in the cases that there was a system, the agencies would pick and choose what information to share with one another either to keep it a secret or avoid embarrassment that may be caused by negative disclosures. There were also respondents that felt that efforts were being improved. However, there was a general theme that bureaucracy was to blame for efforts not being properly coordinated. 
Curt Schadewald, a Cyber Security Analyst for the National Guard Bureau elaborated on this topic further (see Appendix, Figure 3.11). Mr. Schadewald noted that US-CERT does in fact have mechanisms in place to share data. However
he believes that the success rests on the individual agency’s ability to report. Mr. Schadewald mentioned Cyber Guard as an example of interagency collaboration. Cyber Guard was a weeklong joint exercise between the National Guard, USCYBERCOM, NSA, and FBI and focused on defensive cyber security efforts amongst the various agencies. Another intended purpose of the Cyber Guard exercise was to build working relationships between the cyber security professionals in those agencies. Policy-wise, the collaboration of governmental agencies on cyber security matters is considered to be a major goal of the Comprehensive National Cybersecurity Initiative. The Comprehensive National Cybersecurity Initiative or CNCI specifically identifies information sharing as a core necessity of maintaining effective cyber security efforts. A key initiative of the CNCI is “to establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions” (“CNCI”). The CNCI identifies other initiatives that are meant to reinforce the national cyber security strategy. The CNCI is being developed as the main policy for US cyber security efforts. The third question pertains to the effectiveness of collaboration between government and private sector entities. The participants of the survey were asked if they felt that the efforts between government and private sector were effectively coordinated. This was another question that resulted in varying answers. There were some respondents who felt that there was no need for government and private sector collaboration, and there were those who felt that there should be a limited amount of collaboration between the two. Mr. Collins Orizu, an Information
Security Network Analyst with US-CERT noted in his survey that US-CERT uses software called EINSTEIN that helps in the efforts to collaborate with the private sector (see Appendix, Figure 3.12). As a result of EINSTEIN “US-CERT has greater situational awareness and can more effectively develop and more readily share security relevant information with network defenders across the U.S. Government, as well as with security professionals in the private sector and the American public” (Obama, 2013). The general consensus reached by examining the responses to the question was that there is a level of collaboration. However, each side has its own reasons as to why they don’t share all data with each other. The government is believed to share only information that is not classified and the private sector only shares information that is necessary. That being said, the belief is that the government’s reluctance to share information with the private sector is related to the desire to control the disclosure of sensitive information or the means for obtaining such information. The private sector’s reluctance is believed to be related to the pursuit of profits and the overall fear of government interference in corporate cyber security efforts. There is information sharing and collaboration between the government and public sector but government policy and procedures are seen as hampering the ability for the two to truly cooperate. As a matter of policy the administration of President Barack Obama is focused on bringing all players in the cyber security arena to the table. Executive Order 13636, signed by President Obama, is an example of such a desire. Executive Order 13636 directs the National Institute of Standards and Technology to develop a voluntary framework meant to foster cooperation between public and private entities in regards to cyber security. 
According to a Press Release by the White House, through the Framework for Improving Critical Infrastructure Cyber Security “industry and government are strengthening the security and resiliency of critical
infrastructure in a model of public-private cooperation” (Obama, 2013). The development of the framework itself is an example of government and private sector collaboration and cohesion, as NIST compiled recommendations from across the cyber security spectrum when creating the framework. NIST is still accepting recommendations and lessons learned from organizations and individuals to ensure that the framework is continuously up to date. The final question to be answered is related to the government efforts to protect the civil liberties of Americans while securing the nation in cyberspace. In order to answer this question the researcher must examine policy to determine if there is a desire. Furthermore, it is important to know what is being done to ensure that civil liberties aren’t violated. When developing the Framework for Improving Critical Infrastructure Cyber Security, the President “directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans” (Obama, 2013). Privacy experts across the government were said to have been consulted during the development of the Framework. The Memorandum of Agreement between the Departments of Homeland Security and Defense states that “the agreement will focus national cybersecurity efforts, increasing the overall capacity and capability of both DHS's homeland security and DoD's national security missions, while providing integral protection for privacy, civil rights, and civil liberties” (Gates & Napolitano, 2010). There are jobs in the government that exist for the purpose of advancing privacy and civil liberties and investigating violations. Accordingly, it is evident that there is a desire to protect civil liberties while protecting the cyber homeland. 
In conclusion, through the application of various research methods and procedures, information has been gathered to assist in determining the effectiveness of the United States’ cyber security posture. The government is working to identify and secure the nation’s critical
infrastructure. There is collaboration and joint cyber operations between governmental agencies. There is also a level of cooperation between the federal government and the private sector. The opinion of the effectiveness of that cooperation is one that varies depending on who you ask. Lastly, the government is continuing to work to protect the civil liberties of citizens of the United States. Lessons learned are being used to enhance all aspects of the United States cyber security efforts.

CHAPTER 5: SUMMARY AND DISCUSSION

Introduction

A globally connected network of computers presents a variety of benefits to the users. However, the global reach makes it a potential target for criminal activity. As more people get online and as people rely more on the internet in our day to day lives it is important to remain safe and secure in cyberspace. In Homeland Security, the primary goal is to protect the homeland. With so many uses of the internet, it is imperative that the United States Government work to protect its citizens and infrastructure in cyberspace as well. This leads to an important question. Is the United States adequately prepared to thwart and respond to possible cyber security attacks? It is obvious that national cyber security is important given the many threats that exist in cyberspace. The purpose of this report was to investigate the current United States cyber security posture with the intention of identifying successes and pitfalls in the national cyber security protection efforts.

Statement of Problem

As mentioned above, the purpose of this research project was to determine if the United States is adequately prepared to thwart and respond to possible cyber security attacks. Several sub questions were answered with the intention of providing information that would be helpful to determining if the United States’ cyber security posture is adequate. Is the United States’ critical infrastructure protected? Are cyber security protection efforts a collaborative effort between all branches of the government? Are government and private sector efforts effectively coordinated? Is a concerted effort made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure? Those were the four sub questions that form the basis of this research project.

Review of Methodology

Specific research methods were followed to gather relevant data. Specific statistical information was not important to the overall question. The main question, combined with the sub questions, is truly a matter of policy and procedural effectiveness. Because of this, the qualitative research method was determined to be the most suitable for this project. The qualitative research method uses words and pictures and focuses on occurrences in natural settings. By following the qualitative research method, data was effectively gathered that would aid in the determination as to the effectiveness of the United States’ cyber security posture.

Summary of Results

Is the United States’ critical infrastructure protected?

Through research it was determined that steps have been taken to ensure that critical infrastructure is protected. The research determined that contrary to popular belief, there is only a small percentage of operational hardware related to the power grid that is connected to the public internet. Computers on the same internal network that get infected can still infect other machines on that network. Therefore, these systems still present a risk to critical infrastructure. There have been alleged instances of the US government using defensive cyber weapons, such as the Stuxnet virus. The virus crippled Iranian centrifuges and weakened their ability to create nuclear material. There have also been instances of cyber attacks on critical systems in the United States such as the attack in which foreign hackers caused a pump to fail in a water treatment plant in Illinois. There have been many more cyber attacks, but this was the first confirmed instance of
critical infrastructure being damaged through cyber warfare against the United States (Nakashima, 2011). It is to be mentioned that hackers are continuously refocusing their efforts from attempts to steal information to targeting infrastructure. The US Government is working to create and implement the smart grid which will decrease the risk of a cyber attack on the US power grid.

Are cyber security protection efforts a collaborative effort between all branches of the government?

The research uncovered programs and policies in place to share information and foster collaboration and cooperation between government agencies. There are programs such as EINSTEIN which allow the analysts from US-CERT to monitor the network gateways of various government agencies for unauthorized traffic. Executive branch level departments such as the Department of Homeland Security and Department of Defense have signed agreements that linked personnel, equipment, and expertise in support of the nation’s cyber security efforts. The National Guard, USCYBERCOM, NSA, and the FBI have performed a joint cyber security exercise called Cyber Guard with the intention of building professional relationships with one another in respect to cyber security. The Comprehensive National Cybersecurity Initiative created during the Bush Administration is being updated and is serving as the primary model for the nation’s cyber security policy.

Are government and private sector efforts effectively coordinated?

There is collaboration between the government and private sector. However, this is sometimes limited by the government’s laws and regulations and desire to protect sensitive
information. The public sector is reluctant to share information with the government because of fears that it can cost them money. The private sector is also concerned about the government imposing rules and regulations on them or otherwise interfering in the operations of their businesses. The Administration of President Barack Obama has taken steps to bring all cyber security experts to the table. The President signed Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. Executive Order 13636 sets up the stage for the National Institute of Standards and Technology to prepare a voluntary framework that among other things will “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats” (Obama, 2013). Executive Order 13636 also improves a program that allows personnel from outside of the federal government access to classified information whether it be private sector or local and state officials with a need to know regarding risks to critical infrastructure.

Is a concerted effort made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure?

Privacy and civil liberties are fundamental rights in the United States of America. The government has taken steps to ensure that those rights are not violated by its cyber security protection efforts. The government has personnel employed that assess and respond to possible violations to civil liberties. When developing the Comprehensive National Cybersecurity Initiative, the policy was reviewed by a multitude of individuals with expertise in privacy and civil liberty matters.

Discussion of Results

The results of this project were enlightening. The United States’ cyber security posture was examined across the board in excruciating detail. Protection of critical infrastructure is important because the critical infrastructure is important in all aspects of life. The events on September 11, 2001 changed how business was conducted. Effective interagency communications and information sharing were the biggest failures that led to the inability to thwart the attacks. The emergence of the internet is opening up new opportunities for exploration and exploitation as well. Information sharing and effective communications between government agencies is important in cyberspace operations. Communication and collaboration with the private sector is important as well. Information must be gathered, processed, and disseminated to relevant parties in a quick and efficient manner and free of government bureaucracy.

Conclusions

The significance of this project is the fact that it looks at many aspects to determine if the cyber security posture of the United States is adequate. The answer to whether or not the United States is adequately prepared to respond or thwart a cyber attack varies depending on who is asked. The United States can respond to a cyber attack appropriately. Because the United States Department of Defense views cyberspace as a new domain of war, the US is not limited to responding to a cyber attack with another cyber attack. The US reserves the right to respond militarily to a cyber attack. This is an indication of how serious the United States is about cyber security. Collaboration between governmental agencies and private sector is not the sole determination of effectiveness. The protection of civil liberties is important as well because the United States is a nation with a history of freedom and democracy and all programs undertaken
should reflect that goal. Through the data gathered during this project it is safe to say that the United States’ cyber security posture is effective, although, as with all things, it should always continue to be updated to remain relevant.

REFERENCES

Aucsmith, D. (2012, May 26). Cyberspace is a domain of war. Retrieved from http://cyberbelli.com/2012/05/26/cyberspace-is-a-domain-of-war/

This article explains why cyberspace is now viewed as a domain of war by the United States Department of Defense. The article supports the argument by identifying three sets of facts to support the claim. It identifies cyberspace as a domain of war by doctrine, definition, and contestation. The article uses testimony from American cyber security policy makers in the DoD to bolster its arguments.

case study. (n.d.). Collins English Dictionary - Complete & Unabridged 10th Edition. Retrieved April 20, 2014, from Dictionary.com website: http://dictionary.reference.com/browse/case study

The definition of case study is given from a variety of dictionaries.

Condron, S. (2007). Getting it right: Protecting America's critical infrastructure in cyberspace. Harvard Journal of Law & Technology, 20(2), 406.

This journal entry discusses the simplicity of gaining technology to conduct a cyber attack. It also identifies figures related to cyber security incidents. Examples of specific attacks by other nations and against other nations are included in the paper. Critical infrastructure is defined by the United States in the US PATRIOT ACT. This paper
compares and contrasts homeland security and defense. International law as it applies to cyber security is also referenced in this paper.

Emspak, J. (2011, August 31). Feuding government agencies agree to disagree on cybersecurity. Tech News Daily, Retrieved from http://www.technewsdaily.com/7123-9-11-govtagencies.html

This article discusses the disagreements between the Department of Homeland Security and the National Security Agency related to who is responsible for the nation’s cyber security. The article gives hypothetical scenarios meant to bring forth a discussion on what agency would be in charge in a given scenario. The article also discusses various cyber security units in several executive branch agencies and sub agencies and their overall functions.

Freed, A. (2014, April 14). Attacks Shift from Data Breaches to Targeting of Critical Infrastructure - The State of Security. The State of Security. Retrieved April 21, 2014, from http://www.tripwire.com/state-of-security/top-security-stories/attacks-shift-fromdata-breaches-to-targeting-of-critical-infrastructure/

This article describes the evolution of cyber crimes. Hackers are turning their efforts from stealing information to activities meant to target critical infrastructure. The article discusses foreign government sponsored cyber attacks based on statistics from US-CERT. This article also references a study conducted by Aegis London in order to strengthen their argument.

Gates, R., & Napolitano, J. Department of Homeland Security, National Protection and Programs Directorate. (2010). Memorandum of agreement between the Department of Homeland Security and the Department of Defense regarding cybersecurity. Washington, DC: United States Government.

The Memorandum of Agreement is between the Department of Homeland Security and the Department of Defense. It establishes a framework for cyber security cooperation between the two agencies. The agencies map out everything from information sharing to joint personnel. The roles and responsibilities of each agency are explained in full detail. Oversight requirements are listed in the document as well as methods for modifying the order.

Homeland Security. (n.d.). What Is Critical Infrastructure?. Retrieved April 21, 2014, from http://www.dhs.gov/what-critical-infrastructure

Department of Homeland Security overview on what critical infrastructure refers to.

Manzo, V. (2013, January 29). Stuxnet and the dangers of cyberwar. The National Interest, Retrieved from http://nationalinterest.org/commentary/stuxnet-the-dangers-cyberwar8030

Vincent Manzo breaks down Operation Olympic Games and the development and deployment of the Stuxnet virus. Stuxnet is described as the world’s first cyber superweapon, completing a task that would normally require military actions and conventional weapons. The intended purpose of Stuxnet is described as well as the method in which Stuxnet spread from Iranian computers to those in other nations inadvertently. Mr. Manzo also discusses the pros and cons of the US deploying a cyberweapon, such as the fact that it could possibly allow other nations to justify attempting a similar feat.

Nakashima, E. (2011, November 18). Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says. Washington Post. Retrieved April 25, 2014, from http://www.washingtonpost.com/blogs/checkpoint-washington/post/foreign-hackersbroke-into-illinois-water-plant-control-system-industry-expertsays/2011/11/18/gIQAgmTZYN_blog.html

This article describes the first known cyber attack against the United States that was intended to damage critical infrastructure. Foreign hackers targeted and broke a water pump at an Illinois water treatment plant. This article discusses the evolution of computer hackers. It also describes how the attack was traced to Russia.

National Commission on Terrorist Attacks upon the United States. (2004). The 9/11 commission report: Final report of the National Commission on Terrorist Attacks upon the United States. Washington, DC: National Commission on Terrorist Attacks upon the United States.

The 9/11 Commission Report was created to identify the shortcomings that led to the failure to prevent the attacks against the United States on September 11, 2001. The evolution of counterterrorism is also discussed. Al Qaeda’s initial attacks that led up to those of 9/11 are discussed. This report covers the attacks on September 11 in great detail as it identifies the pitfalls and successes of all players responsible from the airline crew to the first responders. Recommendations for policy changes are made in an effort to prevent such an attack from happening again.

Obama, B. (2009, May). In Robert Gibbs (Chair). Remarks by the President on securing our nation's cyber infrastructure. Presentation delivered in East Room of the White House Daily press briefing, Washington, DC. Retrieved from www.whitehouse.gov/the-pressoffice/remarks-president-securing-our-nations-cyber-infrastructure

This source is a readout of President Barack Obama’s press conference on May 29, 2009. The President’s topic was securing the nation’s cyber infrastructure. The President discussed the efforts his administration made over his first 4 months in office related to cyber security. He discussed the pros and cons of the internet. The President also outlines his goals for protecting the nation’s cyber infrastructure while ensuring that privacy and civil liberties are protected.

Obama, B. The White House, Office of the Press Secretary. (2013, February 12). Executive order -- improving critical infrastructure cybersecurity (Executive Order 13636). Retrieved from website: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-orderimproving-critical-infrastructure-cybersecurity

Executive Order 13636 was signed by President Barack Obama in February 2013. This Executive Order sets the cyber security policy of the executive branch. Critical infrastructure is defined within the order. The order identifies a mechanism for information sharing, policy coordination, protection of privacy and civil liberties. The order also directs the National Institute of Standards and Technology to create a voluntary cybersecurity framework.

The Comprehensive National Cybersecurity Initiative. (n.d.). The White House. Retrieved April 25, 2014, from http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/nationalinitiative

This article discusses the Comprehensive National Cybersecurity Initiative. The Comprehensive National Cybersecurity Initiative, or CNCI, was a product of the Bush administration. However, after taking office President Barack Obama convened a review of cyber security policies which resulted in the updating of the CNCI. The CNCI is being shaped to become the primary policy for the United States cyber security operations.

APPENDIX

Figure 1: Survey Consent Page

Figure 2: Survey Questions

Figure 3.1: Respondent 1 Survey Answers

Figure 3.2: Respondent 2 Survey Answers

Figure 3.3: Respondent 3 Survey Answers

Figure 3.4: Respondent 4 Survey Answers

Figure 3.5: Respondent 5 Survey Answers

Figure 3.6: Respondent 6 Survey Answers

Figure 3.7: Respondent 7 Survey Answers

Figure 3.8: Respondent 8 Survey Answers

Figure 3.9: Respondent 9 Survey Answers

Figure 3.10: Respondent 10 Survey Answers

Figure 3.11: Respondent 11 Survey Answers

Figure 3.12: Respondent 12 Survey Answers
