Cyber Security Policy Guidebook - Jennifer L. Bayuk - E-Book

Cyber Security Policy Guidebook E-Book

Jennifer L. Bayuk

Description

Drawing upon a wealth of experience from academia, industry, and government service, Cyber Security Policy Guidebook details and dissects, in simple language, current organizational cyber security policy issues on a global scale, taking great care to educate readers on the history and current approaches to the security of cyberspace. It includes thorough descriptions, as well as the pros and cons, of a plethora of issues, and documents policy alternatives for the sake of clarity with respect to policy alone. The Guidebook also delves into organizational implementation issues, and equips readers with descriptions of the positive and negative impact of specific policy choices. Inside are detailed chapters that:

* Explain what is meant by cyber security and cyber security policy
* Discuss the process by which cyber security policy goals are set
* Educate the reader on decision-making processes related to cyber security
* Describe a new framework and taxonomy for explaining cyber security policy issues
* Show how the U.S. government is dealing with cyber security policy issues

With a glossary that puts cyber security language in layman's terms, and diagrams that help explain complex topics, Cyber Security Policy Guidebook gives students, scholars, and technical decision-makers the necessary knowledge to make informed decisions on cyber security policy.


Page count: 384

Publication year: 2012




Table of Contents

Cover

Title page

Copyright page

Foreword

Preface

Acknowledgments

1 Introduction

1.1 What Is Cyber Security?

1.2 What Is Cyber Security Policy?

1.3 Domains of Cyber Security Policy

1.4 Strategy versus Policy

2 Cyber Security Evolution

2.1 Productivity

2.2 Internet

2.3 e-Commerce

2.4 Countermeasures

2.5 Challenges

3 Cyber Security Objectives

3.1 Cyber Security Metrics

3.2 Security Management Goals

3.3 Counting Vulnerabilities

3.4 Security Frameworks

3.5 Security Policy Objectives

4 Guidance for Decision Makers

4.1 Tone at the Top

4.2 Policy as a Project

4.3 Cyber Security Management

4.4 Using the Catalog

5 The Catalog Approach

5.1 Catalog Format

5.2 Cyber Security Policy Taxonomy

6 Cyber Security Policy Catalog

6.1 Cyber Governance Issues

6.2 Cyber User Issues

6.3 Cyber Conflict Issues

6.4 Cyber Management Issues

6.5 Cyber Infrastructure Issues

7 One Government’s Approach to Cyber Security Policy

7.1 U.S. Federal Cyber Security Strategy

7.2 A Brief History of Cyber Security Public Policy Development in the U.S. Federal Government

7.3 The Rise of Cyber Crime

7.4 Espionage and Nation-State Actions

7.5 Policy Response to Growing Espionage Threats: U.S. Cyber Command

7.6 Congressional Action

7.7 Summary

8 Conclusion

Glossary

References

Index

Copyright © 2012 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Cyber security policy guidebook / Jennifer L Bayuk ... [et al.].

p. cm.

 Summary: “This book is a taxonomy and thesaurus of current cybersecurity policy issues, including a thorough description of each issue and a corresponding list of pros and cons with respect to identified stances on each issue” – Provided by publisher.

 ISBN 978-1-118-02780-6 (hardback)

 1. Information technology–Government policy. 2. Computer security–Government policy. 3. Data protection–Government policy. I. Bayuk, Jennifer L.

 QA76.9.A25C91917 2012

 005.8–dc23

2011036017

Foreword

Not long ago, I was the Director of Cybersecurity Policy at the U.S. Department of Homeland Security (DHS). In that role, I routinely met with the department’s staff responsible for cyber security operations. In one such meeting, focused on cyber risk management and metrics, we were having a bit of a difficult time seeing one another’s perspectives on a related issue. At one point a senior member of the operations staff looked across the table at me and opined, “You actually think policy ought to drive operations?”

Beyond the obvious dysfunction behind his question, it pointed to some of the core themes this book attempts to address: cyber security policy’s importance, its relation to both strategy and operations, its relevance to a very diverse set of stakeholders and decision makers, and the inevitable controversy and debate it engenders. These are very much the issues of our time, but they are not issues for the timid.

Perhaps to my DHS colleague’s chagrin, in fact, policy does and should drive operations. As the authors clearly point out, policy necessarily drives decisions at many different levels. How many of us have not heard the President of the United States include these words in a speech, “it is the policy of my administration. … ”? His job is (with Congress) to set national policy, approve appropriate implementation activities to carry out that policy, and then ensure that policy is properly enforced or adjusted as circumstances dictate. Executives at other levels have similar responsibilities.

In the evolution of all things cyber, however, policy has not been a driver. Rather, it has been an afterthought. The authors make this very point in several ways, and in so doing, they raise a vitally important issue: should cyber security policy always be reactive? The obvious answer is “no;” or else the operations and standards it drives will also always be reactive, leading to an inherently untenable situation in which cyber security efforts always lag the attacks they are meant to prevent. If this situation sounds all too familiar, it is because cyber security practitioners have been on this treadmill far too long, with no sign of it ending.

The great problem, of course, is that the setting of proactive cyber security policy is, at least in any democratic environment, an extremely difficult and time-consuming task. Even the simplest perusal of Chapter 6 of this book will be sufficient to inform the reader that the ground on which almost any cyber security policy is contested is muddy ground indeed.

As a general rule, when one is most muddled with the complexity of building a particular system correctly, it is best to take a big step back—and then elevate oneself to see the larger picture. Only then can one ask the all-important question framed in this book, “Am I building the right system?” In my own experience, the too frequent answer to this question is “no.” It is incredibly painful for those who are building the wrong system, but building it correctly, and therefore deeply invested in it, to hear that answer.

All of which points, I believe, to the raison d’etre for a Cyber Security Policy Guidebook such as this. If read with an unjaundiced eye, it will help the reader to see the bigger cyber security picture and its vitally important policy setting, no matter the vantage point. This cannot help but be an aide.

It is a very happy circumstance that the authors of this book are highly regarded professionals, experts in their respective niches, and that they bring many years of experience to the topic. As they point out, the topic is incredibly expansive—a natural result of the ubiquity of “cyber” anything in today’s networked world. Indeed, if the topic were not so incredibly important and relevant, it might be silly even to attempt to get one’s arms around it.

But to anyone for whom national security, business operations, or anything related to the Internet is important, and that covers most of us, understanding some measure of the topic is critical. To that end, this book is most useful.

Andy Cutts

Former Director of Cybersecurity Policy at the U.S. Department of Homeland Security

Preface

The idea for this book coincided with a conference on Cyber Security Policy (SIT 2010). The conference had sessions ranging from security technology investment decisions by venture capitalists to the implications of cyber security policy on personal privacy. Though all speakers were experts in their field and were asked to address cyber security policy topics, many instead focused on strategy or technology issues. Even where it was clear that policy was being discussed, policies were often not articulated clearly enough for panelists and audience members to participate in informed debate. This observation itself became the buzz at the conference and made it a truly memorable experience for many who attended.

The experience made it clear that cyber security policy means different things to different people, even those who work in cyber security. This conclusion led us to the format of this book. That is, the book is designed to lead the reader through concepts that are individually easy to assimilate, and collectively provide a solid understanding of the field of cyber security and the place of policy within it.

We also knew that there is no one person experienced enough in cyber security to have been able to single-handedly write this book. The team was chosen to ensure that all the major fields of experience in cyber security were covered. Each contributed to chapters and sections that were specific to their experience. However, all chapters were scrutinized by all authors to ensure a cohesive presentation for the expected variety of readers. Policy is the domain of authoritative executives. Executive authority may stem from the social contracts by which governments are established or the domain of a private enterprise. This book was written with those executives in mind, but it is not intended solely for their consumption. In order that cyber security policy analysis receive the critical scrutiny essential to sound legislation on both public and private fronts, the audience for this book must extend to executive advisors, educators, researchers, legislative staff, and practitioners in the field. Though each member of the audience brings his or her own background and experience to the material presented herein, we expect that current concepts on cyber security policy will be enriched by sharing this common presentation framework and nomenclature with colleagues in the same field, whose professional experience has exposed them to cyber security issues of varying scope. Most literature about cyber security falls into two categories: technology and advice. This book will refrain from technical jargon and also from recommendations with respect to decisions in any given case of cyber security policy. Although the book endeavors to explain technology issues in cyber security, it does so in layman’s terms. At the same time, the book emphasizes the importance of critical and analytical thinking about decisions with respect to cyber security and will equip the reader with descriptions of the impact of specific policy choices, letting the reader decide whether to view that impact as positive or negative.

This guidebook integrates explanations of cyber security policy alternatives across potential executive, legislative, judiciary, commercial, military, and diplomatic action. Readers across these disciplines are expected to view its contents through the lens of their own area of expertise and also gain insights from issues encountered by others. It will be an introductory text for the uninitiated, while at the same time providing a holistic reference for experts in the field of cyber security.

Originally, the outline of the book was divided into policy domains as defined in the conference, and from these were created book sections assigned to each author. Once work began, however, there was immediate skepticism and doubt among the authors on the approach. Some topics at the conference were broad in scope. For example: Law Enforcement, Privacy, Civil Rights, and Personal Liberties; Emergent Technologies, Innovation, and Business Growth; and Global Implications of Cyber Security Policies. Others were focused on a specific type of system, such as Next Generation Air Transportation System and Electric Power Distribution. No one thought that simply combining policy content from each section would achieve the mission of the volume. The volume could not appear splintered into sets of issues of interest to only one industry while still achieving its goal of educating an outsider on what a cyber security policy issue was. This recognition led to the development of a more holistic, unified view of the guidebook approach.

Chapter 1 introduces the reader to the relationship between cyberspace, cyber security, and cyber security policy. Chapter 2 provides a brief history of cyber security. It provides the background necessary for a lay person to understand the current state of the art as well as the state of the practice in establishing security controls in cyberspace. The chapter is not a chronicle of cyber crime or legislative attempts to establish cyber security controls, but it does highlight significant events that have influenced the evolution of controls.

Chapter 3 describes the state of the practice in measuring cyber security. It revisits the history of Chapter 2 from the perspective of security goals and objectives. It discusses various approaches that have been used to determine whether goals for cyber security have been met. Three case studies of cyber-enabled systems illustrate the approaches. The case studies are of e-commerce, industrial control systems, and personal mobile devices.

Chapter 4 provides guidance for executive decision makers charged with large organizations or constituencies that are cyber security stakeholders. It emphasizes that cyber security management is not unlike other management activities in that successful execution requires clearly articulated goals and corresponding program management. It provides an outline of how to begin to establish a cyber security strategy and associated cyber security policy effort. It suggests a perspective on cyber security issues that is integrated with the mission and purpose of the organization.

Chapter 5 introduces a catalog approach to the examination of cyber security policy issues. It places the history of cyber security and metrics of Chapters 2 and 3 against the context of cyber operations in order to separate the security issues into areas of responsibility. The word “policy” in the domain of cyber security applies to different dimensions of societal issues across multiple organizations and industries. Hence, Chapter 5 describes a demarcation in the scope of issues faced by decision makers in different positions of influence. That is, the policy decisions faced by a telecommunications executive will be very different from the policy decisions faced by a military strategist. However, these divisions are purposely described in chapter sections and not as domains of influence or responsibility because they significantly overlap. The division is made to enhance clarity of explanation and is not meant to introduce nonexistent boundaries.

Chapter 6 builds on the concepts and definitions described in Chapters 1 to 5 to explain the cyber security environment faced by decision makers in each of the five sections of cyber security policy that were introduced in Chapter 5. Each section includes a list of cyber security policy issues faced by different organizations and industries who are stakeholders.

Chapter 7 chronicles the efforts of the U.S. government to align cyber security strategy and policy and observes the impact of historical events on cyber security policy. It closes with references to literature that suggest alternative courses forward.

Chapter 8 presents a summary and shows how the content of each chapter presents different perspectives on the same topic, which is cyber security policy. It emphasizes that approaches to cyber security policy are necessarily different for different cyberspace stakeholders and that the value of security measures must be weighed against their efficacy in achieving individual cyberspace strategy objectives.

We are all five left with a deep appreciation for the depth and breadth of our adopted field. Marcus Sachs’ first-hand experience in both the public and private policy arena was invaluable when it came to chronicling history. Jason Healey’s wealth of experience in policy analysis in both government service and private research shed light on a rich array of issues in nation-state and global diplomacy. Joe Weiss’ in-depth expertise in industrial control systems prevented us from losing focus on critical attributes of our technology infrastructure. Paul Rohmeyer’s academic and business experience in technology management consistently made sure that our narratives were not only meaningful to decision makers, but also that the whole carried a strategic purpose that was obvious to our target audience. Jeff Schmidt’s career-long immersion in Internet governance and software engineering issues provided a sound sanity check on completeness. Jennifer Bayuk’s solid technical background and layman-accessible writing skills framed the presentation of concepts that made sense of it all.

Together, we dedicate this volume to cyber security policymakers, whether vocal or silent. May you achieve success in your respective missions.

Jennifer L. Bayuk
Jason Healey
Paul Rohmeyer
Marcus H. Sachs
Jeffrey Schmidt
Joseph Weiss

Acknowledgments

This book was inspired by the Honorable Mike Wynne, the 21st Secretary of the Air Force, who established considerable capability for cyber security in the Air Force, and was at the time single-handedly responsible for raising the awareness of national security-related cyber security policy issues. Among countless other laudatory and critical advisory appointments, Mr. Wynne serves as the Chair of the Advisory Board for the Systems Engineering Research Center and also as Senior Advisor to the President at Stevens Institute of Technology.

To create awareness within academia of the importance of cyber security policy, Mr. Wynne chaired a conference on that topic sponsored by Stevens Institute of Technology (SIT 2010). Opinions were solicited from experts in a wide variety of fields who are stakeholders in cyberspace. Many of them spoke at the conference or attended the discussions. Some were unable to attend but provided their comments in written form. Our grateful thanks extend to the speakers and other participants who lent their expertise to that conference.

We are most indebted to those who reviewed the first completed drafts of this volume. Their invaluable feedback has considerably enhanced the comprehensibility of the cyber security policy curriculum contained herein. We therefore gratefully acknowledge these individuals for their efforts and expertise: Warren Axelrod, Larry Clinton, Kevin Gronberg, Richard Menta, William Miller, Brian Peretti, Andy Purdy, and Michael zur Muehlen. Others who spoke or sent material to be included in this book are also gratefully acknowledged. They include: Michael Aisenberg, Edward Amoroso, Tom Arthur, Paige Atkins, James Arden Barnett, John Boardman, David M. Bowen, Christopher Calabrese, Ann Campbell, C. R. Collazo, Greg Crabb, William Crowell, Matthew D. Howard, John A. Davis, Christopher Day, James X. Dempsey, Edward C. Eichhorn, Robert Elder, Steve Elefant, Dan Geer, Charles Gephart, Gary Gong, Gail L. Graham, Kevin Harnett, Melissa Hathaway, Husin bin Hj Jazri, Erfan Ibrahim, Robert R. Jueneman, Jeffrey S. Katz, John Kefaliotis, Alan Kessler, George Korfiatis, Darren Lacey, Pascal Levensohn, Martin Libicki, Chan D. Lieu, Eric Luiijf, Pablo Martinez, Douglas Maughan, Ellen McCarthy, Dale Meyerrose, Gregory T. Nojeim, John Osterholz, James B. Peake, Jim Richberg, Robert D. Rodriguez, Tom Ruff, Brian Sauser, Ted Schlein, Agam Sinha, Ben Stewart, John N. Stewart, Eric Trapp, David Weild, John Weinschenck, and Paul Winstanley. We have incorporated as many opinions as possible from that conference. We are grateful to these experts for sharing their insight. We look forward to continuing the cyber security policy debates in a constructive manner that will secure peace and prosperity in cyberspace going forward.

1 Introduction

1.1 What Is Cyber Security?

Cyber security refers generally to the ability to control access to networked systems and the information they contain. Where cyber security controls are effective, cyberspace is considered a reliable, resilient, and trustworthy digital infrastructure. Where cyber security controls are absent, incomplete, or poorly designed, cyberspace is considered the wild west of the digital age. Even those who work in the security profession will have a different view of cyber security depending on the aspects of cyberspace with which they personally interact. Whether a system is a physical facility or a collection of cyberspace components, the role of a security professional assigned to that system is to plan for potential attack and prepare for its consequences.

Although the word “cyber” is mainstream vernacular, to what exactly it refers is elusive. Once a term of science fiction based on the then-emerging field of computer control and communication known as cybernetics, it now refers generally to electronic automation (Safire 1994). The corresponding term “cyberspace” has definitions that range from conceptual to technical, and has been claimed by some to be a fourth domain, where land, sea, and air are the first three (Kuehl 2009). There are numerous definitions of cyberspace and cyber security scattered throughout the literature. Our intent is not to engage in a debate on semantics, so we do not include these definitions. Moreover, such debates are unnecessary for our purpose, as we generally use the term “cyber” not as a noun, but as an adjective that modifies its subject with the property of supporting a collection of automated electronic systems accessible over networks. As is well reflected in language-usage debates in both the field of cognitive linguistics and popular literature on lexicography, the way language is used by a given community becomes the de facto definition (Zimmer 2009). We therefore ask our readers to set aside the possibility that they will be confused by references to “cyberspace” and “cyber security” and simply refer to their own current concept of these terms when it makes sense to do so, while keeping in mind that we generally use the term “cyber” as an adjective whose detailed attributes will change with the system of interest.

Continue reading in the full edition!