Thursday, June 30, 2011

Enforcing the President’s Cybersecurity Plan

The Obama cybersecurity plan would establish extensive regulations for the security of cyber systems at selected critical infrastructure entities. As I have noted on several occasions in this blog, trying to regulate anything without some sort of inspection and compliance verification mechanism is a waste of time. The Administration’s plan addresses this in §6 of its critical infrastructure plan.

Private Sector Evaluators

The proposal avoids the problem of the government having to hire and maintain an expensive cybersecurity inspection workforce by establishing a private sector inspection program. Similar in many ways to the way TSA regulates the inspection process for freight going onto passenger aircraft, the proposal would establish a two-tier system of accreditors and evaluators. The accreditors would be contracted by DHS to “conduct such activities as the Secretary determines to be necessary to effectively carry out accreditations of evaluators and oversee the evaluation process” {§6(b)(2)}.

This is appropriately vague for a legislative proposal, and the details would have to be worked out during the process of developing the supporting regulations. Some of the details, however, need to be worked out in the legislative process. For example, it seems obvious to me that the covered entities will somehow pay for the evaluation process, but the proposal never says so. What is less clear is how the Administration plans to pay for the accreditation process.

How Many Evaluators

As I mentioned in my earlier blog post over at Digital Bond's SCADA Security blog, Larry Clinton of the Internet Security Alliance raises an interesting issue about this evaluation force. On page 10 of his written testimony for last week’s House hearing he states:

“Moreover, it is acknowledged on all sides that we face a critical shortage of qualified cyber security personnel, and so the army of evaluators created under this proposal will almost by definition not be adequately trained.”
The situation will be even worse for industrial control systems evaluations. There is nothing in the President’s proposal that addresses the differences between IT and ICS cyber systems. This is especially critical when establishing an evaluation force. Even a well trained and experienced IT security expert will have difficulties evaluating a security plan and its implementation for control systems. A less well trained evaluator trying to apply a generic set of cyber security standards to a control system will cause more problems than most cyber attacks.

Nobody knows how large an evaluation force will be needed to enforce these proposals. The reason is that no one knows how many entities will be covered by the critical infrastructure cybersecurity program. From a control system perspective it could be just a relatively small number of pipeline systems and electrical transmission systems if a restrictive view of the “dependent upon information infrastructure to operate” requirement of §3(b)(1)(B) is used to designate covered entities. If Mr. Clinton’s fear of a more expansive definition is realized, the ICS inspection force could be quite large.

Conflicts of Interest

One of the easiest ways to expand the size of the potential evaluator work force is to utilize existing security contractors. This, of course, sets up the potential for some interesting conflicts of interest. A contractor that advises a facility on establishing a security program could find itself evaluating that same program. While one would expect the regulations to address this, many would expect it to be specifically addressed in any legislation mandating such a private sector inspection force.

Personnel Surety

The Internet Security Alliance testimony raises another interesting concern about this inspection force. Again on page 10 of the testimony Mr. Clinton says:

“The single largest vulnerability of our cyber systems comes not from hackers using technology to break into systems, but from “insiders” with approved access to the systems. This proposal creates a virtual army of insiders crawling through our most critical infrastructure’s security systems on an annual basis.”
The failure of the President’s proposal to address the personnel surety issue is completely unacceptable. This is especially true since historically much of the cyber workforce is foreign trained. The experience that DHS has had with the personnel surety issue in the TWIC program, the Hazmat Endorsement for CDLs and the CFATS program certainly demonstrates that this controversial area needs to be addressed in the legislative proposal.

For control systems inspectors there is an additional area about personnel surety that will have to be addressed. Depending on how expansive the coverage of critical infrastructure actually is, there will be a number of CFATS covered facilities included in the program. The CFATS program has some very specific personnel surety requirements that are currently being rolled out. That program exempts the DHS inspection force (as well as first responders and law enforcement personnel) from the requirement for facilities to complete background checks before allowing these personnel to have unaccompanied access to facilities. Since the cybersecurity evaluators are not DHS employees this exemption will not apply to them.

Actually, I guess that IT evaluators for entities that own or operate CFATS covered facilities will probably have to undergo the same background check process if the IT systems are included in the facility’s list of critical or restricted systems. Will evaluators dealing with MTSA covered facilities need to have TWICs? Probably. Water facilities? Don’t worry about it; EPA has no personnel surety concerns. Railroads? The FRA doesn’t care.

Yes, we can clearly see why the cyber security proposal for critical infrastructure needs to specifically address the personnel surety issue.
