This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier posts in this series were:
An interesting new ‘idea’ was posted this week on the site by David Rose [corrected source identity 7-14-13; 15:30 CDT], who prefaced the idea by commenting:
“Just discovered this [the IdeaScale ITFCC] existed, during the 3rd NIST Cyber Security Framework workshop and there are zero (0) ideas on the cyber security framework topic -- so far.
“This tool would help to ensure, or at least provide an opportunity for broader feedback.”
The comment is disappointing on at least two levels. Most of the comments, and certainly all of my comments, seem to have been submitted with the Cybersecurity Framework in mind. Secondly, the ITFCC was supposedly set up to support DHS efforts at supporting the development and implementation of the Cybersecurity Framework and it seems that the only one publicly pushing this is yours truly. Oh well, I suppose there is some satisfaction to be derived from being a voice crying in the wilderness; it provides multiple opportunities to say I told you so.
Community Member states that the submission is “a current copy of the Performance Goals Discussion Paper” presumably being circulated through DHS. It provides a discussion about the purpose and use of “performance goals” as measures of the appropriate level of implementation of the Cybersecurity Framework. Currently those performance goals would be self-evaluated as there is no ‘real intention’ in the administration to use the Cybersecurity Framework as a regulatory tool (except is selected areas where cybersecurity is already regulated).
There are only two primary and three secondary goals provided in the document. They are:
Primary Performance Goals
• PPG 1: During and following a cyber incident, essential services and products continue to be delivered with a high degree of reliability, resiliency, safety and integrity.
• PPG 2: Intellectual property and personal information are protected to maintain the confidentiality of proprietary information and ensure privacy and civil liberties.
Supporting Performance Goals
• SPG 1: Capabilities are built and sustained to prevent, detect, respond to, recover, and learn from cyber incidents as part of an ongoing enterprise risk management process.
• SPG 2: Functions critical to the delivery of essential services and products are sustained, or otherwise rapidly restored, over the course of a cyber incident.
• SPG 3: Preparedness and resilience are continuously improved based on lessons learned from incidents, exercises and other activities.
These goals are broad enough that they could be applied to any organization whether or not they are designated as being ‘critical infrastructure’. This has long been one of the goals of any cybersecurity plan, that it be widely applicable. They are also so widely generic that any attempt to secure networks and control systems, no matter how ineffective, could be viewed as justifying the claim of meeting these goals.
There are to major deficiencies in these goals. First, they can only be effectively measured after a successful cyber-attack; oops it is too late then to know that your controls are ineffective. To be fair this will be the failure point of any set of performance goals. More importantly these goals fail to address preventing the worst physical consequences of a successful cyber-attack. For example; at a high-risk chemical plant safety systems should be in place to prevent off-site consequences from a cyber-attack that would release a toxic inhalation hazard chemical from storage on the site.
To address the former, I have suggested that a third primary performance goal be added to the list:
• PPG 3 - During and after a cyber-attack controls, both computer based and physical, remain actively in play to protect the community from catastrophic physical consequences of process disruptions or interruptions.
I’m not sure that there is any specific way to address the first deficiency. Any real measure of the effectiveness of a cybersecurity control will have to rely on the response to an actual attack. And even effectively responding to a real attack, or several real attacks, will not ensure that the next hacker won’t have discovered a new hole in the system.
Realistically, the appropriateness of any performance goals adopted to support the Cybersecurity Framework will be measured by political not technical means. The question will come down to the willingness of the business community to adopt and implement the performance goals as part of a wide spread cybersecurity program. Unless, or until, these goals are incorporated into law or regulation every effort must be made to ensure that the goals are inoffensive enough to be voluntarily adopted by the business community.
Voice Crying in the Wilderness
Once again, I would like to take the opportunity to urge everyone to visit this IdeaScale site and put in your two cents worth. If you have no more time available than to read a couple of the ideas that catch your fancy, please vote on whether or not you thing the idea has merit. If you have more time available, contribute a comment like Richard did; it will add to the discussion. But better yet, put one of your ideas down on paper and then post it to the site for others to read, vote upon and discuss. Be a real contributor to the development of national policy.