This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier posts in this series were:
The last couple of days have seen the introduction of two new ideas that share one thing in common: they propose complex new ideas that take more than a couple of paragraphs to explain. The first deals with cyber emergency incident management and the second with cyber security performance measurement. Both rely on links to documents outside of the IdeaScale site to fully explain their suggestions.
Cyber Incident Management
On July 15th the idea by (Dan Sweigert) was moved to the site by moderators. There is a single sentence (“Here is my white paper”) on the IdeaScale site and a link to a 3-page SlideShare document. Dan eloquently makes the point that a proper response to a cyber emergency is probably more important than efforts to prevent such incidents. We are not going to be able to prevent 100% of the attacks on critical infrastructure cyber-systems, so we need to put plans in place to respond to successful attacks. He suggests that “serious consideration be given by CSF [Cybersecurity Framework] planners to incorporate a NFPA 1600 and/or NIMS response capability in the EO 13636 CSF” (pg 3).
As I noted in my IdeaScale comment to this idea, this is a good first pass review of a problem that has been grossly overlooked in our discussions of preventing cyber-attacks, particularly on control systems. Dan makes the argument for starting the emergency response planning process and we in the community need to flesh it out.
The second new idea will be familiar to readers of this blog; Russell Thomas offers up his Ten Dimensions of Cyber Security Performance that I described in an earlier blog post. Russell provides a little more meat to the introduction of his idea than did Dan, but he too has to rely on links to off-site writings (in this case his blog) to fully explain the idea.
I voted ‘Agreed’ to both ideas, not because I fully endorse them in every detail, but rather because I think they are both important new ways of looking at the issues that the Cybersecurity Framework is supposed to address. As such they need to be shared with the community, examined, discussed and modified as necessary.
I doubt that either will make it directly into the Framework being developed. That is not due to lack of scholarship or innovation, but rather that the general game plan for the framework has already been established and there is not enough time remaining in the process to make the kinds of major changes that would be required by the incorporation of either of these ideas.
Still, neither would interfere with implementation of the Framework, so just perhaps the cybersecurity community needs to address these ideas outside of the Framework. While we are currently focused on the development and implementation of the Framework, I doubt that anyone really assumes that it will be the final word on cybersecurity, particularly in the control system realm.
Endorsing the IdeaScale Process
Once again, I would like to take the opportunity to urge everyone to visit this IdeaScale site and put in your two cents' worth. If you have no more time available than to read a couple of the ideas that catch your fancy, please vote on whether or not you think the idea has merit. If you have more time available, contribute a comment like Richard did; it will add to the discussion. But better yet, put one of your ideas down on paper and then post it to the site for others to read, vote upon and discuss. Be a real contributor to the development of national policy.