The DHS National Protection and Programs Directorate (NPPD) published a notice in today’s Federal Register (81 FR 17193-17194) requesting comments on three white papers produced by the NPPD staff in conjunction with work done by the Cyber Incident Data and Analysis Working Group (CIDAWG), which is made up of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals. The white papers address the critical need for information sharing as a means to create a more robust cybersecurity insurance marketplace and improve enterprise cyber hygiene practices across the public and private sectors.
The three white papers are:
• Establishing Community-Relevant Data Categories in Support of a Cyber Incident Data Repository; and
The Value Proposition
The first whitepaper describes how a cyber incident data repository could help advance the cause of cyber risk management. NPPD is seeking input on the following questions in relation to this document:
• What value would an anonymized and trusted cyber incident data repository, as described in the white paper, have in terms of informing and improving cyber risk management practices?
• Do you agree with the potential benefits of an anonymized and trusted repository, as outlined in the white paper, that enterprise risk owners and insurers could use to share, store, aggregate, and analyze sensitive cyber incident data?
• Are there additional benefits of an anonymized and trusted repository that are not mentioned in the white paper? Please explain them briefly.
• What kinds of analysis from an anonymized and trusted repository would be most useful to your organization?
Establishing Community-Relevant Data Categories
The second whitepaper addresses the kinds of prioritized data categories and associated data points that should be shared among repository users to promote new kinds of needed cyber risk analysis. NPPD is seeking input on the following questions in relation to this document:
• Could specific data points within the 16 data categories effectively inform analysis to bolster cyber risk management activities?
• Are the 16 data categories accurately defined?
• What additional data categories could inform useful analysis to improve cyber risk management practices?
• What do these additional data categories mean from a CISO or other cybersecurity professional perspective?
• Rank the level of importance for each data category, including any additional data categories that you have identified.
• What value does each data category and associated data points bring to a better understanding of cyber incidents and their impacts?
• What does each data point actually mean (and to whom); and which ones are the greatest priority, to which stakeholders, and why?
• How easy/difficult would it be to access data associated with these categories in your organization and then share it into a repository and why?
Overcoming Perceived Obstacles
The final white paper identifies perceived obstacles to voluntary cyber incident data sharing and offers potential approaches to overcoming those obstacles. NPPD is seeking input on the following questions in relation to this document:
• Would your organization be interested in contributing to a cyber incident data repository and using repository-supported analysis to improve your organization's risk management practices?
• What obstacles do you anticipate—both internal and external to your organization—that might prevent the sharing of cyber incident data into a repository?
• Who might say ‘no’ to sharing and why?
• What mechanisms, policies, and procedures could help overcome these obstacles to sharing?
NPPD is soliciting public comments on the above topics. In particular, it is looking for comments from members of the cybersecurity and insurance communities; chief information security officers (CISOs); chief security officers (CSOs); academia; Federal, State, and local governments; industry; and professional organizations/societies.
NPPD tries to make it clear in this request for comments that they are not looking for specific program proposals at this time. What they are trying to do at this stage is to provide additional information to the CIDAWG for its continued work to better understand the potential of an anonymized and trusted cyber incident data repository to address the cybersecurity needs of the public and private sectors.
Comments may be submitted via email (firstname.lastname@example.org). Comments should be submitted by May 24th, 2016.
There is no indication in the Federal Register Notice whether NPPD is looking at IT or OT systems or both. The reason for this (after a brief look at the table of contents of the three white papers) is that NPPD is apparently not making any differentiation between the two. The second white paper, for instance, includes five theoretical case studies and the first of those is a control system incident.
I have not yet had a chance to take a detailed look at any of the publications, but the brief look that I have made seems to indicate that the CIDAWG is making some subtle (and probably unintentional) oversights in the scope of their work. For instance, the sample data input page (pg 8 of the data categories paper) lists health records under data theft, but it does not specifically include any mention of medical devices, apparently lumping them under the ‘SCADA/ICS Attack’ category. Similarly, there is no specific mention of transportation-related attacks.
The other thing that is missing from this discussion appears to be any focus on who would be collecting and analyzing the incident data. It looks to me like there has been an underlying assumption that the government (specifically some organization within NPPD) would be responsible for this function. That may be an appropriate governmental function, but there are alternatives that should also be addressed in this work. The Insurance Institute for Highway Safety, for instance, comes to mind as an organization with a similar function.
The last point that I would like to make here is a question about the openness of this comment process. NPPD has chosen to internalize the comment management process instead of utilizing the Federal eRulemaking Portal. The public advantage of the formal submission process is that all comments are publicly posted in an easily accessible and well understood web site. Now NIST has successfully used an internalized submission management process and they did a good job on their request for information projects in making sure that the comments were clearly posted on their web site. NIST made it clear in the request notices that such postings would be made. NPPD has not done that in this notice.