This is part of a continuing series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier posts in this series were:
An interesting new ‘idea’ was posted this week on the site
by David Rose [corrected source identity 7-14-13; 15:30 CDT],
who prefaced the idea by commenting:
“Just discovered this [the
IdeaScale ITFCC] existed, during the 3rd NIST Cyber Security Framework workshop
and there are zero (0) ideas on the cyber security framework topic -- so far.
“This tool would help to ensure, or
at least provide an opportunity for broader feedback.”
The comment is disappointing on at least two levels. First, most of the comments, and certainly all of my comments, seem to have been submitted with the Cybersecurity Framework in mind. Secondly, the ITFCC was supposedly set up to support DHS efforts at supporting the development and implementation of the Cybersecurity Framework, and it seems that the only one publicly pushing this is yours truly. Oh well, I suppose there is some satisfaction to be derived from being a voice crying in the wilderness; it provides multiple opportunities to say I told you so.
Performance Goals
Community Member states that the submission is “a current copy of the Performance Goals Discussion Paper” presumably being circulated through DHS. It provides a discussion about the purpose and use of “performance goals” as measures of the appropriate level of implementation of the Cybersecurity Framework. Currently those performance goals would be self-evaluated, as there is no ‘real intention’ in the administration to use the Cybersecurity Framework as a regulatory tool (except in selected areas where cybersecurity is already regulated).
There are only two primary and three secondary goals
provided in the document. They are:
Primary Performance Goals
• PPG 1: During and following a cyber incident, essential services and products continue to be delivered with a high degree of reliability, resiliency, safety and integrity.
• PPG 2: Intellectual property and personal information are protected to maintain the confidentiality of proprietary information and ensure privacy and civil liberties.
Supporting Performance Goals
• SPG 1: Capabilities are built and sustained to prevent, detect, respond to, recover, and learn from cyber incidents as part of an ongoing enterprise risk management process.
• SPG 2: Functions critical to the delivery of essential services and products are sustained, or otherwise rapidly restored, over the course of a cyber incident.
• SPG 3: Preparedness and resilience are continuously improved based on lessons learned from incidents, exercises and other activities.
These goals are broad enough that they could be applied to any organization, whether or not it is designated as ‘critical infrastructure’. Wide applicability has long been one of the goals of any cybersecurity plan. They are also so generic that any attempt to secure networks and control systems, no matter how ineffective, could be viewed as justifying the claim of meeting these goals.
There are two major deficiencies in these goals. First, they can only be effectively measured after a successful cyber-attack; oops, it is too late then to know that your controls are ineffective. To be fair, this will be the failure point of any set of performance goals. More importantly, these goals fail to address preventing the worst physical consequences of a successful cyber-attack. For example, at a high-risk chemical plant, safety systems should be in place to prevent off-site consequences from a cyber-attack that would release a toxic inhalation hazard chemical from storage on the site.
To address the latter, I have suggested that a third primary performance goal be added to the list:
• PPG 3: During and after a cyber-attack, controls, both computer based and physical, remain actively in play to protect the community from catastrophic physical consequences of process disruptions or interruptions.
I’m not sure that there is any specific way to address the
first deficiency. Any real measure of the effectiveness of a cybersecurity
control will have to rely on the response to an actual attack. And even
effectively responding to a real attack, or several real attacks, will not
ensure that the next hacker won’t have discovered a new hole in the system.
Realistically, the appropriateness of any performance goals adopted to support the Cybersecurity Framework will be measured by political, not technical, means. The question will come down to the willingness of the business community to adopt and implement the performance goals as part of a widespread cybersecurity program. Unless, or until, these goals are incorporated into law or regulation, every effort must be made to ensure that the goals are inoffensive enough to be voluntarily adopted by the business community.
Voice Crying in the Wilderness
Once again, I would like to take the opportunity to urge everyone to visit this IdeaScale site and put in your two cents’ worth. If you have no more time available than to read a couple of the ideas that catch your fancy, please vote on whether or not you think the idea has merit. If you have more time available, contribute a comment like Richard did; it will add to the discussion. But better yet, put one of your ideas down on paper and then post it to the site for others to read, vote upon and discuss. Be a real contributor to the development of national policy.