This is part of a continuing series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier posts in this series were:
The last couple of days have seen the introduction of two new
ideas that share one thing in common: they propose complex new ideas that take
more than a couple of paragraphs to explain. The first deals with cyber
emergency incident management and the second cyber security performance
measurement. And both rely on links to documents outside of the IdeaScale site
to fully explain their suggestions.
Cyber Incident Management
On July 15th the idea by dgsweigert
(Dan Sweigert) was moved to the site by moderators. There is a single sentence
(“Here is my white paper”) on the IdeaScale site and a link to a 3-page
SlideShare document. Dan eloquently makes the point that a proper response to a
cyber emergency is probably more important than efforts to prevent such
incidents. We are not going to be able to prevent 100% of the attacks on
critical infrastructure cyber-systems, so we need to put plans in place to
respond to successful attacks. He suggests that “serious consideration be given
by CSF [Cybersecurity Framework] planners to incorporate a NFPA 1600 and/or
NIMS response capability in the EO 13636 CSF” (pg 3).
As I noted in my IdeaScale comment to this idea, this is a
good first pass review of a problem that has been grossly overlooked in our
discussions of preventing cyber-attacks, particularly on control systems. Dan
makes the argument for starting the emergency response planning process and we
in the community need to flesh it out.
Performance Measurement
The second new idea will be familiar to readers of this
blog; Russell Thomas offers up his Ten Dimensions of Cyber Security Performance
that I
described in an earlier blog post. Russell provides a little more meat to
the introduction of his idea than did Dan, but he too has to rely on links to
off-site writings (in this case his blog) to fully explain the idea.
Voting
I voted ‘Agreed’ to both ideas, not because I fully endorse
them in every detail, but rather because I think they are both important new
ways of looking at the issues that the Cybersecurity Framework is supposed to
address. As such they need to be shared with the community, examined, discussed
and modified as necessary.
I doubt that either will make it directly into the Framework
being developed. That is not due to lack of scholarship or innovation, but
rather that the general game plan for the framework has already been
established and there is not enough time remaining in the process to make the
kinds of major changes that would be required by the incorporation of either of
these ideas.
Still, neither would interfere with implementation of the
Framework, so just perhaps the cybersecurity community needs to address these
ideas outside of the Framework. While we are currently focused on the
development and implementation of the Framework, I doubt that anyone really
assumes that it will be the final word on cybersecurity, particularly in
the control system realm.
Endorsing the IdeaScale Process
Once again, I would like to take the opportunity to urge
everyone to visit this IdeaScale site and put in your two cents worth. If you
have no more time available than to read a couple of the ideas that catch your
fancy, please vote on whether or not you think the idea has merit. If you have
more time available, contribute a comment like Richard did; it will add to the
discussion. But better yet, put one of your ideas down on paper and then post
it to the site for others to read, vote upon and discuss. Be a real contributor
to the development of national policy.