New and Timely Cyber Security Information

October is National Cyber Security Awareness Month.  With it, the DHS Private Sector Office has provided a number of resources to help organizations get involved in cyber security awareness.  These include weekly themes, such as Stop. Think. Connect., information on a weekly Twitter Chat series, and other information.

Perhaps released intentionally during National Cyber Security Awareness Month is the call for public comment on the National Cyber Incident Response Plan.  From their website, DHS’ National Protection and Programs Directorate and FEMA’s National Integration Center are leading the development of this document in coordination with the US Department of Justice, the Secretary of Defense, and other partners.  This plan is intended to provide a nation-wide approach to cyber incidents, incorporating roles for the private sector and all levels of government (TR – similar to the National Planning Frameworks, which this document rather heavily references).  The National Engagement Period ends on October 31, so be sure to review the document and provide feedback.  There are also a series of webinars referenced on the website.

In my initial and very cursory review of the plan, I was pleased to see the references to the National Preparedness Goal and National Planning Frameworks.  I’ve mentioned before that we need to strive to align and integrate all preparedness efforts along these lines and I’m thrilled to see it happening.  It’s even more encouraging to see this occurring with something that could be considered a bit fringe to traditional emergency management.  The plan directly references a number of Core Capabilities.  They take an interesting approach with this.  Instead of identifying which Core Capabilities the plan organizes under, they instead align certain Core Capabilities within what they call Lines of Effort.  These Lines of Effort include Threat Response, Asset Response, and Intelligence Support.  For each Core Capability they define the Core Capability, a la the National Preparedness Goal, and describe how that Core Capability applies to Line of Effort, along with listing associated critical tasks. (inserted is Table 2 from the plan which shows this alignment)

[Table 2 from the National Cyber Incident Response Plan: Core Capabilities aligned by Line of Effort]

What I find even more interesting is the array of Core Capabilities they identified for their Lines of Effort.  While this plan is oriented toward response, the Core Capabilities they identify come from the Mission Areas of Prevention, Protection, Response, and Mitigation, along with including the three common Core Capabilities.  This further reinforces the thought that the Cyber Security Core Capability should also be included as a common Core Capability.  This is an interesting document which I look forward to reviewing in more detail.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness

Adapting to the Cyber Threat – Who Holds Liability?

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees, as well as theft of taxpayer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and prosecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Cybersecurity – What is the Government’s Role with Business and Industry?

The National Institute of Standards and Technology was charged by the President with the creation of a framework for improving critical infrastructure cybersecurity, which they accomplished in February of 2014.  This framework and its associated documents provide information on critical steps that business and industry, working with the federal government, should take in the protection, prevention, detection, response, investigation, and recovery from a cyberattack.  The importance of this is not only the theft of private information of customers, as occurred in the hacking of Target databases, but most importantly (and the intention of the NIST document) the protection of our nation’s critical infrastructure – most of which is owned and operated by private industry.  What about state governments?  Do they have a role?

Working with various states around the nation, it has been interesting to see how they perceive their role in cybersecurity.  Some are very hands-on, while others are far too comfortable in the back seat.  State governments, it seems, are working to protect the cyber infrastructure they control (their own computer systems and data), but the position they take in respect to the private sector covers the whole spectrum from proactive to wait-and-see.  One wait-and-see-er explains their position away by saying that if they don’t own the cyber infrastructure they can’t do anything to protect it.  Interestingly enough, this particular argument came from a larger state which is the recipient of higher cuts of Homeland Security Grant Program (HSGP) funds than most and has a significant amount of critical infrastructure, including several nuclear power plants.  They seem to have little interest in even working with business and industry to come to common understandings, discuss threat indicators, share ideas, and talk about procedures and priorities.

On the other hand, there are states, both large and small, who see benefit to working with their business and industry to protect critical infrastructure and data interests.  While they acknowledge some challenges with the state not owning the cyberinfrastructure of these companies (nor do they want to), they see nothing but benefits in the formation of cybersecurity working groups and conducting cyber preparedness activities, particularly exercises.  This is the smart approach.

Given the number of cyberattacks that occur every day, it seems inevitable, just like any disaster, that a successful cyberattack on a critical sector of our infrastructure will certainly occur sometime in the future.  Are we prepared?  What are your states doing to prevent, protect, and prepare for such occurrences?  What are we missing?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Your Complete Guide to the 5 Cybersecurity Bills in Congress

Yesterday Eric Geller, a writer for The Daily Dot, an online internet culture newspaper, posted Your complete guide to the 5 cybersecurity bills in Congress.  This is a great overview of each of the bills and what they entail.  These bills represent an important progression toward a better cybersecurity policy and implementation in the US.  A worthwhile read.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

www.epsllc.biz

Cyber Security Video – Stop. Think. Connect

Students and faculty from Grand Valley State University created a video for the West Michigan Cyber Security Consortium and the US Department of Homeland Security’s campaign on cyber security called Tapping In – Stop. Think. Connect.  The information site for the video (including a link to the video) can be found here – Stop. Think. Connect.

It’s a clever video about the dangers of hackers, the importance of individual vigilance, and ways to maintain your own cyber security.  Overall the video is well done and the music is catchy, although I think the production is a bit long (five and a half minutes), leading to the message taking a back seat to the music.  I do like the characterization and the vignettes that drive the video and the overall message.  I’m hopeful they will edit down the piece to provide video segments a bit more palatable to our short attention spans and conducive to inclusion in advertising campaigns.

More of this is needed.  The public at large seems to pay little attention to cyber security and the role that individuals play in it.  While data infiltrations of large corporations like Target get a great deal of media attention, hackers and phishing scams lead to data and identity theft of individuals on a daily basis.

How do you promote cyber security in your organization or jurisdiction?  What materials and methods do you use to promote it?  Do you feel you are reaching your audience?

© 2014 – Timothy Riecker

The Leading Edge of CyberSecurity… Where is it?

I finally had a chance to read through Homeland Security Today’s publication of The Leading Edge Today.  The January edition was focused on cyber security.  The Producer’s Corner article (i.e. letter from the editor) cites a study and report compiled by Verizon and other entities from around the globe, including the US Secret Service.  This report, called the 2012 Verizon Data Breach Investigations Report, is staggering.  They cite 855 confirmed cases of enterprise data loss and say that most entities that are hacked aren’t aware of it for weeks or months – and are usually notified by someone else of the incident (i.e. law enforcement or an enterprise internet security firm).  The remainder of the publication offers some good information and insight on trends and prevention activities in the realm of cyber security.

Obviously The Leading Edge Today was published prior to the President’s signing of the cyber security executive order just a couple of days ago.  All reports so far indicate that the executive order really has no teeth.  It’s not law and only provides recommendations, although it does call for the establishment of a Cyber Security Framework (perhaps to parallel the National Response Framework?) and calls for NIST to establish the standards of this framework.  DHS is charged with sector-specific outreach to engage the private sector.  It’s not the full package of what our nation needs, but it’s a start.  It’s apparently a political throwing-down of the glove to challenge Congress to promulgate and pass a cyber security bill.

I’ve not had the chance to do any research on it, but what are other nations doing?  I imagine that there must be countries out there who have not dragged their feet as much as we have on this matter; and hopefully they have been able to implement not only strategic plans that outline progress, but have also implemented tighter defenses.  This may also be an opportunity for a global defense against cyber crimes – particularly in consideration of the perpetrators and the victims oftentimes being from around the world.  In my eyes, this cyber terrorism needs to be viewed as an attack on our sovereignty, on our economy, and on our personal and corporate privacies.  To fight it is to wage war against those who perform it and those nations who sponsor it – just like any other act of terrorism.