Book review: U.S. feds facilitating cybersecurity
By Shalin Hai-Jew, Kansas State University
Cybersecurity: Background, Risk Management and Federal Policies
Christian Sievier
Nova Science Publishers
2019
In a common sense, "cybersecurity" seems to be about a set of awarenesses, smart decision-making, safe(r) behaviors, and perhaps even a cybersecure lifestyle. The attack vectors vary over time and space, and the security advisement changes. There seems to be a gap between the easier actions—like what common people have to engage—and the heavy work of using AI, machine learning, statistical analysis, and other tools to identify threats and “zero days” and respond accordingly at government and corporate scale. In this latter case, there seems to be a major shortage of trained talent to run critical systems.
Christian Sievier’s Cybersecurity: Background, Risk Management and Federal Policies (2019) focuses on the nexus between the federal government in the U.S. and cybersecurity. This work reads like a U.S. government class (a little dry), with a special focus on protecting the nation against cyber threats, especially with an often-naïve partially informed population, widespread reliance on cyber for all aspects of modern life, and complex and changing technologies. The apparent target readers for this work are those who may want to work for or with the federal government to promote cybersecurity.
Chris Jaikaran “Cybersecurity: An Introduction” (Ch. 1) opens with the observation of the importance of networked devices as a part of everyday life. Yet, they can be used to “deny access to services, steal their information, or compromise the digital system they trust” (p. 1). The feds do not have an agreed-on definition of cybersecurity, even as the work involves defending all the facets involved in protecting cyberspace. The Commission on Enhancing National Cybersecurity definition reads as follows:
However, this definition is tailored more for systems administrators and others working in applied IT.
Cybersecurity requires attention to the infrastructure of “servers and switches, miles of cabling, wireless spectrum, and routers”; various devices; software and hardware (p. 3). It requires focus on how to protect data and individual privacy, online resources, reputations, cyber-related lifestyles, and other elements. Cybersecurity involves professionals across a range of fields. The threats that a government faces are more complex and dangerous and potentially far-reaching than those faced by different or smaller entities, including capable and resourced threat actors like particular countries (“Russia, China, Iran, and North Korea” in 2016), criminal organizations, terrorists, and individuals (p. 4). Computer security defined as having three attributes related to data: confidentiality (“data is only known to authorized parties”), integrity (“data and systems are not altered without authorization”), and data availability whenever needed by those so authorized (p. 4). To achieve those aims, various cybersecurity tools have been deployed: threat analyses, malware detection, surveillance, encryption, monitoring, data-checking, data backups, trainings, email blocking, and various policies.
The government has various tools to enable cybersecurity, by wielding laws, setting manufacturing standards, funding smart approaches, going into partnerships with business, and maintaining cybersecurity talent in its ranks. This work summarizes various approaches of the U.S. Congress, given its oversight role over the federal government, and its responsibility to ensure security of various government agencies’ IT and managed data. The author provides a basic summary of Congressional capabilities—to call hearings, to call attention to cybersecurity, to require testimony from businesses, to set up programs, to regulate industry, and to set up incentives for businesses to support cybersecurity. Also: “Congress may choose to spur activity by directing agencies to develop a report or strategy” (Jaikaran, 2019, “Cybersecurity…,” p. 7). The insights read as fairly basic and general. The article does not go into particular cases or particular policies or particular practices.
DHS and its law enforcement arm deal with the breaking of laws such as through “intellectual property theft or financial theft” (Jaikaran, 2019, “DHS’s…,” p. 11). As a large agency, DHS has many entities that work within it: Cybersecurity and Infrastructure Security Agency (CISA), U.S. Secret Service (USSS), Immigration and Customs Enforcement (ICE), Transportation Security Agency (TSA), the U.S. Coast Guard (USCG), Federal Emergency Management Agency (FEMA), and various programs with particular foci. Some entities deal with online traffic logging, continual Internet diagnostics, automated information sharing, electronic crimes task forces, critical infrastructure programs, and educative endeavors (p. 14).
The U.S. Congress plays an important part in promoting cybersecurity. Chris Jaikaran’s “Cybersecurity: Homeland Security Issues for the 116th Congress” (Ch. 3) focuses in on five main cybersecurity topics with nexuses with homeland security that were addressed in this session (from January 3, 2019 to January 3, 2021, the last two years of then President Donald J. Trump’s presidency). The five issues are “Information Sharing, Critical Infrastructure Protection and Cybersecurity, Cyber Supply Chain Risk Management, Federal Agency Oversight, and Data Protection and Privacy” (p. 17). Cybersecurity is practically conceptualized as a “process of risk management” instead of a state of perfect security (with the assumption that there will be failures and system compromises). Risk can be “avoided, transferred, controlled, and accepted” (p. 18). To create a proper security posture, organizations go through threat assessments; they identify vulnerabilities in the IT and bureaucratic systems; they assess potential consequences of achieved attacks and failures. For entities as massive as countries, information sharing can enable a shared distributed defense assuming there is some level of trust and a tendency towards taking appropriate actions as a response. A core cybersecurity framework for the protection of critical infrastructure is one by the National Institute of Standards and Technology (NIST).
One type of concern involves the equipment on which cyber runs and vulnerabilities in the supply chain.
Finally, this work makes the point that government handles sensitive personally identifiable information (PII) among others. How it collects, uses, stores, and transmits this data has to be carefully managed to preclude their leakage or compromise.
The United States Government Accountability Office’s (GAO) “Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information” (Ch. 4) opens with a listing of various Honorables in the U.S. legislature who are receiving the written work: Richard Burr, Mark R. Warner, Devin Nunes, and Adam Schiff (all household names from press coverage). What follows are references to authorizing laws and policies, government entities, and Fair Information Practice Principles, drafted to guide the handling of sensitive information.
“Transparency” suggests the importance of notifying individuals that their data is being collected, used, shared, and maintained, and in what ways. “Individual participation” suggests the importance of he person in making decisions about the use of their personally identifiable information (PII) and their enablements in making corrections and accessing “redress” for misuse. “Purpose specification” refers to the need for organizations to “specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.” Organizations should only collect what PII they need for the particular purpose, according to the “data minimization” principle. Organizations should only use the PII “solely for the purpose(s) specified in the notice” and nothing else, based on “use limitation.” The “data quality and integrity” principle assigns responsibility to organizations to “ensure that PII is accurate, relevant, timely, and complete” (US GAO, 2019, “Cybersecurity: Federal Agencies…” p. 33).
Finally, the “accountability and auditing” principle suggests that organizations “should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure” (The White House, National Strategy for Trusted Identities in Cyberspace (Washington, D.C.: April 2011, as cited by the US GAO, 2019, “Cybersecurity: Federal Agencies…” p. 33). This work stems from a report on cybersecurity to leaders in the U.S. government.
For the general public, the U.S. GAO is probably most high profile for its budget estimate role in assessing legislative proposals than its accountability role. It does much more than estimate costs of proposed legislation; it conducts department performance audits to ensure accountability and protect taxpayer investments. [It looks to be that they output private reports to the various organizations, but they also report out through a public channel with more general information.]
Gregory C. Wilshusen’s “Cybersecurity: DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks” (Ch. 5) opens with the GAO’s designation of “information security as a government-wide high-risk area in 1997” including “cyber critical infrastructure in 2003” and the need to protect personally identifiable information in 2015” (p. 37). This work reports on GAO’s findings of DHS efforts towards enabling national-level cybersecurity by ensuring the security of federal- and private- sector computer systems and networks:
This work—a report to Congress—describes what was measurably and objectively achieved, such as the providing of “limited intrusion detection and prevention capabilities to entities across the federal government” and issuing cybersecurity “operational directives to federal agencies” and sharing cybersecurity information and promoting the use of the NIST Framework for Improving Critical Infrastructure Cybersecurity, and partially assessing their cybersecurity workforce. The GAO also identified where and how DHS could improve in handling its cybersecurity mandate (Wilshusen, 2019, “Cybersecurity…,” p. 39). DHS services to government agencies include monthly US-CERT bulletins, in-depth CyberStat reviews, and “red” and “blue” team exercises to test agency systems for robustness against cyberattack (pp. 50 – 51), services which were ranked highly by agencies. One of the subheadings in this chapter reads: “DHS’s National Integration Center Generally Performs Required Functions but Needs to Evaluate its Activities More Completely” (p. 53). This work resulted in the finding that DHS’s efforts were found to have “shortcomings with its programs and a lack of useful performance measures” (p. 58). The report also focused on the need for more efficient service delivery and more effective interactions with their respective partners in the U.S. government and outside (p. 58). Ensuring a qualified cybersecurity workforce was another observed challenge.
Electricity is critical for modern life and human economic productivity globally. Richard J. Campbell “Electric Grid Cybersecurity” (Ch. 6) addresses the importance of protecting this access to electricity by protecting the power plants, electricity transmission infrastructure, hardware and software, and other elements. Risks to the electric grid from “natural, operational, or manmade events” (p. 61). In terms of cybersecurity, “the greatest cyber threats to the grid have been intrusions focused on manipulating industrial control system (ICS) networks” (p. 61) and resultant losses of control over parts of the system. A study by a security firm found industrial control devices have security vulnerabilities, many “insecure-by-design,” that if exploited, the vulnerabilities would have “severe operational impact” (p. 76). The advent of the Internet of Things (IoT) devices is a more recent worry, with the observation that there is botnet malware targeting IoT networks in the wild. The electrical grid interacts with a variety of other systems, so risks can cascade, given connection and complexity:
This work includes summaries of cyberattacks that have already occurred: an attack on a dam in NY by Iranian government hackers, an electric company attacked by N. Korean hackers, and “cyber intrusions at critical energy and manufacturing infrastructure companies” by Russian government hackers (Campbell, 2019, p. 65). The involvement of nation-state actors often means a level of resourcing and sophistication not found in malicious actors outside of governments.
The challenge generally has been to prepare against cyberattacks by strengthening defenses. There are systems in place to detect cyber attacks as quickly as possible and to respond with all due speed and accuracy. Then, too, there is work towards recovery from various attacks. Most interestingly, there are efforts to “accelerate game-changing research, development, and demonstration (RD&D) of resilient energy delivery systems” and cybersecurity tools for “automated defense of future energy delivery systems” (Campbell, 2019, pp. 69 - 70).
The risks of combined physical and cyberattacks could magnify the harm of an attack. One such case is described:
Attacks may also be timed during other broad-scale crises, including natural emergencies.
Another concern involves electric grid risks from large-scale physical attacks on transformers, given “the limited inventory of spare parts” which could result in “months or years to build new units” (Campbell, 2019, p. 73). Supply chain security is also a challenge for the component parts of electrical transformers. The supply chain concerns also include semi-conductors and microprocessors, given that manufacturers span various countries. The firmware—programmable controllers, programmable logic arrays—runs on fixed machine-language code: “If access were gained to such devices (especially during the manufacturing process), a section of code could be covertly inserted in the device and activated in such a way as to impair its functioning in a reliable manner” (p. 82). A certain amount of unreliability can wreck systems. The amounts of such technology do not enable full testing of every chip, but some random testing does occur. A grid exercise was held by the North American Electric Reliability Corporation (NERC) to “test the electricity sector’s ability to respond to grid security emergencies caused by cyber and physical attacks” (p. 75). Improving coordination between various entities may improve a defense response to lessen disruptions and enable more effective recovery.
Artificial intelligence has also been brought to bear to address cybersecurity. AI is “a combination of computational technologies, machines, and software which have the capability to learn from inputs and be self-directed” and which can take data as inputs and engage “machine learning” to identify relevant patterns (Campbell, 2019, p. 88), even in streams of big data as exists in the electrical grid analyzed with high-performance computing (p. 89). There are weaknesses in such approaches, too, given that AI learns by experiential learning, which may make it blind to anomalous or novel threats. Machine learning based on data to create models is only as strong as the training data, and the models can be biased based on the quality of the data. For high-volume high-speed systems, AI and machine learning have their limits. Further, there is the fear that adversaries can figure out a way that AI can be harnessed to “stage future attacks on the grid” (p. 90). Part of cyber defense involves seeing malicious actors conduct reconnaissance and set up for imminent (or eventual) attacks. It is important not only to focus on the known types of attacks but potential new ones.
Some defenses being explored include setting up smart grids, with sensors and automated controls. Here, the electrical grid can defend itself based on accurate sensing and analysis and speedy actions. Another approach is to use microgrids that “operate independently of the grid” with power generated by “fossil fuel, combined heat and power plants, or renewable energy systems” (Campbell, 2019, p. 99). There are efforts to build electrical grids to “meet high resilience standards for electromagnetic pulse (EMP) and geomagnetic disturbances (GMD), as well as physical and cybersecurity” (p. 100). There are efforts to solve the issue of expensive “large, high voltage electric power transformers” (LPTs), such as possibly having some reserve in case these are attacked physically or in other ways (p. 100). This work includes a useful summary of recent legislation (115th Congress) that has impacts on the power grid.
Finally, various electric utilities are responsible to report “grid instances and disturbances” to the Department of Energy (DOE) (Campbell, 2019, p. 94). The author writes:
Constant intelligence-gathering around the threats to the electrical grid is critical. That there are informed professionals looking at such issues is heartening. In a time of the Russian-Ukraine War, with a modern European country pushed back generations based on Russian aggression, critical infrastructure is clearly important for human survival. The need to have national security to protect a nation’s peoples and their well-being is obviously critical.
Applying for a federal loan to pursue higher education is a very common step in the learning process. The Office of Federal Student Aid (FSA), which has oversight over billions in student loans, has a vested interest in protecting student data and personally identifiable information (PII), even as their information moves into the hands of non-school partners. The PII includes “student demographics, student eligibility, student finances, parent demographics, parent finances” among others (p. 128). The United States Government Accountability Office’s “Cybersecurity: Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners’ Protection of Borrower Information” (Ch. 7) describes an assessment of FSA efforts in protecting applicant data handled by federal loan servicers (who make the loans and collect payments), private collection agencies (who pursue loans in default), guaranty agencies (who insure lenders against loss), and Federal Family Education Loan lenders (non-federal lenders including “banks, credit unions, and other lending institutions”) (p. 109). The performance assessment involves looking at performances by these various categories of outside entities. Overseeing the security of such data involves the following: “(1) risk-based security and privacy controls, (2) independent assessments to ensure controls are effectively implemented, (3) corrective actions to address identified weaknesses in controls, and (4) ongoing monitoring of control status” (p. 110).
The GAO assessment has two main objectives:
The actual analysis involved “FSA documentation, reports, policies, and procedures” and interviews of FSA officials (US GAO, 2019, “Cybersecurity: Office of…,” p. 108). What follows is an in-depth backgrounder (replete with plenty of references to legal authorities) followed by the analysis, with identification for areas for improvement. In the performance audit, they point to the importance of the following practices:
Cybersecurity requires adherence to exacting and accurate processes, oversight, and care, without fail.
Gene L. Dodaro’s “High-Risk Series: Urgent Actions are Needed to Address Cybersecurity Challenges Facing the Nation” (Ch. 8) analyzes cybersecurity risk at national scale, with critical infrastructures for energy, water, transportation, financial services, communications, e-government, and others. The U.S. GAO “has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented” (p. 158). This work is based on a transcript of a hearing on cybersecurity challenges to a legislative subcommittee.
The author writes: “IT systems supporting federal agencies and our nation’s critical infrastructures are inherently at risk. These systems are highly complex and dynamic, technologically diverse, and often geographically dispersed. This complexity increases the difficulty in identifying, managing, and protecting the numerous operating systems, applications, and devices comprising the systems and networks” (Dodaro, 2019, p. 162) and many with interconnections with internal and external systems. In 2017, some 35,277 information security incidents were recorded by the Office of Management and Budget (OMB) (p. 163), with concomitant risks to “economic, national, and personal privacy and security” (p. 164).
Four major cybersecurity challenges include the following: “(1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data” (Dodaro, 2019, pp. 169-170). The respective insights are specific to particular agencies. There is a general need to train up more cybersecurity professionals, including from diverse populations. The advent of IoT and other technological updates brings other challenges.
This work concludes with suggestions:
Shalin Hai-Jew works as an instructional designer / researcher at Kansas State University. Her email is shalin@ksu.edu.
Christian Sievier
Nova Science Publishers
2019
198 pp.
In a common sense, "cybersecurity" seems to be about a set of awarenesses, smart decision-making, safe(r) behaviors, and perhaps even a cybersecure lifestyle. The attack vectors vary over time and space, and the security advisement changes. There seems to be a gap between the easier actions—like what common people have to engage—and the heavy work of using AI, machine learning, statistical analysis, and other tools to identify threats and “zero days” and respond accordingly at government and corporate scale. In this latter case, there seems to be a major shortage of trained talent to run critical systems.
Introduction
Christian Sievier’s Cybersecurity: Background, Risk Management and Federal Policies (2019) focuses on the nexus between the federal government in the U.S. and cybersecurity. This work reads like a U.S. government class (a little dry), with a special focus on protecting the nation against cyber threats, especially with an often-naïve partially informed population, widespread reliance on cyber for all aspects of modern life, and complex and changing technologies. The apparent target readers for this work are those who may want to work for or with the federal government to promote cybersecurity.
About Cybersecurity
Chris Jaikaran “Cybersecurity: An Introduction” (Ch. 1) opens with the observation of the importance of networked devices as a part of everyday life. Yet, they can be used to “deny access to services, steal their information, or compromise the digital system they trust” (p. 1). The feds do not have an agreed-on definition of cybersecurity, even as the work involves defending all the facets involved in protecting cyberspace. The Commission on Enhancing National Cybersecurity definition reads as follows:
The process of protecting information and information systems by preventing, detecting, and responding to unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” (Jaikaran, 2019, “Cybersecurity…,” p. 2)
However, this definition is tailored more for systems administrators and others working in applied IT.
Cybersecurity requires attention to the infrastructure of “servers and switches, miles of cabling, wireless spectrum, and routers”; various devices; software and hardware (p. 3). It requires focus on how to protect data and individual privacy, online resources, reputations, cyber-related lifestyles, and other elements. Cybersecurity involves professionals across a range of fields. The threats that a government faces are more complex and dangerous and potentially far-reaching than those faced by different or smaller entities, including capable and resourced threat actors like particular countries (“Russia, China, Iran, and North Korea” in 2016), criminal organizations, terrorists, and individuals (p. 4). Computer security defined as having three attributes related to data: confidentiality (“data is only known to authorized parties”), integrity (“data and systems are not altered without authorization”), and data availability whenever needed by those so authorized (p. 4). To achieve those aims, various cybersecurity tools have been deployed: threat analyses, malware detection, surveillance, encryption, monitoring, data-checking, data backups, trainings, email blocking, and various policies.
The government has various tools to enable cybersecurity, by wielding laws, setting manufacturing standards, funding smart approaches, going into partnerships with business, and maintaining cybersecurity talent in its ranks. This work summarizes various approaches of the U.S. Congress, given its oversight role over the federal government, and its responsibility to ensure security of various government agencies’ IT and managed data. The author provides a basic summary of Congressional capabilities—to call hearings, to call attention to cybersecurity, to require testimony from businesses, to set up programs, to regulate industry, and to set up incentives for businesses to support cybersecurity. Also: “Congress may choose to spur activity by directing agencies to develop a report or strategy” (Jaikaran, 2019, “Cybersecurity…,” p. 7). The insights read as fairly basic and general. The article does not go into particular cases or particular policies or particular practices.
Department of Homeland Security: Cybersecurity Focus
Cybersecurity threats may emanate from natural disasters, human actions (intended and unintended), and various mixes of challenges. The security posture has to take into account the various challenges. Chris Jaikaran “DHS’s Cybersecurity Mission—An Overview” (Ch. 2) focuses on the Department of Homeland Security and its approach to cybersecurity. The researcher describes their approach as “largely agnostic to any individual threat actor, but informed by the risks that the actor presents” (p. 9). Their cybersecurity objectives are focused on “prevention, protection, mitigation, response and recovery,” engaging the entire span of the cybersecurity risk space (p. 10). DHS evaluates cyber risks and strives to promote “security and resilience of information communication technology (ICT) systems” (p. 10). One major tool involves information sharing with both government and non-government entities. They take on a leading role in supporting victims of cyber incidents: “When a cyber incident occurs, DHS has capabilities and authorities to provide direct assistance to the victim (both federal and non-federal) to help that victim recover from the incident” (p. 10). DHS collaborates with other federal agencies as well to meet their national mandate, with its authorities from the Federal Information Modernization Act of 2014 (P.L. 113 – 283). The author writes:
DHS can block malicious Internet traffic before it enters an agency, inform an agency when it has a vulnerability, direct agencies to mitigate threats, and provide technical assistance to agencies to respond to cyber risk. (Jaikaran, 2019, “DHS’s…,” p. 10)
DHS and its law enforcement arm deal with the breaking of laws such as through “intellectual property theft or financial theft” (Jaikaran, 2019, “DHS’s…,” p. 11). As a large agency, DHS has many entities that work within it: Cybersecurity and Infrastructure Security Agency (CISA), U.S. Secret Service (USSS), Immigration and Customs Enforcement (ICE), Transportation Security Agency (TSA), the U.S. Coast Guard (USCG), Federal Emergency Management Agency (FEMA), and various programs with particular foci. Some entities deal with online traffic logging, continual Internet diagnostics, automated information sharing, electronic crimes task forces, critical infrastructure programs, and educative endeavors (p. 14).
U.S. Congress’s Cybersecurity Roles
The U.S. Congress plays an important part in promoting cybersecurity. Chris Jaikaran’s “Cybersecurity: Homeland Security Issues for the 116th Congress” (Ch. 3) focuses in on five main cybersecurity topics with nexuses with homeland security that were addressed in this session (from January 3, 2019 to January 3, 2021, the last two years of then President Donald J. Trump’s presidency). The five issues are “Information Sharing, Critical Infrastructure Protection and Cybersecurity, Cyber Supply Chain Risk Management, Federal Agency Oversight, and Data Protection and Privacy” (p. 17). Cybersecurity is practically conceptualized as a “process of risk management” instead of a state of perfect security (with the assumption that there will be failures and system compromises). Risk can be “avoided, transferred, controlled, and accepted” (p. 18). To create a proper security posture, organizations go through threat assessments; they identify vulnerabilities in the IT and bureaucratic systems; they assess potential consequences of achieved attacks and failures. For entities as massive as countries, information sharing can enable a shared distributed defense assuming there is some level of trust and a tendency towards taking appropriate actions as a response. A core cybersecurity framework for the protection of critical infrastructure is one by the National Institute of Standards and Technology (NIST).
One type of concern involves the equipment on which cyber runs and vulnerabilities in the supply chain.
Managing risks associated with a global and complex product supply chain for information technology (IT) is known as cyber supply chain risk management (C-SCRM). C-SCRM refers to addressing both the risks that foreign adversaries may introduce to products and unintentional risks, such as poor quality control and vendor management. Policymakers could choose to pursue legislative options to clarify agency responsibilities relative to C-SCRM, such as increasing awareness, providing oversight, prohibiting certain companies from supplying components or services, or requiring an entity to evaluate products for cyber supply chain risks. (Jaikaran, 2019, “Cybersecurity…,” p. 20)
Finally, this work makes the point that government handles sensitive personally identifiable information (PII) among others. How it collects, uses, stores, and transmits this data has to be carefully managed to preclude their leakage or compromise.
U.S. Government Accountability Office (GAO) and Cybersecurity for Privacy Protections
The United States Government Accountability Office’s (GAO) “Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information” (Ch. 4) opens with a listing of various Honorables in the U.S. legislature who are receiving the written work: Richard Burr, Mark R. Warner, Devin Nunes, and Adam Schiff (all household names from press coverage). What follows are references to authorizing laws and policies, government entities, and Fair Information Practice Principles, drafted to guide the handling of sensitive information.
“Transparency” suggests the importance of notifying individuals that their data is being collected, used, shared, and maintained, and in what ways. “Individual participation” suggests the importance of he person in making decisions about the use of their personally identifiable information (PII) and their enablements in making corrections and accessing “redress” for misuse. “Purpose specification” refers to the need for organizations to “specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.” Organizations should only collect what PII they need for the particular purpose, according to the “data minimization” principle. Organizations should only use the PII “solely for the purpose(s) specified in the notice” and nothing else, based on “use limitation.” The “data quality and integrity” principle assigns responsibility to organizations to “ensure that PII is accurate, relevant, timely, and complete” (US GAO, 2019, “Cybersecurity: Federal Agencies…” p. 33).
Finally, the “accountability and auditing” principle suggests that organizations “should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure” (The White House, National Strategy for Trusted Identities in Cyberspace (Washington, D.C.: April 2011, as cited by the US GAO, 2019, “Cybersecurity: Federal Agencies…” p. 33). This work stems from a report on cybersecurity to leaders in the U.S. government.
Cybersecurity of Federal and Private-Sector Networks
For the general public, the U.S. GAO is probably most high profile for its budget estimate role in assessing legislative proposals than its accountability role. It does much more than estimate costs of proposed legislation; it conducts department performance audits to ensure accountability and protect taxpayer investments. [It looks to be that they output private reports to the various organizations, but they also report out through a public channel with more general information.]
Gregory C. Wilshusen’s “Cybersecurity: DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks” (Ch. 5) opens with the GAO’s designation of “information security as a government-wide high-risk area in 1997” including “cyber critical infrastructure in 2003” and the need to protect personally identifiable information in 2015” (p. 37). This work reports on GAO’s findings of DHS efforts towards enabling national-level cybersecurity by ensuring the security of federal- and private- sector computer systems and networks:
Since fiscal year 2016, GAO has made 29 recommendations to DHS to enhance the capabilities of NCPS, establish metrics and methods for evaluating performance, and fully assess its cybersecurity workforce, among other things. As of April 2018, DHS had not demonstrated that I had fully implemented most of the recommendations. (p. 38)
This work—a report to Congress—describes what was measurably and objectively achieved, such as the providing of “limited intrusion detection and prevention capabilities to entities across the federal government” and issuing cybersecurity “operational directives to federal agencies” and sharing cybersecurity information and promoting the use of the NIST Framework for Improving Critical Infrastructure Cybersecurity, and partially assessing their cybersecurity workforce. The GAO also identified where and how DHS could improve in handling its cybersecurity mandate (Wilshusen, 2019, “Cybersecurity…,” p. 39). DHS services to government agencies include monthly US-CERT bulletins, in-depth CyberStat reviews, and “red” and “blue” team exercises to test agency systems for robustness against cyberattack (pp. 50 – 51), services which were ranked highly by agencies. One of the subheadings in this chapter reads: “DHS’s National Integration Center Generally Performs Required Functions but Needs to Evaluate its Activities More Completely” (p. 53). This work resulted in the finding that DHS’s efforts were found to have “shortcomings with its programs and a lack of useful performance measures” (p. 58). The report also focused on the need for more efficient service delivery and more effective interactions with their respective partners in the U.S. government and outside (p. 58). Ensuring a qualified cybersecurity workforce was another observed challenge.
Protecting the Electric Grid for National Security
Electricity is critical for modern life and human economic productivity globally. Richard J. Campbell “Electric Grid Cybersecurity” (Ch. 6) addresses the importance of protecting this access to electricity by protecting the power plants, electricity transmission infrastructure, hardware and software, and other elements. Risks to the electric grid from “natural, operational, or manmade events” (p. 61). In terms of cybersecurity, “the greatest cyber threats to the grid have been intrusions focused on manipulating industrial control system (ICS) networks” (p. 61) and resultant losses of control over parts of the system. A study by a security firm found industrial control devices have security vulnerabilities, many “insecure-by-design,” that if exploited, the vulnerabilities would have “severe operational impact” (p. 76). The advent of the Internet of Things (IoT) devices is a more recent worry, with the observation that there is botnet malware targeting IoT networks in the wild. The electrical grid interacts with a variety of other systems, so risks can cascade, given connection and complexity:
Electricity is a subsector of the energy critical infrastructure (CI) sector. Given that the grid relies on several of the other CI sectors (for example, water and fuel transportation), the question of whether these other sectors should also have similar mandatory standards focused on support of the electric power sector… (Campbell, 2019, p. 62)
This work includes summaries of cyberattacks that have already occurred: an attack on a dam in NY by Iranian government hackers, an electric company attacked by N. Korean hackers, and “cyber intrusions at critical energy and manufacturing infrastructure companies” by Russian government hackers (Campbell, 2019, p. 65). The involvement of nation-state actors often means a level of resourcing and sophistication not found in malicious actors outside of governments.
The challenge generally has been to prepare against cyberattacks by strengthening defenses. There are systems in place to detect cyber attacks as quickly as possible and to respond with all due speed and accuracy. Then, too, there is work towards recovery from various attacks. Most interestingly, there are efforts to “accelerate game-changing research, development, and demonstration (RD&D) of resilient energy delivery systems” and cybersecurity tools for “automated defense of future energy delivery systems” (Campbell, 2019, pp. 69 - 70).
The risks of combined physical and cyberattacks could magnify the harm of an attack. One such case is described:
The 2013 attack on the Metcalf substation in California further cast light on the physical vulnerabilities of the grid. After someone broke into a nearby underground vault to cut telephone cables, snipers opened fire on the substation, knocking out 17 large power transformers sending power to Silicon Valley. A blackout was averted by rerouting power around the substation, and local power plants were called upon to produce more electricity. It took the local utility 27 days to restore the substation. The Federal Energy Regulatory Commission’s (FERC’s) chairman at the time reportedly said that ‘if [the attack] were widely replicated across the country, it could take down the U.S. electric grid and black out much of the country. (Campbell, 2019, p. 72)
Attacks may also be timed during other broad-scale crises, including natural emergencies.
Another concern involves electric grid risks from large-scale physical attacks on transformers, given “the limited inventory of spare parts” which could result in “months or years to build new units” (Campbell, 2019, p. 73). Supply chain security is also a challenge for the component parts of electrical transformers. The supply chain concerns also include semi-conductors and microprocessors, given that manufacturers span various countries. The firmware—programmable controllers, programmable logic arrays—runs on fixed machine-language code: “If access were gained to such devices (especially during the manufacturing process), a section of code could be covertly inserted in the device and activated in such a way as to impair its functioning in a reliable manner” (p. 82). A certain amount of unreliability can wreck systems. The amounts of such technology do not enable full testing of every chip, but some random testing does occur. A grid exercise was held by the North American Electric Reliability Corporation (NERC) to “test the electricity sector’s ability to respond to grid security emergencies caused by cyber and physical attacks” (p. 75). Improving coordination between various entities may improve a defense response to lessen disruptions and enable more effective recovery.
Artificial intelligence has also been brought to bear to address cybersecurity. AI is “a combination of computational technologies, machines, and software which have the capability to learn from inputs and be self-directed” and which can take data as inputs and engage “machine learning” to identify relevant patterns (Campbell, 2019, p. 88), even in streams of big data as exists in the electrical grid analyzed with high-performance computing (p. 89). There are weaknesses in such approaches, too, given that AI learns by experiential learning, which may make it blind to anomalous or novel threats. Machine learning based on data to create models is only as strong as the training data, and the models can be biased based on the quality of the data. For high-volume high-speed systems, AI and machine learning have their limits. Further, there is the fear that adversaries can figure out a way that AI can be harnessed to “stage future attacks on the grid” (p. 90). Part of cyber defense involves seeing malicious actors conduct reconnaissance and set up for imminent (or eventual) attacks. It is important not only to focus on the known types of attacks but potential new ones.
Some defenses being explored include setting up smart grids, with sensors and automated controls. Here, the electrical grid can defend itself based on accurate sensing and analysis and speedy actions. Another approach is to use microgrids that “operate independently of the grid” with power generated by “fossil fuel, combined heat and power plants, or renewable energy systems” (Campbell, 2019, p. 99). There are efforts to build electrical grids to “meet high resilience standards for electromagnetic pulse (EMP) and geomagnetic disturbances (GMD), as well as physical and cybersecurity” (p. 100). There are efforts to solve the issue of expensive “large, high voltage electric power transformers” (LPTs), such as possibly having some reserve in case these are attacked physically or in other ways (p. 100). This work includes a useful summary of recent legislation (115th Congress) that has impacts on the power grid.
Finally, various electric utilities are responsible to report “grid instances and disturbances” to the Department of Energy (DOE) (Campbell, 2019, p. 94). The author writes:
The National Cybersecurity and Communications Integration Center (NCCIC) under the Department of Homeland Security’s National Protection and Programs Directorate largely has the role of informing the electricity industry of cyber and physical threats to the grid. The NCCIC is focused on cyber situational awareness, incident response, and management, and coordinates with the Electricity Information Sharing and Analysis Center (E-ISAC), operated by the North American Electric Reliability Corporation. (Campbell, 2019, p. 96)
Constant intelligence-gathering around the threats to the electrical grid is critical. That there are informed professionals looking at such issues is heartening. In a time of the Russian-Ukraine War, with a modern European country pushed back generations based on Russian aggression, critical infrastructure is clearly important for human survival. The need to have national security to protect a nation’s peoples and their well-being is obviously critical.
Office of Federal Student Aid and Non-School Partners’ Privacy Protections
Applying for a federal loan to pursue higher education is a very common step in the learning process. The Office of Federal Student Aid (FSA), which has oversight over billions in student loans, has a vested interest in protecting student data and personally identifiable information (PII), even as their information moves into the hands of non-school partners. The PII includes “student demographics, student eligibility, student finances, parent demographics, parent finances” among others (p. 128). The United States Government Accountability Office’s “Cybersecurity: Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners’ Protection of Borrower Information” (Ch. 7) describes an assessment of FSA efforts in protecting applicant data handled by federal loan servicers (who make the loans and collect payments), private collection agencies (who pursue loans in default), guaranty agencies (who insure lenders against loss), and Federal Family Education Loan lenders (non-federal lenders including “banks, credit unions, and other lending institutions”) (p. 109). The performance assessment involves looking at performances by these various categories of outside entities. Overseeing the security of such data involves the following: “(1) risk-based security and privacy controls, (2) independent assessments to ensure controls are effectively implemented, (3) corrective actions to address identified weaknesses in controls, and (4) ongoing monitoring of control status” (p. 110).
The GAO assessment has two main objectives:
(1) describe the roles of non-school partners and the types of PII shared with them and (2) assess the extent to which FSA policies and procedures for overseeing the non-school partners’ protection of student aid data adhere to federal requirements, guidance, and best practices. (US GAO, 2019, “Cybersecurity: Office of…,” p. 108)
The actual analysis involved “FSA documentation, reports, policies, and procedures” and interviews of FSA officials (US GAO, 2019, “Cybersecurity: Office of…,” p. 108). What follows is an in-depth backgrounder (replete with plenty of references to legal authorities) followed by the analysis, with identification for areas for improvement. In the performance audit, they point to the importance of the following practices:
- require the implementation of risk-based security and privacy controls,
- independently assess the implementation of security controls,
- develop and implement corrective actions, and
- monitor the implementation of controls on an ongoing basis (US GAO, 2019, “Cybersecurity: Office of…,” p. 152)
Cybersecurity requires adherence to exacting and accurate processes, oversight, and care, without fail.
A Nation with Numerous Cybersecurity Attack Surfaces and “Vulns”
Gene L. Dodaro’s “High-Risk Series: Urgent Actions are Needed to Address Cybersecurity Challenges Facing the Nation” (Ch. 8) analyzes cybersecurity risk at national scale, with critical infrastructures for energy, water, transportation, financial services, communications, e-government, and others. The U.S. GAO “has made over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings. As of July 2018, about 1,000 still needed to be implemented” (p. 158). This work is based on a transcript of a hearing on cybersecurity challenges to a legislative subcommittee.
The author writes: “IT systems supporting federal agencies and our nation’s critical infrastructures are inherently at risk. These systems are highly complex and dynamic, technologically diverse, and often geographically dispersed. This complexity increases the difficulty in identifying, managing, and protecting the numerous operating systems, applications, and devices comprising the systems and networks” (Dodaro, 2019, p. 162) and many with interconnections with internal and external systems. In 2017, some 35,277 information security incidents were recorded by the Office of Management and Budget (OMB) (p. 163), with concomitant risks to “economic, national, and personal privacy and security” (p. 164).
Four major cybersecurity challenges include the following: “(1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data” (Dodaro, 2019, pp. 169-170). The respective insights are specific to particular agencies. There is a general need to train up more cybersecurity professionals, including from diverse populations. The advent of IoT and other technological updates brings other challenges.
This work concludes with suggestions:
Specifically, the federal government needs to implement a more comprehensive cybersecurity strategy and improve its oversight, including maintaining a qualified cybersecurity workforce, address security weaknesses in federal systems and information and enhance cyber incidence response efforts; bolster the protection of cyber critical infrastructure; and prioritize efforts to protect individual’s privacy and PII. (Dodaro, 2019, p. 192)
Conclusion
Christian Sievier’s edited collection Cybersecurity: Background, Risk Management and Federal Policies (2019) starts out a little slow, but it becomes much more engaging later on past the summary of U.S. government entities and functions. This work provides insight into an all-of-government approach to cybersecurity and risk management, with so much at stake.
About the Author
Shalin Hai-Jew works as an instructional designer / researcher at Kansas State University. Her email is shalin@ksu.edu.
Previous page on path | Cover, page 17 of 22 | Next page on path |
Discussion of "Book review: U.S. feds facilitating cybersecurity"
Add your voice to this discussion.
Checking your signed in status ...