
Category Archives: Security Policy

On February 13th, President Obama met with various leaders in technical, financial, and other industries to discuss the growing threat presented by cyber warfare. The President also signed an Executive Order, which we shall be taking a look at today:

EXECUTIVE ORDER

– – – – – – –

PROMOTING PRIVATE SECTOR CYBERSECURITY INFORMATION SHARING

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies), and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

TL;DR: Cybersecurity is important, so everyone should share intel.

Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.

If your company has access to intel about cyber threats due to being a security research firm or from firsthand experience being attacked, you should definitely tell us (and other companies) ALL the details by establishing intel clubs for all your (and our) friends (AKA companies). You don’t have to, though.

Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.

If you’re gonna give your (and our) friends all your intel, we’ve gotta make sure that all privacy and civil liberties are protected, no trade secrets are revealed, the info is safe, and totally lets our friends know every single detail about your company so that we can effectively sp- …um… ‘gather and analyze intelligence’ to protect you and your friends. Also, the bit about public health means that we hate anti-vaxxers.

This order builds upon the foundation established by Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), and Presidential Policy Directive-21 (PPD-21) of February 12, 2013 (Critical Infrastructure Security and Resilience).

We’ve already laid out some rules, but we want EVERYBODY to get in on this. It’s good. We promise.

Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 (PPD-1) of February 13, 2009 (Organization of the National Security Council System), or any successor.

The Intelligence Community and the National Security Council will be overseeing this and coordinating all of the juicy intel that you’re sharing with Uncle Sa- …uh, each other.

Sec. 2. Information Sharing and Analysis Organizations. (a) The Secretary of Homeland Security (Secretary) shall strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).

(b) ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations. ISAOs may be formed as for-profit or nonprofit entities.

ISAOs (Information Sharing and Analysis Organizations) are the main product of this Executive Order, and they can be formed in many different ways: around a sector, a sub-sector, a region, or a particular emerging threat, with members drawn from the public sector, the private sector, or both. The important part is that they can be for-profit, if the organizers so choose. This will not lead to genuine security sharing and will jeopardize existing security firms.

(c) The National Cybersecurity and Communications Integration Center (NCCIC), established under section 226(b) of the Homeland Security Act of 2002 (the “Act”), shall engage in continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information related to cybersecurity risks and incidents, addressing such risks and incidents, and strengthening information security systems consistent with sections 212 and 226 of the Act.

These ISAOs will operate under federal ‘guidance’ through the NCCIC and are subject to sections 212 and 226 of the Homeland Security Act of 2002. Under section 212, an ‘‘Information Sharing and Analysis Organization’’ means any formal or informal entity or collaboration created or employed by public or private sector organizations. The definition then lists three purposes for which such an organization is formed:

(A) gathering and analyzing critical infrastructure information in order to better understand security problems and interdependencies related to critical infrastructure and protected systems, so as to ensure the availability, integrity, and reliability thereof;

These organizations must freely share trade secrets and other potentially proprietary information in relation to critical infrastructure, so that fellow members of the organization can fully understand and protect it.

(B) communicating or disclosing critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of a interference, compromise, or a incapacitation problem related to critical infrastructure or protected systems;

Similar to the above, this requires that these organizations collaborate and share intelligence in order to protect against attacks or accidents.

(C) voluntarily disseminating critical infrastructure information to its members, State, local, and Federal Governments, or any other entities that may be of assistance in carrying out the purposes specified in subparagraphs (A) and (B). 

Ditto for the last two but this time, it is voluntary and for the benefit of the government, be it local, state, Federal, etc.

Section 226 is the provision that establishes the NCCIC itself and sets out its functions, including coordinating with ISAOs; it is the hook that attaches the new ISAOs to an existing federal center rather than creating a new one.

(d) In promoting the formation of ISAOs, the Secretary shall consult with other Federal entities responsible for conducting cybersecurity activities, including Sector-Specific Agencies, independent regulatory agencies at their discretion, and national security and law enforcement agencies.

There will be input from the existing cybersecurity monitoring and responses units within the Federal and local governments.

Sec. 3. ISAO Standards Organization. (a) The Secretary, in consultation with other Federal entities responsible for conducting cybersecurity and related activities, shall, through an open and competitive process, enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order. The standards shall further the goal of creating robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information. The standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate. These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.

This establishes a framework of standards by which ISAOs will be judged. The Secretary will select, through an open and competitive process, a nongovernmental organization to serve as the ISAO Standards Organization (SO), consulting the relevant Federal entities along the way; the SO then writes voluntary standards covering contracts, business processes, operating procedures, technical means, and privacy protections such as data minimization. The stated goal is that every ISAO can quickly and effectively gather and share intelligence, both with its members and with other ISAOs. Interestingly, this also calls for the development and adoption of automated sharing mechanisms, so it is likely that these standards exist in part to ensure machine-parsable data and a repeatable minimization step before anything leaves a member.
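As an added example (not part of the order, and not taken from any ISAO standard), the following Python sketch shows one way a member could apply minimization to an incident record before pushing it into an automated sharing channel: actionable indicators are kept, the people and the reporting organization are stripped or pseudonymised, and a final check confirms nothing identifying slipped through. The record layout, the field names, the ‘internal’ address ranges, the sample incident and the ISAO-issued HMAC key are all assumptions made for illustration.

```python
"""
Data-minimizing normaliser for an incident record before it leaves an ISAO member.

Added example; the record layout, field names, internal ranges and the
per-member HMAC key are assumptions, not anything the order or an ISAO defines.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Any, Dict, List

# Fields that carry indicators other members can act on: kept (summary is redacted).
SHAREABLE_FIELDS = ("observed_at", "attacker_ips", "domains", "file_hashes", "ttps", "summary")

# Fields that identify people or the reporting organisation: never shared as-is.
PII_FIELDS = ("reporter_name", "reporter_email", "affected_users", "victim_org")

# Networks treated as the reporter's internal space (assumption: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample incident; addresses and names are documentation/test values.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "observed_at": "2015-02-13T10:42:00Z",
    "reporter_name": "Jane Doe",
    "reporter_email": "jane.doe@example-bank.test",
    "victim_org": "Example Bank",
    "affected_users": ["jdoe", "rroe"],
    "attacker_ips": ["198.51.100.23", "10.1.4.7"],
    "domains": ["update-check.example.invalid"],
    "file_hashes": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "ttps": ["spearphishing attachment", "credential dumping"],
    "summary": "jane.doe@example-bank.test opened an attachment; host 10.1.4.7 "
               "then beaconed to 198.51.100.23.",
}


def is_internal(ip_text: str) -> bool:
    """True for addresses inside the reporter's internal ranges; False for anything else."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def redact_text(text: str) -> str:
    """Strip e-mail addresses and internal IPs from free text; external IPs stay, they are the indicator."""
    text = EMAIL_RE.sub("[email]", text)
    return IPV4_RE.sub(lambda m: "[internal-ip]" if is_internal(m.group(0)) else m.group(0), text)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: lets the ISAO correlate reports from one member without naming it,
    and (unlike a plain hash) cannot be reversed by hashing a list of likely org names."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_incident(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Build the share-ready copy: only whitelisted fields survive, redacted where needed."""
    out: Dict[str, Any] = {}
    for field in SHAREABLE_FIELDS:
        if field not in record:
            continue
        value = record[field]
        if field == "summary":
            value = redact_text(value)
        elif field == "attacker_ips":
            # An 'attacker IP' inside our own ranges is a misfiled victim host, not an indicator.
            value = [ip for ip in value if not is_internal(ip)]
        out[field] = value
    if "victim_org" in record:
        out["member_id"] = pseudonymise(record["victim_org"], key)
    return out


def check_share_safe(record: Dict[str, Any]) -> List[str]:
    """Return the names of fields that still carry PII or internal addresses (empty list = safe)."""
    bad: List[str] = []
    for field, value in record.items():
        values = value if isinstance(value, list) else [value]
        strings = [v for v in values if isinstance(v, str)]
        leaks = any(EMAIL_RE.search(s) or any(is_internal(ip) for ip in IPV4_RE.findall(s))
                    for s in strings)
        if field in PII_FIELDS or leaks:
            bad.append(field)
    return bad


if __name__ == "__main__":
    shared = minimize_incident(SAMPLE_INCIDENT, b"isao-issued-member-key")
    print(shared)
    print("leaks:", check_share_safe(shared))
```

The whitelist-then-verify shape is deliberate: a blacklist of PII fields would silently pass any new field a member adds later, while the final `check_share_safe` pass catches PII that was pasted into a field the whitelist trusts, such as the free-text summary.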

(b) To be selected, the SO must demonstrate the ability to engage and work across the broad community of organizations engaged in sharing information related to cybersecurity risks and incidents, including ISAOs, and associations and private companies engaged in information sharing in support of their customers.

In order to be considered legit, the SO has to show that it can coordinate all of the different ISAOs, associations, and private companies.

(c) The agreement referenced in section 3(a) shall require that the SO engage in an open public review and comment process for the development of the standards referenced above, soliciting the viewpoints of existing entities engaged in sharing information related to cybersecurity risks and incidents, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders.

The SO will seek open public review and comment, as well as getting advice from existing similar organizations.

(d) The Secretary shall support the development of these standards and, in carrying out the requirements set forth in this section, shall consult with the Office of Management and Budget, the National Institute of Standards and Technology in the Department of Commerce, Department of Justice, the Information Security Oversight Office in the National Archives and Records Administration, the Office of the Director of National Intelligence, Sector-Specific Agencies, and other interested Federal entities. All standards shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.

A list of the Federal entities the Secretary must consult while the standards are developed. The standards must also line up with voluntary international standards where that advances the order’s goals, and must satisfy the National Technology Transfer and Advancement Act of 1995 and OMB Circular A-119.

Sec. 4. Critical Infrastructure Protection Program. (a) Pursuant to sections 213 and 214(h) of the Critical Infrastructure Information Act of 2002, I hereby designate the NCCIC as a critical infrastructure protection program and delegate to it authority to enter into voluntary agreements with ISAOs in order to promote critical infrastructure security with respect to cybersecurity.

Designates the NCCIC (National Cybersecurity and Communications Integration Center) as a ‘critical infrastructure protection program’ under the Critical Infrastructure Information Act. That status is what lets it receive protected critical infrastructure information and, under this order, sign voluntary agreements with ISAOs.

(b) Other Federal entities responsible for conducting cybersecurity and related activities to address threats to the public health and safety, national security, and economic security, consistent with the objectives of this order, may participate in activities under these agreements.

NCCIC isn’t the only Fed entity that can get in on this; anyone (Federal) that deals with anything related can participate, too.

(c) The Secretary will determine the eligibility of ISAOs and their members for any necessary facility or personnel security clearances associated with voluntary agreements in accordance with Executive Order 13549 of August 18, 2010 (Classified National Security Information Programs for State, Local, Tribal, and Private Sector Entities), and Executive Order 12829 of January 6, 1993 (National Industrial Security Program), as amended, including as amended by this order.

ISAOs and their members may be eligible for security clearances. That way, they can get that juicy TS/SCI intel about that 4chan guy and how he’ll DDoS their sweet SCADA systems.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

Privacy and civil liberties are to be taken seriously in the course of cybersecurity intelligence collection, but there is no mention of a specific law by which this should be enforced, instead opting to mention “Fair Information Practice Principles” and various other ‘frameworks’.

(b) Senior privacy and civil liberties officials for agencies engaged in activities under this order shall conduct assessments of their agency’s activities and provide those assessments to the Department of Homeland Security (DHS) Chief Privacy Officer and the DHS Office for Civil Rights and Civil Liberties for consideration and inclusion in the Privacy and Civil Liberties Assessment report required under Executive Order 13636.

It is important to note that the date of Executive Order 13636 was in February of 2013, months before the Snowden-inspired privacy movement took shape. As such, the rules regarding privacy were not established due to public outcry, but are actually the same rules which were in effect that allowed for the Snowden-era programs to operate. 13636 specifies that the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties shall publish an annual public report (with an allowed classified annex), in order to report on any privacy violations and to suggest changes, which is then reviewed by the Secretary of Homeland Security.

Sec. 6. National Industrial Security Program. Executive Order 12829, as amended, is hereby further amended as follows:

(a) the second paragraph is amended by inserting “the Intelligence Reform and Terrorism Prevention Act of 2004,” after “the National Security Act of 1947, as amended,”;

(b) Sec. 101(b) is amended to read as follows: “The National Industrial Security Program shall provide for the protection of information classified pursuant to Executive Order 13526 of December 29, 2009, or any predecessor or successor order, and the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.).”;

(c) Sec. 102(b) is amended by replacing the first paragraph with: “In consultation with the National Security Advisor, the Director of the Information Security Oversight Office, in accordance with Executive Order 13526 of December 29, 2009, shall be responsible for implementing and monitoring the National Industrial Security Program and shall:”;

(d) Sec. 102(c) is amended to read as follows: “Nothing in this order shall be construed to supersede the authority of the Secretary of Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.), or the authority of the Director of National Intelligence (or any Intelligence Community element) under the Intelligence Reform and Terrorism Prevention Act of 2004, the National Security Act of 1947, as amended, or Executive Order 12333 of December 8, 1981, as amended, or the authority of the Secretary of Homeland Security, as the Executive Agent for the Classified National Security Information Program established under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities).”;

(e) Sec. 201(a) is amended to read as follows: “The Secretary of Defense, in consultation with all affected agencies and with the concurrence of the Secretary of Energy, the Nuclear Regulatory Commission, the Director of National Intelligence, and the Secretary of Homeland Security, shall issue and maintain a National Industrial Security Program Operating Manual (Manual). The Secretary of Energy and the Nuclear Regulatory Commission shall prescribe and issue that portion of the Manual that pertains to information classified under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.). The Director of National Intelligence shall prescribe and issue that portion of the Manual that pertains to intelligence sources and methods, including Sensitive Compartmented Information. The Secretary of Homeland Security shall prescribe and issue that portion of the Manual that pertains to classified information shared under a designated critical infrastructure protection program.”;

This big chunk updates Executive Order 12829 (the National Industrial Security Program) so that it can cover classified cybersecurity information shared with critical infrastructure owners. The references are modernized to the current classification order (Executive Order 13526) and the post-2004 intelligence structure, and the Secretary of Homeland Security is added alongside the Secretary of Defense, the Secretary of Energy, the Nuclear Regulatory Commission, and the Director of National Intelligence (DNI) as an authority over the program. It also mentions the National Industrial Security Program Operating Manual (NISPOM), which sets the rules contractors and other cleared private parties must follow when handling classified information, and adds that the Secretary of Homeland Security shall prescribe the portion of the Manual that covers classified information shared under a designated critical infrastructure protection program.

(f) Sec. 201(f) is deleted in its entirety;

Removes the part that says that the manual will be published no more than one year from the date of the order.

(g) Sec. 201(e) is redesignated Sec. 201(f) and revised by substituting “Executive Order 13526 of December 29, 2009, or any successor order,” for “Executive Order No. 12356 of April 2, 1982.”;

(h) Sec. 201(d) is redesignated Sec. 201(e) and revised by substituting “the Director of National Intelligence, and the Secretary of Homeland Security” for “and the Director of Central Intelligence.”;

As a result of the restructuring of the US intelligence community (IC) under the Intelligence Reform and Terrorism Prevention Act of 2004, the office of the Director of Central Intelligence (DCI) was abolished and replaced with the office of the Director of National Intelligence (DNI).

(i) a new Sec. 201(d) is inserted after Sec. 201(c) to read as follows: “The Manual shall also prescribe arrangements necessary to permit and enable secure sharing of classified information under a designated critical infrastructure protection program to such authorized individuals and organizations as determined by the Secretary of Homeland Security.”;

Further preparation for sharing classified intel with private parties, as deemed necessary by the Secretary of Homeland Security.

(j) Sec. 202(b) is amended to read as follows: “The Director of National Intelligence retains authority over access to intelligence sources and methods, including Sensitive Compartmented Information. The Director of National Intelligence may inspect and monitor contractor, licensee, and grantee programs and facilities that involve access to such information or may enter into written agreements with the Secretary of Defense, as Executive Agent, or with the Director of the Central Intelligence Agency to inspect and monitor these programs or facilities, in whole or in part, on the Director’s behalf.”;

Ensures that those granted clearances can be monitored and managed.

(k) Sec. 202(d) is redesignated as Sec. 202(e); and

(l) in Sec. 202 a new subsection (d) is inserted after subsection (c) to read as follows: “The Secretary of Homeland Security may determine the eligibility for access to Classified National Security Information of contractors, licensees, and grantees and their respective employees under a designated critical infrastructure protection program, including parties to agreements with such program; the Secretary of Homeland Security may inspect and monitor contractor, licensee, and grantee programs and facilities or may enter into written agreements with the Secretary of Defense, as Executive Agent, or with the Director of the Central Intelligence Agency, to inspect and monitor these programs or facilities in whole or in part, on behalf of the Secretary of Homeland Security.”

The Secretary of Homeland Security decides who is eligible for access to classified information under a critical infrastructure protection program (contractors, licensees, grantees, their employees, and parties to agreements with the program). DHS may inspect and monitor those parties itself, or sign written agreements to have the Secretary of Defense (as Executive Agent) or the Director of the CIA do the inspecting on its behalf.

Sec. 7. Definitions. (a) “Critical infrastructure information” has the meaning given the term in section 212(3) of the Critical Infrastructure Information Act of 2002.

Information not customarily in the public domain and related to the security of critical infrastructure or protected systems.

(b) “Critical infrastructure protection program” has the meaning given the term in section 212(4) of the Critical Infrastructure Information Act of 2002.

Any component or bureau of a covered Federal agency that has been designated by the President or any agency head to receive critical infrastructure information.

(c) “Cybersecurity risk” has the meaning given the term in section 226(a)(1) of the Homeland Security Act of 2002 (as amended by the National Cybersecurity Protection Act of 2014) (note: the 2014 act was signed into law in December 2014, two months before this order).

Threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of information or information systems, including such related consequences caused by an act of terrorism.

(d) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality & Integrity, Security, and Accountability & Auditing. I highly recommend reading the full text of these.

(e) “Incident” has the meaning given the term in section 226(a)(2) of the Homeland Security Act of 2002 (as amended by the National Cybersecurity Protection Act of 2014).

(f) “Information Sharing and Analysis Organization” has the meaning given the term in section 212(5) of the Critical Infrastructure Information Act of 2002.

(g) “Sector-Specific Agency” has the meaning given the term in PPD-21, or any successor.

More definitions, almost entirely generic.

Sec. 8. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law or Executive Order to an agency, or the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

This Executive Order will not supersede previous laws, nor will it take away powers from other agencies and executives.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law including those activities conducted with the private sector relating to criminal and national security threats. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law.

The private sector can keep on doing what it does. Regulators and auditors gain no additional powers from this order.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods.

Did we mention that sharing intel is good? Just make sure you do it legally and protect sources and methods.

(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Nobody can sue anybody over the things in this order.

BARACK OBAMA

There you have it, folks. The order seems to focus primarily on facilitating the sharing of critical infrastructure cybersecurity intelligence and on properly classifying said intel. It also looks like these ISAOs will be the cool kids on the block when it comes to cybersecurity in critical infrastructure circles.


In keeping with its focus on cyber security, The White House (which just proposed a roughly $1 billion increase in cyber funding in its 2016 budget) is hosting a first Summit on Cybersecurity and Consumer Protection this Friday at Stanford University.

Attendees include a veritable ‘who’s who’ of the tech industry, Wall Street, and various other industries, with the CEOs of Bank of America Corp., U.S. Bancorp, American Express, Kaiser Permanente, Visa Inc., MasterCard Inc., and PayPal, as well as Tim Cook from Apple and representatives from Facebook, Google, Intel, and various other companies.

Among the items on the agenda are:

  • Public-Private Collaboration on Cybersecurity
  • Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations
  • Promoting More Secure Payment Technologies
  • Cybersecurity Information Sharing
  • International Law Enforcement Cooperation on Cybersecurity
  • Improving Authentication: Moving Beyond the Password

The White House has also stated that in order to strengthen America’s cyber security posture, its priorities are:

  1. Protecting the country’s critical infrastructure — our most important information systems — from cyber threats.
  2. Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.
  3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
  4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
  5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.


It will be interesting to see how this shapes the future of America’s cyber policy and how the rest of the world reacts. If Apple Pay becomes the de facto e-payment standard, what does that mean for Android users?

Today, Facebook announced its new cyber security threat feed, ThreatExchange. By integrating various threat-monitoring feeds on top of its Facebook Graph platform, it lets participating companies trace the connections between cyber incidents and their own records. A number of companies are on board and will be contributing to and using the data. By embracing the philosophy of data sharing, the goal is to strengthen the web collectively through efficient dissemination of cyber threat intelligence. The beta now has an open signup both for users and for contributors.

The first line of defense in a network is the people who use it. As someone who secures data, it is easy to blame breaches on user error, but in many cases it is a matter of ignorance rather than stupidity. It is our responsibility to educate and inform our users about the exposure their actions can create and the potential consequences of a breach. The video in the link is a talk from DEF CON 19 by Jayson E. Street entitled Steal Everything, Kill Everyone, Cause Total Financial Ruin, in which Jayson describes in depth many of the physical intrusions he has carried out as part of penetration tests. The one weak link in every incident was the human element; every target fell victim to his social engineering and never thought to question him. Teach your users to question everything and to report suspicious activity. Breed a security culture and your first line of defense will be strong.