
Cyber Security and National Security Responsibility and Enforcement

In the current Information Technology (IT) space, private industry has gained a tremendous amount of communications, information, and infrastructure power and other resources via the advent of the internet. Whereas companies and other organizations of individuals once had to use libraries, meetings and traditional education methods to perform research, carry out maintenance or grow a knowledge base, today it is second nature to simply go online and find literally dozens of ways of obtaining this information and more. Sharing ideas amongst peers or even rivals no longer requires expensive travel engagements, time away from the office or even long-distance telephone calls. The internet even eliminates the need for large telephone networks and their charges, or in some cases even a phone connection. Most people now have access to Voice over Internet Protocol (VoIP) devices which eliminate the need for a traditional telephone circuit. Bills can be paid with a click of a mouse, avoiding delays and lost snail mail and saving literally tons of paper and the resources related to transportation of mail. Of course, the U.S. Government is to thank for the primary thrust and early evolution of the internet, having invested a lot of resources and U.S. taxpayers' money in the effort.

Along with the tremendous value the internet infrastructure brings to industry, there are tradeoffs which must be considered. These tradeoffs can be classified as risks that expose organizations to adverse conditions they may not have considered or weighed when taking on the benefits and efficiencies provided by internet communications. It is important for organizations to analyze the risks and weigh the benefits before choosing to what extent they will use the internet in their day-to-day business. In return for the benefits gained by using the internet, an organization also carries a responsibility to abide by the rules and guidelines set forth by the laws of the jurisdictions in which it operates and those established by the organization itself. In addition, the organization should be held accountable, and thus responsible, for protecting its own interests and, when applicable, the nation's cyber security.

Industries and organizations that develop products or electronic data services which are considered design-sensitive or controlled should certainly be held accountable for protecting their systems from exposure and intrusion. They should have control plans and procedures, audit mechanisms and response plans for dealing with incidents. A good model for organizations to draw from is the Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) compliance models. Now the question remains: should the Government impose rules which force organizations to implement cyber security measures? Moreover, should the Government tell private industry how to set up or improve their cyber security? We will now examine this question as well as industry's roles and responsibilities in helping to protect national security by implementing good cyber security controls. As part of the discussion we will examine some real-world scenarios which validate the needs and provide mechanisms to implement solutions.

Private industry has business responsibilities to achieve organizational goals. While technology serves to help achieve those goals, it also serves to provide portals to external opportunities and threats. The portals themselves, consisting of routers and firewalls, are produced by companies including Cisco. These companies many times have Government contracts which drive the technologies themselves and hence help support the business objectives of the organization. In the case of Cisco, the company is responsible for fulfilling the compliance requirements established by the Federal Information Security Management Act (FISMA), which was established in 2002. FISMA requires Federal agencies to improve IT security as they add new products to their infrastructure. It provides an audit forum for Federal organizations to validate compliance. Cisco has hence developed a router platform to allow both itself and Federal entities to comply with network-related requirements. For example, in a Cisco Self-Defending Network, solution components work together more effectively and are managed as a cohesive system that is distributed across and embedded within the network infrastructure. The benefits: better security, less management overhead, and greatly simplified FISMA audit preparation.

In this case Cisco felt it important to achieve FISMA compliance not only to win the federal sector business, which had Government-mandated needs to fulfill, but also to carry the success forward to products which are used throughout the private sector and in turn provide the benefits to those customers. The way Cisco addressed the issue was to take advantage of their marketing group and perform surveys of over 200 Government agencies, including the military, to understand the needs and barriers facing the customers. They initially determined that budget appropriations and existing security architecture were their own primary concerns in achieving what the customer perceived as a self-healing technology. They determined that the classic IT approach being practiced involved performing security patching during operating system (O/S) upgrades and patching. This is only a short-term solution and does not correct the underlying architectural issues which exposed environments across enterprises. They created a risk management framework. They found that failure to correct the issues could result in major financial losses for the customer and themselves and, in extreme conditions, even put people's lives in danger.

As a result of feedback from over 45 Government agencies and military participants, the barriers were defined even more specifically as configuration management, access control, and incident response.

As a result of the work Cisco did, they came up with a network solution they defined as the Self-Defending Network (SDN). SDN is Cisco's strategy to protect federal organizations from threats caused by both internal and external sources. This protection helps government organizations take better advantage of the intelligence in network resources, thus improving overall security while addressing FISMA requirements. Concerns that Cisco can address, helping to meet FISMA requirements, include unauthorized access, malicious code, scans and probes, improper usage, and denial-of-service attacks (Cisco, 2007).

Cisco developed the products associated with SDN to hold up to Government audits conducted as part of FISMA compliance. They also understood that the real needs go beyond compliance and that the true focus of federal agencies is on system and information security. Agency officials realize the complexity involved in meeting and maintaining regulatory compliance and furthermore understand that no single product or process achieves total compliance. Therefore, a comprehensive approach that involves planning, process and technology is paramount to compliance. Planning happens within the federal agency itself, with assistance from compliance experts including Cisco. Processes are day-to-day activities that happen within the organization itself. Technology is brought to the table by companies like Cisco and other Government partners.

As part of the solution, Cisco came up with a complete approach to address the ongoing needs to protect cyber environments and processes. This solution serves as a public model that can be utilized by Cisco's customers or even by others that may not be purchasing Cisco hardware solutions.

As we continue the discussion as to whether private industry should be responsible for helping to protect national security by implementing cyber-secure practices, we turn to legal analogies which may directly relate to industry obligations. The class reading assignment, Legal, Social and Ethical Issues of the Internet (Bidgoli, 2006), talks about responsible uses of the internet as they apply to laws or formal policy. The discussion of freedom of speech demonstrates the power and obligations associated with internet access. However, it does point out the importance of responsible use and also cites examples of how freedom of speech could be detrimental to the country or the system. Exploitation of child pornography is an example where responsibility must be exercised in order to maintain security and order for adolescents. The subject of free speech includes topics such as moral legitimacy, internet issues, promotion of destructiveness, hate crimes, spam and intellectual property issues. Much as these topics are addressed from a legal standpoint, the protection of national resources and the protection of organizations need to be modeled and structured. Simply choosing to ignore these types of issues eventually leads to complete exploitation or uselessness of the network or organization involved. Congress has had to enter into these legal and regulatory processes associated with free speech, just as it should promote specific cyber security measures for private industry. Some of these types of laws have even had to be tested by the U.S. court system, including the Supreme Court of the United States of America.

While exploring this analogy we should look at the aspects of Government enforcement. There are various ways the Government can mandate these policies and rules to force industry to implement good cyber security measures in the interest of National Security. As an example, the courts and Congress have weighed in on the rights involved with controls being used in public libraries to prevent minors' access to pornographic and mature material in the library. Congress adopted protection laws under the Children's Internet Protection Act (CIPA) in 2002. The purpose of the Act is to limit the exposure of explicit material in public libraries. This issue has been debated and tested all the way to the U.S. Supreme Court (American Library Association v. United States, 2002), which actually upheld the rules to control content. Additional legal protests were filed in 2003 (United States v. American Library Association, 2003) which resulted in rulings that alternative channels be made available to allow adult viewing of blocked content. Using this example as a basis to enact Government enforcement of cyber security implementation requirements demonstrates that the Government does have mechanisms to enable this. Furthermore, the U.S. Courts provide the balance to test the checks which Congress may adopt. This system of checks and balances provides a way for enforcement to be groomed and for solid criteria to be established for how private industry can be held accountable for implementing sound cyber security systems while not being unfairly forced to violate U.S. Constitutional rights or being put under an unfair burden to fulfill this need.

Another example of how private industry is required to enforce proper security, which includes cyber security, is in the commercial airline sector. Obviously the U.S. has adopted strong physical security requirements for public transportation in the aviation community. The advent of the Transportation Security Administration (TSA), created in November 2001 in the wake of the 9/11 attacks, clearly demonstrates the Government's ability to enforce processes and procedures with regard to commercial elements considered vital to national security. Within the charter of the TSA, cyber security considerations are included in its various regulatory authorities. Beyond the scope of the aviation community, the TSA also has the responsibility to provide security for national pipelines which carry hazardous materials. In September 2002 the TSA formed the Pipeline Security Division, within what is now called the Office of Transportation Sector Network Management (TSNM). The TSNM has established a set of security guidelines which support the actual Hazardous Materials Regulations. Within the guidelines is a section dedicated to business security and entitled Corporate Security Program (CSP). The program contains guidelines for companies to adopt a risk-based corporate security program to address and document the organization's policies and procedures for managing security-related threats, incidents and responses.

The CSP identifies specific areas which must be addressed by private operators doing work with the pipeline system. The elements addressed include:

• Administration and Management Structure
• Risk Analysis and Assessment
• Physical Access Security Control Measures
• Equipment Maintenance Testing
• Personnel Screening
• Communications
• Personnel Training
• Drills and Exercises
• Security Incident Procedure
• Incident Response Procedures
• Plan Reviews
• Record Keeping
• Supervisory Control and Data Acquisition (SCADA) Cyber System Security Measures
• Essential Security Contact Listings
• Security Testing and Audits

A separate section within the guideline documentation is dedicated specifically to cyber security and addresses guidelines for securing the IT environment. The section, titled Cyber Asset Security Measures, establishes criteria to ensure that IT systems are accounted for and that compensating controls are applied as part of an overall defense-in-depth approach. One may recall that Cisco also used a similar approach in their response to cyber security responsibility. The document provides a cyber security measures table with criteria segmented as follows, with the purpose of ensuring that a cyber-secure environment is maintained by the pipeline operator. A sampling of the measures shows a mechanism which could be used for other Government mandates to other industries.

• Baseline Measures
  o General Security Measures
    - Discusses types of devices and systems to be evaluated, frequency of evaluation and methods.
  o Information Security Coordination and Responsibilities
    - Discusses the development of documentation and teams to support ongoing discussion and security improvement throughout a system lifecycle.
  o System Lifecycle
    - Ongoing design refinement, patching and review processes.
  o System Restoration and Recovery
  o Intrusion Detection and Response
  o Training
  o Access Control and Functional Segregation
• Enhanced Cyber Security Measures
  o Access Control
    - Methods of restricting access.
  o Vulnerability Assessment
    - Methods and frequency limits of assessment.

It's obvious the TSA has created a detailed structure which is imposed upon private organizations doing work with the national pipeline network. These guidelines could easily be modified and adopted by other federal agencies to further support the imposition of control onto the private sector.

In summary, there is plenty of evidence to support the position that private industry should not only take on the responsibility to ensure they have secured their IT environment but in some cases even contribute information and, when applicable, solutions to other organizations so that others can synchronize and make use of synergies. In cases like Cisco, their work in the federal sector is a driving force for change which can carry over to other private organizations by default. There is also legal precedent to substantiate the creation of laws and litigation controls which could be applied to pressure private industry to take on specific responsibilities when it comes to cyber security and, in turn, protecting national security interests. The next steps are to determine the proper authorities to initiate the movement, or to perpetuate the phenomenon of cyber security awareness and ownership via multiple Government agencies. We should not wait for the next incident to occur before reacting, since it is already on the radar, according to the National Security Agency, that the next significant military assault is highly likely to contain a cyber threat component (McConnell, 2011). This has already occurred in recent international conflicts, when Russia attacked Georgia and disabled most of that country's internet communications as part of the attack. The U.S. Government and private industry need to further the progress of cyber security by growing this give-and-take relationship. In conclusion, we have not only shown that private industry should take responsibility in contributing to the protection of national security, but also given examples of how it is already being done and of the value to both the private sector and the Government. Secondly, when addressing the question of the Government imposing rules and telling private industry how to go about cyber security, that also has precedent to validate how this is and can be done. An important point with this, though, is that the Government does not directly tell the industry how to implement cyber security, nor should it take on that level of responsibility and liability. It does and should, however, establish guidelines that help to standardize the implementation. Enforcement of the rules can be done using the processes of checks and balances our Government has established over the past almost 250 years.

References

Bidgoli, H. (2006). Handbook of Information Security: Information Warfare; Social, Legal, and International Issues; and Security Foundations. Hoboken, NJ: John Wiley and Sons Inc.

Bosworth, S., Kabay, M. E., & Whyne, E. (2009). Computer Security Handbook. Hoboken, NJ: John Wiley and Sons Inc.

Cisco Systems (2007). FISMA Compliance with Cisco Federal Solution. Retrieved on 6/8/2011 from http://www.cisco.com/web/strategy/government/fisma.html

Litan, A. (2008). PCI Compliance Grows but Major Industry Problems Remain. Stamford, CT: Gartner, Inc.

Ngugi, B., Vega, G., & Dardick, G. (2009). PCI compliance: overcoming the challenges. International Journal of Information Security and Privacy, 3(2), 54-68.

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publishers.
