In the current Information Technology (IT) space, private industry has gained a
resources via the advent of the internet. Whereas companies, other organizations and individuals once had to use libraries, meetings and traditional education methods to perform research, carry out maintenance or grow their knowledge base, today it is second nature to simply go online and find dozens of ways to obtain this information and more. Sharing ideas among peers, or even rivals, no longer requires expensive travel, time away from the office or even long-distance telephone calls. The internet even eliminates the need for large telephone networks and their charges, or in some cases even a phone connection. Most people now have access to Voice over Internet Protocol (VoIP) devices, which eliminate the need for a traditional telephone circuit. Bills can be paid with a click of a mouse, avoiding delays and lost mail and saving tons of paper and the resources spent transporting mail. Of course, the U.S. Government is to thank for the primary thrust and early evolution of the internet, having invested a lot of resources and U.S. taxpayers'
Along with the tremendous value the internet infrastructure brings to industry, there are tradeoffs which must be considered. These tradeoffs can be classified as risks that expose organizations to adverse conditions they may not have considered or weighed when
for organizations to analyze the risks and weigh the benefits before choosing to what extent they will use the internet in their day-to-day business. In exchange for the benefits gained by using the internet, an organization also carries a responsibility to abide by the rules and guidelines set forth by the laws of the jurisdictions in which it operates and those established by the organization itself. In addition, the organization should be held accountable, and thus responsible, to protect its own interests and, when applicable, the
Industries and organizations that develop products or electronic data services which are considered design-sensitive or controlled should certainly be held accountable to protect their systems from exposure and intrusion. They should have control plans and procedures, audit mechanisms and response plans for dealing with incidents. Good models for organizations to draw from are the Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) compliance models. The question remains: should the Government impose rules which force organizations to implement cyber security measures? Moreover, should the Government tell private industry how to set up or improve their cyber security? We will now examine this question as well as industry's roles and controls. As part of the discussion we will examine some real-world scenarios which will
technology serves to help achieve those goals, it also serves to provide portals to external opportunities and threats. The portals themselves, consisting of routers and firewalls, are produced by companies including Cisco. These companies often have Government contracts which drive the technologies themselves and hence help support the business objectives of the organization. In the case of Cisco, they are responsible to fulfill the
(FISMA), which was established in 2002. FISMA requires federal agencies to improve IT security as they add new products to their infrastructure, and it establishes an audit and reporting framework through which federal organizations validate compliance. Cisco has hence developed a router platform to allow them and federal entities to comply with network-related requirements. For example, in a Cisco Self-Defending Network, solution components work together more effectively and are managed as a cohesive system that is distributed across and embedded within the network infrastructure. The benefits: better security, less management overhead,
In this case Cisco felt it important to achieve FISMA compliance not only to win federal-sector business, which had Government-mandated needs to fulfill, but also to carry that success forward into products used throughout the private sector and in turn provide the benefits to those customers. The way Cisco addressed the issue was to take advantage of their marketing group and survey over 200 Government agencies, including the military, to understand the needs and barriers facing the customers. They initially determined that budget appropriations and existing security architecture were the primary concerns in achieving what the customer perceived as a self-healing
security patching during operating system (O/S) upgrades and patching. This is only a short-term solution and does not correct the underlying architectural issues which exposed the
found that failure to correct the issues could result in major financial losses for the customer and themselves and, in extreme conditions, even put people's lives in danger.
the barriers were even more specifically defined as configuration management, access control, and incident response.
As a result of the work Cisco did, they came up with a network solution they defined
organizations from threats caused by both internal and external sources. This protection
resources, thus improving overall security while addressing FISMA requirements. Concerns that Cisco can address, helping to meet FISMA requirements, include unauthorized access, malicious code, scans and probes, improper usage, and denial-of-service attacks (Cisco, 2007).
Cisco developed the products associated with the SDN to hold up to Government audits conducted as part of FISMA compliance. They also understood that the real needs go beyond compliance and that the true focus of federal agencies is on actual system and information security. Agency officials realize the complexity involved in meeting and maintaining
process and technology is paramount to compliance. Planning happens within the federal agency itself, with assistance from compliance experts including Cisco. Processes are the day-to-day activities that happen within the organization itself. Technology is brought to the table by companies like Cisco and other Government partners.
As part of the solution Cisco came up with a complete approach to address the ongoing needs to protect cyber environments and processes. This solution serves as a public model that can be utilized by their customers or even by others that may not be
protect national security by implementing cyber-secure practices, we turn to legal analogies which may directly relate to industry obligations. The class reading assignment, Legal, Social and Ethical Issues of the Internet (Bidgoli, 2006), talks about responsible uses of the internet as they apply to laws or formal policy. The discussion of freedom of speech demonstrates the power and obligations associated with internet access. It also points out the importance of responsible use and cites examples of how freedom of speech could be detrimental to the country or the system. Exploitation of child pornography
order for adolescents. The subject of free speech includes topics such as moral legitimacy, internet issues, promotion of destructiveness, hate crimes, spam and intellectual property issues. Much as these topics are addressed from a legal standpoint, the protection of
Simply choosing to ignore these types of issues eventually leads to complete exploitation or
usefulness of the network or organization involved. Congress has had to enter into the legal and regulatory process associated with free speech, just as it should promote specific cyber security measures for private industry. Some of these laws have even been tested by the U.S. court system, including the Supreme Court of the United States of America.
enforcement. There are various ways the Government can mandate policies and rules to force industry to implement good cyber security measures in the interest of national security. As an example, the courts and Congress have weighed in on the rights involved in using controls in public libraries to prevent minors from accessing pornographic and mature material. Congress adopted such protections under the Children's Internet Protection Act (CIPA), enacted in December 2000. The purpose of the Act is to limit the exposure of explicit material in public libraries. This issue was debated and tested all the way to the U.S. Supreme Court. A federal district court first struck down the Act's library filtering requirements (American Library Association v. United States, 2002), but on appeal the Supreme Court reversed and upheld them (United States v. American Library Association, 2003), noting that a library can disable the filter at the request of an adult patron. Using this example
requirements, demonstrates that the Government does have mechanisms to enable this. Furthermore, the U.S. courts provide the balance to test the checks which Congress may adopt. This system of checks and balances provides a way for enforcement to be refined and to establish solid criteria for how private industry can be held accountable for implementing sound cyber security systems while not being unfairly forced to violate the U.S.
Another example of how private industry is required to enforce proper security, including cyber security, is the commercial airline sector. Obviously the U.S. has adopted strong physical security requirements for public transportation in the aviation community. The creation of the Transportation Security Administration (TSA) in November 2001, in the wake of the 9/11 attacks, clearly demonstrates the Government's ability to enforce processes and procedures with regard to commercial elements considered vital to national security. Within the charter of the TSA, cyber security considerations are included in its various regulatory authorities. Beyond the aviation community, the TSA also has responsibility for the security of national pipelines which carry hazardous materials. In September 2002 the TSA formed the Pipeline Security Division, within what is now called the Office of Transportation Sector Network Management (TSNM). The TSNM has established a set of security guidelines which support the Hazardous Materials Regulations. Within the guidelines is a section dedicated to business security, entitled Corporate Security Program (CSP). The program contains guidelines for companies to adopt a risk-based corporate security program that addresses and documents the organization's policies and procedures for managing security-related threats, incidents and responses. The CSP identifies specific areas which must be addressed by private operators doing work with the pipeline system. The elements addressed include:
Personnel Screening
Communications
Personnel Training
Plan Reviews
Record Keeping
specifically to cyber security addresses guidelines for securing the IT environment. The section titled Cyber Asset Security Measures establishes criteria to ensure IT systems are accounted for and that compensating controls are applied as part of an overall defense-in-depth approach. One may recall that Cisco also used a similar approach in their response to cyber security responsibility. A cyber security measures table is provided with the document, giving criteria segmented as follows, with the purpose of ensuring the pipeline operator maintains a cyber-secure environment. A sampling of the measures shows a mechanism which could be used for other Government mandates to other industries.
Baseline Measures
o System Lifecycle
o Training
o Access Control
o Vulnerability Assessment
organizations doing work with the national pipeline network. These guidelines could easily
be modified and adopted by other federal agencies to further support the imposition for
In summary, there is plenty of evidence to support the position that private industry should not only take on the responsibility to ensure they have secured their IT environment but in some cases even contribute information and solutions to other organizations, when applicable, so that others can synchronize and make use of synergies. In cases like Cisco, their work in the federal sector is a driving force for change which carries on to other private organizations by default. There is also legal precedent to substantiate the creation of laws and litigation controls which could be applied to pressure private industry to take on specific responsibilities when it comes to cyber security and, in turn, protecting national security interests. The next steps are to determine the proper authorities to initiate the
multiple Government agencies. We should not wait for the next incident to occur before reacting, since it is already on the radar, according to the National Security Agency, that the next significant military assault is highly likely to contain a cyber component (McConnell, 2011). This has already occurred in recent international conflicts: during Russia's 2008 attack on Georgia, coordinated denial-of-service attacks disrupted Georgian government and media websites as part of the assault. The U.S. Government and private industry need to further the progress of cyber security by growing this give-and-take relationship. In conclusion, we have not only shown that
security, but examples of how it is already being done and the value to both the private sector and the Government. Secondly, when addressing the question of the Government imposing rules and telling private industry how to go about cyber security, that also has precedent to validate how this is and can be done. An important point here, though, is that the Government does not directly tell industry how to implement cyber security, nor should it take on that level of responsibility and liability. It does, and should, however, establish guidelines that help to standardize implementation. Enforcement of the rules can be done using the processes of checks and balances our Government has
References
Bidgoli, H. (2006). Handbook of Information Security: Information Warfare; Social, Legal, and International Issues; and Security Foundations. Hoboken, NJ: John Wiley and Sons Inc.
Bosworth, S., Kabay, M.E., & Whyne, E. (2009). Computer Security Handbook. Hoboken,
Cisco Systems (2007). FISMA Compliance with Cisco Federal Solution. Retrieved on 6/8/2011 from http://www.cisco.com/web/strategy/government/fisma.html
Litan, A. (2008). PCI Compliance Grows but Major Industry Problems Remain.
Ngugi, B., Vega, G., & Dardick, G. (2009). PCI compliance: overcoming the challenges.