President's Commission on Cybersecurity

The President's Commission on Enhancing National Cybersecurity Report on Securing and Growing the Digital Economy has been released and can be found here: presidents-cybersecurity_report

Executive Summary


Recognizing the extraordinary benefit interconnected technologies bring to our digital economy—and equally mindful of the accompanying challenges posed by threats to the security of the cyber landscape—President Obama established this Commission on Enhancing National Cybersecurity. He directed the Commission to assess the state of our nation’s cybersecurity, and he charged this group with developing actionable recommendations for securing the digital economy. The President asked that this enhanced cybersecurity be achieved while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the discovery and development of new technical solutions.


The interconnectedness and openness made possible by the Internet and broader digital ecosystem create unparalleled value for society. But these same qualities make securing today’s cyber landscape difficult. As the world becomes more immersed in and dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices. Recent attacks in which everyday consumer devices were compromised for malicious use have made it abundantly clear that we now live in a much more interdependent world. The once-bright line between what is critical infrastructure and everything else becomes more blurred by the day.

While the threats are real, we must keep a balanced perspective. We should be able to reconcile security with innovation and ease of use. The Internet is one of the most powerful engines for social change and economic prosperity. We need to preserve those qualities while hardening it and making it more resilient against attack and misuse. Changes in policies, technologies, and practices must build on the work begun by the private sector and government, especially over the past several years, to address these issues.

Our commitment to cybersecurity must match our commitment to innovation. If our digital economy is to thrive, it must be secure. That means that every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must also have greater accountability and responsibility for their own security, which, as we now know all too well, directly impacts the cybersecurity of our country.

From its inception, this nonpartisan Commission developed a report directed both to President Obama and to the President-elect. The Commissioners, who possess a range of expertise relating to cybersecurity, reviewed past reports and consulted with technical and policy experts. The Commission held public hearings, issued an open solicitation for input, and also invited the public at large to share facts and views. It devoted attention to areas including critical infrastructure, the Internet of Things (IoT), research and development (R&D), public awareness and education, governance, workforce, state and local issues, identity management and authentication, insurance, international issues, and the role of small and medium-sized businesses.

The Commission identified and considered broader trends affecting each of these topics, notably the convergence of information technologies and physical systems, risk management, privacy and trust, global versus national realms of influence and controls, the effectiveness of free markets versus regulatory regimes and solutions, legal and liability considerations, the importance and difficulty of developing meaningful metrics for cybersecurity, automated technology–based cybersecurity approaches, and consumer responsibilities. In these areas and others, the Commissioners examined what is working well, where the challenges exist, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors.

There was much to readily agree on, including the growing convergence and interdependencies of our increasingly connected world; the need for greater awareness, education, and active stakeholder engagement in all aspects of cybersecurity, from developers and service providers to policy makers and consumers; the ways in which small- and medium-sized companies face additional pressures and limitations in addressing cybersecurity and the importance of remedying that situation, especially in light of their role in the supply chain; and the need, from both operational and mission perspectives, to clarify the federal government’s roles and responsibilities.

It was also evident that most solutions require joint public–private action. Every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must be equipped to understand the role they play in their own security and how their actions directly impact the cybersecurity of the nation more broadly.

Other areas required more consideration:

  • how best to incentivize appropriate cybersecurity behaviors and actions and how to determine if or when requirements are called for;
  • who should lead in developing some of the most urgently needed standards and how best to assess whether those standards are being met;
  • what is the feasibility of better informing consumers, for example, through labeling and rating systems;
  • which kinds of research and development efforts are most needed and at what cost;
  • how to project the right number of new cybersecurity professionals our economy needs and how to choose among different approaches for attracting and training the workforce at all levels; and,
  • what the roles and relationships of senior federal officials should be and how best to ensure that they not only have the right authorities but are empowered to take the appropriate actions.

From these discussions, some firm conclusions emerged. Partnerships—between countries, between the national government and the states, between governments at all levels and the private sector—are a powerful tool for encouraging the technology, policies, and practices we need to secure and grow the digital economy. The Commission asserts that the joint collaboration between the public and private sectors before, during, and after a cyber event must be strengthened. When it comes to cybersecurity, organizations cannot operate in isolation.

Resilience must be a core component of any cybersecurity strategy; today’s dynamic cyber threat environment demands a risk management approach for responding to and recovering from an attack.

After building on those points of agreement and identifying foundational principles, the Commissioners organized their findings into six major imperatives, which together contain a total of 16 recommendations and 53 associated action items.

The imperatives are:

  1. Protect, defend, and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive, and secure global digital economy.

A table detailing these imperatives and their associated recommendations and action items is included in Appendix 1. The groupings should not be viewed as distinct and isolated categories; indeed, a number of recommendations apply to more than the imperative under which they first appear. The text notes when action items are particularly relevant to other imperatives. This structure reflects the interdependent nature of our digital economy, where steps taken to improve the cybersecurity of one enterprise can meaningfully improve the posture and preparedness of others.

Each recommendation is designed to have a major impact, and each action item is meant as a concrete step toward achieving that impact. Many require a commitment of financial resources far above the level we see today. Some are directed at government, some at the private sector, and many at both. Some call for entirely new initiatives, while others call for building on promising efforts currently under way.

Acknowledging the urgency of the challenges facing our nation, the Commission determined that most recommendations can and should begin in the near term, with many meriting action within the first 100 days of the new Administration. All of these recommendations and actions highlight the need for the private sector, government, and American public to recognize cybersecurity as an integral part of our welfare with serious implications for our country’s national and economic security and our prospects to maintain a free and open society.

FCC Privacy Rules Released

FCC Privacy of Customers Rules for Telecommunications Released

Find FCC privacy rules here: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

SUMMARY: In this document, the Federal Communications Commission (Commission) adopts final rules based on public comments applying the privacy requirements of the Communications Act of 1934, as amended, to broadband Internet access service (BIAS) and other telecommunications services. In adopting these rules the Commission implements the statutory requirement that telecommunications carriers protect the confidentiality of customer proprietary information.

The privacy framework in these rules focuses on transparency, choice, and data security, and provides heightened protection for sensitive customer information, consistent with customer expectations.


The rules require carriers to provide privacy notices that clearly and accurately inform customers; obtain opt-in or opt-out customer approval to use and share sensitive or non-sensitive customer proprietary information, respectively; take reasonable measures to secure customer proprietary information; provide notification to customers, the Commission, and law enforcement in the event of data breaches that could result in harm; not condition provision of service on the surrender of privacy rights; and provide heightened notice and obtain affirmative consent when offering financial incentives in exchange for the right to use a customer’s confidential information.

The Commission also revises its current telecommunications privacy rules to harmonize today’s privacy rules for all telecommunications carriers, and provides a tailored exemption from these rules for enterprise customers of telecommunications services other than BIAS.

FCC Privacy Ruling Effect on State Law

The rules set forth in this subpart shall preempt any State law only to the extent that such law is inconsistent with the rules set forth herein and only if the Commission has affirmatively determined that the State law is preempted on a case-by-case basis. The Commission shall not presume that more restrictive State laws are inconsistent with the rules set forth herein.

National Cybersecurity Policy Forum

The National Cybersecurity Policy Forum is holding an event on 6 December 2016 at the National Press Club.

Find registration information and agenda here.

U.S. Commerce Secretary Penny Pritzker will deliver the keynote address at the eighth USTelecom National Cybersecurity Policy Forum. Join us for a discussion of cyber policy initiatives that continue to enhance our nation’s defenses against an array of adversaries. The Secretary will discuss a report by the President’s Commission on Enhancing National Cybersecurity.

Commissioned by the President and the Department of Commerce, the 2016 Cybersecurity Commission Policy Report sets the stage for consideration of national priorities in the cybersecurity policy arena. This event will feature industry and government officials talking about ongoing work and the opportunities ahead to defend against the growing speed and complexity of cyber attacks.

Keynote
Penny Pritzker, Secretary, U.S. Department of Commerce

Panel One: Cyber Readiness: Government Perspective
Moderator: Tim Starks, Politico Pro journalist and author of Morning Cybersecurity
Panelists: Clete Johnson, Senior Policy Advisor on Cybersecurity to the Secretary of the U.S. Department of Commerce
Cherilyn Pascoe, Professional Staff Member and Investigator, U.S. Senate Committee on Commerce, Science and Transportation
Kiersten Todt, Executive Director, President’s Commission on Enhancing National Cybersecurity

Panel Two: Industry Collaboration on Cyber Preparedness
Moderator: Joseph Marks, cybersecurity reporter, NextGov
Panelists: Scott Aaronson, Executive Managing Director, Edison Electric Institute
Christopher Boyer, Assistant Vice President, Global Policy, AT&T
Larry Clinton, President, Internet Security Alliance
Heather Hogsett, Vice President of Technology and Risk Strategy, Financial Services Roundtable/BITS
Ola Sage, CEO, E-Management, and Chair of the IT Sector Coordinating Council

President's Commission on Cybersecurity

21 November 2016: President's Commission on Cybersecurity in the US conference call.
The Commission's final report is to go to the President for review on 1 December.
The President has forty-five days to comment on the report. We are hoping the report will be made available to the public soon.

The commission will focus on the following in their 60-70 page report:

  1. Protecting the internet
  2. Innovation and R&D
  3. Consumer role in cybersecurity
  4. Workforce development
  5. Address the government's responsibility
  6. Global competitive business environment

They will address concrete short-term and long-term action items in both the public and private sectors.


Our Forum took the opportunity to comment and emphasized the importance of both public and private collaboration to determine reasonableness. We also mentioned the importance of looking at cyber resilience and cyber security as having a key role in enabling organizations to perform their missions.
We are excited they addressed the importance of cybersecurity (we wish they had added resilience) in terms of a business differentiator vs. a cost. This is at the core of the Global Forum for Advanced Cyber Resilience mission. It is important for organizations to be able to articulate this value to customers and within the supply chain for both cyber resilient products and services.

The importance of addressing the workforce is critical as well. We are happy they are taking a holistic view of people, processes, and technology in solving cyber security and resilience. The Forum is a member of the NIST National Initiative for Cybersecurity Education (NICE). This is great work and has recently made major advances.

They also addressed the Internet of Things, and we will be very interested to see if they expand on the recent release from the Department of Homeland Security on its Internet of Things Cybersecurity Strategy.

Thank you to the President's Commission on Enhancing Cybersecurity in the US! We look forward to seeing their final report as a basis for public and private collaboration for mission-driven cyber resilience and security.

Internet of Things DHS

The DHS Strategic Principles for Securing the Internet of Things has been released and can be found here: Internet of Things and the IoT Fact Sheet.

Internet of Things Guidance is a Start

It is great to see this perspective, but we need to include the business. The DHS Strategic Principles for Securing the Internet of Things need to shift one step further to the left and consider the importance of the strategy phase. This was obviously written without collaboration with IT Service Management and other business perspectives. The document suggests incorporating security during the “design phase”. Our Forum contends it is not reasonable or prudent to begin considering cyber security and resilience only in the design phase.

We must start in the strategy phase for the creation of products and services. Yes, security must be “designed in”, but there are a lot of considerations before starting to design. Business value is not addressed in this document. To move forward with anything cyber, we must address the business in order to be reasonable and prudent.

Figure: Comparison of the DHS Internet of Things strategy and the Forum's addition of a strategy phase and continual improvement.

Public Private Support of Internet of Things

Consider what the DHS National Cybersecurity and Communications Integration Center (NCCIC), the Department of Defense Enterprise Service Management Framework (DESMF), which DoD CIO Terry Halvorsen directs all DoD activities to conform to, Affordable Care (HHS), the IRS, NIST, and the majority of federal IT service contracts, along with a large portion of commercial IT organizations worldwide, do. They start with strategy before design, go to transition, then operation, with continual improvement associated at each step, using an IT service management best practice. We need to take advantage of this investment of taxpayer and commercial resources as much as possible.

Common Thread of Continual Improvement

Strategy, Design, Transition, and Operation have the common thread of continual improvement. What is not discovered in Strategy can be picked up in Design, but the cost increases the further to the right you go before considering cyber security/resilience. Our Forum proves this point during collaboration.

Good News for IoT

The good news is there is a lot of great thought for a first cut at this, and it will be easier for public and private collaboration to support this effort in the future. We look forward to contributing to the conversation.

Here is a section of the document:

Incorporate Security at the Design Phase

Security should be evaluated as an integral component of any network-connected device. While there are exceptions, in too many cases economic drivers or lack of awareness of the risks cause businesses to push devices to market with little regard for their security. Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed. By focusing on security as a feature of network-connected devices, manufacturers and service providers also have the opportunity for market differentiation. The practices below are some of the most effective ways to account for security in the earliest phases of design, development, and production.

What are the potential impacts of not building security in during design?
Failing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs, or product recall costs. While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply.

Cyber Resilience Business Value

Cyber security summits vs cyber resilience business value of collaboration

Cyber Resilience Business Value

Cyber security and cyber resilience business value must be understood by the entire organization in order to help rationalize support and behavior. We are helping people understand (through collaboration) the necessity of cyber resilience and cyber security to enable the business mission versus thinking of this as an expense. Collaboration is necessary to establish reasonable and prudent business behavior. Taking advantage of the FTC Start with Security helps.


There is value in shifting cybersecurity and resilience considerations to the strategy phase vs. all the talk about “designing things in” or “security by design”. Let’s not discount these, but by focusing on the design phase we miss the value of taking advantage of overall business strategy. Looking holistically, we can view the organization's capability and capacity, what the customer really wants, the barriers to overcome, what is reasonable and prudent from a product or service point of view, and the reasonable and prudent implications of security/resilience.

Security in this case has more than one meaning. Over a year ago I spoke to both the Congress and Senate about the information my insurance company provided me while I was having a medical emergency while out of town. It might have been secure from a cybersecurity perspective, but it was not secure from a consumer use perspective, and the information put me close to death. While making things cyber secure and resilient, let's not lose this perspective of security while collaborating. We need to get the right people at the table from the start who represent and understand the implications across the enterprise.

Fun Cyber Security and Cyber Resilience Facts

as of 11/22/16

  • Google “cyber security summit” and you will get 180,000 direct hits.
  • Google “cyber security business value” and you will get ten. Four of these belong to this site.
  • Google “cyber resilience business value” and you will get five hits. All from this forum.

We focus on cyber resilience business value. You will see a dramatic increase in the use of this term in the near future. Help us.


Vehicle Cyber Security RFC

National Highway Traffic Safety Administration Request for Comment on Cybersecurity Best Practices for Modern Vehicles

AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT).

ACTION: Request for public comment.

SUMMARY: NHTSA invites public comment on its Cybersecurity Best Practices for Modern Vehicles. The document is available for a 30-day comment period here.

DATES: You should submit your comments early enough to ensure that Docket Management receives them no later than November 28, 2016.

ADDRESSES: Comments should refer to the docket number above and be submitted by one of the following methods:

  • Federal Rulemaking Portal: http://www.regulations.gov. Follow the online instructions for submitting comments.
  • Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC 20590–0001.
  • Hand Delivery: 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC, between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal Holidays.

Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Public Participation heading of the SUPPLEMENTARY INFORMATION section of this document. Note that all comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

Privacy Act: Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78). For access to the docket to read background documents or comments received, go to http://www.regulations.gov or the street address listed above. Follow the online instructions for accessing the dockets.

FOR FURTHER INFORMATION CONTACT: For technical issues: Mr. Arthur Carter of NHTSA’s Office of Vehicle Crash Avoidance & Electronic Controls Research at (202) 366–5669 or by email at arthur.carter@dot.gov. For legal issues: Mr. Steve Wood of NHTSA’s Office of Chief Counsel at (202) 366–5240 or by email at steve.wood@dot.gov.

SUPPLEMENTARY INFORMATION: A top NHTSA priority is enhancing vehicle cybersecurity to mitigate cyber threats that could present unreasonable safety risks to the public or compromise sensitive data such as personally identifiable information. And, the agency is actively engaged in approaches to improve the cybersecurity of modern vehicles. The agency has been conducting research and actively engaging stakeholders to identify effective methods to address the vehicle cybersecurity challenges. For example, in January 2016, NHTSA convened a public vehicle cybersecurity roundtable meeting in Washington, DC to facilitate diverse stakeholder discussion on key vehicle cybersecurity topics. Over 300 individuals attended this meeting. These attendees represented over 200 unique organizations that included 17 Original Equipment Manufacturers (OEMs), 25 government entities, and 13 industry associations. During the roundtable meeting, the stakeholder groups identified actionable steps for the vehicle manufacturing industry to effectively and expeditiously address vehicle cybersecurity challenges. As a follow up, NHTSA held a meeting with other government agencies in February 2016 to discuss possibilities for collaboration among Federal partners to help the industry improve vehicle cybersecurity. As a result of the extensive public and private stakeholder engagement, NHTSA has developed a set of best practices for the automotive industry that the agency believes will further automotive cybersecurity.

The agency notes that the Alliance of Automobile Manufacturers and the Association of Global Automakers, through the Auto Information Sharing and Analysis Center (Auto ISAC), released a “Framework for Automotive Cybersecurity Best Practices” on July 22, 2016. The primary goal of the NHTSA best practices, therefore, is to not supplant the industry-led efforts, but, rather, to support this effort and provide the agency’s views on how the broader automotive industry (including those who are not members of the Auto ISAC) can develop and apply sound risk-based cybersecurity management practices to their product development processes. The document will also help the automotive sector organizations effectively demonstrate and communicate their cybersecurity risk management approach to both the public and internal and external stakeholders. NHTSA intends for the document to be updated with some frequency as new information, research, and practices become available. NHTSA invites public comments on all aspects of these best practices, including how to make the best practices more robust, what gaps remain and whether there is sufficient research and/or practices to address those gaps.

Public Participation

How do I prepare and submit comments?
Your comments must be written and in English. To ensure that your comments are filed correctly in the docket, please include the docket number of this document in your comments. Your comments must not be more than 15 pages long (49 CFR 553.21). NHTSA established this limit to encourage you to write your primary comments in a concise fashion. However, you may attach necessary additional documents to your comments. There is no limit on the length of the attachments. Please submit one copy (two copies if submitting by mail or hand delivery) of your comments, including the attachments, to the docket following the instructions given above under ADDRESSES.

Please note, if you are submitting comments electronically as a PDF (Adobe) file, we ask that the documents submitted be scanned using an Optical Character Recognition (OCR) process, thus allowing the agency to search and copy certain portions of your submissions.

How do I submit confidential business information?
If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Office of the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. In addition, you may submit a copy (two copies if submitting by mail or hand delivery), from which you have deleted the claimed confidential business information, to the docket by one of the methods given above under ADDRESSES. When you send a comment containing information claimed to be confidential business information, you should include a cover letter setting forth the information specified in NHTSA’s confidential business information regulation (49 CFR part 512).

Will the agency consider late comments?
NHTSA will consider all comments received before the close of business on the comment closing date indicated above under DATES. To the extent possible, the agency will also consider comments received after that date.

How can I read the comments submitted by other people?
You may read the comments received at the address given above under Comments. The hours of the docket are indicated above in the same location. You may also see the comments on the Internet, identified by the docket number at the heading of this notice, at http://www.regulations.gov. Please note that, even after the comment closing date, NHTSA will continue to file relevant information in the docket as it becomes available. Further, some people may submit late comments. Accordingly, the agency recommends that you periodically check the docket for new material.

Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78) or you may visit http://www.dot.gov/privacy.html.

Authority: Sec. 31402, Pub. L. 112–141.

Issued in Washington, DC on October 24, 2016 under authority delegated in 49 CFR part 1.95.

Nathaniel Beuse, Associate Administrator for Vehicle Safety Research.

Baldrige Cybersecurity Excellence Builder

Please find a draft copy of the Baldrige Cybersecurity Excellence Builder here.
We are very interested in this as a topic for collaboration associated with the use of the Cybersecurity Framework.

We would like your input and participation in soon-to-be-announced events.

Please contact us via e-mail or call us at 202 839-5563.

itSMF USA Fusion Conference

Joan and Charlie are speaking at this year's itSMF USA annual conference in Las Vegas, NV, from November 1-4, 2016, jointly hosted by industry icons itSMF USA and HDI.
To register for this event, go to FUSION 2016 here…
About our session:

Advancing Cyber-Resilience Through Collaborative Innovation

Experience Level: Advanced
Facilitators: Joan Coolidge and Charlie Tupitza

Managing an effective response to cyber-attacks is one of the biggest challenges in today’s complex and interconnected world. It’s not enough to focus on cyber-security. This session will introduce ways you can lead organizations to reduce the impact of cyber-attacks at a manageable pace. Learn how to engage people to work together to find solutions, how to start the discussion from where participants are at the time of their meeting, and how to continue by strategically planning realistic approaches to greater cyber-resilience.