President's Commission on Cybersecurity

21 November 2016: President's Commission on Cybersecurity in the US conference call.
The Commission's final report is to go to the president for review on 1 December.
The president has forty-five days to comment on the report. We are hoping the report will be made available to the public soon.

The commission will focus on the following in its 60-70 page report:

  1. Protecting the internet
  2. Innovation and R&D
  3. Consumer role in cybersecurity
  4. Workforce development
  5. Address the government's responsibility
  6. Global competitive business environment

They will address concrete short-term and long-term action items in both the public and private sectors.

Our Forum took the opportunity to comment and emphasized the importance of both public and private collaboration to determine reasonableness. We also mentioned the importance of looking at cyber resilience and cyber security as having a key role in enabling organizations to perform their missions.
We are excited they addressed the importance of cybersecurity (we wish they had added resilience) in terms of a business differentiator versus a cost. This is at the core of the Global Forum for Advanced Cyber Resilience mission. It is important for organizations to be able to articulate this value to customers and within the supply chain for both cyber resilient products and services.

The importance of addressing the workforce is critical as well. We are happy they are taking a holistic view of people, processes, and technology in solving cyber security and resilience. The forum is a member of the NIST National Initiative for Cybersecurity Education (NICE). This is great work and has recently made major advances.

They also addressed the Internet of Things, and we will be very interested to see if they expand on the recent release from the Department of Homeland Security on its Internet of Things cybersecurity strategy.

Thank you to the President's Commission on Enhancing Cybersecurity in the US! We look forward to seeing their final report as a basis for public and private collaboration for mission-driven cyber resilience and security.

Internet of Things DHS

The DHS Strategic Principles for Securing the Internet of Things has been released and can be found here: Internet of Things and the IoT Fact Sheet.

Internet of Things Guidance is a Start

It is great to see this perspective, but we need to include the business. The DHS Strategic Principles for Securing the Internet of Things need to shift one step further to the left and consider the importance of the strategy phase. This was obviously written without collaboration with IT Service Management and other business perspectives. The document suggests incorporating security during the “design phase”. Our forum contends it is not reasonable or prudent to consider cyber security and resilience starting only in the design phase.

We must start in the strategy phase for the creation of products and services.  Yes security must be “designed in” but there are a lot of considerations before starting to design.  Business value is not addressed in this document.  To move forward with anything cyber we must address business to be reasonable and prudent.

[Figure: comparison of the DHS Internet of Things strategy and the Forum's addition of a strategy phase and continual improvement]

Public Private Support of Internet of Things

Consider what the DHS National Cybersecurity and Communications Integration Center (NCCIC), the Department of Defense Enterprise Service Management Framework (DESMF), which DoD CIO Terry Halvorsen directs all DoD activities to conform to, Affordable Care (HHS), the IRS, NIST, the majority of federal IT service contracts, and a large portion of commercial IT organizations worldwide do: they start with strategy before design, go to transition, then operation, with continual improvement associated with each step, using an IT service management best practice. We need to take advantage of this investment of taxpayer and commercial resources as much as possible.

Common Thread of Continual Improvement

Strategy, Design, Transition, and Operation have the common thread of continual improvement. What is not discovered in Strategy can be picked up in Design, but the cost increases the further to the right you go before considering cyber security/resilience. Our forum proves this point during collaboration.

Good News for IoT

The good news is there is a lot of great thought for a first cut at this, and it will be easier for public and private collaboration to support this effort in the future. We look forward to contributing to the conversation.

Here is a section of the document:

Incorporate Security at the Design Phase

Security should be evaluated as an integral component of any network-connected device. While there are exceptions, in too many cases economic drivers or lack of awareness of the risks cause businesses to push devices to market with little regard for their security. Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed. By focusing on security as a feature of network-connected devices, manufacturers and service providers also have the opportunity for market differentiation. The practices below are some of the most effective ways to account for security in the earliest phases of design, development, and production.

What are the potential impacts of not building security in during design?
Failing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs, or product recall costs. While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply.

Cyber Resilience Business Value

Cyber security and cyber resilience business value must be understood by the entire organization in order to help rationalize support and behavior. We are helping people understand (through collaboration) the necessity of cyber resilience and cyber security to enable the business mission, versus thinking of this as an expense. Collaboration is necessary to establish reasonable and prudent business behavior. Taking advantage of the FTC's Start with Security guidance helps.

There is value in shifting cybersecurity and resilience considerations to the strategy phase, versus all the talk about “designing things in” or “security by design”. Let's not discount these, but by focusing on the design phase we miss the value of taking advantage of overall business strategy. Looking holistically, we can view the organization's capability and capacity, what the customer really wants, the barriers to overcome, what is reasonable and prudent from a product or service point of view, and the reasonable and prudent implications of security/resilience.

What is the definition of security?

Security in this case has more than one meaning. Over a year ago I spoke to both Congress and the Senate about the information my insurance company provided me while I was having a medical emergency while out of town. It might have been secure from a cybersecurity perspective, but it was not secure from a consumer use perspective, and the information put me close to death. While making things cyber secure and resilient, let's not lose this perspective of security while collaborating. We need to get the right people at the table from the start who represent and understand the implications across the enterprise.

Fun Cyber Security and Cyber Resilience Facts

as of 11/22/16

  • Google “cyber security summit” and you will get 180,000 direct hits.
  • Google “cyber security business value” and you will get ten. Four of these belong to this site.
  • Google “cyber resilience business value” and you will get five hits, all from this forum.

We focus on cyber resilience business value. You will see a dramatic increase in the use of this term in the near future. Help us.

Vehicle Cyber Security RFC

National Highway Traffic Safety Administration Request for Comment on Cybersecurity Best Practices for Modern Vehicles

AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT).

ACTION: Request for public comment.

SUMMARY: NHTSA invites public comment on its Cybersecurity Best Practices for Modern Vehicles. The document is available for a 30 day comment period here.

DATES: You should submit your comments early enough to ensure that Docket Management receives them no later than November 28, 2016.

ADDRESSES: Comments should refer to the docket number above and be submitted by one of the following methods:

  • Federal Rulemaking Portal: http://www.regulations.gov. Follow the online instructions for submitting comments.
  • Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC 20590–0001.
  • Hand Delivery: 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12–140, Washington, DC, between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal Holidays.

Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Public Participation heading of the SUPPLEMENTARY INFORMATION section of this document. Note that all comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

Privacy Act: Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78). For access to the docket to read background documents or comments received, go to http://www.regulations.gov or the street address listed above. Follow the online instructions for accessing the dockets.

FOR FURTHER INFORMATION CONTACT: For technical issues: Mr. Arthur Carter of NHTSA’s Office of Vehicle Crash Avoidance & Electronic Controls Research at (202) 366–5669 or by email at arthur.carter@dot.gov. For legal issues: Mr. Steve Wood of NHTSA’s Office of Chief Counsel at (202) 366–5240 or by email at steve.wood@dot.gov.

SUPPLEMENTARY INFORMATION: A top NHTSA priority is enhancing vehicle cybersecurity to mitigate cyber threats that could present unreasonable safety risks to the public or compromise sensitive data such as personally identifiable information. And, the agency is actively engaged in approaches to improve the cybersecurity of modern vehicles. The agency has been conducting research and actively engaging stakeholders to identify effective methods to address the vehicle cybersecurity challenges. For example, in January 2016, NHTSA convened a public vehicle cybersecurity roundtable meeting in Washington, DC to facilitate diverse stakeholder discussion on key vehicle cybersecurity topics. Over 300 individuals attended this meeting. These attendees represented over 200 unique organizations that included 17 Original Equipment Manufacturers (OEMs), 25 government entities, and 13 industry associations. During the roundtable meeting, the stakeholder groups identified actionable steps for the vehicle manufacturing industry to effectively and expeditiously address vehicle cybersecurity challenges. As a follow up, NHTSA held a meeting with other government agencies in February 2016 to discuss possibilities for collaboration among Federal partners to help the industry improve vehicle cybersecurity. As a result of the extensive public and private stakeholder engagement, NHTSA has developed a set of best practices for the automotive industry that the agency believes will further automotive cybersecurity.

The agency notes that the Alliance of Automobile Manufacturers and the Association of Global Automakers, through the Auto Information Sharing and Analysis Center (Auto ISAC), released a ‘‘Framework for Automotive Cybersecurity Best Practices’’ on July 22, 2016. The primary goal of the NHTSA best practices, therefore, is to not supplant the industry-led efforts, but, rather, to support this effort and provide the agency’s views on how the broader automotive industry (including those who are not members of the Auto ISAC) can develop and apply sound risk-based cybersecurity management practices to their product development processes. The document will also help the automotive sector organizations effectively demonstrate and communicate their cybersecurity risk management approach to both the public and internal and external stakeholders. NHTSA intends for the document to be updated with some frequency as new information, research, and practices become available. NHTSA invites public comments on all aspects of these best practices, including how to make the best practices more robust, what gaps remain and whether there is sufficient research and/or practices to address those gaps.

Public Participation

How do I prepare and submit comments? Your comments must be written and in English. To ensure that your comments are filed correctly in the docket, please include the docket number of this document in your comments. Your comments must not be more than 15 pages long (49 CFR 553.21). NHTSA established this limit to encourage you to write your primary comments in a concise fashion. However, you may attach necessary additional documents to your comments. There is no limit on the length of the attachments. Please submit one copy (two copies if submitting by mail or hand delivery) of your comments, including the attachments, to the docket following the instructions given above under ADDRESSES.

Please note, if you are submitting comments electronically as a PDF (Adobe) file, we ask that the documents submitted be scanned using an Optical Character Recognition (OCR) process, thus allowing the agency to search and copy certain portions of your submissions.

How do I submit confidential business information? If you wish to submit any information under a claim of confidentiality, you should submit three copies of your complete submission, including the information you claim to be confidential business information, to the Office of the Chief Counsel, NHTSA, at the address given above under FOR FURTHER INFORMATION CONTACT. In addition, you may submit a copy (two copies if submitting by mail or hand delivery), from which you have deleted the claimed confidential business information, to the docket by one of the methods given above under ADDRESSES. When you send a comment containing information claimed to be confidential business information, you should include a cover letter setting forth the information specified in NHTSA’s confidential business information regulation (49 CFR part 512).

Will the agency consider late comments? NHTSA will consider all comments received before the close of business on the comment closing date indicated above under DATES. To the extent possible, the agency will also consider comments received after that date.

How can I read the comments submitted by other people? You may read the comments received at the address given above under Comments. The hours of the docket are indicated above in the same location. You may also see the comments on the Internet, identified by the docket number at the heading of this notice, at http://www.regulations.gov. Please note that, even after the comment closing date, NHTSA will continue to file relevant information in the docket as it becomes available. Further, some people may submit late comments. Accordingly, the agency recommends that you periodically check the docket for new material.

Anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78) or you may visit http://www.dot.gov/privacy.html.

Authority: Sec. 31402, Pub. L. 112–141.

Issued in Washington, DC on October 24, 2016 under authority delegated in 49 CFR part 1.95.

Nathaniel Beuse, Associate Administrator for Vehicle Safety Research.

Baldrige Cybersecurity Excellence Builder

Please find a Draft copy of the Baldrige Cybersecurity Excellence Builder here.
We are very interested in this as a topic for collaboration associated with the use of the Cyber Security Framework.

We would like your input and participation in soon to be announced events.

Please contact us via e-mail or call us at 202 839-5563.

itSMF USA Fusion Conference

Joan and Charlie are speaking at this year's itSMF USA annual conference in Las Vegas, NV from November 1-4, 2016, jointly hosted by industry icons itSMF USA and HDI.
To register for this event go to FUSION 2016 here…
About our session:

Advancing Cyber-Resilience Through Collaborative Innovation

Experience Level: Advanced
Facilitators: Joan Coolidge and Charlie Tupitza

Managing an effective response to cyber-attacks is one of the biggest challenges in today’s complex and interconnected world. It’s not enough to focus on cyber-security. This session will introduce ways you can lead organizations to reduce the impact of cyber-attacks at a manageable pace. Learn how to engage people to work together to find solutions, how to start the discussion from where participants are at the time of their meeting, and how to continue by strategically planning realistic approaches to greater cyber-resilience.

Commerce Secretary on Collaboration

Our forum likes the speech Commerce Secretary Penny Pritzker gave at the US Chamber of Commerce Cyber Security Summit on Tuesday.

“Even though the internet is now ubiquitous in our lives, cyber is the only domain where we ask private companies to defend themselves against Russia, China, Iran, and other nation states. …

Government has a solemn obligation to protect our people against systemic threats to our national and economic security.

Cyber attacks cannot be handled exclusively by our government's law enforcement, military and intelligence services, nor are federal regulations able to keep pace with ever evolving cyber threats. …

Through law and rule making, Congress and federal agencies enact solutions for our nation's challenges. Companies then react with compliance. …

But laws and regulations alone cannot protect us from the emerging cyber threats….

Our cyber adversaries constantly deploy new and evolving methods to exploit vulnerabilities and inflict harm on our country. …

Just weeks ago the Pegasus attack represented an unprecedented attack on Apple's iOS platform. No static checklist, no agency role, no reactive regulation alone is capable of thwarting a threat we cannot foresee.

The federal government cannot regulate cyber risk out of existence. What we can do is work with you, business leaders, technical experts and cybersecurity professionals, to better manage cyber risk.

Commerce believes this requires a new proactive collaborative approach between government and industry. One not reliant on static requirements but on vigilant continuous cyber risk management.

We need a joint defense posture with real public private partnerships.

These are nice words, but how do we actually turn them into action and reliable protection?

We need government and industry to speak the same language of cyber risk, because we cannot work together without understanding each other.

We need new laws to facilitate continuous, candid collaboration between industries and agencies outside of the enforcement space.

We need to work together to counter threats and deploy technical solutions that bake security into innovation.

The Cyber Security Framework is the primary tool to evaluate cyber security posture…

Last month the FTC used the Cyber Security Framework lexicon of Identify, Protect, Detect, Respond, and Recover. The FTC detailed over 60 enforcement actions for data breaches in a manner that CEOs and CIOs can easily plug into their own operations to improve their cyber security. …”

Commerce Secretary, Penny Pritzker 27 September 2016
US Chamber of Commerce Annual Cyber Security Summit

National Cyber Incident Response Plan

This is the introduction for the Draft National Cyber Incident Response Plan dated September 22, 2016.

The National Cybersecurity Protection Act of 2014 (NCPA) mandates that “the Department of Homeland Security (DHS) in coordination with appropriate entities and individuals, develop, regularly update, maintain, and exercise adaptable cyber incident response plans to address cybersecurity risks to critical infrastructure.” Presidential Policy Directive 41 (PPD-41), titled U.S. Cyber Incident Coordination, sets forth principles governing the Federal Government’s response to any cyber incident, provides an architecture for coordinating the response to significant cyber incidents, and requires DHS to develop a National Cyber Incident Response Plan (NCIRP) to address cybersecurity risks to critical infrastructure. The NCIRP is part of the broader National Preparedness System and establishes the strategic framework and doctrine for a whole community approach to mitigating, responding to and recovering from a cyber incident. This whole of nation approach includes and strongly relies on public and private partnerships to address major cybersecurity risks to critical infrastructure. Find a copy here: Draft National Cyber Incident Response

  • Purpose and Organization – The purpose of the NCIRP is to provide guidance to enable a coordinated whole of Nation approach to response activities and coordination with stakeholders during a significant cyber incident impacting critical infrastructure. The NCIRP sets common doctrine and a strategic framework for National, sector, and individual organization cyber operational plans.
  • Intended Audience – The NCIRP is intended to be used by the Nation as well as enhance our international partners’ understanding of the U.S. cyber incident coordination framework. This all-inclusive concept focuses efforts and enables the full range of stakeholders, individuals, the private and nonprofit sectors (including private and public owners and operators of infrastructure), state, local, tribal, territorial (SLTT), and the Federal Government to participate and be full partners in incident response activities. Government resources alone cannot meet all the needs of those affected by significant cyber incidents. All elements of the community must be activated, engaged, and integrated to respond to a significant cyber incident.

21st Century Neighborhood Watch

Deputy Secretary of Homeland Security Ali Mayorkas referred to a 21st Century Neighborhood Watch, a term coined by Jeanette Manfra of DHS. He suggests the DHS act as a center to gather cyber attack information it can share, in some cases declassifying it and sharing it with others. He suggests a Reverse Miranda for protection while collaborating. Ali was speaking at the US Chamber of Commerce Cyber Security Conference today.

The department is working with the public and private sectors to mitigate cyberattacks, which starts by sharing information about cyber threats. Mr. Mayorkas explained the importance of sharing cyber threat indicators in real time with the government and businesses using Automated Indicator Sharing (AIS), so that cyber criminals don't benefit from preying on multiple victims. Ali also discussed the DHS efforts to update the National Cyber Incident Response Plan (NCIRP).