securing the cyber homeland
DESCRIPTION
Research project examining the effectiveness of the United States Cyber Security posture. Created by Donnel A. Hinkins for HLS498 Homeland Security Capstone at Thomas Edison State College.
TRANSCRIPT
1 | S E C U R I N G T H E C Y B E R H O M E L A N D
SECURING THE CYBER HOMELAND
Donnel A. Hinkins
2014FEB HLS-498-OL0009
Homeland Security Capstone
Mentor: Dr. Marian Leerburger
ABSTRACT
This report focuses on the United States’ cyber security posture. This research was conducted
with the intention of determining if the United States is adequately prepared to thwart or respond
to cyber attacks. The qualitative research method was used. Data was gathered through a
combination of document review and open answer surveys by individuals working in the
Information Assurance and Cyber Security fields in the government and private sector. This
research examines the risks to critical infrastructure in the United States in regards to possible
cyber attacks. This research also examines the collaboration efforts being made between
government agencies and between government and the private sector. Lastly, the impact the
nation’s protection efforts have on civil liberties is examined to determine if it is effective.
TABLE OF CONTENTS
Chapter 1: Introduction
Chapter 2: Literature Review
Chapter 3: Research Design and Methodology
Chapter 4: Results of the Study or Creative Project
Chapter 5: Summary and Discussion
References
Appendix
CHAPTER 1: INTRODUCTION
The internet is a web of connected nodes that span the entire globe. The internet has
billions of users who use it for a variety of reasons, such as email, banking, ecommerce
transactions, education, and several other reasons. The unlimited possibilities of the internet
along with its global reach make it a potential target for criminal activity. A globally connected
internet also increases the possibility that an adversary can use the internet to target critical systems
of companies or other nations. As a nod to the increased risks of the global internet, the US
Defense Department named Cyberspace a new domain of warfare in 2011. William Lynn, US
Deputy Secretary of Defense, stated in 2010 that, “As a doctrinal matter, the Pentagon has
formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-
made domain, it has become just as critical to military operations as land, sea, air, and space. As
such, the military must be able to defend and operate within it” (Aucsmith, 2012).
As more people get online and rely more on the internet in their day-to-day lives, it
is important to remain safe and secure in cyberspace. On home computers, users rely on a
combination of antispyware or antivirus software to protect themselves from potential online threats.
However, antivirus software residing on one computer can only go so far. Identifying and
mitigating potential exploitations is a continuous and important process. In
Homeland Security, the primary goal is exactly as it sounds: to protect the homeland. With
so many uses of the internet, it is imperative that the United States Government work to protect
its citizens and infrastructure in cyberspace as well. This leads to an important question. Is the
United States adequately prepared to thwart and respond to possible cyber security attacks?
As mentioned, the goal of Homeland Security is to protect the nation from the many
threats that it faces. Certainly national cyber security is important given the many threats that the
USA faces in cyberspace. Government at times can be large and cumbersome, with many
agencies tasked with the same or similar functions. As we learned from the 9/11 Commission
Report, one of the biggest shortfalls that led to the failure of preventing and responding to the
attacks was agencies not working together efficiently. According to the 9/11 Commission
Report, “the Incident Command System did not function to integrate awareness among agencies
or to facilitate interagency response” (National Commission on Terrorist Attacks upon the
United States, 2004).
This report will investigate the current United States cyber security posture with the
intention of identifying successes and pitfalls in the national cyber security protection efforts. In
order to answer the main question there are a few other considerations that must be taken into
account. Is the United States’ critical infrastructure protected? This is important because
although rare, the United States power grid and water systems have components that reside in
cyberspace. Imagine if a hacker in another country an ocean away can successfully target
a specific computer system that manages a key function of the power grid. It would not be the first
time that the internet was used militarily. The United States and Israel are accused of
successfully deploying a computer virus that targeted computer systems in Iran’s major nuclear
complexes. The Stuxnet virus is just an example of how the internet can be used militarily to
target and destroy infrastructure. The power grid and water systems are not the only targets for
internet based attacks. Any of the uses of the internet can be targeted for possible exploitation;
just think about the billions in monetary transactions conducted in cyberspace every day.
Criminals don’t even need to leave their homes to conduct high profile heists.
Another key question to be asked is if the cyber security protection efforts are a
collaborative effort between all branches of the government. As mentioned earlier, the
government can be large and cumbersome at times, with multiple agencies serving the same or
similar functions. Regardless, some government agencies have specific missions and capabilities
that others do not. For example, the intelligence communities may have signals intelligence that
would be helpful to uncover or thwart a cyber attack. It would be important that these agencies
share information and collaborate with one another in order to maximize the potential for
success. Preparing for and mitigating cyber security risks is not solely a job for government. Just
as in the emergency preparedness component of homeland security, cyber security protection
efforts must require that government and the private sector maintain a level of cooperation. This
brings up another very important question. Are government and private sector efforts effectively
coordinated? Individuals in the private sector may also possess skills that are not possessed by
those working in the government sector. Also the private sector consists of companies that
manufacture information technology equipment as well as software to protect against threats,
such as antivirus software. It is important that government and the private sector are in
collaboration on a frequent basis in order to share information on threats and work on possible
courses of action to resolve those threats. On another note, it is important that related information
is communicated efficiently to regular end users. The majority of internet connected systems in
America are in regular users’ homes and pockets. These devices are being used by people who
have varying skill sets when it comes to information technology. That being said, it is
nonetheless important that end users are aware of the risks they face online and that at a
minimum they know how to keep themselves protected in cyberspace.
A final, very important question that must be asked is whether or not a concerted effort is
made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure. This is
important because the United States is a nation known for freedom. In the quest to secure the
cyber homeland, protecting civil liberties is paramount. Any effort to secure infrastructure must
be met with an equal effort in ensuring that civil liberties aren’t violated. This means that policy
should reflect such a goal. An example of implementing such a strategy is the hiring of
individuals tasked with the sole responsibility of identifying potential violations of civil liberties
in cyber protection programs. This is especially true for the government sector because they
possess tools and techniques to gather signals intelligence that may not be public but may be
beneficial to the end goal. Those tools may help protect the cyber homeland but precautions must
be taken to ensure that they are not used in a way that infringes on the basic rights of privacy that
every American is guaranteed.
The internet is changing the world in more ways than one. The militarization of the
internet is inevitable in the future. There is a lack of international legislation that governs
exploration of the internet, much less the rights and freedoms a user on the internet possesses.
Much like the Moon Treaty and the Antarctic Treaty, the international community will
eventually have to recognize the internet as a sort of uncharted frontier that no person or nation
can claim ownership of and work to prevent the militarization. But regardless of any legislation,
there will be those who will use cyberspace to inflict digital terrorism. Therefore it is important
that the United States recognize that guarding against cyber attacks must be a high profile
homeland security goal. The questions asked in this paper will identify if the United States cyber
security posture is effective by examining the policies, procedures, and the major players that
shape it.
CHAPTER 2: LITERATURE REVIEW
Cyberspace is a digital realm that consists of interconnected computer systems and the
methods of transporting data between them. The term cyberspace is used more loosely to
describe the internet and its various uses. The uses can range from conducting business to
communicating with family to playing video games with people from around the world. In
reality cyberspace is not a physical domain. Although cyberspace is not a physical place, it has
characteristics of a real world location. One can’t travel to cyberspace but with cyberspace, the
world is at your fingertips. The internet can be your bookstore, your movie theater, and even
your school. The uses and benefits of cyberspace elevate it to the level of a physical realm
simply because there are so many possibilities. Much like every other physical domain, there is
always opportunity for exploration. There is also the possibility of exploitation as well. As
nations work to implement strategies to mitigate the potential for terrorism, terrorists are forced
to adapt their strategies as well. This requires nations to balance their approach to cyberspace in
respect to exploration and the potential for exploitation by adversaries. While cyberspace offers
an unlimited potential for growth and the introduction of new capabilities, it also comes with
vulnerabilities and the potential that the benefits can be exploited. This leads to a very important
question. Is the United States adequately prepared to thwart and respond to possible cyber
security attacks?
In order to determine fully the effectiveness of the United States cyber security posture
one must identify all possible targets. The overall goal of terrorism is to promote fear amongst
the population. An attack on a symbolic site could have a psychological effect on the public. An
attack on critical infrastructure can cause widespread panic and ultimately it can be costly to the
nation. According to Sean Condron, the government’s approach to protecting cyberspace focuses
on the concept of “critical infrastructure.” The USA PATRIOT Act of 2001 defines critical
infrastructure as the “systems and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any combination of
those matters” (Condron, 2007). The term critical infrastructure can refer to transportation, the
water supply, communication systems, electrical distribution systems, financial systems, and a
few other assets. Collectively, all of these assets and their operations are important to the nation.
There are many assets that make up the nation’s critical infrastructure. For the purpose of
this paper, identifying the risk posed by adversaries utilizing cyberspace is of importance. If an
adversary can gain access and control of a critical system in cyberspace, their actions can affect
people in the real world. A connection to the public internet is not a requirement to infect a
computer. In fact, many critical systems such as those at water treatment plants and power grids
are rarely connected to the internet. Viruses and other malicious software can be delivered by
other means, such as a thumb drive or an unprotected computer with access to the internet.
Malicious software can then spread across the private intranet at those sites and infect other
computers or equipment. This scenario is exactly how the Stuxnet virus inadvertently spread
from Iranian sites to the internet. According to Vincent Manzo of The National Interest, “an
error in the code caused the worm to replicate itself and spread when an Iranian technician
connected an infected laptop computer to the internet” (Manzo, 2013). The effectiveness of
Stuxnet is indeed a milestone for the United States’ offensive cyber capabilities. However, the
unintended spread as well as the precedent its use set for using cyber warfare (or sabotage) to
influence a political dispute is something that the United States must take note of when updating
its cyber security posture. Using Stuxnet as a blueprint, the use of such technology offensively
could be an opening for other nations to justify using cyber weapons as well.
In order to effectively use all of the tools and capabilities at the disposal of the United
States Government, there must be a collaborative effort between all branches of the government.
Relevant information must flow between all government players in order to maximize the
potential for success. In order to do so, policy must reflect the desire and agencies must work to
create a mutual framework for conducting joint operations. An example of such an agreement is
the Memorandum of Agreement between the Department of Defense and the Department of
Homeland Security. In 2010, Robert Gates and Janet Napolitano, Secretaries of Defense and
Homeland Security respectively, signed a Memorandum of Agreement between the two
agencies. The agreement’s purpose was to “set forth terms by which DHS and DoD will provide
personnel, equipment, and facilities in order to increase interdepartmental collaboration in
strategic planning for the Nation's cybersecurity, mutual support for cybersecurity capabilities
development, and synchronization of current operational cybersecurity mission activities” (Gates
& Napolitano, 2010). Overall, the US Government has realized the benefit of integrating certain
activities at an interagency level.
The President of the United States, Barack Obama, recognizes the importance of mutual
assistance in cyber security operations much like other Homeland Security functions. After
taking office in 2009, the President convened a Cyberspace Policy Review. The purpose of the
panel was to review “federal efforts to defend the U.S. information and communications
infrastructure and the development of a comprehensive approach to securing America’s digital
infrastructure” (Obama, 2009). The recommendations made by the Cyberspace Policy Review
were used to bolster the Comprehensive National Cybersecurity Initiative or CNCI that was
created during the Bush Administration. The overall purpose of the CNCI was to strengthen the
cyber security of the nation through a set of interdependent goals. However, the President
recognized that the CNCI couldn’t achieve its goals without changing certain aspects of how the
government operated. In the past, infighting between different executive branch agencies did
more harm than good to the overall cyber security strategy. According to Jesse Emspak, Security
Contributor for Tech News Daily, “bureaucratic battles among federal agencies over primacy in
cybersecurity mostly between the Department of Homeland Security and the National Security
Agency seem to have settled into a working, if not always perfect, relationship” (Emspak, 2011).
Of those changes recommended by the Cyberspace Policy Review, interagency cooperation was
determined to be necessary to enhance the possibility of success. Agencies must work together,
because ultimately they are working to support the same customers: the American people.
In cyber security the government is not the only source of protection. The private sector
is important to the overall cyber security strategy as well. That being said, cooperation must not
only be between government agencies. Maintaining an effective cyber security posture means
bringing players from the private sector into the mix. This leads to another important question.
Are government and private sector efforts effectively coordinated? The hardware, software, and
means of communication that make up cyberspace are created by professionals in the public sector.
Surely, it would be imperative to include software and hardware developers and others in the
private sector in the overall cyber security defense plan. After all, it is their software and
hardware that would be subject to exploitation. Policy wise, President Obama issued Executive
Order 13636 in February 2013. The title of the Executive Order was “Improving Critical
Infrastructure Cybersecurity”. The President, emboldened by the frequency of digital
encroachment on critical infrastructure, created Executive Order 13636. Section 4(a) of
Executive Order 13636 states that “it is policy of the United States Government to increase the
volume, timeliness, and quality of cyber threat information shared with U.S. private sector
entities so that these entities may better protect and defend themselves against cyber threats”
(Obama, 2013). This is an indication that the administration realizes the importance of bringing
the public sector to the table.
As the nation improves its offensive and defensive cyber security tools, there must be a
concerted effort to ensure that those tools aren’t used to infringe on the civil liberties that are a
way of life in America. The Constitution of the United States guarantees basic rights and
freedoms that must not be taken away. Even an effort to “provide for the common defense” is not
justification to infringe on those rights and freedoms. The desire to protect the privacy of
Americans must be engrained in law and in policy. Section 5(a) of Executive Order 13636
directs agencies to “coordinate their activities under the order with their senior agency officials
for privacy and civil liberties and ensure that privacy and civil liberties protections are
incorporated into such activities” (Obama, 2013). In addition to protecting the nation from
cyber attacks, there must be an effort to ensure that the nation does not stray away from the
values that its citizens hold so dear.
It is important that the United States develop and maintain capabilities to thwart and,
if necessary, respond to cyber attacks. Protecting the critical infrastructure of the nation is of
utmost importance. Interagency cooperation and collaboration is important to the cyber defense
mission. Coordination between the government and the private sector is a crucial piece of the
puzzle. Lastly, the nation must not be so caught up in the pursuit of defense that it fails to meet
its moral obligations to the American people. Civil liberties must not take a backseat to any
program, even those intended to defend the nation.
CHAPTER 3: RESEARCH DESIGN AND METHODOLOGY
Introduction
The purpose of this research is to determine if the United States is adequately prepared to
thwart and respond to possible cyber attacks. In order to answer the main question, there are
several related sub questions that must be answered. Is the United States’ critical infrastructure
protected? Are cyber security protection efforts a collaborative effort between all branches of the
government? Are government and private sector efforts effectively coordinated? Is a concerted
effort made to protect civil liberties in the efforts to secure the nation’s cyber infrastructure? By
answering these questions the researcher will be able to critique the current cyber security
posture. To maximize the effectiveness of this report and in order to answer each question,
specific research methods will be followed. Specific statistical information is not important to the
overall question, which, combined with the sub questions, is a matter of policy and procedural
effectiveness. Therefore, the qualitative research method will be the most suitable for this
project. This is because the qualitative research method uses words and pictures and focuses on
occurrences in natural settings. By following the qualitative research method, the researcher will
be able to determine the effectiveness of the United States’ cyber security posture.
Plan of Action
The plan of action for this research project will be structured in a manner that will allow
the researcher freedom to gather relevant data from multiple sources. The overall design of the
research will be that of a case study. According to the World English Dictionary, a case study is
“the act or an instance of analyzing one or more particular cases or case histories with a view to
making generalizations” (“case study”). This research project will use document review
extensively. The government has massive repositories of documents related to past, current, and
future plans for government policy. Researching laws, memorandums, Executive Orders, and
other documents will provide a wealth of information on the research topic. There will also be a
need to read and analyze white papers from cyber security professionals in the public arena. A
combination of structured and unstructured interviews will also be conducted. Informal
interviews with representatives from US-CERT and CYBERCOM will be helpful because those
individuals are responsible for the bulk of the United States cyber security planning and
enforcement. Information Assurance personnel across the military will also be utilized, because
they will, at least at a basic level, have experience with external attacks against their systems and
the steps implemented to mitigate those risks. Interviews will be generally unstructured to allow
the participants freedom to discuss only the information they are comfortable with sharing. This
is because some of the cyber security work conducted by US-CERT and CYBERCOM is
classified. Classified information will be protected at all times and in no way will be used,
gathered, or discussed for this project. Participants will be required to obtain permission before
discussing their processes and procedures, even if they aren’t classified, because they can still be
sensitive. As with classified data, sensitive information will not be used, gathered,
or discussed at all for the purpose of conducting this project. The only information that will be
used is information that would otherwise be considered to be public knowledge.
Research Methodology for Data Collection for Research and Applied Projects
Document review and secondary research will be the primary methods for gathering
information on the first sub question. That question deals with whether or not the United States’
critical infrastructure is protected. There may not be a massive amount of information on this
topic for obvious reasons. However, there are other individuals that have studied this topic
extensively. Their work will provide the basis for the secondary research. The specifics on which
critical systems (if any) reside on the internet may not be readily available. Therefore, the
researcher must look at the work of others to help answer this question. Also, there are articles
that cover the topic and incidents that have occurred already. In those articles there will be a lot
of lessons learned. Those lessons learned will in turn provide the researcher with an idea of
where the problems lie in securing critical infrastructure as well as provide information on what
the government plans to do to address those issues. The researcher will also need to pay attention
to new technology in the works such as the smart grid. The new technology specifications and
descriptions themselves may hint at problems that currently exist and provide insight on what is
being done to address those problems.
Document review will be the primary source of data for gathering information on the
second sub question. That question is, are cyber security protection efforts a collaborative effort
between all branches of the government? Document review will be primary because
memorandums and other directives will dictate the desire for such collaborative activities.
Furthermore, the policies and procedures for setting up and conducting interagency collaborative
activities will be dictated in documents such as memorandums of agreement or understanding
between the respective agencies. Interviews with information assurance and security personnel
will also be pertinent because they are the people tasked with managing risks related to the
transfer, storage, and usage of data. Information Assurance technicians should be aware of any
collaborative effort to secure information systems; at the very minimum those that are
government owned and reside on a government network. The combination of document review
and informal interviews should provide an idea of procedures, programs, and policies that
encourage interagency cooperation on cyber security.
The third question will generally be answered by information gained through document
review. The purpose of the third question is to determine whether or not government and private
sector efforts are effectively coordinated. This question can be answered by a variety of means.
The researcher will need to look for evidence of government and private sector collaboration
across several spectrums. Are government agencies sharing data with technology companies that
make antivirus software or hardware manufacturers? Does the private sector share proprietary
information with the government? Does the government work with the private sector to create
training programs for government information technology personnel? Each one of these
questions will be important to answer in order to answer the main question because if the
researcher can show the extent of government and private sector cyber security collaboration and
cooperation, the researcher will be in a better position to answer the question as to whether or not
that cooperation is effective.
The fourth and final question will be answered mainly by document review. The final
question is meant to analyze the government’s ability and commitment to protecting civil
liberties. The ability to adequately protect the cyber infrastructure means that the government
will have to apply special techniques and capabilities. This question seeks to determine if there is
an equal balance in the ability to protect the cyber infrastructure and the desire to simultaneously
ensure that the rights and liberties of citizens are protected. The researcher will need to analyze
appropriate documentation concerning personnel and procedures meant to address civil liberty
concerns. A desire to protect civil liberties would be reflected in policy and procedures. Does the
government employ individuals with the sole purpose of identifying and addressing civil liberty
concerns? What procedures are followed when violations are found? The answers to those
questions must be uncovered by the researcher in order to determine the answer to the question.
Conclusion: Analysis and Organization of Data
Once the data is gathered it must be organized appropriately. The researcher must follow
a general outline when organizing the data. The main question will be answered by four sub
questions. Each of the sub questions is very distinct, specific, and important to answering the
main question. The data gathered by research must be organized in a manner that will effectively
answer the sub questions and therefore the main question. Information gathered by interviews
with cyber security experts will be used when such information exists on any specific topic.
However, government documents such as memorandums, laws, and Executive Orders will be
relied upon greatly in the project. The documents will provide great detail on where the nation
was, where it is currently, and where it is headed in respect to cyber security awareness and
protection. The researcher must be careful not to neglect new policies or laws when using the
government documents as references. This is because items such as Executive Orders can be
rescinded by new administrations or replaced with new policies. Therefore, careful attention
to detail must be given when citing those documents. Together the documentation review and
interviews will allow the researcher to determine whether or not the government is adequately
prepared to thwart and respond to cyber security incidents.
CHAPTER 4: RESULTS OF THE STUDY
The purpose of this research project is to determine if the United States is adequately
prepared to thwart and respond to possible cyber attacks. There are several sub questions that
must be answered. Is the United States’ critical infrastructure protected? Are cyber security
protection efforts a collaborative effort between all branches of the government? Are government
and private sector efforts effectively coordinated? Is a concerted effort made to protect civil
liberties in the efforts to secure the nation’s cyber infrastructure? By answering these questions
the researcher will have enough information to determine if the current cyber security strategy is
working effectively. While conducting the research, specific research methods were followed.
The qualitative research method was followed when conducting the research for this project. The
qualitative research method was preferred because it uses words and pictures and focuses on
occurrences in natural settings. The combination of document reviews and informal interviews
was used in an attempt to determine the effectiveness of the United States’ cyber security
posture.
The data gathered from the first question was mainly through document reviews. The
question focuses on whether or not the United States’ critical infrastructure is protected. As
expected there was not a massive amount of data sources for this topic. The topic itself is a
sensitive one and there was no expectation that the answers to the question would be readily
available. Therefore, the research was focused on gathering information on past occurrences as
well as new technological advances. The idea was that by researching the past, the researcher
would be able to have an idea of where the nation was in respect to protecting critical
infrastructure. Also the research focused on emerging technology with the belief that those
innovations were triggered by the desire to update past flaws. Knowing those flaws was believed
to be important in determining current vulnerabilities.
In order to determine if critical infrastructure is protected, one must know what critical
infrastructure is. The Department of Homeland Security defines critical infrastructure as “the
backbone of our nation's economy, security and health. Critical infrastructure are the assets,
systems, and networks, whether physical or virtual, so vital to the United States that their
incapacitation or destruction would have a debilitating effect on security, national economic
security, national public health or safety, or any combination thereof” (“critical infrastructure”).
That being said, critical infrastructure is agriculture, water, emergency services, defense industry,
banking, hazmat, energy, communications, and transportation and the systems that provide the
services. For this research project the focus was specifically centered on the critical infrastructure
with components that reside in cyberspace or those that can be exploited by cyber attacks.
According to a press release from Aegis London, a recently completed study determined that
there is a “shift from attacks focused on breaching sensitive data to those which target critical
infrastructure” (Freed, 2014). The study was commissioned by Aegis London and completed by
BAE Systems Applied Intelligence. The report found that cyber attacks were no longer solely
focused on information technology infrastructure. According to the Chairman of AEGIS London
Alan Maquire, “cyber terrorists have turned their attention to operational technologies and the
critical infrastructure they support” (Freed, 2014). One positive finding by the study was that
power companies are generally aware of the risks they face related to their technology systems.
Regardless, many experts in the energy sector feel that there remains a risk that will eventually
materialize in the unforeseen future. The development of the Smart Grid is meant to address the
issues of the current century-old power grid. Resiliency against physical and cyber attacks is a
primary goal of the Smart Grid program.
The second sub question to be answered was related to interagency cyber security
cooperation and whether or not it is effective. Data to answer the second question was
gathered through document review and a basic survey (see Appendix, Figure 2). The survey
consisted of six open-ended essay questions. The first six questions dealt with the respondent’s
opinions on interagency cyber security cooperation, cooperation with the private sector, and the
US cyber security posture in general. The survey also allowed the respondent to comment on
what he or she felt was lacking in the nation’s cyber security strategy. The survey was sent to
individuals representing cyber security operations in the government and private sector. The
respondents were obtained through professional networking, peers, and a listserv of IT personnel
across the DoD. The respondents consisted of a chief information officer, a cyber security expert
from US-CERT, and the CEO of a firm that provides cyber security training, just to name a few.
There were 12 respondents total to the survey.
There were varying opinions on the issue of interagency cooperation in regards to cyber
security. The majority of the respondents felt that there is not adequate collaboration between
governmental agencies. Some respondents argued that interagency
collaboration was lacking because there was no system for facilitating
information sharing. Even in cases where there was a system, the agencies would pick and
choose what information to share with one another, either to keep it a secret or to avoid
embarrassment that may be caused by negative disclosures. There were also respondents who felt
that efforts were being improved. However, there was a general theme that bureaucracy was to
blame for efforts not being properly coordinated. Curt Schadewald, a Cyber Security Analyst for
the National Guard Bureau, elaborated on this topic further (see Appendix, Figure 3.11). Mr.
Schadewald noted that US-CERT does in fact have mechanisms in place to share data. However,
he believes that the success rests on the individual agency’s ability to report. Mr. Schadewald
mentioned Cyber Guard as an example of interagency collaboration. Cyber Guard was a
weeklong joint exercise between the National Guard, USCYBERCOM, NSA, and FBI and
focused on defensive cyber security efforts amongst the various agencies. Another intended
purpose of the Cyber Guard exercise was to build working relationships between the cyber
security professionals in those agencies.
Policy-wise, the collaboration of governmental agencies on cyber security matters is
considered to be a major goal of the Comprehensive National Cybersecurity Initiative. The
Comprehensive National Cybersecurity Initiative, or CNCI, specifically identifies information
sharing as a core necessity of maintaining effective cyber security efforts. A key initiative of the
CNCI is “to establish a front line of defense against today’s immediate threats by creating or
enhancing shared situational awareness of network vulnerabilities, threats, and events within the
Federal Government—and ultimately with state, local, and tribal governments and private sector
partners—and the ability to act quickly to reduce our current vulnerabilities and prevent
intrusions” (“CNCI”). The CNCI identifies other initiatives that are meant to reinforce the
national cyber security strategy. The CNCI is being developed as the main policy for US cyber
security efforts.
The third question pertains to the effectiveness of collaboration between government and
private sector entities. The participants of the survey were asked if they felt that the efforts
between government and private sector were effectively coordinated. This was another question
that resulted in varying answers. There were some respondents who felt that there was no need
for government and private sector collaboration, and there were those who felt that there should
be a limited amount of collaboration between the two. Mr. Collins Orizu, an Information
Security Network Analyst with US-CERT, noted in his survey that US-CERT uses software
called EINSTEIN that helps in the efforts to collaborate with the private sector (see Appendix,
Figure 3.12). As a result of EINSTEIN “US-CERT has greater situational awareness and can
more effectively develop and more readily share security relevant information with network
defenders across the U.S. Government, as well as with security professionals in the private sector
and the American public” (Obama, 2013). The general consensus reached by examining the
responses to the question was that there is a level of collaboration. However, each side has its
own reasons as to why they don’t share all data with each other. The government is believed to
share only information that is not classified and the private sector only shares information that is
necessary. That being said, the belief is that the government’s reluctance to share information
with the private sector is related to the desire to control the disclosure of sensitive information or
the means for obtaining such information. The private sector’s reluctance is believed to be
related to the pursuit of profits and the overall fear of government interference in corporate cyber
security efforts. There is information sharing and collaboration between the government and
public sector, but government policy and procedures are seen as hampering the ability of the two
to truly cooperate.
As a matter of policy the administration of President Barack Obama is focused on
bringing all players in the cyber security arena to the table. Executive Order 13636, signed by
President Obama, is an example of such a desire. Executive Order 13636 directs the National
Institute of Standards and Technology to develop a voluntary framework meant to foster
cooperation between public and private entities in regards to cyber security. According to a Press
Release by the White House, through the Framework for Improving Critical Infrastructure Cyber
Security “industry and government are strengthening the security and resiliency of critical
infrastructure in a model of public-private cooperation” (Obama, 2013). The development of the
framework itself is an example of government and private sector collaboration and cohesion, as
NIST compiled recommendations from across the cyber security spectrum when creating the
framework. NIST is still accepting recommendations and lessons learned from organizations and
individuals to ensure that the framework is continuously up to date.
The final question to be answered is related to the government efforts to protect the civil
liberties of Americans while securing the nation in cyberspace. In order to answer this question
the researcher must examine policy to determine if there is a desire to do so. Furthermore, it is important
to know what is being done to ensure that civil liberties aren’t violated. When developing the
Framework for Improving Critical Infrastructure Cyber Security, the President “directed that
these activities be conducted in a way that is consistent with ensuring the privacy rights and civil
liberties guaranteed in the Constitution and cherished by all Americans” (Obama, 2013). Privacy
experts across the government were said to have been consulted during the development of the
Framework. The Memorandum of Agreement between the Departments of Homeland Security
and Defense states that “the agreement will focus national cybersecurity efforts, increasing the
overall capacity and capability of both DHS's homeland security and DoD's national security
missions, while providing integral protection for privacy, civil rights, and civil liberties” (Gates
& Napolitano, 2010). There are jobs in the government that exist for the purpose of advancing
privacy and civil liberties and investigating violations. Accordingly, it is evident that there is a
desire to protect civil liberties while protecting the cyber homeland.
In conclusion, through the application of various research methods and procedures,
information has been gathered to assist in determining the effectiveness of the United States’
cyber security posture. The government is working to identify and secure the nation’s critical
infrastructure. There is collaboration and joint cyber operations between governmental agencies.
There is also a level of cooperation between the federal government and the private sector. The
opinion of the effectiveness of that cooperation is one that varies depending on who you ask.
Lastly, the government is continuing to work to protect the civil liberties of citizens of the United
States. Lessons learned are being used to enhance all aspects of the United States cyber security
efforts.
CHAPTER 5: SUMMARY AND DISCUSSION
Introduction
A globally connected network of computers presents a variety of benefits to the users.
However, the global reach makes it a potential target for criminal activity. As more people get
online and as people rely more on the internet in their day-to-day lives, it is important to remain
safe and secure in cyberspace. In Homeland Security, the primary goal is to protect the homeland.
With so many uses of the internet, it is imperative that the United States Government work to
protect its citizens and infrastructure in cyberspace as well. This leads to an important question.
Is the United States adequately prepared to thwart and respond to possible cyber security attacks?
It is obvious that national cyber security is important given the many threats that exist in
cyberspace. The purpose of this report was to investigate the current United States cyber security
posture with the intention of identifying successes and pitfalls in the national cyber security
protection efforts.
Statement of Problem
As mentioned above, the purpose of this research project was to determine if the United
States is adequately prepared to thwart and respond to possible cyber security attacks. Several
sub questions were answered with the intention of providing information that would be helpful
in determining if the United States’ cyber security posture is adequate. Is the United States’
critical infrastructure protected? Are cyber security protection efforts a collaborative effort
between all branches of the government? Are government and private sector efforts effectively
coordinated? Is a concerted effort made to protect civil liberties in the efforts to secure the
nation’s cyber infrastructure? Those were the four sub questions that form the basis of this
research project.
Review of Methodology
Specific research methods were followed to gather relevant data. Specific statistical
information was not important to the overall question. The main question, combined with the sub
questions, is truly a matter of policy and procedural effectiveness. Because of this, the qualitative
research method was determined to be the most suitable for this project. The qualitative research
method uses words and pictures and focuses on occurrences in natural settings. By following the
qualitative research method, data was effectively gathered that would aid in
determining the effectiveness of the United States’ cyber security posture.
Summary of Results
Is the United States’ critical infrastructure protected?
Through research it was determined that steps have been taken to ensure that critical
infrastructure is protected. The research determined that contrary to popular belief, there is only a
small percentage of operational hardware related to the power grid that is connected to the public
internet. Computers on the same internal network that get infected can still infect other machines
on that network. Therefore, these systems still present a risk to critical infrastructure. There have
been alleged instances of the US government using defensive cyber weapons, such as the Stuxnet
virus. The virus crippled Iranian centrifuges and weakened their ability to create nuclear
material. There have also been instances of cyber attacks on critical systems in the United States,
such as the attack in which foreign hackers caused a pump to fail at a water treatment plant in
Illinois. There have been many more cyber attacks, but this was the first confirmed instance of
critical infrastructure being damaged through cyber warfare against the United States
(Nakashima, 2011). It should be mentioned that hackers are continuously refocusing their efforts
from attempts to steal information to targeting infrastructure. The US Government is working to
create and implement the smart grid which will decrease the risk of a cyber attack on the US
power grid.
Are cyber security protection efforts a collaborative effort between all branches of the
government?
The research uncovered programs and policies in place to share information and foster
collaboration and cooperation between government agencies. There are programs such as
EINSTEIN which allow the analysts from US-CERT to monitor the network gateways of various
government agencies for unauthorized traffic. Executive branch level departments such as the
Department of Homeland Security and Department of Defense have signed agreements that
linked personnel, equipment, and expertise in support of the nation’s cyber security efforts. The
National Guard, USCYBERCOM, NSA, and the FBI have performed a joint cyber security
exercise called Cyber Guard with the intention of building professional relationships with one
another in respect to cyber security. The Comprehensive National Cybersecurity Initiative
created during the Bush Administration is being updated and is serving as the primary model for
the nation’s cyber security policy.
Are government and private sector efforts effectively coordinated?
There is collaboration between the government and private sector. However, this is
sometimes limited by the government’s laws and regulations and desire to protect sensitive
information. The public sector is reluctant to share information with the government because of
fears that it can cost them money. The private sector is also concerned about the government
imposing rules and regulations on them or otherwise interfering in the operations of their
businesses. The Administration of President Barack Obama has taken steps to bring all cyber
security experts to the table. The President signed Executive Order 13636, titled Improving
Critical Infrastructure Cybersecurity. Executive Order 13636 sets the stage for the National
Institute of Standards and Technology to prepare a voluntary framework that, among other things,
will “increase the volume, timeliness, and quality of cyber threat information shared with U.S.
private sector entities so that these entities may better protect and defend themselves against
cyber threats” (Obama, 2013). Executive Order 13636 also improves a program that gives
personnel from outside of the federal government, whether private sector or local and state
officials, access to classified information when they have a need to know regarding risks to critical
infrastructure.
Is a concerted effort made to protect civil liberties in the efforts to secure the nation’s cyber
infrastructure?
Privacy and civil liberties are fundamental rights in the United States of America. The
government has taken steps to ensure that those rights are not violated by its cyber security
protection efforts. The government employs personnel who assess and respond to possible
violations of civil liberties. When developing the Comprehensive National Cybersecurity
Initiative, the policy was reviewed by a multitude of individuals with expertise in privacy and
civil liberty matters.
Discussion of Results
The results of this project were enlightening. The United States’ cyber security posture
was examined across the board in excruciating detail. Protection of critical infrastructure is
important because the critical infrastructure is important in all aspects of life. The events on
September 11, 2001 changed how business was conducted. Effective interagency
communications and information sharing were the biggest failures that led to the inability to
thwart the attacks. The emergence of the internet is opening up new opportunities for exploration
and exploitation as well. Information sharing and effective communications between government
agencies is important in cyberspace operations. Communication and collaboration with the
private sector is important as well. Information must be gathered, processed, and disseminated to
relevant parties in a quick and efficient manner and free of government bureaucracy.
Conclusions
The significance of this project is the fact that it looks at many aspects to determine if the
cyber security posture of the United States is adequate. The answer to whether or not the United
States is adequately prepared to respond or thwart a cyber attack varies depending on who is
asked. The United States can respond to a cyber attack appropriately. Because the United States
Department of Defense views cyberspace as a new domain of war, the US is not limited to
responding to a cyber attack with another cyber attack. The US reserves the right to respond
militarily to a cyber attack. This is an indication of how serious the United States is about cyber
security. Collaboration between governmental agencies and private sector is not the sole
determination of effectiveness. The protection of civil liberties is important as well because the
United States is a nation with a history of freedom and democracy and all programs undertaken
should reflect that goal. Through the data gathered during this project it is safe to say that the
United States’ cyber security posture is effective, although, as with all things, it should always
continue to be updated to remain relevant.
REFERENCES
Aucsmith, D. (2012, May 26). Cyberspace is a domain of war. Retrieved from
http://cyberbelli.com/2012/05/26/cyberspace-is-a-domain-of-war/
This article explains why cyberspace is now viewed as a domain of war by the United
States Department of Defense. The article supports the argument by identifying three sets
of facts to support the claim. It identifies cyberspace as a domain of war by doctrine,
definition, and contestation. The article uses testimony from American cyber security
policy makers in the DoD to bolster its arguments.
case study. (n.d.). Collins English Dictionary - Complete & Unabridged 10th Edition. Retrieved
April 20, 2014, from Dictionary.com website:
http://dictionary.reference.com/browse/case study
The definition of case study is given from a variety of dictionaries.
Condron, S. (2007). Getting it right: Protecting America's critical infrastructure in cyberspace.
Harvard Journal of Law & Technology, 20(2), 406.
This journal entry discusses the simplicity of gaining technology to conduct a cyber
attack. It also identifies figures related to cyber security incidents. Examples of specific
attacks by other nations and against other nations are included in the paper. Critical
infrastructure is defined by the United States in the US PATRIOT ACT. This paper
compares and contrasts homeland security and defense. International law as it applies to
cyber security is also referenced in this paper.
Emspak, J. (2011, August 31). Feuding government agencies agree to disagree on cybersecurity.
Tech News Daily, Retrieved from http://www.technewsdaily.com/7123-9-11-govt-agencies.html
This article discusses the disagreements between the Department of Homeland Security
and the National Security Agency related to who is responsible for the nation's cyber
security. The article gives hypothetical scenarios meant to bring forth a discussion on
what agency would be in charge in a given scenario. The article also discusses various
cyber security units in several executive branch agencies and sub agencies and their
overall functions.
Freed, A. (2014, April 14). Attacks Shift from Data Breaches to Targeting of Critical
Infrastructure - The State of Security. The State of Security. Retrieved April 21, 2014,
from http://www.tripwire.com/state-of-security/top-security-stories/attacks-shift-from-data-breaches-to-targeting-of-critical-infrastructure/
This article describes the evolution of cyber crimes. Hackers are turning their efforts from
stealing information to activities meant to target critical infrastructure. The article
discusses foreign government sponsored cyber attacks based on statistics from US-CERT.
This article also references a study conducted by Aegis London in order to
strengthen their argument.
Gates, R., & Napolitano, J. Department of Homeland Security, National Protection and Programs
Directorate. (2010). Memorandum of agreement between the Department of Homeland
Security and the Department of Defense regarding cybersecurity. Washington, DC:
United States Government.
The Memorandum of Agreement is between the Department of Homeland Security and
the Department of Defense. It establishes a framework for cyber security cooperation
between the two agencies. The agencies map out everything from information sharing to
joint personnel. The roles and responsibilities of each agency are explained in full detail.
Oversight requirements are listed in the document as well as methods for modifying the
order.
Homeland Security. (n.d.). What Is Critical Infrastructure?. Retrieved April 21, 2014, from
http://www.dhs.gov/what-critical-infrastructure
Department of Homeland Security overview on what critical infrastructure refers to.
Manzo, V. (2013, January 29). Stuxnet and the dangers of cyberwar. The National Interest,
Retrieved from http://nationalinterest.org/commentary/stuxnet-the-dangers-cyberwar-8030
Vincent Manzo breaks down Operation Olympic Games and the development and
deployment of the Stuxnet virus. Stuxnet is described as the world’s first cyber
superweapon, completing a task that would normally require military actions and
conventional weapons. The intended purpose of Stuxnet is described as well as the
method in which Stuxnet spread from Iranian computers to those in other nations
inadvertently. Mr. Manzo also discusses the pros and cons of the US deploying a
cyberweapon, such as the fact that it could possibly allow other nations to justify
attempting a similar feat.
Nakashima, E. (2011, November 18). Foreign hackers targeted U.S. water plant in apparent
malicious cyber attack, expert says. Washington Post. Retrieved April 25, 2014, from
http://www.washingtonpost.com/blogs/checkpoint-washington/post/foreign-hackers-broke-into-illinois-water-plant-control-system-industry-expert-says/2011/11/18/gIQAgmTZYN_blog.html
This article describes the first known cyber attack against the United States that was
intended to damage critical infrastructure. Foreign hackers targeted and broke a water
pump at an Illinois water treatment plant. This article discusses the evolution of computer
hackers. It also describes how the attack was traced to Russia.
National Commission on Terrorist Attacks upon the United States. (2004). The 9/11 commission
report: Final report of the National Commission on Terrorist Attacks upon the United
States. Washington, DC: National Commission on Terrorist Attacks upon the United
States.
The 9/11 Commission Report was created to identify the shortcomings that led to the
failure to prevent the attacks against the United States on September 11, 2001. The
evolution of counterterrorism is also discussed. Al Qaeda’s initial attacks that led up to
those of 9/11 are discussed. This report covers the attacks on September 11 in great detail
as it identifies the pitfalls and successes of all players responsible from the airline crew to
the first responders. Recommendations for policy changes are made in an effort to
prevent such an attack from happening again.
Obama, B. (2009, May). In Robert Gibbs (Chair). Remarks by the President on securing our
nation's cyber infrastructure. Presentation delivered in East Room of the White House
Daily press briefing, Washington, DC. Retrieved from www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure
This source is a readout of President Barack Obama’s press conference on May 29, 2009.
The President’s topic was securing the nation’s cyber infrastructure. The President
discussed the efforts his administration made over his first 4 months in office related to
cyber security. He discussed the pros and cons of the internet. The President also outlines
his goals for protecting the nation’s cyber infrastructure while ensuring that privacy and
civil liberties are protected.
Obama, B. The White House, Office of the Press Secretary. (2013, February 12). Executive order
-- improving critical infrastructure cybersecurity (Executive Order 13636). Retrieved
from website: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
Executive Order 13636 was signed by President Barack Obama in February 2013. This
Executive Order sets the cyber security policy of the executive branch. Critical
infrastructure is defined within the order. The order identifies a mechanism for
information sharing, policy coordination, protection of privacy and civil liberties. The
order also directs the National Institute of Standards and Technology to create a
voluntary cybersecurity framework.
The Comprehensive National Cybersecurity Initiative. (n.d.). The White House. Retrieved April
25, 2014, from http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative
This article discusses the Comprehensive National Cybersecurity Initiative. The
Comprehensive National Cybersecurity Initiative, or CNCI, was a product of the Bush
administration. However, after taking office, President Barack Obama convened a review
of cyber security policies which resulted in the updating of the CNCI. The CNCI is being
shaped to become the primary policy for the United States cyber security operations.
APPENDIX
Figure 1: Survey Consent Page
Figure 2: Survey Questions
Figure 3.1: Respondent 1 Survey Answers
Figure 3.2: Respondent 2 Survey Answers
Figure 3.3: Respondent 3 Survey Answers
Figure 3.4: Respondent 4 Survey Answers
Figure 3.5: Respondent 5 Survey Answers
Figure 3.6: Respondent 6 Survey Answers
Figure 3.7: Respondent 7 Survey Answers
Figure 3.8: Respondent 8 Survey Answers
Figure 3.9: Respondent 9 Survey Answers
Figure 3.10: Respondent 10 Survey Answers
Figure 3.11: Respondent 11 Survey Answers
Figure 3.12: Respondent 12 Survey Answers