
these regions, NCSD has facilitated a tabletop exercise designed to raise awareness of infrastructure interdependencies and to identify ways to improve regional preparedness. Collaboration with State/local government and private sector companies has been instrumental in the success of our regional efforts in the Gulf Coast and Pacific Northwest. Through direct interaction and collaboration during exercises in these regions, NCSD has developed significant partnerships with the public and private sectors to better prepare for and become more capable of preventing, responding to, and recovering from a major cyber incident.

Cyber exercises provide the environment to develop, coordinate, rehearse, and refine key processes; integrate infrastructure protection activities within other national-level plans; establish mechanisms for coordination and information exchange; and identify interdependencies, overlaps, and gaps so that all the critical infrastructure stakeholders at every level are better prepared for and more capable of preventing, responding to, and recovering from a major cyber incident, thereby reducing exposure to cyber vulnerabilities.

Q1c. How do you decide what is "secure enough"?

A1c. Determining a sufficient level of security is variable depending on the specific needs of an organization and the specific assets involved, their risk tolerance, and the availability of resources. By following established standards such as International Organization for Standardization (ISO) 17799, an international security standard that includes a comprehensive set of controls comprising best practices in information security, as well as conducting risk assessments, entities may determine their ideal security level. This determination must be based upon the results of a risk assessment in which government and the private sector, respectively, can reasonably decide what level of risk is acceptable or what areas need improvement and additional effort. Entities will make the determination regarding whether or not improvements and additional effort are necessary, based on availability of resources, their risk assessments, and their acceptable levels of risk.

Q1d. Are government mandates needed to increase the Nation's progress on securing information systems and to get to "secure enough"?

A1d. Government mandates would likely not increase the Nation's progress on securing systems to reach a state of "secure enough." This is largely because a state of "secure enough" will differ for each entity utilizing information systems, and because it would be very difficult to formulate a mandate that enhances security in a way that can evolve with the dynamic security and technology environment. Each operating environment is different, and each entity, public or private, must determine what is needed to continue its individual critical operations based on its distinct environment. These case-specific needs will evolve over time. A comprehensive awareness program, including the promotion of a risk management approach as well as accepted best practices and standards, is a more effective tool for enhancing cyber security and achieving a greater state of security. Under the NIPP framework, metrics are being developed to improve the measurement of cyber security across critical infrastructure sectors.

Q2. Information Sharing

Q2a. What information would Department of Homeland Security (DHS) find most helpful to receive from critical infrastructure and information technology companies? What do you, or would you, do with this information, and how would you protect sensitive information?

A2a. Industry information can allow NCSD (in partnership with other government entities and the private sector) to identify critical assets and interdependencies, vulnerabilities, and problematic cyber incidents and activity, assess cyber risk and prioritize measures to reduce vulnerabilities and cyber risk, generally, and minimize the severity of cyber attacks by timely warnings and by increased awareness and outreach efforts to improve the cyber security of critical infrastructures. DHS has established mechanisms, such as the Protected Critical Infrastructure Information program (PCII), to encourage industry to submit proprietary/sensitive information that will be protected and exempt from public disclosure as determined by the PCII program. In addition, entities may securely submit information through the United States Computer Emergency Readiness Team (US-CERT) secure website.

Industry and government can provide many forms of information that are beneficial to NCSD. First, identification of cyber points of contact within organizations allows the US-CERT to disseminate information on cyber threats and vulnerabilities to the appropriate parties. Second, industry reporting of any cyber incidents (e.g., worms, viruses, attacks, etc.) to the US-CERT provides NCSD the ability to enhance cyber situational awareness across all sectors as well as to provide alerts and warnings back to the public. In addition, of particular importance from the private sector is information about major impacts that affect critical infrastructure operations.

Third, the sharing of vulnerability assessment information with NCSD, including methodologies used, consequences of loss, and interdependencies, can assist NCSD in the identification of multi-sector cyber vulnerabilities and in collecting best practices that can be shared across sectors. Information on the cyber vulnerabilities the private sector is most concerned about, tactics that might be used to exploit these vulnerabilities, or the likelihood from their perspective that these vulnerabilities could be exploited, will assist NCSD in determining the state of cyber security for the IT Sector and the Nation. Fourth, it is important for NCSD to receive information on current protective measures, business continuity plans, and current levels of resources applied to cyber security. Insight into this information can enable NCSD to work even more effectively with industry to address vulnerabilities and further enhance protective measures. Fifth, NCSD is working with critical infrastructure owners and operators, vendors, and other security partners to promote control systems security. Information on control system architectures, protective measures, metrics, and research and development will further enhance NCSD's situational awareness and understanding of the state of control systems security and the ability to provide protective measures that are relevant and meaningful to the industry.

Q2b. Are you currently receiving the information you need? What are the principal barriers to information sharing? Are changes in legislation or regulations needed to overcome these barriers?

A2b. While NCSD does receive information from various stakeholders, we believe that we can improve upon our current level of analysis with more information. We continue to encourage companies, government agencies, and others to share information as described above.

Perhaps the greatest barrier to private sector information sharing with the government is concern about the possible release of shared information to the public, either unintentionally or by legal statute, such as the Freedom of Information Act (FOIA). There is a concern that the release of shared information by either means could potentially lead to the exploitation of any disclosed vulnerabilities by malicious actors, cause damage to corporate reputation, and/or result in legal consequences.

DHS, through the PCII program office, is pursuing ways to make the resulting program as effective as possible in furthering information sharing between the public and private sectors by providing industry protections and assurances through statutory exemption categories, as afforded by Congress.

Q3. Response to Cyber Attacks

Q3a. If the information systems of a critical infrastructure company were attacked today, is the U.S. prepared to detect the attack and repel it or repair the systems quickly?

A3a. Approximately eighty-five percent of the information infrastructure is owned and operated by the private sector; consequently, the majority of response activities reside with the private sector. In the case of an attack on private sector infrastructure, NCSD's role includes providing support to the private sector in the form of warnings, incident response coordination, technical support, and coordination with law enforcement as warranted. In addition, NCSD's US-CERT provides a national coordination center that links public and private response capabilities to facilitate information sharing across all infrastructure sectors and to help protect and maintain the continuity of our nation's cyber infrastructure. US-CERT serves as a 24x7x365 cyber watch, warning, and incident response center, and provides coordinated response to cyber incidents, a web portal for secure communications with private and public sector stakeholders, a daily report, a public website (http://www.us-cert.gov/), and a National Cyber Alert System, which provides timely, actionable information to the public on both technical and non-technical bases. US-CERT also conducts malicious code analysis, provides malware technical support, and conducts cyber threat and vulnerability analysis. US-CERT works to advance relationships with infrastructure owners and operators to confirm attacks and enhance coordinated response activities.

In addition, if the attack rises to the level of a cyber incident of national significance, the National Cyber Response Coordination Group (NCRCG) will help to coordinate the federal response, including law enforcement and the intelligence community, with that of the private sector. NCSD co-chairs the NCRCG with the Department of Justice and the Department of Defense. An additional thirteen federal agencies with a statutory responsibility for and/or specific capability toward cyber security, including the intelligence community, are members. NCSD serves as the Executive Agent and point of contact for the NCRCG. As directed by Homeland Security Presidential Directives 5 and 8, NCSD helped to create a Cyber Annex to the National Response Plan (NRP)¹ that provides a framework for responding to cyber incidents of national significance. The Cyber Annex establishes the NCRCG as the principal Federal Government cyber response body.

The government is prepared to respond to major cyber incidents in coordination with the private sector and is working to formalize incident response coordination by ensuring that standard operating procedures work in unison. NCSD is also working to facilitate, enhance, and ensure public-private coordination during major cyber incidents.

Q3b. What about if it were an attack on the Internet?

A3b. As stated above, because approximately 85 percent of the information infrastructure is owned and operated by private industry, the majority of mitigation and restoration activity is borne by private industry. In this regard, NCSD's US-CERT is enhancing relationships with Internet owners, operators, and other associated industries to aid in incident coordination and communications with all players to facilitate rapid response to a significant cyber event or incident. Specifically, the US-CERT maintains regular communications with the Information Technology Information Sharing and Analysis Center (ISAC) and the Telecommunications ISAC. Additionally, US-CERT has established relationships with the Financial and Multi-State ISACs and is well coordinated with the ISAC Council, which includes ISACs from other critical infrastructures. US-CERT is prepared to reach out and alert those within the ISAC communities and affected infrastructure sectors when necessary. A large-scale attack on the infrastructure of the Internet may constitute a cyber incident of national significance that would activate the NCRCG. The NCRCG is also building a more robust partnership with the IT sector, with Internet Service Providers, and through NCSD's responsibilities for the cyber component of the National Infrastructure Protection Plan (NIPP) to enable a collaborative, coordinated approach to attack mitigation and recovery.

The NCSD also co-chairs the Internet Disruption Working Group (IDWG) with the National Communications System (NCS). The IDWG was established by the NCSD and NCS to form a strategic partnership with other key government agencies. Its focus is to identify and detail actions that can be taken in the near term to enhance Internet resilience. An initial goal of the IDWG was to reach out to private sector stakeholders. A one-day IDWG Forum was conducted on November 29, 2005 as an initial undertaking to bring subject matter experts together around a common concern: Internet disruption and hardening, with a focus on gathering feedback on the most likely risk scenarios facing the Internet infrastructure today. Emphasis was placed on discussing immediate near-term needs and requirements for industry-government coordination in preparation for or during an Internet disruption of national significance. The IDWG will analyze outcome data from the forum to develop near-term action plans for risk preparedness, vulnerability mitigation, and response and reconstitution. Information will be provided to the NCS, NCRCG and the US-CERT for consideration as input to the update of the NRP/ESF-2, which is the overarching National plan for communications recovery/reconstitution activities. Near-term action plans are scheduled to be completed by the end of the 2nd quarter, FY06.

Q3c. What role can and should DHS and other public and private organizations play in these response activities?

A3c. Although the private sector owns and operates such a large part of the information infrastructure, and that infrastructure represents a critical national asset, response activities reside with both the private sector and the government. DHS's role is to ensure the coordination and effectiveness of government preparedness and response efforts in partnership with the private sector.

US-CERT is the operational arm for DHS's coordinated cyber preparedness and response and collaborates with affected parties to assist with rapid response. US-CERT also builds situational awareness, provides malicious code and vulnerability analysis, disseminates timely alerts and warnings, participates in exercises, develops and refines standard operating procedures, and provides training.

¹ http://www.dhs.gov/dhspublicldisplay?theme=15&content=4269

As discussed above, the Cyber Annex to the National Response Plan (NRP), which provides a framework for responding to cyber incidents of national significance, establishes the NCRCG as the principal Federal Government response body. The NCRCG will engage the applicable private sector entities to ensure both the feasibility and comprehensiveness of the mitigation and recovery strategy.

Q3d. What are the barriers to DHS, companies, or other organizations providing a quick, effective, and coordinated response?

A3d. NCSD views the current challenges to include clearly defining roles and responsibilities for response activities. Delineating roles and responsibilities between the public and private sectors with regard to response is well underway. The US-CERT Concept of Operations (CONOPS) provides for federal agency reporting and coordination, while the NCRCG CONOPS provides for response to a cyber incident of national significance. US-CERT and NCRCG continue to refine draft Standard Operating Procedures (SOPs) to ensure systemization and coordination of response actions. Also, as stated above, NCSD is working to facilitate, enhance, and ensure public-private coordination during major cyber incidents.

NCSD's Cyber Storm exercise seeks to test whether, in the event of an incident, the public and private sectors are prepared to act in a coordinated fashion. By examining homeland security cyber response and recovery mechanisms, NCSD can evaluate the existing resources and procedures to recommend improvements to information sharing, processes, and policies for a more coordinated and robust national cyber incident preparedness and response. Specifically, Cyber Storm will provide the opportunity for the lead agencies in the Federal Government to examine their SOPs and CONOPS in a controlled environment and make revisions based on the outcome of the exercise.

Q4. Cyber Security R&D

Q4a. What are the biggest technology gaps, or areas where research and development (R&D) are most needed, that you see in trying to protect information systems across critical infrastructure sectors?

A4a. For cyber security research and development (R&D) within the Department of Homeland Security, the Science and Technology (S&T) Directorate coordinates with the National Cyber Security Division (NCSD). NCSD collects, develops, and submits cyber security R&D requirements to provide input for the S&T Directorate's cyber security research priorities and to the federal cyber security R&D community. The most significant technology gaps where R&D is needed to protect information systems across critical infrastructure sectors fall into three categories: (1) technologies that are applicable to standard network-based information systems, [the Department of Homeland Security's (DHS) Science and Technology (S&T) Directorate is addressing some of these through existing and planned programs within the Cyber Security portfolio]; (2) technologies that are applicable to distributed control systems [the S&T Directorate is addressing these issues through existing programs within the Critical Infrastructure portfolio—see Q02935]; and (3) technologies that are relevant when enterprise information systems are directly connected to distributed control systems.

Technologies needing further R&D related to distributed control systems are:

• Efficient, intelligent, cross-domain intrusion detection systems
• Effective authentication and authorization technologies
• Methods for testing and verification of solutions to retrofit existing systems
• Automated security assessments
• Efficient, low-cost encryption technologies
• Improved technologies for non-intrusive testing methods for secondary (supervisory) instrumentation systems

Improved technologies that need further R&D related to enterprise systems connected to distributed control systems, and that are not currently commercially available, are:

• System-wide intrusion detection and prevention systems
• Intelligent firewalls
• Multi-level security systems
• High-level auditing and reporting systems

The Federal Plan for Cyber Security and Information Assurance Research and Development (CSIA R&D Plan) marks the Federal Government's first step toward developing an agenda for the R&D listed above. The Plan responds to significant drivers for improved federal cyber security and information assurance R&D arising from current federal priorities, as outlined in the 2005 report of the President's Information Technology Advisory Committee (PITAC) and, additionally, the following documents: the OSTP/OMB Memorandum on Interagency R&D Priorities for FY 2007; Cyber Security: A Crisis of Prioritization; the 2003 National Strategy to Secure Cyberspace; and the 2002 Cyber Security Research and Development Act (Public Law 107-305). The purpose of the Plan is to provide baseline information and an initial technical framework for a coordinated multi-agency R&D effort in cyber security and information assurance. The Plan was developed by the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG) of the National Science and Technology Council (NSTC). The CSIA R&D Plan has been coordinated with, and is consistent with, the National Critical Infrastructure Protection Research and Development Plan, developed by OSTP and the S&T Directorate.

The CSIA IWG was established by the Subcommittee on Infrastructure and the Subcommittee on Networking and Information Technology Research and Development (NITRD). The purpose of the IWG is to coordinate policy, programs, and budgets for cyber security and information assurance (CSIA) R&D. This includes identifying and integrating requirements, conducting joint program planning, and developing joint strategies for the CSIA R&D programs conducted by agency members of the Subcommittees. For the purposes of this document, CSIA includes fundamental and applied R&D, technology development and engineering, demonstrations, testing and evaluation, and education and training; and "agencies" refers to federal departments, agencies, directorates, institutes, and other organizational entities. The following federal agencies are represented on the IWG:

• Department of Commerce:
  National Institute of Standards and Technology
• Department of Defense:
  Office of the Deputy Under Secretary of Defense for Science & Technology
  Defense Information Systems Agency
  Defense Advanced Research Projects Agency
  Departments of the Air Force, Army, and Navy
  National Security Agency
  Technical Support Working Group (joint with Department of State)

Q4b. What federal R&D programs exist in these areas and what are their funding levels?

A4b. We refer you to the Federal Plan for Cyber Security and Information Assurance Research and Development (CSIA R&D Plan) for a consolidated list of R&D programs in the areas listed above, broken out by federal agency. The Plan also includes detailed funding information for each of the programs.

The federal agency funding information gathered during the CSIA Plan process was pre-decisional and of varying granularity; it was collected only to provide a pre
