This is part of a continuing series on the Philosophy of
Cybersecurity Legislation. With all of the calls for improving cybersecurity
and the increasing sense that legislation is necessary this series will try to
define the necessary parameters for effective cybersecurity legislation. The
earlier post in the series was:

Part 1: What to Regulate

Flexibility Needed

The most common complaint about calls for cybersecurity
legislation over the last ten years or so has been that the cybersecurity field
changes so quickly that any legislative effort is doomed to being out-of-date
by the time that it is enacted. New types of threats, the expanding scope of
cyber operations in daily life and the ever-changing variety of tools used by
both defenders and attackers all make it hard for the crafters of legislation
to provide laundry lists of do’s and don’ts in their legislative efforts.

Having said that, there are four key areas that any
successful cybersecurity program is going to have to address:

• Identify critical cyber components,

• Limit access to those components,

• Monitor those components for signs of compromise, and

• Have a plan in place to recover operations.

I am not trying to say that an organization can afford to
ignore the security of non-critical cyber components, but national-level
cybersecurity legislation is going to have to focus on critical operations (CO)
of private-sector critical-infrastructure (PSCI). There is just not enough
time, money or personnel available to the federal government to worry about the
cybersecurity infrastructure of each and every component of the economy.

Identify Critical Cyber Components

The task of identifying the 3Cs, ‘critical cyber components’,
is going to be the key to a successful national critical infrastructure
cybersecurity program, and it is going to be the most difficult process to
define for this legislative effort. Each critical infrastructure sector
is going to have different types of economic output
that are going to have to be protected, and each facility is going to have a
different set of cyber controls in place that guides the completion of that
output.

The goal of a successful critical infrastructure
cybersecurity bill is not going to be to define what the 3Cs are for each and
every facility in the United States. That task would be monumental, it would
never be complete, and there would be too much resistance from every sector of
the economy to ever allow the bill to pass. No, that task is going to have to
be passed to the regulators at the Sector Specific Agencies
(SSA) that oversee federal efforts to help protect each of the 16 CI sectors.

Even these regulators are going to have a tough time defining
how each facility identifies its own 3Cs. One thing is certain, however: the regulatory
definitions are going to have to be operational in nature, basing the criteria
on what systems are absolutely necessary for the continued output of whatever
product or service makes the facility critical infrastructure in the first
place.

For example, in the Chemical Facility Anti-Terrorism
Standards (CFATS) program DHS defines critical cyber systems as those that
directly impact the safe/secure storage, handling or shipping of one or more of
the DHS chemicals of interest at the facility which are the basis for the
facility being covered by the CFATS regulations. Only those critical cyber
systems have to be addressed in the facility’s site security plan. Facilities
would probably want to protect their other cyber systems, but that is not the
worry of the CFATS program.

Limit Access to 3Cs

Limiting access to 3Cs is one of those areas where
legislative efforts are going to have to be carefully directed away from
requiring specific types of technology for solving the access problem. The
systems across the 16 critical infrastructure sectors are just too diverse for
a single solution to be effective. While encrypted communications and
two-factor authentication (2FA) will certainly be widely used in securing
critical cyber components, requiring their use will be self-defeating when the
next adversarial tool defeats 2FA or a new cybersecurity upstart comes up with
an easier, more effective way to address remote operations.

No, what a national legislative solution to protecting
CO-PSCI from cyber-attacks is going to have to do is to authorize the
regulators to establish processes by which regulated facilities can propose
a methodology to limit access to their 3Cs. If those methods achieve the four
goals listed below, then regulators would be required to accept the methodology:

• Systems in place to administratively identify those who are authorized access to 3Cs,

• Systems in place to confirm that a person attempting access is authorized for that level of access,

• Systems in place to alert appropriate authorities when an unauthorized access is attempted, and

• Systems in place to prevent unauthorized persons from manipulating the controls of, or information transiting, a 3C component.

Notice that protecting access to information in a 3C
component is not one of the four goals of limiting access. Where a primary purpose
of a 3C component is the protection of information from unauthorized access the
SSA should be authorized by this legislation to include ‘residing in or’ between
the words ‘information’ and ‘transiting’ in the fourth goal above.

Monitoring for Signs of Compromise

This has always been one of those areas of cybersecurity
that has caused multiple problems in the past. If the definition of an attack is
too broad (pinging a connection, for instance), there are too many compromises to
deal with effectively; if it is too narrow (publication of compromised
data, for example), then the attacker has had far too much access to the system
for effective mitigation.

But again, if we limit the systems of concern to just the
3Cs and limit access in the ways described above, we can have a better handle on
defining signs of compromise. A simple definition could be the transit of data
or commands into or out of the defined system either via an unauthorized mode of
communication, or to/from an unauthorized source or destination.

Another sign of compromise has been suggested by the Coast
Guard in a recent Marine Safety Information Bulletin (MSIB 02-21), where it
required any MTSA covered vessel or facility to report a breach of security if:

• They have downloaded the trojanized SolarWinds Orion plug-in (see FBI Private Industry Notification 20201222-001 https://www.ic3.gov/Media/News/2020/201229.pdf); or

• They note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar TTPs (see CISA Alert AA20-352A).

Thus, we could include a requirement to check for
indicators of compromise published by CISA, the FBI, NSA, the SSA for the PSCI,
or the applicable industry or sector information sharing and analysis center
(ISAC).

Again, how systems were monitored would be a regulatory
matter for the SSA crafting the implementing regulations.
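As an added illustration (not part of the original post), the working definition above can be turned into a monitor for a single 3C: flag any flow that crosses the system boundary over an unauthorized mode of communication, or to/from an unauthorized peer, and additionally flag peers that match a published indicator list. The authorized modes, peers, indicator address and log lines are all constructed for the example; a real deployment would take the baseline from the facility's access methodology and the indicators from the CISA/FBI/NSA/SSA/ISAC feeds the post names.

```python
# Added example, not from the original post. Implements the post's definition of a
# sign of compromise for one hypothetical 3C; all addresses, ports and logs are constructed.
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline for the 3C: the only authorized ways in or out.
AUTHORIZED_MODES = {"tcp/502", "tcp/22"}      # e.g. Modbus and SSH only
AUTHORIZED_PEERS = {"10.1.1.5", "10.1.1.6"}   # e.g. two engineering workstations
PUBLISHED_INDICATORS = {"203.0.113.7"}        # placeholder entry from a published IoC list


@dataclass
class Flow:
    direction: str   # "in" (into the 3C) or "out" (leaving the 3C)
    peer: str        # address on the far side of the boundary
    mode: str        # protocol/port used for the transit, e.g. "tcp/502"


def parse_flow(line: str) -> Flow:
    """Constructed log format: '<direction> <peer> <proto/port>'."""
    direction, peer, mode = line.split()
    return Flow(direction, peer, mode)


def signs_of_compromise(flow: Flow) -> List[str]:
    """Return every reason a flow counts as a sign of compromise (empty if none)."""
    reasons = []
    if flow.mode not in AUTHORIZED_MODES:
        reasons.append("unauthorized mode of communication")
    if flow.peer not in AUTHORIZED_PEERS:
        role = "source" if flow.direction == "in" else "destination"
        reasons.append(f"unauthorized {role}")
    if flow.peer in PUBLISHED_INDICATORS:
        reasons.append("matches published indicator")
    return reasons


def review(log_lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; authorized flows are dropped."""
    findings = {}
    for line in log_lines:
        reasons = signs_of_compromise(parse_flow(line))
        if reasons:
            findings[line] = reasons
    return findings


SAMPLE_LOG = [  # constructed boundary log for the 3C
    "in 10.1.1.5 tcp/502",       # authorized workstation, authorized mode
    "out 10.1.1.6 tcp/22",       # authorized workstation, authorized mode
    "in 10.1.1.5 tcp/3389",      # authorized peer but unauthorized mode
    "out 203.0.113.7 tcp/443",   # unauthorized destination that is also a listed indicator
]

if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```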

Recover Operations

One thing that is obvious from the SolarWinds breach is that
any organization can be breached given an adversary with the appropriate
resources and desire. Thus, any cybersecurity plan must contain a response plan
for how the system will be recovered when a successful attack does occur.
Again, since the scope of a response plan is going to vary from sector to
sector, the legislation would not be expected to describe the acceptable
parameters of a cyber response plan beyond the goal of returning to operation
those parts of the business that are deemed to be the critical operations that
were responsible for the facility being regulated as a CO-PSCI.

One thing that the recovery plan will have to include is the
identification of outside resources that the facility will need to recover from
a successful cyber-attack. SSAs should be required to compile those lists from
CO-PSCI across the sector and periodically report to Congress on those recovery
assets that facilities would need government assistance to
obtain in the event of a worst-case attack. FEMA could then be given the task
of stockpiling the appropriate assets to aid recovery operations.

Part 3 to this series will address information sharing.

Author of this post: PJCoyle
