By Gary Warner
In 1996, Section 1053 of the Department of Defense Authorization bill tasked the President with providing a report to Congress to explain the national policy on protecting our critical infrastructure from strategic attack. President Clinton formed the President’s Commission on Critical Infrastructure Protection. The result of the work of that commission, unveiled on May 22, 1998, was Presidential Decision Directive 63 (PDD-63), which established our policy on Critical Infrastructure Protection.
When I joined the FBI’s InfraGard program in 2001, the National Infrastructure Protection Center established in PDD-63 was in full swing, coordinating communications with the North American Electric Reliability Council (NERC), the Association of Metropolitan Water Authorities (AMWA), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and many other fledgling ISACs who were at that time each working with their PDD-63 assigned Federal agency. As an IT Director in an Oil and Gas company, I became involved with the Energy ISAC just as it was transitioning from the Department of Energy to the newly formed Department of Homeland Security (DHS).
As PDD-63 was interpreted and adjusted to DHS, we saw a real push to identify just what the critical infrastructure and key assets in each state and county were, so that we could work together to ensure that each had appropriate plans for prevention, detection, and response to the various threats (both physical and cyber) that they may face. DHS assigned Protective Security Advisors (PSAs) to help with that process, and I will never forget some of the challenges my friends among the PSAs were facing as we watched the Alabama Fusion Center come online. In some counties, small local businesses were being declared “critical” because of the number of employees they had relative to their local community; in other counties, enormous shopping centers and football stadiums were being ignored because the locals were using a checklist of the Official Critical Infrastructure Sectors and did not see how a 90,000-seat football stadium fit into any of those boxes. I remember one PSA telling me, “If a problem in your facility can kill 10,000 people tomorrow, then it is critical. Otherwise, I’ll get back to you next year!”
Homeland Security Presidential Directive 7 (HSPD-7), President Bush’s version of PDD-63, perhaps said that a bit more kindly. It instructed the Secretary of Homeland Security to coordinate protection activities for each Critical Infrastructure Sector (information technology; telecommunications; chemical; transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems; emergency services; and postal and shipping) and Key Resources (dams; government facilities; and commercial facilities). However, it left the door open for expansion with the phrase, “the Department shall also evaluate the need for and coordinate the coverage of additional critical infrastructure and key resources categories over time.”
President Obama’s Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21) was not the anti-terrorism directive of his predecessors. While Clinton focused on “non-traditional attacks” by nations, groups, or individuals, and Bush focused on Terrorism with a capital T (terrorist, terrorists, or terrorism appear in HSP-7 twelve times!), President Obama’s directive makes it clear that “Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards” and that these hazards may be “natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.”
This week, President Obama unveiled a set of guidelines issued by the National Institutes of Standards and Technology and a new public-private partnership program called the Critical Infrastructure Cyber Community (C3) Voluntary Program. These guidelines came about as a result of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued February 12, 2013. One year later, NIST unveiled “Cybersecurity Framework Version 1.0” and the accompanying “NIST Roadmap for Improving Critical Infrastructure Cybersecurity.” While I join with others in applauding Mr. Obama’s creativity in making progress in protecting our nation’s cyber infrastructure, despite our Congressional deadlock, it is important to note what is and what is not being addressed by these guidelines.
Where, for example, does the Target Breach fall?
If we refer to the DHS guidelines to CI/KR sector identification, we won’t find large retail chains. Does that mean the Cybersecurity Rules for Critical Infrastructures don’t apply? That would be a tragic mistake! If we go back to the somewhat blunt comment from my PSA friend and ask, “How many Americans will die today because Target lost their credit card stripe data,” the answer would be zero. But does that really mean that it is not important? Under PPD-21, cyber criminals are part of the risk being addressed, and as President Obama stated, the theft of intellectual property is also in scope. The “how many die?” question is not really the objective any longer, but our definition of critical infrastructure has not caught up to this reality.
Who is being invited to participate in the “C-Cubed Voluntary Program?” DHS says:
“The United States depends on critical infrastructure every day to provide energy, water, transportation, financial services, and other capabilities that support our needs and way of life. (…) DHS is partnering with the critical infrastructure community to establish a voluntary program to encourage use of the Framework to strengthen critical infrastructure cybersecurity.”
So where does that leave not only Big Retail, but corporate America in general? Some of the high priority items from the NIST Roadmap would certainly benefit Big Retail, but others are hard to make effective without some realization or declaration that Big Retail is part of critical infrastructure. The Roadmap lists:
Authentication – Reading, “Poor authentication mechanisms are a commonly exploited vector of attack by adversaries,” it specifically references the Verizon 2013 Data Breach Investigations Report, which studied 621 confirmed data breaches during calendar 2012. Surely that would be applicable to Target, Neiman Marcus, and other retailers.
Automated Indicator Sharing – The Roadmap reads that “the automated sharing of indicator information can provide organizations with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring.” In many industries, such as the FS-ISAC for Financial Services companies, the necessary trust, as well as the impetus to do the sharing, is driven by strong suggestions if not requirements that the government must share alert data to these companies because they are part of critical infrastructure. But Target is not. What status change would be necessary to allow the new freedom to share sensitive cyber threat information with companies that are not currently defined as part of the critical infrastructure?
This has been one of the debates in the Congress that Executive Order 13636 was intended to bypass when bills such as H.R. 624, Mike Roger’s “Cyber Intelligence Sharing and Protection Act,” was unable to be acted upon in the current Congress. EO13636 specifically addresses this need for information sharing in Section 4, “Cybersecurity Information Sharing,” but in nearly every point, it does so “to assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm” or “include the dissemination of classified reports to critical infrastructure entities authorized to receive them.”
If Big Retail is not a critical infrastructure, will it benefit from this information? PPD-21 has moved us beyond the assumption that our largest threat is terrorism and has admitted that cybercrime and intellectual property theft are items we must address. In order for this to take place, however, we must expand our definition of “Critical Infrastructure” to include, at a minimum, the large retailers who are capable of losing information on 40 million credit cards and 70 million sets of identity information.
Gary Warner (Twitter: @GarWarner) is the Director of Research in Computer Forensics at the UAB Center for Information Assurance and Joint Forensics Research. Warner also serves as CTO for Malcovery Security.