EDUCAUSE | Department of Homeland Security

DHS and NCSA Launch National Cyber Security Awareness Month with National Press Club Event

Rodney — Thu, 02 Oct 2008 21:05:52 -0500

The fifth annual National Cyber Security Awareness Month (NCSAM) was kicked off earlier today at an event held at the National Press Club in Washington, D.C. The event featured a panel including DHS Assistant Secretary for Cyber Security and Communications Gregory Garcia, National Cyber Security Alliance (NCSA) Executive Director Michael Kaiser, and Symantec Senior Director for Public Affairs Adam Rak.

Secretary Garcia described DHS efforts to improve cybersecurity and emphasize it as A Shared Responsibility. He cited increased government investment as a sign of the high priority given to cybersecurity by the federal government. The NCSA's Kaiser urged Americans to "keep up your defenses and hone your instincts". He explained that the NCSA will undertake a new "www" campaign in the coming months advising consumers to ask: who is asking for your information, what are they asking for, and why do they need it.

The event also featured the release of a new cyber security study by the NCSA and Symantec, makers of Norton security software. According to a press release, "a large number of Americans still fail to use basic Internet security tools and there remains a substantial gap between the protections people think they have and what is actually installed on their computers." Most notable is the finding that more than 80 percent of Americans claim to have a firewall -- designed to prevent hackers and criminals from stealing personal information -- installed on their computer. Yet, in reality only 42 percent had adequate firewall protection. More details about the study are provided in a Fact Sheet.

The NCSA targets home users, small businesses, k-12 schools, and higher education for its awareness campaigns. The EDUCAUSE/Internet2 Security Task Force takes the leadership for awareness efforts at our nations colleges and universities. A press release that described Cybersecurity Awareness A Priority for Higher Education was issued last week in advance of NCSAM.

DHS Releases IT Security Essential Body of Knowledge

vvogel — Thu, 02 Oct 2008 10:42:24 -0500

The U.S. Department of Homeland Security (DHS) has published the IT Security Essential Body of Knowledge (EBK). A Glossary of Key Terms used in the EBK is also provided.

According to the overview on the US-CERT website:

The IT Security EBK conceptualizes IT security skill requirements in a new way to address evolving IT security challenges. The EBK characterizes the IT security workforce and provides a national baseline representing the essential knowledge and skills that IT security practitioners should have to perform specific roles and responsibilities.

The EBK was featured in a November 2007 EDUCAUSE Live! presentation when DHS was accepting comments on a draft version of the document.

DHS Releases IT Security Essential Body of Knowledge

Rodney — Wed, 01 Oct 2008 18:38:14 -0500

The U.S. Department of Homeland Security (DHS) has published the IT Security Essential Body of Knowledge (EBK). A Glossary of Key Terms used in the EBK is also provided.

According to the overview on the US-CERT website:

The IT Security EBK conceptualizes IT security skill requirements in a new way to address evolving IT security challenges. The EBK characterizes the IT security workforce and provides a national baseline representing the essential knowledge and skills that IT security practitioners should have to perform specific roles and responsibilities.

The EBK was featured in November 2007 on EDUCAUSE Live! presentation when DHS was accepting comments on a draft version of the document.

Top 10 Challenges Facing Next Secretary of Homeland Security

Rodney — Wed, 24 Sep 2008 10:46:57 -0500

In anticipation of an administration change following the next presidential election, the Homeland Security Advisory Council has issued a report entitled Top Ten Challenges Facing The Next Secretary of Homeland Security. The report concluded:

Ultimately, homeland security is about synchronizing efforts with multiple partners across the landscape of America. The ability to successfully establish and maintain meaningful partnerships at all levels of government and society for the purpose of securing the homeland may be the greatest, ongoing challenge facing the next Secreatary, as well as his or her successors.

The key challenges and recommendations follow:

#1: Homeland security is more than just a single cabinet Department.
#2: Quickly get an inventory of the Department's commitments and deadlines and work with Congress to achieve a rational system of oversight.
#3: Continue to improve intelligence and information sharing.
#4: Build a cadre of homeland security leadership through a unified national system of training and education.
#5: Build the strong research and development, procurement and acquisition process necessary to support the Department's various missions.
#6: The work of strengthening our Nation's disaster response capabilities is not complete.
#7: Lead the building of a resilient America.
#8: Find the right balance between secure borders and open doors to travelers, students, and commerce.
#9: Improve risk management and risk communications for homeland security.
#10: Sustainability of our Nation's homeland security efforts.

In discussing the role for academia, the report also observes:

Over 200 colleges and universities are now providing degrees in homeland security and related fields. For a homeland security degree to mean something, however, people must know what a homeland security degree means. [The Department of Homeland Security] must lead an effort to align curriculum, develop education standards, define the loose boundaries of the profession, and support the academic foundation of a homeland security education system. The concept of the Homeland Security University System must be expanded to include a systematic, national approach to homeland security education.

Soliciting Higher Education Input to the Commission on Cyber Security for the 44th Presidency

Rodney — Thu, 06 Mar 2008 15:31:21 -0600

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure.

The EDUCAUSE/Internet2 Security Task Force has been invited to provide input to the Commission and welcomes your comments in the following areas:

What role has the Federal government played to improve cybersecurity these past few years that has been useful for the higher education sector?
Are there ways in which the Federal government has hindered progress? If so, please describe.
Are there new initiatives you would like to see from the Federal government help to improve cybersecurity?

Please comment by Wednesday, March 12th, 2008, by using the "Post new comment" section below or sending your comments to Security-Task-Force@educause.edu

Congress Expresses “Apprehension” About DHS Framework for Cybersecurity

Rodney — Thu, 01 Nov 2007 17:01:42 -0500

In a hearing before the U.S. House of Representatives Homeland Security Committee Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, subcommittee chair Rep. James R. Langevin (Dem.-RI) said, “I have great apprehension about the current framework DHS is creating with the sector specific plans (SSP’s) as they relate to cybersecurity.” He continued, “The Federal government and the American people want to ensure there is a high level of cybersecurity protections on our critical infrastructure.

Dr. Lawrence A. Gordon, a professor from the University of Maryland, testified regarding ways of encouraging investments (i.e., incentives) that are directed at improving cybersecurity in profit-oriented organizations. “The most powerful incentive for an organization in the private sector to invest in cybersecurity activities is the motivation to increase the organization’s value to its owners,” he said. “A fundamental problem in coming up with estimates of the benefits derived from cybersecurity investments is that the most important potential losses are due to unobservable lost customers resulting from cyber breaches and the potential liabilities associated with cyber breaches.” Sally Katzen, a visiting professor of law at George Mason University (GMU) and senior consultant to the GMU Critical Infrastructure Protection (CIP) Program, observed in her testimony that the key to addressing cybersecurity both within and across sectors is the integration of various existing standards into Enterprise Risk Management (ERM) principles and techniques. She remarked, “ERM shines a light on cyber-CIP risks and all other enterprise risks at very high levels of accountability, including the boardroom.”

The hearing, “Enhancing and Implementing the Cybersecurity Elements of the Sector Specific Plans”, was designed to highlight the cyber elements of the plans submitted by the critical infrastructure sectors as required by the National Infrastructure Protection Plan. Although higher education cyber systems are not considered “critical infrastructure” according to the Federal government’s current framework, the U.S. Department of Education has submitted an SSP on behalf of “educational facilities” that references the need to maintain the security of college and university cyber systems. A report issued by the Government Accountability Office concluded that the sector specific plans varied in how comprehensively they addressed the cyber security aspects of their sectors.

Congressional Resolution Introduced in Support of National Cyber Security Awareness Month

Rodney — Fri, 12 Oct 2007 17:11:40 -0500

The U.S. House of Representatives has introduced H. Res. 716 "expressing the sense of Congress with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Awareness Month." The resolution was presented by Rep. James R. Langevin (Dem-RI), chair of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee.

While introducing the resolution on the House floor, Rep. Langevin said:

Each year, the National Cyber Security Division, NCSD, of the Department of Homeland Security, DHS, joins with the National Cyber Security Alliance, NCSA, the Multi-State Information Sharing and Analysis Center, MS-ISAC, and other partners to support National Cyber Security Awareness Month. The goal of National Cyber Security Awareness Month is to show everyday Internet users that by taking simple steps, they can safeguard themselves from the latest online threats and respond to potential cyber-crime incidents.

He also commented that cybersecurity issues have been largely ignored and misunderstood for too long. "The oversight that the Homeland Security Committee is undertaking will help change that," he observed, "but much work remains to be done."

National Cyber Security Awareness Month is organized by the National Cyber Security Alliance (www.StaySafeOnline.org) and is supported by the EDUCAUSE/Internet2 Computer and Network Security Task Force. For more information about how educational institutions can get involved, see the Resource Kit for NCSAM developed by the task force.

IT Security Essential Body of Knowledge: Federal Register Notice Request for Comments

Rodney — Tue, 09 Oct 2007 11:20:50 -0500

A Federal Register Notice has been published for the Department of Homeland Security's "Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development." The deadline for comments is December 7, 2007.

According to the Notice:

The EBK is not an additional set of DHS guidelines, and it is not intended to represent a standard, directive, or policy by DHS. Instead, it further clarifies key IT security terms and concepts for well-defined competencies, identifies notional security roles, defines four primary functional perspectives, and establishes an IT Security Role, Competency, and Functional Matrix.

More information, including a downloadable version of the IT Security EBK, is available at http://www.us-cert.gov/ITSecurityEBK/

There will be a briefing for the higher education sector with Brenda Oldfield from DHS as part of an EDUCAUSE Live on November 14, 2007, at 1 p.m.

2007 Federal Computer Security Report Card

Rodney — Thu, 21 Jun 2007 09:57:44 -0500

The 7th Annual Computer Security Report Card at Federal Departments and Agencies gave the government an overall grade of C- which is up from a D+ the previous two years. Other notable changes include:

NSF received an A+ in 2006, rebounding sharply from a C+ it received in 2004
NASA received a D- in 2006 - the same grade it received in 2003 and 2004 - although its grade temporarily jumped to a B- in 2005
The Department of Defense and Department of Education both received an F in 2006
The Department of Veterans Affairs, infamous for its lost laptop that exposed the records of 26.5 million veterans in 2006, failed to submit a FY06 FISMA Report. The VA had received an F in the previous two years.

The full report is attached or available at http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf

DHS on Its Own Cybersecurity: "Do As I Say, Not As I Do"

Rodney — Thu, 21 Jun 2007 09:28:04 -0500

The Emerging Threats, Cybersecurity, and Science and Technology Subcommittee of the Homeland Security Committee in the U.S. House of Representatives held a hearing yesterday on the topic of “Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security”. Chairman Rep. James Langevin (Dem-RI) commented, "It was a shock and disappointment to learn that the Department of Homeland Security - the agency charged with being the lead in our national cybersecurity - has suffered so many significant security incidents on its networks."

The full committee chairman, Rep. Bennie Thompson (Dem-Miss), asked:

How can the Department of Homeland Security be a real advocate for sound cybersecurity practices without following some of its own advice? How can we expect improvements in private infrastructure cyberdefense when DHS bureaucrats aren’t fixing their own configurations? How can we ask others to invest in upgraded security technologies when the Chief Information Officer grows the Department’s IT security budget at a snail’s pace? How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?

Witnesses which included the CIO from DHS and representatives of the Government Accountability Office were cautious to acknowledge that progress is being made despite shortcomings in DHS information security program. Rep. Thompson remarked, "The American people are tired of hearing that getting a 'D' is a security improvement," referring to the recent Annual Report Card on Computer Security for Federal Departments and Agencies.

More information regarding the hearing, including witness testimony and a recorded webcast, is available at http://homeland.house.gov/hearings/index.asp?ID=65