EDUCAUSE | National Strategy to Secure Cyberspace

Soliciting Higher Education Input to the Commission on Cyber Security for the 44th Presidency

Rodney — Thu, 06 Mar 2008 15:31:21 -0600

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure.

The EDUCAUSE/Internet2 Security Task Force has been invited to provide input to the Commission and welcomes your comments in the following areas:

What role has the Federal government played to improve cybersecurity these past few years that has been useful for the higher education sector?
Are there ways in which the Federal government has hindered progress? If so, please describe.
Are there new initiatives you would like to see from the Federal government help to improve cybersecurity?

Please comment by Wednesday, March 12th, 2008, by using the "Post new comment" section below or sending your comments to Security-Task-Force@educause.edu

Congress Expresses “Apprehension” About DHS Framework for Cybersecurity

Rodney — Thu, 01 Nov 2007 17:01:42 -0500

In a hearing before the U.S. House of Representatives Homeland Security Committee Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, subcommittee chair Rep. James R. Langevin (Dem.-RI) said, “I have great apprehension about the current framework DHS is creating with the sector specific plans (SSP’s) as they relate to cybersecurity.” He continued, “The Federal government and the American people want to ensure there is a high level of cybersecurity protections on our critical infrastructure.

Dr. Lawrence A. Gordon, a professor from the University of Maryland, testified regarding ways of encouraging investments (i.e., incentives) that are directed at improving cybersecurity in profit-oriented organizations. “The most powerful incentive for an organization in the private sector to invest in cybersecurity activities is the motivation to increase the organization’s value to its owners,” he said. “A fundamental problem in coming up with estimates of the benefits derived from cybersecurity investments is that the most important potential losses are due to unobservable lost customers resulting from cyber breaches and the potential liabilities associated with cyber breaches.” Sally Katzen, a visiting professor of law at George Mason University (GMU) and senior consultant to the GMU Critical Infrastructure Protection (CIP) Program, observed in her testimony that the key to addressing cybersecurity both within and across sectors is the integration of various existing standards into Enterprise Risk Management (ERM) principles and techniques. She remarked, “ERM shines a light on cyber-CIP risks and all other enterprise risks at very high levels of accountability, including the boardroom.”

The hearing, “Enhancing and Implementing the Cybersecurity Elements of the Sector Specific Plans”, was designed to highlight the cyber elements of the plans submitted by the critical infrastructure sectors as required by the National Infrastructure Protection Plan. Although higher education cyber systems are not considered “critical infrastructure” according to the Federal government’s current framework, the U.S. Department of Education has submitted an SSP on behalf of “educational facilities” that references the need to maintain the security of college and university cyber systems. A report issued by the Government Accountability Office concluded that the sector specific plans varied in how comprehensively they addressed the cyber security aspects of their sectors.

Independent Commission to Examine Cyber Security for the 44th President

Rodney — Thu, 01 Nov 2007 14:37:01 -0500

Rep. Jim Langevin (Dem.-RI) and Rep. Michael McCaul (Rep.-TX) along with The Center for Strategic and International Studies (CSIS) have announced the formation of a bipartisan Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009. This nonpartisan Commission will develop recommendations for a comprehensive strategy for organizing and prioritizing efforts to secure America’s computer networks and critical infrastructure. Rep. Langevin is the chair and Rep. McCaul the ranking member of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Homeland Security Committee of the U.S. House of Representatives. Scott Charney, corporate vice president for trustworthy computing at Microsoft and retired Navy Admiral Bobby Inman, Lyndon B. Johnson National Policy Chair at the University of Texas at Austin will co-chair the Commission.

The Commission promises to conduct the most comprehensive review of the issues since the release of the National Strategy to Secure Cyberspace in February 2003. The drafters of the 2003 cybersecurity strategy have been widely criticized for the lack of execution upon the recommendations in the plan, especially given the Federal resources that have been applied to the formation of the National Cyber Security Division in the U.S. Department of Homeland Security. The EDUCAUSE/Internet2 Security Task Force prepared the Higher Education Contribution to the National Strategy to Secure Cyberspace and expects to work closely with the new Commission to report on both the progress and remaining challenges to addressing cybersecurity at our nation’s colleges and universities.

Scott Charney, corporate vice president for trustworthy computing at Microsoft and retired Navy Admiral Bobby Inman, Lyndon B. Johnson National Policy Chair at the University of Texas at Austin will co-chair the Commission.

A press release concerning the Commission is available from the offices of Rep. Langevin and Rep. McCaul.

Inaugural Meeting of Critical Infrastructure Partnership Advisory Council

Rodney — Tue, 24 Jul 2007 17:51:24 -0500

The Critical Infrastructure Partnership Advisory Council (CIPAC) held its first open session since its establishment in March of 2006. The CIPAC, co-chaired by Robert B. Stephan, Assistant Secretary for Infrastructure Protection in the U.S. Department of Homeland Security, and Michael Wallace, President of the Constellation Generation Group, represents a partnership between government and critical infrastructure/key resource (CI/KR) owners and operators and provides a forum in which they can engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.

Among the charges for the CIPAC is implementation of the National Infrastructure Protection Plan (NIPP) that establishes a Risk Management Framework for addressing human, physical, and cyber risks. Although higher education is not specifically identified as a critical infrastructure, the “cyber risk” components of the NIPP are the equivalent concerns that are addressed by the EDUCAUSE/Internet2 Computer and Network Security Task Force. The Security Task Force collaborates closely with the Communications Sector and Information Technology Sectors, who are represented in the CIPAC, because of their focus and expertise on cybersecurity matters. Additionally, the Security Task Force is represented on the Cross-Sector Cyber Security Working Group which is working closely with all of the CI/KR owners and operators.

More information about the CIPAC, including the agenda and presentations from the inaugural plenary meeting, is available at http://www.dhs.gov/cipac

DHS on Its Own Cybersecurity: "Do As I Say, Not As I Do"

Rodney — Thu, 21 Jun 2007 09:28:04 -0500

The Emerging Threats, Cybersecurity, and Science and Technology Subcommittee of the Homeland Security Committee in the U.S. House of Representatives held a hearing yesterday on the topic of “Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security”. Chairman Rep. James Langevin (Dem-RI) commented, "It was a shock and disappointment to learn that the Department of Homeland Security - the agency charged with being the lead in our national cybersecurity - has suffered so many significant security incidents on its networks."

The full committee chairman, Rep. Bennie Thompson (Dem-Miss), asked:

How can the Department of Homeland Security be a real advocate for sound cybersecurity practices without following some of its own advice? How can we expect improvements in private infrastructure cyberdefense when DHS bureaucrats aren’t fixing their own configurations? How can we ask others to invest in upgraded security technologies when the Chief Information Officer grows the Department’s IT security budget at a snail’s pace? How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?

Witnesses which included the CIO from DHS and representatives of the Government Accountability Office were cautious to acknowledge that progress is being made despite shortcomings in DHS information security program. Rep. Thompson remarked, "The American people are tired of hearing that getting a 'D' is a security improvement," referring to the recent Annual Report Card on Computer Security for Federal Departments and Agencies.

More information regarding the hearing, including witness testimony and a recorded webcast, is available at http://homeland.house.gov/hearings/index.asp?ID=65