Examining Cooperative Strategies through Cyber Exercises

Similar documents
Member of the County or municipal emergency management organization

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

National Policy and Guiding Principles

Overview of the Federal Interagency Operational Plans

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Alternative Fuel Vehicles in State Energy Assurance Planning

Long-Term Power Outage Response and Recovery Tabletop Exercise

COUNTERING IMPROVISED EXPLOSIVE DEVICES

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Table of Contents. Sample

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

Statement for the Record

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

National Incident Management System and National Response Plan. Overview

ISAO SO Product Outline

Implementing Executive Order and Presidential Policy Directive 21

Bradford J. Willke. 19 September 2007

Community-Based Water Resiliency

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

National Cyber Incident Response - Architectural Concepts

DHS Cybersecurity: Services for State and Local Officials. February 2017

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Infrastructure Interdependencies Tabletop Exercise BLUE CASCADES. Final Report. Executive Summary

From Hyogo to Sendai. Anoja Seneviratne Disaster Management Centre

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Defining Computer Security Incident Response Teams

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

EARTH Ex 2017 Middle Planning Conference

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Business Resilience & Incident Response Are You Ready?

Netherlands Cyber Security Strategy. Michel van Leeuwen Head of Cyber Security Policy Ministry of Security and Justice

Emergency Management Response and Recovery. Mark Merritt, President September 2011

National Counterterrorism Center

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

Control Systems Cyber Security Awareness

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Emergency Operations Center Management Exercise Evaluation Guide

Homeland Security Institute. Annual Report. pursuant to. Homeland Security Act of 2002

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cyber Security Program

NGA Governor s Energy Advisors Energy Policy Institute Resiliency Panel

Business continuity management and cyber resiliency

New Guidance on Privacy Controls for the Federal Government

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

Plan of action for Implementation of the Sendai Framework for Disaster Risk Reduction in Central Asia and South Caucasus Region

The Office of Infrastructure Protection

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Regulatory Update Cyber Security

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Regional Resilience: Prerequisite for Defense Industry Base Resilience

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

STRATEGIC PLAN. USF Emergency Management

Australian Government Cyber-security Activities in the Pacific

Department of Homeland Security Updates

Section 1 Metrics: Community Adoption

Thailand Initiatives and Challenges in Cyber Terrorism

ENISA s Position on the NIS Directive

National Preparedness System. Update for EMForum June 11, 2014

Security and resilience in Information Society: the European approach

Cyber Resilience. Think18. Felicity March IBM Corporation

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

Cyber Security & Homeland Security:

Strategy for information security in Sweden

FEMA Region III Cyber Security Program

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

The Office of Infrastructure Protection

Resolution: Advancing the National Preparedness for Cyber Security

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Directive on Security of Network and Information Systems

Her Majesty the Queen in Right of Canada, Cat. No.: PS4-66/2014E-PDF ISBN:

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

GridEx IV Initial Lessons Learned and Resilience Initiatives

PIPELINE SECURITY An Overview of TSA Programs

Bad Idea: Creating a U.S. Department of Cybersecurity

Cyber Security Experts Association of Nigeria (CSEAN) CYBER SECURE NIGERIA 2016 Conference

Session 5: Business Continuity, with Business Impact Analysis

Provisional Translation

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Transcription:

Examining Cooperative Strategies through Cyber Exercises Presented to March Technical Colloquium Forum for Incident Response and Teams (FIRST) Ernest W. Drew, III March 26,2008 Tokyo, Japan

Cyber Conflict A Difficult Problem for Nations and s The conduct of large scale, politically motivated conflict based on the use of offensive and defensive capabilities to disrupt digital systems, networks, and infrastructures, including the use of cyberbased weapons or tools by nonstate/ transnational actors in conjunction with other forces for political ends Definition adopted by the Cyber Conflict Studies Association www.cyberconflict.org Mulvenon, James Toward a Cyberconflict Studies Research Agenda, IEEE SECURITY & PRIVACY JULY/AUGUST 2005

Observations Lack of Cyber Situational Awareness: There does not appear to be an organization at national levels responsible for providing cyber situational awareness to: Government Agencies Private Sector s Who is in Charge?: What National Agency or Private Sector is responsible for taking the lead in response to a Cyber Attack? Whose laws apply? Whose regulations apply? Is it just a civilian problem or will militaries become involved?

Roadblocks to Coordination Laws restrict what an can do to defend against attack Privacy concerns limit the sharing of information Regulators place constraints on information sharing Cooperation among Nations - Treaty requirements The problem of Attribution The number of devices and the number of human interactions create complex environments

Complexity Structural complexity is based upon the number of parts in a system. The larger the number of independent parts in a system, the greater its structural complexity. Interactive complexity is based upon the behavior of the parts and the resulting interactions between them. The greater the freedom of action of each individual part and the more linkages among the components, the greater is the system s interactive complexity. The U.S. Army Commander s Appreciation and Campaign Design, TRADOC Pamphlet 525-5-500, January 2008 http://www-tradoc.army.mil/tpubs/pams/p525-5-500.pdf

A Simple Complexity Illustration SECTOR SECTOR SECTOR SECTOR SECTOR SECTOR Non State Actor Government A Government B ISP ISP ISP ISP COG COG INTERNET Nation A Nation B

The Complexity of the Internet Lanet-vi program of I. Alvarez-Hamelin et al.

Cyber Conflict Response: a Wicked Problem Horst Rittel, a professor of Design at UC Berkeley, in1972 stated that characteristics of socially complex problems, were as he defined; Wicked Problems not wicked in the sense of evil, but rather extremely difficult The response to Cyber Conflict, because of its complexity, can be defined as a Wicked Problem Horst W. J. Rittel, On the Planning Crisis: Systems Analysis of the First and Second Generations, Bedriftsøkonomen 8 (1972), pp. 392-393 http://www.uctc.net/mwebber/rittel+webber+dilemmas+general_theory_of_planning.pdf

Properties of a Wicked Problem 1. There is no definitive formulation of a wicked problem. 2. Wicked problems have no stopping rule. 3. Solutions to wicked problems are not true-or-false, but better or worse. 4. There is no immediate and no ultimate test of a solution to a wicked problem. 5. Every solution to a wicked problem is a "one-shot operation"; because there is no opportunity to learn by trial-and-error, every attempt counts significantly. 6. Wicked problems do not have an enumerable (or an exhaustively describable) set of potential solutions, nor is there a well-described set of permissible operations that may be incorporated into the plan. 7. Every wicked problem is essentially unique. 8. Every wicked problem can be considered to be a symptom of another problem. 9. The existence of a discrepancy representing a wicked problem can be explained in numerous ways. The choice of explanation determines the nature of the problem's resolution. 10. The planner has no right to be wrong (planners are liable for the consequences of the actions they generate). Horst W. J. Rittel and Melvin M. Webber, Dilemmas in a General Theory of Planning, Policy Sciences 4 (1973), pp. 155-169. Elsevier Scientific Publishing Company, Amsterdam http://www.uctc.net/mwebber/rittel+webber+dilemmas+general_theory_of_planning.pdf

Representative Types of Cyber Attacks Consequence Nation State attack against government and infrastructure Terrorist attack against sector Terrorist attack against control systems Terrorist attack against companies/local government Criminal activity against companies Criminal activity against individuals Spam, viruses, worms 0 Probability 100

Representative Responders for Cyber Attacks Strategic Government Consequence FIRST, CERTs, Telcom-ISAC, ISPs, Anti-Virus Software Companies Tactical Law Enforcement Network Operation Centers 0 Probability 100

Definition of a Cyber Exercise An activity that replicates disruption of computers and information systems to stimulate the decision-making processes of participants. The participants make decisions based on their plans, policies and procedures, the decisions will then impact the course of events. A specialized emergency preparedness exercise designed to look at emergencies caused by disruption of the IP infrastructure. These disruptions can be man-made, the result of a natural disaster, or the infrastructure coming under attack by hackers, criminals, terrorists, or other governments

Cyber Storm Findings 1 of 4 Finding 1: Interagency Coordination. While the Interagency Incident Management Group (IIMG)1 and National Cyber Response Coordination Group (NCRCG) activated and interacted constructively during the exercise, further refinement is needed for operations and coordination procedures. Broader understanding, both within government and in the private sector, of the thresholds and ramifications of activation of these bodies will also improve interagency coordination. Specifically the cyber community needs to better understand the readiness and security postures to be considered based on such activations, as well as the level of Federal engagement they imply. http://www.dhs.gov/xlibrary/assets/prep_cyberstormreport_sep06.pdf

Cyber Storm Findings 2 of 4 Finding 2: Contingency Planning, Risk Assessment, and Roles and Responsibilities. Formal contingency planning, risk assessment, and definition of roles and responsibilities across the entire cyber incident response community must continue to be solidified. Responses were timely and well coordinated where existing process procedures were clear and fully understood by players. Finding 3: Correlation of Multiple Incidents between Public and Private Sectors. Correlation of multiple incidents across multiple infrastructures and between the public and private sectors remains a major challenge. The cyber incident response community was generally effective in addressing single threats/attacks, and to some extent multiple threats/attack. However, most incidents were treated as individual and discrete events. Players were challenged when attempting to develop an integrated situational awareness picture and cohesive impact assessment across sectors and attack vectors.

Cyber Storm Findings 3 of 4 Finding 4: Training and Exercise Program. An established training and exercise program will strengthen awareness of organizational cyber incident response, roles, policies, and procedures. Finding 5: Coordination Between Entities of Cyber Incidents. Response coordination became more challenging as the number of cyber events increased, highlighting the importance of cooperation and communication across the community. Finding 6: Common Framework for Response and Information Access. A synchronized, continuous flow of information available to cyber incident stakeholders created a common framework for response, impact development, and discussions. Early and ongoing information access strengthened the information-sharing relationship between domestic and international cyber response communities.

Cyber Storm Findings 4 of 4 Finding 7: Strategic Communications and Public Relations Plan. Public messaging must be an integral part of a collaborated contingency plan and incident response to provide critical information to the response community and empower the public to take appropriate individual protective or response actions consistent with the situation. Finding 8: Improvement of Processes, Tools and Technology. Improved processes, tools, and training focused on the analysis and prioritization of physical, economic, and national security impacts of cyber attack scenarios would enhance the quality, speed, and coordination of response. This is particularly true in the case of integrated or cascading attacks or consequences.

Cyber Exercise - Outcomes Outcomes may include strategies and planning frameworks to: Coordinate responses and consequence management to cyber-attacks among: Governments Organizations s Maintain continuity of operations within participating organizations and COG Sustain confidence in government information networks during a cyber-attack and, if necessary, regain public confidence.

Backup Slides

Design Requirements for Cyber Exercises Sponsor Determines Need Determine Objectives Sponsor Determines Participants Determine Objectives (Participant) Understand Environments Business/Network Plans, Policies and Procedures Define Opposition Define Attacks/Disruptions Define Scenario Define MSEL Phase 1 Phase 2 Phase 3 Phase 4 Documents TTX EXERCISE Control AAR

Types of Cyber Exercises Tabletop Exercises Tabletop Exercises involve senior staff and other key personnel in an informal setting to discuss simulated situations. This type of exercise is intended to stimulate discussion of various issues regarding a hypothetical situation. It can be used to assess plans, policies, and procedures. Functional Exercises The Functional Exercise (FE) is designed to test and evaluate individual capabilities, multiple functions or activities within a function, or interdependent groups of functions.. The objective of the FE is to execute specific plans and procedures and apply established policies, plans, and procedures under crisis conditions, within or by a particular function team(s). Full-Scale Exercises In a Full-Scale Exercise (FSE), prevention and response elements are required to mobilize and deploy to a designated site or locale in response to a simulated attack, generally for an extended period. It involves testing a major portion of Operations Plans and organizations under field conditions Homeland Exercise and Evaluation Program Volume I: Overview and Doctrine http://www.crcpd.org/homeland_/hseepv1.pdf

Participants In a Cyber Exercise players come from many organizations. They are usually representatives who have active roles in the daily management, operations, and security of their information networks, systems, and infrastructure. These participants play key roles in responding and managing the consequences of the significant cyber disruption presented in the scenario injects. Participation is usually voluntary, however depending on the objectives of the exercise, it may be necessary to make participation mandatory for designated personnel. The exercise may have Private Sector enterprises, ISP s, Managed Providers, law enforcement, regulatory agencies, and governments both local and national.

Role of Opposition Team An opposition team should develop their assumptions, determine their resources, and planned their specific attacks The opposition team is normally an extension of control and should take into account the objectives of the sponsor in order that specific attacks will stimulate a response that can be tied back to an objective

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback