Building Trust Among Cyber Tribes: A National Cybersecurity Center for Yemen

Enabling Yemen to Flourish in the International Community Though Cybersecurity Infrastructure and Workforce Development

By: Chris Blask and David Alley

Sixty thousand years ago, a small group crossed the shallow Red Sea at the Bab Al-Mandeb and began the human emigration from Africa into Yemen, leading to the spread of mankind around the world. This first “Out of Africa” tribe flourished in this new land and gave rise to all other tribes throughout the Arabian Peninsula, Asia, Europe and the Americas.

At the interfaces of these tribes, an exchange of information allowed each tribe to judge the trustworthiness of the others. Where neighboring tribes consistently honored commitments, the trade of goods and ideas flowed. When trust was broken, trade soured and violence loomed.

Today, a new form of tribe, the cyber tribe, has spread around the world in a matter of decades versus the millennia necessary for the original tribes to populate the world. Cyber tribes include states, corporations, international bodies, ethnic communities, religious groups, non-governmental organizations, criminal gangs and other non-state actors.  Indeed, any group of like-minded individuals can form or dissolve a cyber tribe in a matter of minutes.  The central component being a shared interest that the tribe pursues collectively in cyberspace, which may or may not have any relation to events in the physical world.

Relations in cyberspace are often described using the vocabulary of interstate relations; however, this terminology is often insufficient as cyberspace is normally free of physical limitations imposed by geography or legal limitations imposed by treaties and the rule of law.  The complex interaction of cyber groupings, or cyber tribes, is further complicated by the notion that individuals can belong to multiple tribes simultaneously and affiliations can change instantaneously. Interactions in cyberspace are much more reminiscent of Hobbes’ “State of Nature” than a society governed by complex legal institutions that provide safe space for collective action.

While some may call for an immediate implementation of legal frameworks to regulate cyberspace, this is unlikely to happen within the foreseeable future. The current weaponization of cyberspace – illustrated by the Stuxnet attack against the Iranian nuclear facility at Natanz; the Shamoon attack against the Armaco oil facilities in Saudi Arabia; and another Shamoon attack against the Ras Gas natural gas facilities in Qatar – will cause states desiring to exploit this capability to demur on such frameworks.

In the cyber era, the world’s cyber tribes are distributed around the globe and measure the distance between themselves using the metrics of trust rather than geography. Today, in cyber terms, Japan lies close by America’s shores yet far from China, while Saudi Arabia shares a border with France but is separated by a broad and challenging cyber ocean from Yemen. The poor tiny African nation of Djibouti is a major transit hub for digital communications between Asia and Europe. Just across the Bab Al Mandeb, Yemen is accelerating its connectivity with the rest of the world.

In Yemen’s capital Sana’a, the Old City has been encircled by strong high walls for a thousand years. The Bab al-Yemen (Yemen Gate), securing the entrance of those walls since antiquity, has provided assurances near and far that commerce and culture could flow safely, protected by the rule of law and custom, in and out of this portal. The Bab al-Yemen was a symbol of security and trustworthiness that allowed Sana’a to engage in trade and growth for centuries.

Today, nations of the world communicate trustworthiness and the security of their markets to neighbors through displays of strength no differently than the gates of ancient cities communicated a similar message. A primary form of this display in the cyber age is a national CERT (Computer/Cyber Emergency Readiness/Response Team). A well-founded CERT lets other cyber tribes know that rule of law is respected within a nation’s cyber realm and that their interests will be respected. Economic, human and intellectual capital in the modern world follow routes defined by these cyber gates and the harbors of stability they protect, just as trade has done since the dawn of civilization.

The CERT Coordination Center (CERT/CC) was established in November 1988 at Carnegie Mellon University in response to the first Internet-distributed malware (the Morris Worm). Since then, it has acted continuously to provide a clear signal that the American cyber tribe took seriously its responsibility to enable other cyber tribes to engage without undue concern for their security. CERT/CC has become the model for nations wishing to demonstrate their own cyber stability and trustworthiness.

National CERTs have been established in forty eight countries according to the Forum of Incident Response and Security Teams (FIRST). An additional one hundred and fifty eight FIRST members represent CERTs from law enforcement, business and academia. Modern cyber tribes who lack the symbolism and function of a CERT can find themselves bypassed by the routes of international commerce as wary traders seek other tribes who can be trusted.

Yemen does not currently have a national center – or even a body that is formally tasked and resourced to undertake such responsibilities – to provide those assurances of trustworthiness. As Yemen stands at the threshold of a new era, the Bab al-Yemen provides a tangible signpost pointing to the nation’s future.  Yemen needs to establish a Bab al-Yemen on its cyber frontier to attract the merchants and academics of the world to partake in the exchange of value its burgeoning population can offer. It is in the interest of the international community to assist Yemen in its endeavor to integrate itself into the collective cybersecurity framework as a part of the strategic effort to prevent the country from becoming a haven for cybercrime and cyberterrorism.

In November 2012, we met with national business, education and government leaders in Sana’a to discuss the establishment of a Yemen CERT (Y-CERT). These leaders expressed support for the creation of the center without delay. Lawmakers also voiced a willingness to push cyber legal frameworks to the forefront, as Yemen currently has no cyber law on its books. This enthusiasm among the nation’s leadership provides an opportunity for the international community to offer the support and guidance necessary to help Yemen become a role model for other developing nations in the area of cybersecurity.

By establishing Y-CERT, Yemen achieves more than entry into the global cyber community. It provides an epicenter around which its youth can build high-value careers, addressing a key concern among internal and external stakeholders for increased employment opportunities. Y-CERT will provide Yemeni companies opportunities to develop cybersecurity businesses and staff them with skilled local talent, and a safe haven for cyber businesses to flourish.  Both of these outcomes will contribute to the economic stability that is desperately needed to buttress a tenuous political transition.

The leadership of Sana’a University graciously provided a forum to present a lecture on the opportunity Yemen has to enhance both its internal stability as well as its international standing through the development of cybersecurity skills and structures. Establishing Y-CERT was highlighted as a central component in providing the foundation for stability and economic opportunity the country’s youth demand. Over four hundred students and faculty spent two and a half hours in the session and dozens stayed afterwards to learn how they could participate. These students and their professors can provide the skills to operate Y-CERT and perform associated research.

U.S. interests in the region are predicated on regional stability within and among states. Today, Yemen teeters on the cusp of a successful transition on the one hand and failed-statehood on the other.  For scant investment of human or financial capital, the United States and the international community have the opportunity to forward their policy goals through the implementation of a strong cyber defense. Encouraging greater cyber cooperation between Yemen and its immediate neighbors could lower tensions and mistrust.  All sides could benefit from such a positive development in their regional relations.

The U.S. administration should support groups in Yemen who are willing to build the country’s digital Bab al-Yemen. American resources in the public and private sectors can easily be vectored to provide the technical, organizational and financial support to establish Yemen’s center of excellence in cybersecurity by sharing skills and knowledge gained during the creation of similar capabilities in the United States. Working with partners such as Saudi Arabia, Qatar and the United Arab Emirates (UAE) who have already created national CERTs, the United States can leverage existing regional interests to accelerate Yemen’s ability to actively participate in the global cyber economy as a verifiably trusted actor. Qatar’s Q-CERT stands poised with highly developed tools and Arabic language training which can be used to build a world-class center. The UAE, with its GCC-leading cyber infrastructure, CERT-AE, and a National Cyber Security Agency is exceptionally well- equipped to assist in cyber defense. By providing support for a Yemeni center, the United States increases its ability to achieve its policy goals of improving the Yemen’s accountability to regional and global trading partners; creating new economic opportunities; and mitigating the risks of a rogue cyber tribe.

American policy goals are further enhanced by supporting cybersecurity workforce development capabilities. More than half of the Yemeni population is under the age of 15. This young population is rapidly becoming familiar with the world of electronic communications. Cell phone usage has exploded and Internet connectivity is increasing exponentially. Enabling Yemen’s youth to find productive roles in society through the development of high-value/high-demand cybersecurity skills helps reduce the risk of instability related to their economic disenfranchisement.

Improving the communications infrastructure of the nation may also encourage Yemen’s youth to remain in the country by enabling them to export their skills without having to migrate to richer nations. As Yemeni graduates and workers find it possible to build careers at home, the risk of brain-drain is reduced while needed capital is brought into the country. International businesses and governments should be encouraged to help build the fiber and wireless networks an educated workforce will need to apply their skills to the task of creating domestic job opportunities.  With a modern infrastructure, Yemen’s youth will be more likely to develop their career opportunities in-country as opposed to being forced to leave to and pursue education and careers elsewhere.

Building trust among cyber tribes benefits all members of the global collective. America and the international community are currently presented with the opportunity to invest in the stability of a critical cyber tribe in a critical geographic region. Providing this small amount of investment in the future of Yemen presents the possibility of global economic and geopolitical returns of significant reward.  Failing to do so could contribute to the country’s further economic marginalization.

The risks of instability in Yemen caused by cybercrime and cyberterrorism are real.  Several recent events poignantly highlight these risks. Tele-Yemen, one of Yemen’s leading telecommunications companies and its only international gateway, was hacked in the summer of 2012.  This cybercrime resulted in over $20 million of lost revenue that would have accrued to the government.  For this amount of money, Y-CERT could have been built and manned many times over. Also in the summer of 2012, Yemen’s Central Bank suffered numerous Distributed Denial of Service attacks and its websites have been infected numerous times with malware such at the Zeus Trojan botnet. The Zeus Trojan specifically focuses on financial institutions around the world with the aim of stealing money from banks. In 2010, according to the F.B.I., over $70 million was stolen from banks in the United States using the Zeus Trojan. Yemen can ill-afford a similar loss. In November 2012, a suspected Al-Qaeda in the Arabian Peninsula (AQAP) operative was arrested after phone call intercepts revealed that he was planning to conduct a cyber-attack on Yemen’s oil infrastructure in retaliation for the government’s attacks against AQAP. As Yemen depends on the oil sector for nearly 70% of its revenue, a successful attack on this industry would be incredibly destabilizing for its fragile economy. For these reasons, establishing Y-CERT should be at the top of the list of priorities for the Yemeni government and the international community.

As Yemen faces the converging challenges of food insecurity, water scarcity, oil depletion, economic decline and political instability, cybersecurity can be seen a relative newcomer to the list of national challenges. Nevertheless, cybersecurity must be addressed now in the form of Y-CERT in order to mitigate the risks of cybercrime, cyberterrorism, and further economic deterioration. Indeed, a robust cybersecurity infrastructure in Yemen could provide a springboard for the country to address some of these challenges by employing Yemenis to address these cybersecurity issues while accruing valuable ancillary benefits such as increased educational and employment opportunities for its people.

Now is the time for the cyber tribes of the world to work with the people of Yemen to lay the foundation for the nation’s Bab al- Cyber.

Chris Blask is the Chair of the Industrial Control Systems-Information Sharing and Analysis Center (ICS-ISAC) in the United States

David Alley is the Senior Advisor for Itex Solutions in Sana’a, Yemen

Posted in News

Response to Dale Peterson’s Article: “How DHS Can Best Help ICS Security”.

Dale Peterson at Digital Bond posted a thoughtful piece this Monday on his blog titled: “How DHS Can Best Help ICS Security”. As always, Dale’s commentary is well informed and provides voice to points many experts in industry share.

I have added the following comment to the conversation following Dale’s blog post. We encourage interested parties to share their thoughts here or on the Digital Bond blog.


Hey Dale,

The solution is not an either/or choice of what information to share how and with who, but nonetheless your primary point is correct: the maximum value returned from information sharing at this point will be found where it moves C-Level actions.

In many ways the very act of issuing the Executive Order is just that. It is also the kind of Small Data information sharing that is appropriate for C-Level use. Executives don’t process information like “you need to develop a comprehensive identification and remediation strategy for vulnerable devices on your process control system” (much less anything deeper). Conversely, they are very good at processing information such as:

“The nation’s CEO is looking at you (and he’s pissed).”

The President and his bully-pulpit can perform that sort of single-packet information sharing very well. Much more effectively than those of us with more granular opinions and smaller megaphones. The purpose, though, is not to make those same C-Level executives then listen to the detailed solution – which they won’t do and wouldn’t understand – but rather to cause them to turn to their subordinates and share a similarly simple packet of information which junior executives are well versed in processing:

“The President of the United States is pissed off at me. Make it stop.”

This “Public Sector Executive to Private Sector Executive” information sharing needs to support the more detailed information sharing that folks like ourselves can accomplish by encouraging more of the right people to engage. We see this effect already both in the activity of the ICS-ISAC as well as other conversations we engage in. The increase in ICS-ISAC membership and attendance at the center’s public briefings since the Executive Order is mirrored in other groups’ briefings we have attended since.

Executive-to-Executive information sharing needs to support the more detailed information sharing that you mention above, though, not replace it. Inasmuch as the Executive-to-Executive information sharing is successful there needs to be not less but rather more opportunities for sharing of the pointillistic information that will satisfy the simple mandates facility executives roll downhill to their staffs.

The details of that granular information sharing among operational peers is the subject of other conversations, but the fact that those conversations are now getting more involvement is an indication that the Executive-to-Executive efforts are having the desired impact. What folks like your team and our team and the various groups and individuals who have comprised the information sharing activity to date need to do is continue to escalate those efforts, leveraging the seismic shifts caused by the Administration.

Any lack of success to date is well-shared among all involved. The combined efforts of all involved have not been completely unsuccessful, though. In the twenty years since these issues first crossed my own bow there has been a consistent growth in understanding among all involved. It may have been a long, low slope for much of that time, but the curve has continued to steepen and is following a predictable path leading to a foreseeable future.

The work that you and others have done has created the environment that leads to the President of the United States taking his recent action, an accomplishment worthy of a measurable amount of praise. Laurels are not for resting on, though. The general shape of what we all need to do going forward is clear, and a large part of it will include sharing more information with more people with more precise aim and craftsmanship.



Posted in News

Presidential Executive Order on Cybersecurity

On February 12, 2013 United States President Barack Obama issued an Executive Order (EO) titled “Improving Critical Infrastructure Cybersecurity”. This Executive Order provides national guidance for efforts to secure critical infrastructure.

It can be assumed that the content of this Executive Order is based on available knowledge and perspective of the combined United States Federal government. This Executive Order will certainly impact how public and private sector entities work independently and jointly to address the threats posed to cyber infrastructure. It is therefore valuable to examine the mechanisms and intention of the guidance spelled out in the document.

Below is initial analysis of and commentary on the Executive Order. Links have been added to referenced programs and laws. All emphasis is our own.

Summary of Analysis

This Executive Order is an inevitable result of the failure to date to enact legislation addressing cybersecurity threats to infrastructure. It has always been unlikely that the US federal government would take no significant action to increase pressure on itself and the private sector to address associated risks.

This Executive Order provides potentially positive structure to improving the sharing of related knowledge between the public and private sectors. It is important to note, however, that the vast majority of information which can be practically applied by private sector organizations is in the hands of other private sector organizations. Therefore, while public/private knowledge sharing is an important part of securing infrastructure it remains the incumbent responsibility of private organizations to improve knowledge sharing inside the private sector.

The NIST Cybersecurity Framework is a crucial component of the consequences of this Executive Order. The private sector will be very well served to be as actively engaged in the development of this Framework as possible. In the worst possible case the Framework will be developed with little private sector input or with highly-biased input from a small number of powerful private sector entities. All purposes are better served inasmuch as a very broad range of expertise and interest from the private sector is involved in the creation of the Framework.

Privacy concerns are relatively well represented in this Executive Order. Existing legal and operational structures are directly referenced and the Administration appears to be clearly signalling an understanding that excessive government intrusion into private sector information is one of the greatest impediments to success.

Information Sharing and the involvement of the Private Sector are foundational themes of this Executive Order. We take this as a positive indication on the part of the Administration that it understands the principles upon which the ICS-ISAC was founded.

Executive Order — Improving Critical Infrastructure Cybersecurity
– – – – – – –

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity[1]. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront[2]. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties[3]. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards[4].

[1] This statement provides validation that – based on knowledge held within the US federal government – attacks against infrastructure are in fact happening and increasing. Much of this knowledge is in the public domain, however this statement could be read as a confirmation that any additional unshared knowledge the federal government may have supports this hypothesis.

[2] The Administration is stating the official belief that cyber threats to infrastructure “represents one of the most serious national security challenges”. Given the perspective possible from the position held by the President and his staff, this can be taken as a validation of the level and imminence of these threats, something that private sector entities may want to factor into their internal prioritization of resources.

[3] By this order it becomes the official  policy of the United States federal government to “enhance the security and resilience” of infrastructure. And to do so in a way which “promot(es) “business confidentiality, privacy, and civil liberties”. Therefore the balance of public sector diligence in maintaining national security is explicitly balanced against private sector concern with private sector concerns regarding excessive government intrusiveness.

[4] As is often stated, 85% or greater of the national infrastructure is owned and operated by the private sector. This statement can be taken as explicit understanding that the nation will only be able to address these threats with the involvement of and cooperation with the private sector.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The official designation of “Critical Infrastructure” as used by the Department of Homeland Security had been focused on 18 sectors based on Presidential Policy Directive 7 (PPD-7) from 2003. PPD-21, which supersedes PPD-7, now defines critical infrastructure as the following 16 sectors:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams:
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

PPD-1 was issued on February 13, 2009 and defines the structure of the National Security Council (NSC), the NSC Principals Committee (NSC/PC), NSC Deputies Committee (NSC/DC) and NSC Interagency Policy Committees (NSC/IPCs).

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities[5] so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order[6], the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

[5] “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities”.  The National Infrastructure Advisory Council (NIAC) released a report in January. 2012 calling for a change in US government information sharing policy from a Cold War “need to know” basis to a more active “need to share” premise. This statement of policy in this Executive Order formalizes this intent as US policy.

[6] June 13, 2013

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

This section mandates the creation of a process within the federal government that “rapidly disseminates” knowledge from the public to private sector. This formalized structure should in theory support the “need to share” nature of such information.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

6 U.S.C. 143 specifies the sharing of both information – “analysis and warnings” – and resources – ” crisis management support” and “technical assistance” – from the federal government to the private sector as well as State, Local, Tribal and Territorial (SLTT) entities.

The Enhanced Cybersecurity Services (ECS) program is the mechanism the federal government uses to share such information with entities such as the ICS-ISAC. This system was originally created as a very limited program involving only a small number of private sector organizations from the Defense Industrial Base (DIB) sector. This Executive Order expands the ECS significantly.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

Certainly the ability of private sector entities to obtain security clearances which enable their representatives access to classified information could have a positive impact on information sharing. Most private entities are unlikely to have the resources or capacity to have employees go through this process, however, so the extent of the practical benefit will remain to be seen.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Again it is a positive sign to see intent on behalf of the Administration to gather input and expertise from the private sector. The availability of subject matter experts, their willingness to enter temporary Federal service, and the impact of budgetary restraints due to political conditions such as the ‘Sequester’ currently in place may mitigate the effectiveness of this effort.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

6 U.S.C. 133 allows such information shared with the government to be exempt from disclosure even under Freedom of Information Act (FIFA) requests, “including the identity of the submitting person or entity”. This should provide a level of protection from repercussions related to information sharing.

While the private sector is well served to continue to exercise diligence in protecting private information, it is generally positive that the Administration is placing explicit emphasis on privacy issues.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

Again, it is encouraging that this Executive Order continues to  seek to enable involvement by private sector representatives.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.

The Cybersecurity Framework being formulated by NIST under direction of this Executive Order is perhaps the greatest source of concern among the private sector. Many have voiced concern that a possible result could be regulations which foster compliance rather than security.

NIST has issued a Request For Information to solicit input into the development of this framework. NIST is holding a workshop on April 3, 2013 on the Framework. ICS-ISAC leadership will be attending this workshop.

We encourage our membership to engage with the ICS-ISAC or other groups in responding to the Framework RFI, and/or to engage directly with NIST.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk[]. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

A principle methodology ICS-ISAC leadership will be promoting for inclusion in the Framework is Situational Awareness capabilities. It is a fundamental principle of the ICS-ISAC that infrastructure facilities can utilize available tools and techniques to establish visibility into normal behavior of their Industrial Control Systems and with reasonable effort detect alterations to this behavior indicative of compromise.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the “preliminary Framework”). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the “final Framework”).

October 10, 2013, date of delivery for the preliminary Framework. Final version to be in place February 12, 2014.

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the “Program”).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

The “Voluntary Critical Infrastructure Cybersecurity Program” is certain to have a given number of teeth to it, implicit or explicit. Section (c) requires federal agencies to report whether notified organizations are participating, for example.

Participation by private sector organizations in knowledge sharing systems such as vertical or horizontal ISACs may be one means of demonstrating voluntary involvement.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

This process is certain to have positive as well as negative implications. Business interests will drive some infrastructure owners to work to avoid designation as critical infrastructure and thereby limit associated costs and perceived risks.

It is important for infrastructure owners to recognize the practical risks of compromise to their systems regardless of official designation as critical infrastructure, however. Threat actors do not follow official guidelines created by others, and they must be expected to behave according to their own motivations.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

This section speaks pointedly to the concern many private sector entities have regarding mandatory regulations. Over the two-year period leading up to February 12, 2015 regulatory regimes will be reviewed for necessity and effectiveness. Wherein private sector entities and industries do not find means to address risks to their cyber infrastructures they can assume that the public sector will impose regulations to force them to do so.

Sec. 11. Definitions. (a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.
(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.


Posted in News

ICS Cybersecurity CEO Lectures at Sana’a University, Yemem

Mr. Blask will be delivering a lecture on Cybersecurity in Modern Industrial Systems at Sana’a University in Sana’a, Yemen on November 13.


Posted in News

ICS Cybersecurity CEO Chris Blask in TechTarget

Anthony Freed wrote the following article on TechTarget regarding the Positive Technologies Security “SCADA Safety In Numbers” paper.

“While Joel is exactly correct as to the consequences of vulnerable devices being harder to define than the act of simply finding vulnerable devices themselves, the research itself does provide value by providing additional evidence for the existence of exposed systems,” Blask said.

Posted in News

ICS-ISAC Realtime Knowledge Sharing Demo at ICSJWG Denver, Oct 16

ICS Cybersecurity CEO and ICS-ISAC Chair Chris Blask will be presenting a demonstration of the realtime knowledge sharing implemented by the ICS-ISAC along with SAIC Chief Cybersecurity Technologist at the DHS ICSJWG conference in Denver, Colorado on October 16 at 10:30am.

Enabling realtime knowledge sharing between asset owners, researchers, service providers and vendors has been one of the initial goals of the ICS-ISAC. During the session in Denver the form and functionality of the system as implemented with be outlined and demonstrated.

Posted in News

Weekly Intro to ICS-ISAC Webinar: Tuesdays 1pmET

To accommodate interest in the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) ICS Cybersecurity, Inc. is holding a 45-minute informational overview and Q&A session each Tuesday at 1pm Eastern Time.

The session is held using GoToMeeting, attendees can call in using the numbers below and/or join using the free GoToMeeting client. Using the client will enable attendees to see slides presented, demonstrations of the center’s functionality and other visual aids.

Following this link a few minutes prior to the session will provide the opportunity to install the GoToMeeting client if necessary:

Access Code: 544-968-190

Australia: +61 2 8355 1030
Belgium: +32 (0) 28 08 4296
France: +33 (0) 182 880 462
Germany: +49 (0) 811 8899 6925
Netherlands: +31 (0) 208 080 384
Switzerland: +41 (0) 225 3314 54
United Kingdom: +44 (0) 207 151 1804
United States: +1 (626) 521-0010

Posted in News

Seán Paul McGurk on: “60 Minutes Overtime, Stuxnet copycats: Let the hacking begin”

“At its core, Stuxnet was an elegant and novel weapon, one that could be reverse-engineered and repurposed,” says [60 Minutes producer Graham] Messick. 60 Minutes Overtime explores the possibility of Stuxnet-style catastrophe on American soil.

Watch the video here.

Posted in News

La guerre virtuelle d’Obama

La Presse Interview – June 18, 2012

Nicolas Bérubé
La Presse

“(Los Angeles) De mystérieux virus informatiques 50 fois plus puissants que les virus connus sont déployés par les États-Unis et Israël contre l’Iran et d’autres pays au Moyen-Orient.

Lancée sous George W. Bush, reprise et bonifiée par le président Obama, l’opération baptisée «Olympic Games» entraîne les États-Unis en territoire inédit – et potentiellement dangereux, rapporte notre correspondant.”

Nicolas Bérubé of La Presse interviews ICS Cybersecurity CEO, Chris Blask.

Read more

Posted in News

Can Stuxnet be turned against US organizations?

New revelations from investigative journalist David Sanger of the New York Times identify the US executive branch’s involvement in directing the creation and use of Stuxnet, the malware targeted at Iranian nuclear plants.

Since then, Duqu, and Flame have been discovered. Once malware is in the wild, the code quickly becomes available to security researchers, as well as potential attackers who could repurpose the code.

ICS Cybersecurity expert Sean Paul McGurk discusses the implications for US industrial control operators on public radio. Listen here.

Posted in News