TOP-SECRET – DHS Cybersecurity Order 13636

Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent Infrastructure Identification Working Group (CDIIWG)

20 pages
For Official Use Only
March 11, 2013


Overview of Executive Order 13636

– Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was released on February 12, 2013
– Relies on public-private collaboration to improve critical infrastructure cyber posture
– Includes elements to enhance information sharing, develop a cybersecurity framework, and create a voluntary cybersecurity program
– Requires the Department of Homeland Security (DHS) to identify the “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security”

DHS will work with CIPAC to execute Section 9 of the EO

“Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” (EO 13636, Section 9)

Apply consistent, objective criteria

Stakeholders include:
– Critical Infrastructure Partnership Advisory Council (CIPAC)
– Sector Specific Agencies (SSA)
– Sector Coordinating Councils (SCC)
– Government Coordinating Councils (GCC)
– Critical infrastructure owners and operators

The list of identified critical infrastructure will be reviewed and updated on an annual basis

Execution of Section 9 will be led by the Cyber-Dependent Infrastructure Identification Working Group (CDIIWG)

Overview of CDII Approach (1 of 2)

Only a small subset of U.S. infrastructure will fall under the focus of the EO activity
– Owners and operators will have the opportunity to provide relevant information
– A review process will be established for the identification as critical infrastructure

Focus is on critical infrastructure that could be compromised through cyber exploitation and which, if incapacitated, could result in catastrophic national, public health, or economic consequences
– Higher standard than debilitating, which is what is used in the base definition to define critical infrastructure
– The Secretary of DHS will provide a list of critical infrastructure most at risk in the context of a cyber incident within 150 days of EO release
– Commercial IT products and consumer information technology services will not be directly designated under the EO as infrastructure most at risk

All sectors will be engaged; if engagement and initial analysis determine that a sector has no infrastructure meeting the threshold, the initial list will not focus on that sector or sectors

Sectors with existing CI identification processes and lists should be leveraged where appropriate

Functions-based approach to identify critical infrastructure
– Accounts for the virtual and distributed nature of cyber infrastructure
– Focuses on the critical activities, services, or products being produced or provided by a sector, subsector, or mode
– Functions are identified based on the national or regional level consequences that can result from a disruption or exploitation of the infrastructure
– Does not identify a specific organization’s assets, networks, or systems; focus is on sector functions and the types of systems that support them

Requires the application of criteria that will be used to screen the infrastructure that aligns to the critical functions
– Consistently applied within sectors and, where possible, across sectors as well

Stakeholder engagement will be conducted throughout this effort
– CDIIWG will work with sectors (SSAs, SCCs, GCCs) via the CIPAC partnership framework



PUBLIC INTELLIGENCE – Air Force Office of Special Investigations Publishes Report on Military Sextortion Scams

An image taken from the cover of a February 2013 U.S. Air Force Office of Special Investigations report on cybersex extortion scams.

Public Intelligence

The U.S. Air Force Office of Special Investigations (AFOSI) is warning military personnel to avoid becoming victims of online sextortion scams that use “sexual images (obtained either through enticement or malicious code)” to extort money from unsuspecting victims.  “Cyber sextortion” is described as a growing problem among the military services with incidents being reported by “all Military Criminal Investigative Organizations” involving service members stationed in Europe, Asia and the U.S. The AFOSI report, released in February on a restricted basis, was recently posted online on the document-sharing website Scribd.

After reviewing Department of Defense statistics, the AFOSI found that cyber sextortion cases across the military services are primarily “webcam sextortion scams” in which DoD personnel were “enticed to engage in online sexual activities which were secretly recorded” and “money was then extorted from the victims in order to prevent the release of compromising video material.” Though it is “unclear whether perpetrators are specifically targeting US military members”, the report describes DoD members as potentially “vulnerable to blackmail and extortion” because of the expectation that they maintain “a professional appearance” and the strict requirements for maintaining a security clearance.

According to the AFOSI report, the Naval Criminal Investigative Service (NCIS) has identified four similar cases of cyber sextortion (two on Guam, one in Japan, and one in Bahrain) involving Navy members between August 2012 and November 2012. The U.S. Army Criminal Investigation Command (USACIDC) also reported three cases involving soldiers located in South Korea, Germany, and Texas.  The AFOSI itself has identified multiple cases involving U.S. Air Force members in Japan, South Korea, Alaska, Portugal and Guam.

Many of the incidents reportedly originated from a criminal sextortion ring based in the Philippines.  In a public affairs notice posted earlier this month on the Air Force website, a spokesperson for the AFOSI said that the ring involved “21 employees of a Philippines-based web portal solutions company” who reportedly “targeted hundreds of U.S. Army and Navy members for a period of more than a year”.

To protect against potential sextortion scams, the AFOSI recommends protecting personal information and limiting what information is divulged on social networking sites.  The report also recommends not responding to “unsolicited e-mails or chat requests”, particularly when the communication involves a “request to exchange provocative pictures or videos”.

MORE HERE:

https://publicintelligence.net/afosi-sextortion-scams/

TOP-SECRET – CIA Chief Technology Officer Big Data and Cloud Computing Presentations

The following are presentation slides for talks given by Ira A. “Gus” Hunt, the CIA’s Chief Technology Officer, on the topic of “big data” and cloud computing.  A presentation given by Hunt at the GigaOM Structure:Data conference last week garnered significant attention for his discussion of the CIA’s desire to “collect everything and hang on to it forever.”  Hunt’s presentation was similar to several he has given before, many of which share the same slides, including one which states: “It is really very nearly within our grasp to be able to compute on all human generated information.”

– Beyond Big Data: Riding the Technology Wave, March 2012, 33 pages
– Big Data Challenges and Opportunities, March 2012, 23 pages
– Big Data Operational Excellence Ahead in the Cloud, October 2011, 24 pages

SECRECY NEWS – A LOOK BACK AT CONGRESSIONAL OVERSIGHT OF INTELLIGENCE, 2011-2012

Several nuggets of interest are presented in the latest biennial report
from the Senate Select Committee on Intelligence, summarizing the
Committee's oversight activities in the 112th Congress:

        http://www.fas.org/irp/congress/2013_rpt/srpt113-7.html

* The Director of National Intelligence abruptly cancelled a multi-year
effort to establish a single consolidated data center for the entire
Intelligence Community a year or so ago, in favor of a migration to cloud
computing.

* Under criticism that the number of intelligence contractor personnel has
grown too high, too fast, intelligence agencies have been cutting the
number of contractors they employ or converting contractors to government
employees.  But some of those agencies have continued to hire additional
contractors at the same time, resulting in net growth in the size of the
intelligence contractor workforce.

* A written report on each covert action that is being carried out under a
presidential finding is provided to the congressional committees every
quarter.

The March 22 report also provides some fresh details of the long-awaited
and still unreleased Committee study on CIA's detention and interrogation
program.  That 6,000 page study, which was completed in July 2012 and
approved by the Committee in December 2012, is divided into three volumes,
as described in the report:

"I. History and Operation of the CIA's Detention and Interrogation
Program. This volume is divided chronologically into sections addressing
the establishment, development, and evolution of the CIA detention and
interrogation program."

"II. Intelligence Acquired and CIA Representations on the Effectiveness of
the CIA's Enhanced Interrogation Techniques. This volume addresses the
intelligence attributed to CIA detainees and the use of the CIA's enhanced
interrogation techniques, specifically focusing on CIA representations on
how the CIA detention and interrogation program was operated and managed,
as well as the effectiveness of the interrogation program. It includes
sections on CIA representations to the Congress, the Department of Justice,
and the media."

"III. Detention and Interrogation of Detainees. This volume addresses the
detention and interrogation of all known CIA detainees, from the program's
inception to its official end, on January 22, 2009, to include information
on their capture, detention, interrogation, and conditions of confinement.
It also includes extensive information on the CIA's management, oversight,
and day-to-day operation of the CIA's detention and interrogation program,"
according to the report's description.

"I have read the first volume, which is 300 pages," said CIA Director John
O. Brennan at his February 7 confirmation hearing.  "There clearly were a
number of things, many things, that I read in that report that were very
concerning and disturbing to me, and ones that I would want to look into
immediately, if I were to be confirmed as CIA Director."

"It talked about mismanagement of the program, misrepresentations of the
information, providing inaccurate information," Mr. Brennan said then. "And
it was rather damning in a lot of its language, as far as the nature of
these activities that were carried out."

The Committee said it is awaiting comments on the study from the White
House, the CIA and other executive branch agencies, and that it will then
"discuss the public release of the Study."

On February 15, 2013, Republicans who were members of the Committee in the
last Congress formally filed dissenting comments opposing the study and its
conclusions, the report said.

For its first couple of decades, the Senate Intelligence Committee held
that "even secret activities must be as accountable to the public as
possible," as Sen. Daniel Inouye stated in the Committee's first biennial
report in 1977, and that "as much information as possible about
intelligence activities should be made available to the public," as
Senators Richard Shelby and Bob Kerrey wrote in the 1999 version of the
report.

But in the past decade, the Committee seems to have reconceptualized its
relationship with the public.  It no longer promises to make "as much
information as possible about intelligence activities" available to the
public.  The notion that "secret activities" could be "accountable to the
public" is now evidently considered a contradiction in terms (although
release of the report on CIA interrogation practices, if it ever came to
pass, would nullify and transcend that contradiction).  

Today, as the latest report states, the Committee aims merely "to provide
as much information as possible to the American public about its
intelligence oversight activities."  (Intelligence Oversight Steps Back
from Public Accountability, Secrecy News, January 2, 2013).

Even within the narrowed horizons to which it has limited itself, however,
the report presents a rather attenuated, "skim milk" account of the
Committee's work. Judging from the new report, intelligence oversight
consists of frequent briefings, followed by numerous "evaluations" and
"reviews."

The report provides no indication of any conflict between the Committee
and the intelligence agencies. Consequently, there are no significant
victories (though the successful passage of four consecutive intelligence
authorization bills is a notable achievement), and no meaningful defeats.

At the Brennan confirmation hearing on February 7, Committee chair Sen.
Dianne Feinstein said: "I have been calling, and others have been
calling--the Vice Chairman and I--for increased transparency on the use of
targeted force for over a year, including the circumstances in which such
force is directed against U.S. citizens and noncitizens alike."  And to its
credit, the Committee conscientiously posed a pre-hearing question on
classification reform to Mr. Brennan (which he deflected).

But the new report does not identify any such effort by Committee
leadership to promote increased transparency on targeted killing during the
past Congress.  It does not reference the failure to accomplish the
declassification of Foreign Intelligence Surveillance Court opinions, as
the Committee had been promised in 2011.  Nor does the report address the
abuse of classification authority or cite what the President called "the
problem of overclassification" at all.

_______________________________________________
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.


_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web:    www.fas.org/sgp/index.html
email:  saftergood@fas.org
voice:  (202) 454-4691
twitter: @saftergood

TMZ – Brad Pitt & Angelina Jolie — NOT Married!

Angelina Jolie has just made it crystal clear … she and Brad Pitt did NOT secretly get married — despite rumors that she and Brad had a wedding on the DL.