Countering cybercrime is a daunting challenge, not only because there are so many cybercriminals but also because they are so technically sophisticated. A 2014 ZDNet article stated that organized cybercrime groups have technical capabilities equal to (or in some cases superior to) those of nation-states, and pull in more than $400 billion per year — more than the GDP of numerous countries, including Ireland, Israel, the Philippines and Denmark. The article quotes a report from McAfee: “These groups have repeatedly shown they can overcome almost any cyber defense. Financial crime in cyberspace now occurs at industrial scale.”
While the bulk of cybercrime is for profit, espionage and sabotage against infrastructure and industry, though less frequent, are vitally important — and, as pointed out in a previous article, are frequently the work of nation-states. In July the Department of Homeland Security reported that Russian hackers had installed malware in the control systems of electric utilities all over the United States, and had put themselves in a position to cause widespread blackouts at will. The threat is ongoing, DHS says, and many utilities are apparently unaware that they have been infiltrated.
So what is government doing about it? This article will take a look at some of the efforts by government agencies to counter cybercrime, especially against infrastructure and industry, although there is considerable overlap with ordinary cybercrime. An in-depth examination of all aspects would fill a book, but this should give an overall outline of what’s going on. A later article will examine what industry itself is doing.
DHS
The Department of Homeland Security hosts the National Cybersecurity and Communications Integration Center (NCCIC), which is, in the agency’s words, “a 24×7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.” Also, “The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.”
The NCCIC has four branches: the NCCIC Operations and Integration (NO&I); the United States Computer Emergency Readiness Team (US-CERT); the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT); and the National Coordinating Center for Communications (NCC). Of these, the two of most interest to readers are probably ICS-CERT and US-CERT.
One useful product available from US-CERT is the Cyber Security Evaluation Tool (CSET) — “a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.”
ICS-CERT has a number of useful products available. These include Alerts, which provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks; Advisories, which provide timely information about current security issues, vulnerabilities, and exploits; the ICS-CERT Monitor, a newsletter for those engaged in the protection of critical infrastructure assets; and a variety of Other Reports, including Technical Information Papers (TIPs), Annual Reports (Year in Review), and 3rd-party products that ICS-CERT believes are of interest to persons engaged in protecting industrial control systems.
Industrial control system users and others wishing to become more involved with ICS-CERT can join the ICS Community of Interest on the Homeland Security Information Network.
DHS also operates the Stop.Think.Connect campaign, which is aimed at teaching the public at large how to guard against cyber threats of all types. Included in this is the Stop.Think.Connect Toolkit, which contains materials useful to everyone, as well as a set specifically tailored to industry.
FBI
Protecting against cyber- and other high-tech crimes is one of the FBI’s ten top priorities. Its Criminal, Cyber, Response, and Services Branch, which investigates many types of crime, also oversees computer-based crime related to counterterrorism, counterintelligence, and criminal threats against the United States.
Organized in 2008, the National Cyber Investigative Joint Task Force includes members from more than 20 agencies from across law enforcement, the intelligence community, and the Department of Defense. In coordinating cyber threat investigations, it also liaises with the CIA, DoD, DHS and NSA.
The National Cyber-Forensics and Training Alliance (NCFTA) is a cooperative venture of academia, industry and law enforcement that exchanges information and expertise, and provides training. It deals with malicious computer viruses, stock manipulation schemes, telecommunication scams, and other financial frauds perpetrated by organized crime groups.
DoD
The United States Cyber Command (USCYBERCOM) is a sub-unified command under the U.S. Strategic Command (USSTRATCOM) with four major components: the U.S. Army Cyber Command, the U.S. Fleet Cyber Command (FCC)/U.S. 10th Fleet, Air Forces Cyber (AFCYBER) and the Marine Corps Cyberspace Warfare Group (MCCYWG). While the wording varies, the missions of all four cover three strategic priorities: aggressively operate and defend the DOD information network; deliver effects against our adversaries; and design, build and deliver integrated capabilities for the future fight. Cyber Command includes a strong offensive component (you can’t have defense without guns, after all) that, as described by DoD, will “when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
NSA
The National Security Agency’s primary mission is foreign intelligence and protecting U.S. government systems against intrusion; it also conducts research and training and works with other branches like the DoD and the intelligence community, and with industry through a Technology Transfer Program (TTP).
Much of what NSA does is classified, and the fact that it has a Web site is a considerable change from the days when it denied its existence. The official line was that the initials stood for “no such agency” — and employees checking into hotels would put down “Department of Agriculture” or the like.
NIST
The Department of Commerce, as one would expect of a cabinet-level department, has multiple entities devoted to cybersecurity reporting to each other, but the one that most concerns industry is NIST.
Major components of NIST’s cybersecurity effort include the Computer Security Resource Center (CSRC), the NIST Cybersecurity Framework, the National Cybersecurity Center of Excellence (NCCoE), the Trusted Identities Group (TIG), the National Initiative for Cybersecurity Education (NICE), and the NIST Privacy Framework.
The CSRC provides access to NIST’s cybersecurity- and information security-related projects, publications, news and events.
The NIST Cybersecurity Framework is voluntary guidance consisting of standards, guidelines, and practices to promote the protection of critical infrastructure, and is intended for use by all industries. The current version, 1.1, was made public in April of this year.
Established in 2012 in partnership with the State of Maryland and Montgomery County, MD, the NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution.
The TIG, which is part of NIST’s Applied Cybersecurity Division under the NIST Information Technology Laboratory (one of the countless nested levels of bureaucracy), is another public/private partnership whose goal is “advancing measurement science, technology, and standards adoption to improve digital identity for individuals and organizations alike.”
The NIST Privacy Framework, modeled on the Cybersecurity Framework, aims in its own words to create “a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible and effective privacy protection solutions, and enable individuals to enjoy the benefits of innovative technologies with greater confidence and trust.” “It should assist organizations to better manage privacy risks within their diverse environments rather than prescribing the methods for managing privacy risk. The framework should also be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.”
While there is undeniably considerable duplication across all these agencies, one can hope that their efforts will help industry to protect itself. The next article will go over cybersecurity standards and practices developed by industrial organizations.