53 Questions for Developing the National Strategy to Secure Cyberspace
The Board has identified 53 questions to be used in developing the National Strategy.
The questions are divided into five levels:
Level 1 - The Home User and Small Business
Level 2 - Major Enterprises
Level 3 - Sectors of the National Information Infrastructure
Level 4 - National Level Institutions and Policies
Level 5 - Global
Level 1 - The Home User and Small Business
1.1. Awareness: What kind of awareness program and assistance should
be available to help the home user and small businesses learn about and
deal with their cybersecurity needs?
1.2. Assistance: What can be done to make it easier for home users and
small businesses to safeguard their systems? Should internet service
providers (ISPs) perform more of the cybersecurity functions for the home
user and small business?
1.3. Disclosure: What disclosure of risk should ISPs, software vendors,
and hardware vendors make to home users and small businesses?
1.4. Emerging Technology: What emerging technologies (e.g. wireless area
networks for the home, wireless connectivity of the home to the internet,
broadband connectivity to the home) pose additional security risks to
home users and small businesses; what can be done to address those risks?
1.5. Broadband Initiative: If the Federal Government acts to facilitate
more rapid deployment of broadband connectivity to the home user and small
business, what cyberspace security requirements should be a condition
of Federal support?
Level 2 - Major Enterprises
2.1. Responsibility: Who in an enterprise should be responsible for IT
security? How often should that person brief the CEO? What role should
the Board of Directors play in oversight of IT security? Should the Board
require an outside audit and, if so, how often and from whom?
2.2. Best Practices: Where should the CEO, Board and/or auditors obtain
guidance on best practices or standards to use in IT security self-evaluations
and IT security policy development?
2.3. Disclosure: What information about IT security should the corporation
disclose to its stockholders, to its creditors, to its auditors, to its
Board
2.4. Enterprise-Wide IT Security Policy: Should enterprises be required
by their Boards of Directors or Auditors to have a regularly updated policy
statement on IT security practices? Should enterprises be required by
Boards and Auditors to employ software to enforce their IT policy?
2.5. Awareness: Should enterprises require employee participation in
regular IT security awareness training? Where should enterprises obtain
assistance in developing such training?
2.6. Insider Threats: How can a balance be struck between preventing
insiders from damaging the enterprise by misusing its IT systems, and
respecting the legitimate privacy concerns of employees?
2.7. Partners and Supply Chain: What IT security risks does an enterprise
run from its relationships with its partners and supply chain? How can
those relationships enhance or degrade IT security?
2.8. Event Reporting: What IT security events should an enterprise report
and to whom?
2.9. Threat and Vulnerability Information: How should an enterprise learn
about and decide how to react to IT security threats and vulnerabilities?
How can an enterprise evaluate the numerous software "patches"
distributed to it by its IT vendors?
2.10. IT Vendors: To what extent should an enterprise "outsource"
its IT security functions? How can IT security vendors be evaluated? How
can an enterprise act to improve the security of the IT products and services
it procures?
2.11. Risk Management and Insurance: How can an enterprise evaluate the
appropriate level of IT security spending or the return on investment
in IT security? What role can insurance play in IT security for an enterprise?
Level 3 - Sectors of the National Information Infrastructure
3.A. The Federal Government
3.A.1. Best Practices and Standards: Should there be a set of IT security
best practices, policies, and/or standards for various types of agencies
and/or various types of functions supported by IT systems? How should
they be developed, how detailed should they be, and should compliance
with some of them be required by law or regulation?
3.A.2. Accountability, Responsibility, and Oversight: What regular auditing
of Federal agencies' IT security should be performed? By whom? To whom
should it be reported? What should be done with the results? How can appropriate
levels of timely remediation be best linked to such audits? How can sustained
interest by senior levels of department management be best achieved?
3.A.3. Funding: Is the IT security performance level of many Federal
agencies such that many agencies will be unable to adequately remedy their
performance within normal annual budgetary practices? Is a funding initiative
similar to the approach used in Federal Government Y2K remediation required
and, if so, how would that work?
3.A.4. Cross-Department Activity: What IT security functions should be
performed at the departmental level and what should be performed centrally?
How could there be greater collaboration among agencies and departments
to achieve economies of scale in operating some IT security related functions?
3.A.5. Connecting Critical Functions to the Internet: How should we best
address the security risks arising from critical Federal functions being
performed on networks that have routers and other systems vulnerable to
denial of service and other cyber attacks from the internet?
3.A.6. IT Security Personnel: What is the extent of the Federal Government's
shortfalls in qualified IT security personnel? How can the Federal government
improve its recruitment, education, in-service training, and retention
of qualified IT security personnel?
3.A.7. Procurement: What role should procurement policy have in improving
Federal IT security?
3.A.8. Awareness: How should IT security awareness training be addressed
for most Federal employees?
3.A.9. Event Reporting: How can the Federal government achieve better
compliance with the requirement that departments and agencies report malicious
activity on their cyber networks and systems? What should be done with
such reporting?
3.A.10. Warning, Analysis, Incident Response and Recovery: What system
and capabilities should the Federal government have and what should individual
agencies have to warn, perform analysis, and respond to IT security incidents?
3.A.11. Organization: What, if any, further organizational changes are
required to improve Federal IT security?
3.A.12. National Security: Are there additional IT security programs,
structures, or capabilities required especially for national security
related departments or agencies?
3.B. The Private Sector
3.B.1. Sectors: What IT security roles should be performed by similar
enterprises acting together on a sectoral level? How should such sectoral
activities be organized?
3.B.2. Information Sharing: What is the role of the Information Sharing
and Analysis Centers (ISACs) and how can their performance be enhanced?
How can the Federal government improve IT security information sharing
with the private sector concerning vulnerabilities, threats, warnings,
and analysis?
3.B.3. Best Practices and Standards: What should be the role of best
practices and standards at the sectoral level?
3.B.4. Incident Response and Recovery: What sectoral level cooperation
mechanisms should exist for incident response and recovery?
3.B.5. Digital Control Systems: What unique security threats are related
to digital control systems and SCADA systems and how should they be addressed?
3.B.6. Connecting Critical Functions to the Internet: Are there sectors
that perform critical functions which could achieve greater security and
reliability by operating networks unconnected to the internet and other
public switched, open systems?
3.B.7. There will be individual sections at this point in the strategy
dealing with the unique issues and plans arising in specific sectors,
including:
- Banking and Finance
- Energy
- Transportation
- Telecommunications
- Information Technology
- General Manufacturing
- Chemical Manufacturing
3.C. State and Local Government
3.C.1. Organization: Should state governments organize IT security organizations
for information sharing and incident management at a state level? If so,
should such organizations include state agencies and departments? City
and county agencies? Critical infrastructure related private sector entities
in the state? Should state and local governments have a national mechanism
to partner on IT security related activities? What should be the Federal
role with such organizations?
3.C.2. Law Enforcement and Emergency Services: In addition to other state
and local government IT security requirements and activities, what unique
problems and requirements do law enforcement and emergency services agencies
confront and how should they be best addressed?
3.D. Higher Education
3.D.1. Preventing attacks from Universities: How can academic freedom
of inquiry be maintained while at the same time preventing the large scale
computing power of universities from being hijacked for denial of service
attacks and other malicious activity directed at other sites?
3.D.2. Preventing attacks within Universities: What functions on a university
system require high levels of IT security (e.g. medical records, research
trials, patents) and how is that best achieved within the context of an
academic setting?
3.D.3. Organization: How can universities best organize to address the
IT security questions they face in common? Should best practices or standards
be agreed on a national level? Should there be a mechanism for information
sharing on threats and vulnerabilities among university CIOs and systems
administrators?
Level 4 - National Level Institutions and Policies
4.1. Training and Education: How should the nation deal with the lack
of trained IT security personnel? What are adequate numbers of personnel
with various levels of training and how do we achieve those levels? Is
the H-1B visa program part of the overall solution or are there roles
that must be performed by US citizens?
4.2. Highly Secure/Trustworthy Computing: In addition to addressing
the vulnerabilities in currently deployed software and hardware, should
greater research emphasis be placed on developing entirely new and significantly
more secure approaches to operating system software, computer hardware
and the interface between the two? How should such efforts be funded?
How should procurement of such systems be encouraged?
4.3. Securing the Mechanics of the Internet: Can the traffic control
systems of the internet (Domain Name Servers, Border Gateway Protocols)
be made more secure? Can routers be made more secure by separating control
functions from the general traffic channel? How can major denial of service
attacks be mitigated? What problems arise in deploying more secure systems,
how should they be overcome, and how should such improvements be funded?
4.4. Securing Emerging Systems: What types of information technologies
and systems will increase in numbers and complexity in the next three
to five years and how can their vulnerabilities be predicted in advance
and avoided? How can enhanced security measures be widely incorporated
into wireless networks and wireless internet connections? What security
problems arise from significant growth in the number and functionality
of wireless, internet enabled, semi-autonomous devices? What security
problems arise from "ad hoc networks" that use multiple wireless
connections to reach the internet?
4.5. Privacy: What risks to privacy could arise from some approaches
to achieving IT security? How can those risks be eliminated?
4.6. Interdependency: How can we determine in what ways the various critical
infrastructures are dependent upon one another and what vulnerabilities
in one infrastructure could pose major problems for another? How should
the burdens of addressing interdependency vulnerabilities be apportioned?
4.7. Regulation and Market Forces: What is the role of state and federal
regulation in achieving IT security? How can market forces be further
stimulated to achieve improved IT security as an alternative to regulation?
What role can be played by corporate disclosure policies, by internal
and external auditors, by Boards of Directors, by the insurance industry,
by liability law, by tax policy?
4.8. Research: What should be the national IT security research priorities?
How can those priorities best be addressed between and among corporate
research departments, universities, national laboratories, and federally
funded research and development centers? How should the research costs
be apportioned?
4.9. Information Sharing: What additional IT security information sharing
should occur among and between federal government agencies, state and
local governments, corporations, and the public? What are the barriers
to such greater sharing and how can greater sharing best be achieved?
How can data about attempted unauthorized penetrations and other malicious
activity best be aggregated and analyzed? What system or systems should
exist for issuing IT security warnings?
4.10. Vulnerability Remediation: What role should individuals and corporations
have in identifying IT security vulnerabilities? To whom should they report
such vulnerabilities? How and when should users be informed? How could
vendors or large scale enterprise users distribute "patches"
in such a way as to ensure their rapid utilization? How should critical
infrastructure operators and the government identify and remove logic
bombs, Trojan horses, and other malicious code that may have already been
covertly installed on systems and networks?
4.11. Certification: Should software, hardware, and IT security consultants
be certified, and if so, how and by whom?
4.12. Continuity of Operations, Recovery, and Reconstitution: What plans,
capabilities, and arrangements should exist at a national level to respond
to the widespread outage of IT systems in one or more sectors?
4.13. Crime: What role should the criminal justice system play in achieving
IT security in government and in critical infrastructures? Are current
state/local or federal criminal justice capabilities adequate? Are current
legal prohibitions and penalties adequate to deter?
4.14. National Security: What policy and operational differences arise
if the source of malicious activity in cyberspace is a nation state?
Level 5 - Global
5.1. Information Sharing: What arrangements should exist for sharing
information about vulnerabilities and malicious activity among institutions
in various nations?
5.2. Cooperation Standards: Should there be internationally accepted
standards about what malicious activity in cyberspace should be considered
criminal, what the penalties should be, and what investigatory cooperation
should be mutually afforded participating nations?