Cybersecurity
Public Sector Threats and Responses

Kim Andreasson

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2012 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Version Date: 20111027

International Standard Book Number-13: 978-1-4398-4664-3 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

To those without whom this book would not have been possible. My wife, Diane, my parents, Kenth and Gullvi, and my friend, Meital, all of whom provided ongoing support. All book chapter authors and the publisher, of course, provided editorial contributions. I am grateful to all.

Contents

Preface
Karen S. Evans

Introduction

The Editor

Contributor Biographies (in order of appearance)

Chapter 1. The Global Rise of E-Government and Its Security Implications
Jeremy Millard

Chapter 2. Understanding Cyber Threats
Deborah L. Wheeler

Chapter 3. Cybersecurity in East Asia: Japan and the 2009 Attacks on South Korea and the United States
Motohiro Tsuchiya

Chapter 4. Toward a Global Approach to Cybersecurity
Marco Obiso and Gary Fowlie

Chapter 5. The Cybersecurity Policy Challenge: The Tyranny of Geography
Elaine C. Kamarck

Chapter 6. U.S. Federal Cybersecurity Policy
Daniel Castro

Chapter 7. European Cybersecurity Policy
Neil Robinson

Chapter 8. A Local Cybersecurity Approach: The Case of Catalonia
Ignacio Alamillo Domingo and Agustí Cerrillo-i-Martínez

Chapter 9. Securing Government Transparency: Cybersecurity Policy Issues in a Gov 2.0 Environment and Beyond
Gregory G. Curtin and Charity C. Tran

Chapter 10. The Civilian Cyber Incident Response Policies of the U.S. Federal Government
Chris Bronk

Chapter 11. Cybersecurity Health Check: A Framework to Enhance Organizational Security
Shih Ming Pan, Chii-Wen Wu, Pei-Te Chen, Yun Ting Lo, and Pei Wen Liu

Chapter 12. Beyond Public–Private Partnerships: Leadership Strategies for Securing Cyberspace
Dave Sulek and Megan Doscher

Chapter 13. Is There a Conclusion to Cybersecurity?
Kim Andreasson

Preface

Karen S. Evans

"When we first started this process…agencies didn't know what they didn't know."

Karen S. Evans
Administrator for E-Government and Information Technology, Office of Management and Budget,
in testimony before the House Committee on Homeland Security, February 28, 2008

In the fast-paced and ever-changing world of cybersecurity, no one can afford to miss a learning opportunity. So no matter where or when such an opportunity arises, you and your team had best be ready, because how you handle it may play a critical role in how successfully you manage risk and protect your enterprise now and into the future.

Just such a learning opportunity presented itself to me in 1996. It profoundly affected not only my own perspective but also my team's performance in managing information technology resources and services. At the time, all federal departments and agencies were asked to create a website to make services available to the public online. It was when e-mail was becoming the norm and the World Wide Web was bursting onto the scene. Our team was to take the "basement" operation of the Department of Justice's (DOJ's) Internet services and move them into a production environment.

The weekend before the move, however, the DOJ website was hacked. As we worked to restore services, we had to brief top leaders, provide information to law enforcement, and figure out what had gone wrong and how we would fix it.
The events shaped my views on risk management, policies, certification, and accreditation, as well as the ability of an agency to "respond" versus "react." In that one weekend, I learned the importance of backup, communications, response plans, configuration management, and policies.

Policies should actually carry a capital "P," because I learned the importance of effective policies on a practical level cannot be underestimated. The DOJ had policies in place and we were duly pushing the necessary documents out in support of them. But we were essentially producing drafts, not final documents, because we focused on the technology often to the exclusion of other critical elements of risk assessment. I learned that in order to develop policies that effectively and constantly assess risk, you have to use a more holistic approach that simultaneously studies all of the elements involved, including production, technology, and risk associated with the services being provided.

All of this then begs the question: "What is risk?" What amount of security controls is senior leadership willing to live with in the process of providing services? Is there a compensating control? How will you respond when an incident occurs? For me—as the Office of Management and Budget's (OMB's) Administrator for E-Government and Information Technology and as a manager and chief information officer—these questions were critical in evaluating potential services, programs, investments, policies, and statutes.

Being able to articulate the technical risk to senior leadership is critical to success, whether you are talking to a department head in the federal government or the chief executive officer (CEO) of a company. They need to know that the risk has been identified, how you intend to manage it, and what plans you have in place if services are compromised.
The federal government has statutes that govern the development of information resources management, such as the Computer Security Act of 1987, the Government Information Resources Security Act (which later became the Federal Information Security Management