
Cybercrime and DHS: Policies and Challenges

Understanding Cybersecurity Policies and Regulations: The Case of DHS

By Lawrence Lease. Published 3 years ago. 7 min read.
Photo by Lewis Kang'ethe Ngugi on Unsplash

Safeguarding critical infrastructure is central to the Department of Homeland Security's (DHS) mission of protecting the United States against threats. To carry out that mission effectively, however, DHS must also protect its own systems from the growing threat of cybercrime. The global rise in cybercrime has become increasingly consequential, as the adoption of policy and federal regulation shows. This article examines the liabilities associated with DHS, the federal and agency-specific rules put in place to protect its resources from cybercrime, and the effect of policy on the attribution of such crimes.

INTRODUCTION

Cybercrime, including wire fraud, identity theft, and intellectual property theft, poses a pervasive threat to nearly all organizations and individuals, using techniques ranging from worms and viruses to distributed denial of service attacks. These threats can originate inside or outside U.S. borders and may be motivated by financial, political, or personal reasons, which makes government agencies possibly the most prominent targets in the country. Security incidents against federal systems have increased sharply: the U.S. Computer Emergency Readiness Team (US-CERT) reported a 206% increase in security incidents between 2006 and 2008 (Government Accountability Office [GAO], 2009). These figures highlight the critical need for security in U.S. government systems.

The DHS's Cybersecurity Division is one of the organizations exposed to cybercrime threats. The DHS's mission is to protect the nation from a wide range of threats, with employees working in areas from aviation and border security to emergency response, cybersecurity analysis, and chemical facility inspection. Their overarching goal is to maintain national security.

To effectively counter these threats, the DHS must have a comprehensive plan in place to safeguard its assets. This includes establishing regulations and policies and being accountable for liabilities and the complexities associated with cyber attack attribution. Protecting itself against cybercrime is essential for the DHS to successfully defend the nation.

LIABILITIES

The DHS Cybersecurity Division has the responsibility of protecting the nation against individuals and groups with malicious intent, such as criminals, terrorists, and nation-states perpetrating cyber attacks (GAO, 2008). In the past six years, the U.S. Government Accountability Office (GAO) has published three reports highlighting the areas that require action or improvement. These reports provide valuable insight into the primary policies that govern decision-making within the DHS Cybersecurity Division.

In 2003, President Bush issued the National Strategy to Secure Cyberspace, which tasked the DHS with securing computer systems supporting the nation's 18 critical infrastructures. This included developing a comprehensive national plan for critical infrastructure protection, enhancing national cyber analysis and warning capabilities, providing incident response and recovery planning, identifying and reducing cyber threats and vulnerabilities, and strengthening international cyberspace security (GAO, 2009).

The DHS has implemented several initiatives to accomplish these goals, such as creating US-CERT to provide response support and defense against cyber attacks for the Federal Civil Executive Branch and fostering collaboration with state and local government, industry, and international partners (US-CERT, 2011). The National Cyber Alert System, implemented in 2004, addresses computer security vulnerabilities and provides mitigation strategies, security tips, and best practices for personal computers (US-CERT, 2011).

Despite these initiatives, the DHS has not fully met its cybersecurity responsibilities. According to David Powner, the Director for Information Technology Management Issues for the GAO, "DHS has yet to fully satisfy its cybersecurity responsibilities designated by the strategy" (GAO, 2009).

The GAO has provided over 25 recommendations to the DHS, including developing a national strategy that clearly articulates strategic objectives, goals, and priorities, establishing White House responsibility and accountability for leading and overseeing national cybersecurity policy, improving public/private partnerships, and addressing global aspects of cyberspace (GAO, 2009).

Until these goals are achieved, the critical infrastructure of the United States remains a high-risk target for cybercrime. Federal regulations and agency-specific policies are in place to assist in securing DHS systems and fulfilling its essential responsibilities.

REGULATIONS

The DHS Cybersecurity Division, like all federal agencies, must comply with laws and regulations that are designed to raise the bar for cybersecurity in the face of increasingly complex and frequent cyber attacks. These regulations are crucial to addressing specific problem areas but can become less effective and marginalized if not updated to reflect changes in the threat landscape.

The Federal Information Security Management Act of 2002 (FISMA) takes a risk-based approach that forces organizations to weigh the value of their protection methods against the risk they address. Its implementation is guided by the National Institute of Standards and Technology's (NIST) Federal Information Processing Standards (FIPS) and Special Publication (SP) 800-53 (National Institute of Standards and Technology [NIST], 2010).

FIPS-199 sets security categories based on the organizational mission and the impact of exploitation or compromise of data, and FIPS-200 outlines the minimum security requirements for federal information and information systems. NIST SP 800-53 provides guidance on the selection of security controls to establish a baseline security posture while still giving organizations the flexibility to choose additional protection mechanisms when necessary.
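The categorization step the paragraph describes can be made concrete. The following Python is an added illustration, not DHS or NIST code: it applies the FIPS-199 rule that a system's category per objective (confidentiality, integrity, availability) is the maximum across the information types it handles, the FIPS-200 "high-water mark" that collapses the three values into one overall impact level, and the corresponding SP 800-53 baseline name (LOW, MODERATE, HIGH). The information types, their impact values, and the system name are constructed for the example; the treatment of a "not applicable" confidentiality rating (allowed only for an information type, rolled up to at least LOW at the system level) follows my reading of FIPS-199.

```python
"""Worked FIPS-199 / FIPS-200 security categorization (illustrative, not agency code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    """FIPS-199 potential impact levels, ordered so max() yields the high-water mark.
    NOT_APPLICABLE may be assigned only to the confidentiality objective of an
    information type (e.g. public data); it is never valid at the system level."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}"""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        # FIPS-200: the overall impact level is the highest of the three objectives.
        return max(self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        return (f"SC {self.name} = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}}")


def categorize_system(name: str, info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Roll information-type categories up to a system category.
    Each objective takes the maximum across the information types the system
    stores or processes, and a system-level value is never NOT_APPLICABLE:
    the floor is LOW even if every information type rated confidentiality N/A."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")

    def roll_up(objective: str) -> Impact:
        return max(Impact.LOW, max(getattr(t, objective) for t in types))

    return SecurityCategory(name,
                            roll_up("confidentiality"),
                            roll_up("integrity"),
                            roll_up("availability"))


def select_baseline(system: SecurityCategory) -> str:
    """Map the FIPS-200 high-water mark to the SP 800-53 control baseline name."""
    return {Impact.LOW: "LOW", Impact.MODERATE: "MODERATE", Impact.HIGH: "HIGH"}[
        system.high_water_mark()]


# Constructed sample information types for a hypothetical component system.
PUBLIC_WEB_CONTENT = SecurityCategory("public web content",
                                      Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE)
PII_RECORDS = SecurityCategory("PII records", Impact.MODERATE, Impact.MODERATE, Impact.LOW)
DISPATCH_ORDERS = SecurityCategory("emergency dispatch orders",
                                   Impact.LOW, Impact.HIGH, Impact.HIGH)


def example_system() -> SecurityCategory:
    """Hypothetical 'incident portal' that handles all three information types."""
    return categorize_system("incident portal",
                             [PUBLIC_WEB_CONTENT, PII_RECORDS, DISPATCH_ORDERS])


if __name__ == "__main__":
    system = example_system()
    print(system)
    print("FIPS-200 overall impact:", system.high_water_mark().name)
    print("SP 800-53 baseline:", select_baseline(system))
```

Note how a single high-integrity, high-availability information type (the dispatch orders) pulls the whole system to the HIGH baseline even though its confidentiality need is modest; this is the "value proposition" tension the text refers to, since the baseline drives the cost of the controls that must then be implemented and assessed.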

The DHS initially struggled to comply with FISMA, receiving failing grades for the first few years that the House Committee on Government Reform assessed compliance. The agency worked steadily to improve its standing, receiving a passing grade in 2007, followed by an average grade in 2008. However, critics argue that FISMA has increased paperwork and moved the focus away from ensuring that systems are genuinely secure.

Regardless of criticisms, the DHS has used the findings as an opportunity to allocate resources to specific areas for improvement. Adhering to policies, standards, and regulations helps the DHS take a more consistent, holistic approach to information security. Nevertheless, regulations must continue to evolve with the threat landscape to remain effective in protecting critical infrastructure.

DHS IT SECURITY AND POLICIES

To complement FISMA regulations, the DHS has its own agency-specific policy, DHS Policy 4300A, which outlines specific techniques, procedures, and baseline security requirements for the various organizations within the DHS. It sets requirements for security controls, such as using approved baseline configurations for all connected units, ensuring all hardware is certified and accredited, and providing certification and accreditation (C&A), remediation, and reporting for systems involving Personally Identifiable Information (PII).

To facilitate policy enforcement and compliance with federal regulatory requirements, the Information Assurance & Cyber Security Division (IAD) was created, which consists of two branches: Audit & Business Management and Compliance & Policy. The Audit & Business Management branch conducts independent reviews of IT security controls to ensure data protection, while the Compliance & Policy branch consists of several groups responsible for ensuring FISMA and DHS policy compliance.

The Certifier Services group, Compliance group, and Policy and Communications team each have specific responsibilities related to C&A for IT systems, risk management, and developing, reviewing, and maintaining IT security policies, standards, and procedures, respectively. The Cyber Security Awareness and Outreach group is responsible for all security awareness training, communication, and outreach activities, as required under FISMA guidelines.

While policies and regulations have helped to fortify DHS information systems, no system can be entirely secure as technologies evolve and cyber criminals become more sophisticated. In case of a breach or attack, the response during and after the incident must be explored.

ATTRIBUTION

Identifying the source of a cyber-attack is a complex process, known as attribution. The goal of attribution is to determine the identity or location of an attacker or intermediary. This information can be used to plan and deliver a counterattack, disrupt an attack in progress, create a system of deterrence, and improve cybersecurity defense and strategies. However, cyber-attack attribution faces significant difficulties due to the anonymity and vast reach of the internet, increased sophistication among attackers, and gaps in policy.

The DHS should investigate and respond to attacks, but attribution cannot be achieved through technological means alone. Adequate attribution may include information such as the identity of the individual(s) responsible for the attack, the originating email address, or the IP address of the host from which the attack was launched. While technological challenges can hinder attribution, gaps in policy also contribute to the overall problem.

The nature of the internet makes it likely that attribution will cross legal or organizational lines. Thus, a policy for information sharing between the DHS and other government agencies or the private sector is necessary if the agency is in the midst of an attack. The Critical Infrastructure Partnership Advisory Council (CIPAC) is a public-private sector partnership developed by DHS to encourage the flow of information for the protection of critical infrastructures, including IT networks.

Collaboration with the private sector can yield valuable information for attribution and counterattacks, but there are obstacles to overcome. As businesses, companies are hesitant to share information that may hurt profits. The resulting lack of trust might be remedied if a reasonable policy, agreeable to both sides, were put in place that satisfied the DHS's national security goals and the private sector's need for profitability.

Activity may originate or be routed through different countries, requiring coordination on a global scale. The differences in each country, in terms of ethics and definitions for crime, make it difficult to agree to a universal policy on attribution for cyber attacks. If an attacker is identified outside of the US, there is no set agreement on punishment, liability, or whether the attack is considered a crime. Attribution can become tricky if an attacker is state-sponsored.

Despite these challenges, it is necessary to address policy issues associated with cyber-attack attribution, as cybercrime trends increase around the world.


About the Creator

Lawrence Lease

Alaska born and bred, Washington DC is my home. I'm also a freelance writer. Love politics and history.
