Assignment: (IT)/Cyber Sector

As required by Presidential Policy Directive 21 (PPD-21), the current version of the National Infrastructure Protection Plan (NIPP 2013-also referred to as the National Plan) provides a unifying structure to define a single program for integrating critical infrastructure and key resources (CI/KR) protection. PPD-21 also assigned a federal agency as the lead Sector-Specific Agency (SAA) for each of the 16 critical infrastructures identified in PPD-21. Each SSA is responsible for developing and implementing an updated Sector-Specific Plan (SSP) for its sector. The original SSPs were published in 2010 based on a Letter of Agreement in the 2009 version of the NIPP, but were updated in 2015. The SSPs detail the application of the NIPP concepts to the unique characteristics and conditions of each sector.

A growing number of hacking incidents or cyber attacks in recent years has raised concerns about the adequacy of the SSP to address major threats or hazards in our IT sector and cyber space. This includes major hacking into credit card records or other IT/data systems at Lockheed Martin (a major defense contractor), RSA the security division of a major data storage company for financial institutions), SONY, major banking institutions, Target Stores, and the even the U.S. State Department. In fact, in 2010 alone, the U.S. government was subject to over 300,000 cyber attacks on its infrastructure. There were also suspicions that hacking into Google e-mail (gmail) accounts for high-ranking U.S. officials could be traced to China, and the CIA Web site was hacked. Many other incidents have occurred since then. There are also ongoing investigations about Russian hacking into the 2016 Presidential election process.

The IT sector is inextricably linked with the Communications sector, and interdependencies exist with all other CI/KR sectors. Technological advances and rapid development or modernization of a wide variety of systems and processes that depend on a secure IT system, including the Internet and the "cloud," ensure that IT/cyber security will demand increasing attention in the future. Ensuring IT and cybersecurity is incredibly complex and challenging due to technological complexities and our global interconnectedness, which make it very difficult to detect, deter, trace, defend against, prosecute or counter cyber attacks and hacking.

You and the members of your team should assume the role of senior government officials representing DHS and other federal agencies and entities with responsibilities for ensuring the security of the U.S. IT sector and cyber space. Threats and hazards in this vital CI/KR sector carry potentially enormous consequences to our national economy, to national security and defense, to privacy, and to confidence in our government.

President Trump has asked about the security of our IT sector and cyber space and protection from intentional terrorist or espionage attacks, criminal or malicious hackers, or from disruptions due to technological failures or natural disasters. Our modern industrial society and economy have become absolutely dependent information technology, the Internet and cyber space. It is therefore imperative that our IT sector be protected.

Could terrorists, foreign governments or criminal hackers exploit vulnerabilities in our IT system, the Internet or cyber space to steal vital government or corporate records, sensitive defense or security information, or other data that could disrupt our society, economy and national defense? Could they introduce "worms," computer viruses or other spyware or malware that could lead to devastating IT system failures and compromise national security? Are there effective risk assessment, risk management or mitigation measures that can reduce the threat or the consequences of hacking and cyber attacks? This crisis situation illustrates how our critical infrastructures are interrelated and interdependent.

President Obama issued a Presidential Policy Directive -21 for Critical Infrastructure Security and Resilience, and an Executive Order for improving Critical Infrastructure Cybersecurity in 2013, and President Trump issued an Executive Order in 2017 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. However, to follow up and promote faster progress in this area of concern, he has requested a study of the Federal government's role to ensure IT security and cybersecurity. Senior DHS and national security officials are concerned that terrorists will escalate efforts to attack us through this sector. Your team has been invited to participate on the Presidential Action Team, which has an opportunity to help shape the President's agenda to further improve the protection of this particular CI/KR sector.

Your presentation should address the roles, responsibilities, capabilities and challenges or limitations of the Federal government in ensuring a secure IT system and cyber space. Is the SSP an adequate guide to prevent future major incidents, either from natural/accidental causes or from terrorist activity? Does the SSP need changes to account for lessons learned from recent hacking or cyber attack incidents? Are linkages needed between the IT SSP and the others to address the cybersecurity issue? How does the IT SSP relate to the Executive Orders and PPD-21? If actions are necessary beyond those in the SSP, provide specific recommendations with supporting evidence or logical argument for the President. Is the government organized effectively to address the threats, risks and vulnerabilities in this sector?

The actual output of the Project is a PowerPoint presentation for the President.

CONTENT :

Your presentation might address the following for the U.S. Information Technology (IT) sector and cyber space:

" What is included in the U.S. IT System?

o Does the SSP limit its actions to specific or narrowly focused elements or aspects of the IT system, such as the Internet?

o Does the SSP address potential impacts on other critical infrastructures?

" Analysis of the IT system and cyber space using the SSP template for protecting the critical infrastructure:

o Define the IT sector and cyber space vulnerabilities.

o Specify protective measures to address these threats.

o Discuss risk management considerations (threats vs. vulnerabilities).

o Identify dependencies with other agencies, departments, and other organizations.

o Identify shortfalls in the current system.

" Are there lessons to be learned from any major hacking or cyber attack incidents that could drive changes to the SSP?

" Does the SSP need better linkages to the other SSPs?

" How does the IT SSP relate to President Obama's Executive Order and PPD-21 of 2013, or President Trump's Executive Order of 2017?

" Provide specific recommendations to the President for actions to improve the security posture of the U.S. in the context of this sector.

" Recommend any changes or elements that should be included in the updated version of the SSP for the IT sector.

Bottom line: This is your opportunity in about 20 slides/viewgraphs to inform the President on how to improve the security and protection of the U.S. IT sector and cyber space. The successful project will advise the President on how to improve the IT/cyber security using the SSP as a framework for defining the solutions.

FORMAT :

Each team will prepare a short PowerPoint (or Prezi or Google Docs) presentation (approximately 20 slides) along with any relevant notes - either as notes on the slides or as a separate Word document.