This article is meant for you as a voting citizen, rather than you as a home user or business owner. Nationally, for our own security, we need to make changes to the way our IT infrastructure is managed.
Proposal
Nationally, identify potential computer impacts in a tier structure. Each utility, large company, and government agency is expected to report this yearly. The idea is to measure the worst impact a complete information systems disruption could cause if it is unavailable for three weeks. Based on the tier, the U.S. government would enforce increasing security measures with the intention of reducing risk of disruption/attack.
This should be done per segment of the enterprise. For example, a power utility has a minimum of four segments: a) the actual power grid b) the customer-facing payment portal c) the internal network for communications and planning d) coordination communications to other power utilities. If these segments were taken down entirely, they would have vastly different impacts.
Tiers:
1st tier: Isolated economic hardship, alternatives exist. This is a service which can be temporarily ignored or bypassed. Think of customer facing payment portals, small and medium business outages.
Security requirement for 1st level: No requirement. Businesses will evaluate their own threat profile to determine whether high security is necessary.
2nd tier: Economic hardship, no alternatives. This is a service which can cause harm to our national economy or severe disruption to consumers if it is unavailable for more than a day. A cell phone network could fit this definition, or a complete outage of Amazon.
Security requirement for 2nd level: Security engagement and Continuity Of Operations Plan (COOP) is required. The COOP plan should describe a way to restore service from backups or other storage that would be unaffected by a malicious software attack on the main system.
3rd tier: Potential death toll of 1-10,000. This is a service which supports food/water, health, shelter, or emergency services, but which has readily available alternatives. An example would be a large pharmacy or hospital system – critical patients may not be able to transition in time but the majority of patients would survive. Or loss of 911 service. Or intersection lights becoming un-synchronized. Using some imagination, there are many information systems that could cause deaths.
Security requirement for 3rd level: Network separation or warm secondary system, active security review is required. Network separation means no communication between casual networks (such as the Internet or back-office network) and the critical system. This dramatically reduces the chance of widespread network based attacks and makes intentional hacking extremely difficult. For systems that cannot be separated, the alternative is to run warm secondary systems that can take over in case of outage. The warm systems should be designed to be resistant to the spread of network based attacks. It does no good to have a secondary system that is compromised at the same time as the primary system. Active security review means that the U.S. Government performs annual security audits against the network to find weaknesses, and requires that the organization fixes these weaknesses.
4th tier: Catastrophic death toll 10,000+. This is a service which supports food/water, health, shelter, or emergency services which does not have alternatives. Power grid or water failures fit into this category, especially if they can cascade across more than one local region. Outages which prevent our military/government from responding to national threats also count.
Security requirement for 4th level: Segmented network separation and second-set-of-eyes rule. Segmented network separation means that not only is there an air-gap between the critical system and casual networks, but wherever possible the critical system should be segmented into independent pieces too. For example, a power grid control network should be designed to be independently-operable in each geographic region. The idea is to prevent cascading outages like the one that cut off power to the entire NorthEast United States and part of Canada in 2003. Second-set-of-eyes rule is an extreme security measure which is intended to prevent all insider and outsider threats. Essentially, any time the critical system is altered (such as a patch or update), the package code should be reviewed by a minimum of two people for unintended functionality such as backdoors or time bombs. This rule requires the critical system to be very simple (think UNIX) and single-purpose, since it would be impossible to review the code on complex systems like Microsoft Servers.
What do you think?