Framing a True National Cybersecurity Strategy

Abstract
Most policymakers agree that a comprehensive and integrated approach is needed in order to secure cyberspace and protect critical systems from attack. However, despite lengthy publications on the matter, the US government has failed to develop a plan that provides strategic goals, priorities, or a clear delineation of responsibilities. A new, risk-based approach is needed to clarify priorities and to develop practical responses on a strategic, operational, and tactical level. The strategy suggested in this paper strives to utilize existing assets and solidify coordinating entities. The approach consolidates the organizations responsible for public-private partnerships on cybersecurity, increasing the stake of private critical infrastructure through a practical blend of regulation and incentives. Furthermore, it looks to promote security testing on all levels in addition to securing network-level vulnerabilities. While this strategy is merely a beginning, it provides a framework and concepts meant to stimulate discussion on practical goals to secure cyberspace.


INTRODUCTION

Persistent and escalating cyber attacks pose a significant threat to the federal government, the states, and private industry. The increasing interconnectedness of government and private management systems has made them vulnerable and could broaden the effects of a potentially devastating cyber attack. Cyber threats can originate from an array of sources ranging from large nation-states to individual hackers or activists using hacking techniques (hacktivists). A broad range of attacks is similarly possible, from devastating physical or digital attacks on our national infrastructure to theft of personal information and corporate secrets.

A comprehensive and mobile solution is necessary due to the expansive and evolutionary nature of the problem. Despite efforts to identify and assess the vulnerabilities of critical infrastructure and government systems, a comprehensive national strategy that develops clear priorities, adequately assesses risk and threats, delineates responsibilities, and addresses all system levels has yet to be devised. This white paper is not intended to be comprehensive, but it provides an overview of what a complete cybersecurity strategy and framework should resemble.

BACKGROUND

In 1998, Presidential Decision Directive 63 (PDD-63) established a structure under White House leadership to coordinate department and private sector activities to address vulnerabilities in critical infrastructure.1 In 2000, the Clinton administration published the first national plan to protect cyberspace. Similarly, President Bush in 2003 issued the National Strategy to Secure Cyberspace for the purpose of specifying key elements of how the nation is to secure essential, computer-based systems. The strategy delineated five national priorities: improve cyber incident response, reduce threats and vulnerabilities, conduct security awareness and training, secure government cyberspace, and facilitate national and international cooperation.2

The strategy provided the Department of Homeland Security (DHS) a lead role that was further augmented by Homeland Security Presidential Directive 7 (HSPD-7). HSPD-7 tasked DHS with coordinating Critical Infrastructure Protection (CIP), including cyber infrastructure.3 In January 2008, President Bush began to implement initiatives referred to as the Comprehensive National Cybersecurity Initiative (CNCI) to assist DHS and other federal agencies in protecting against intrusions and anticipating future threats. In 2009, President Obama commissioned a 60-day review of US policies and structures for cybersecurity. The Cyberspace Policy Review requires an updated national strategy, public-private partnerships, incident response capabilities, and education programs. The primary difference between the National Strategy to Secure Cyberspace and the Cyberspace Policy Review is that the Obama review recommends a White House cyber coordinating position with ties to both the National Security Council (NSC) and the National Economic Council (NEC). It also places more emphasis on civil liberty protection and interagency function clarification.4

To date, no comprehensive cybersecurity legislation has passed the United States Congress and been signed into law. While there are dozens of cybersecurity bills in Congress, the most comprehensive and likely to gain traction is the Cybersecurity and Internet Freedom Act of 2011 (S. 413), sponsored by the heads of the Senate Committee on Homeland Security and Government Affairs. The legislation essentially codifies and elevates the position of the White House Cyber Coordinator, creates a new National Center for Cybersecurity and Communications (NCCC) at DHS, updates the Federal Information Security Management Act (FISMA), creates risk-based performance requirements for critical systems, and requires that security be a consideration in federal procurement.5

NATIONAL STRATEGY

All of these plans value risk-based analysis with regards to protecting critical systems, but none prioritize and develop coherent national objectives to achieve “secure cyberspace.” Each plan treats all insecurities in cyberspace the same. The theft of an individual’s credit card number is not detrimental to national security, but a hacker who changes a shipment of weapons to Afghanistan to a shipment of toothbrushes is interfering with national security. A national strategy should differentiate between threats to national security and threats to personal security. Furthermore, no plan adequately assesses the threat environment. Terrorists may wish to disrupt the US power grid, but do they have the capabilities to do so?

The national strategy being presented assesses vulnerabilities and responses on three levels: strategic, operational, and tactical. This military terminology better illustrates the different levels of analysis. After applying a risk-based analytical approach to vulnerabilities, this strategy offers responses to counter these vulnerabilities in the realm of cyber defense. Since many of the previous plans offer good tactical suggestions but fall short on higher-level planning, this white paper will focus on strategic and operational level threats and responses.

STRATEGIC LEVEL
Vulnerabilities
According to the Government Accountability Office (GAO), the CNCI fails to provide strategic goals and priorities.6 The Bush plan develops a broad priority list with no indication of what is most vulnerable, what the threats are, and what the immediate and long-term strategic goals should be. The Obama plan mentions short-term and long-term goals but contains no priority list or threat assessment. In addition, all sectors and vulnerabilities are treated with equal importance despite acknowledgement of the need for a risk-based approach. There is also no clear delineation of agency and private sector responsibilities. Although DHS is the intended focal point, other organizations in the intelligence community that have more developed capabilities in cybersecurity continue to dominate the effort.7

On the strategic level, the two central questions are: What are the biggest threats to national security in cyberspace, and what would cause the most harm to national security if compromised?

Federal Government – The federal government provides for the common defense and overall economic well-being of the nation. While global economic ties and fear of a conventional response discourage a capable nation-state from conducting a destructive digital attack now, we must prepare for the possibility in case there is a future conflict. A national strategy should prioritize first and foremost the networks that sustain our war-making capabilities. Because nation-states are the most capable adversaries, the US must prioritize attacks from nation-states seeking to leave “backdoors” for future access, and then attacks from individual hackers and potential terrorists. The next tier of vulnerability is attacks on regulators, in particular agencies like the Federal Reserve that prevent economic crises of confidence. The third tier is espionage threats, and the last tier is threats to civilian agencies. The federal government sets the standard for cybersecurity. Even if a successful attack on a branch of the federal government were not catastrophic, the attack would harm confidence in the ability of the US to address this threat.

Critical United States Infrastructure – Threats to the energy, defense, and transportation sectors should be prioritized. Massive damage to these systems would compromise the ability of the US to respond to attacks and could cause a security crisis at home. The next priority is public works, such as a clean and safe water supply. Tampering with the water supply could cause floods, massive damage, or a water shortage. The third priority is the banking and finance sector. An attack on this sector could have severe economic repercussions, but it also has some of the best digital protections and is a less likely target for digital attack. Priority should be given to state threats, as they are the most capable and likely to utilize cyber weapons in a conflict. However, physical threats to digital systems from terrorists are a close second.

State Governments – State governments provide services to constituents that may not be directly related to national security but could be integral in the case of a national emergency. States and local governments manage emergency services such as a police force, fire department, and first responders. These emergency response systems are also vulnerable to attack, particularly in conjunction with a physical attack.

Communications Infrastructure – Communications damage is a concern because other infrastructures are reliant upon it. Banking, transportation, energy and defense all rely upon information infrastructure to carry out their core functions. It is the lowest priority since damage to peripheral networks does not affect the whole system, even though damage to the Internet backbone could cause broader outages. Communications infrastructure is also the lowest priority because protection can best be achieved through long-term goals such as the development of more secure communication technologies, protocols, and a global approach to securing these systems.

Response

First, protection of defense and federal civilian networks should be concentrated in US Cyber Command, as part of the Department of Defense (DOD), and DHS should maintain authority in CIP and serve as the private sector liaison. As GAO noted, the National Security Agency (NSA) and DOD as a whole have the budget, team, and capabilities to protect their highly sensitive digital network. US Cyber Command became operational on May 21, 2010 for the purpose of fusing and centralizing command of DOD’s full spectrum of cyberspace operations.8 Rather than fully recreate these capabilities at DHS, the government should harness the expertise DOD has already gained by protecting its own network and expand these capabilities to the rest of the federal government.

The intent of concentrating federal network protection within DOD is not to militarize cyberspace. Attacks on federal systems are a direct threat to national security, and the purpose of DOD is to ensure continuity of government functions. DHS and DOD currently have a Memorandum of Agreement (MOA) to improve coordination between the two agencies.9 In particular, the MOA establishes a DHS Director located at NSA that also acts as the DHS cybersecurity representative at US Cyber Command. A similar official from NSA is designated to serve at DHS. This is a good beginning to better coordination between two of the most important entities in cybersecurity. However, the position in both agencies should be elevated and manage more than just the joint planning between the two organizations. It would be a means to integrate the other agency’s expertise in strategic and operational planning. This is particularly important at US Cyber Command, where key civilian officials from DHS should be directly assisting the military commander, so as to provide the civilian perspective in protecting federal networks.

The Office of Management and Budget (OMB) should retain jurisdiction over budget functions, as it does with other agencies. However, a more capable body should make performance metrics and compliance determinations. Currently, the Director of National Intelligence (DNI) manages the Joint Inter-Agency Cyber Task Force (JIACTF), which oversees compliance with CNCI. This task force could be elevated to oversee compliance of the government as a whole and work with the Chief Information Officers (CIO) Council to develop performance metrics. Similar to the recommendation by the Center for Strategic and International Studies (CSIS), the new Cyber Coordinator should play a role in assisting agencies in meeting their goals.10 JIACTF can report findings to the Cyber Coordinator, and the two entities can work with agencies to improve and craft their budget submissions to OMB.

At DHS, cybersecurity and CIP are both managed within the Directorate of National Protection and Programs in two separate offices. Rather than just codify the cyber office in S. 413, for example, DHS should merge the two offices into the National Cybersecurity and Critical Infrastructure Protection Directorate. The Director could report to the Secretary and focus purely on CIP while also acting as a cyber liaison to private industry. A large component will be to continue serving as the central location for cyber incident response and outreach. US-CERT should remain the operational arm under the control of the new, elevated directorate. In addition, since cybersecurity and CIP are so closely intertwined, a shared office between the two entities within the directorate could be established. The office could be the single contact point for the private sector for all threat reporting. From there, the shared office could delegate responsibility depending on the type of threat and facilitate information sharing between cybersecurity and CIP.

There should also be an interagency council headed by the Cyber Coordinator for the purpose of sharing resources and information for CIP and protection of federal networks. The council would be comprised of US Cyber Command and the new DHS office. Since threats may probe both private and government infrastructure, it is essential for there to be coordination between DOD and DHS efforts. In addition, since DHS does not have the same capabilities, the council would provide a mechanism to harness DOD capabilities under the auspices of DHS.

The public-private partnership framework is currently confusing and comprised of multiple councils and organizations from both the private sector and the public sector. There needs to be some consolidation within the sectors to ensure a coordinated effort. For example, consolidate the Sector Coordinating Council (SCC) with the related Information Sharing and Analysis Center (ISAC) Council and Government Coordinating Council (GCC). Maintain one partnership council under the head of the Sector Specific Agency (SSA) with representatives from the private sector, the SSA, DHS, and state governments. DHS and the Critical Infrastructure Partnership and Advisory Council (CIPAC) could still oversee the framework. CIPAC could take more of a leadership role, integrating the different sector partnerships and working with DHS to implement the National Infrastructure Protection Plan (NIPP).

Since DHS will be heading the private-sector effort, this will give the Secret Service superior authority to coordinate with US-CERT on the operational aspects of cyber response. Similar to the DOD-DHS MOA, there should be an MOA with the FBI to harness its investigative skills for cyber attacks. The MOA could place FBI investigators as employees within DHS to coordinate response, but DHS should have clear authority on the issue.

OPERATIONAL LEVEL

Vulnerabilities

The Federal Government has not succeeded in developing an acquisition strategy that adequately takes security into consideration. In addition, the law governing agency compliance with information security, FISMA, needs to be updated to facilitate compliance and meaningful adherence to security goals. With regards to the private sector, critical infrastructure and key resources (CIKR) have not been given a strong direction on what their responsibility is or what security measures should be taken.

In 2007, GAO reported that nearly half of the sector-specific plans required by the NIPP were not comprehensive and did not address incentives to encourage private owners to conduct risk assessments.11 A strategy, risk analysis, and compliance incentives are key as most CIKR industries are privately owned, unregulated, and compliance with NIPP is voluntary. In addition, only one of the private sector plans included an assessment of all three categories of assets: physical, cyber, and human. Assessing all three is important as these sector-specific plans were intended to provide the foundation upon which to conduct risk analysis and develop approaches to address vulnerabilities. There is little incentive provided to the private sector for broad participation in information sharing collaborations and even less to enact security measures that may be costly. Private sector partnerships that do exist are not inclusive enough and still have not conducted a broad education effort to reach beyond the sectors’ top-level players. The Homeland Security Information Network (HSIN) has been criticized for lacking a clearly defined purpose and scope, whereas the Protected Critical Infrastructure Information (PCII) program causes concern among private entities about data security and future liabilities.12 Lastly, both the government and private sector are facing disincentives to test their security and the security of products upon which they rely. They are concerned about the cost, liabilities and revelation of system weaknesses.

Response

Half the challenge in securing government systems is ensuring that both hardware and software are of high quality and have security mechanisms built in during the initial design phase. This is not a new concept and was first addressed in CNCI, which initiated an OMB mandate that all federal agencies standardize the configuration of settings on operating systems and applications.13 In addition, the National Information Assurance Partnership (NIAP) was established so as to assess IT products according to agreed-upon international standards. Unfortunately, acquisition reform efforts have been difficult to implement. Moreover, NIAP does not evaluate composite systems, which can still retain vulnerabilities.

CSIS and S. 413 both rightly suggest the need for security standards in the Federal Acquisition Regulation (FAR). The federal government is one of the largest consumers of IT products. It has the ability to make specifications, similar to DOD procurement. The government should include security requirements in requests for proposals (RFPs) and continue the configuration standardization process so as to reduce per-unit costs. Moreover, a risk-based approach would prioritize the reform process. Consultations should occur with US Cyber Command and the National Institute of Standards and Technology (NIST) to determine appropriate specifications. Agencies like DOD and the Department of Energy (DOE) could begin to include IT system specifications in contracts with the private sector for the long-term goal of strengthening anti-espionage efforts.

The need for a reformed FISMA is also not a new concept. Currently the legislation intended to guide secure government IT creates incentives for document review rather than improved network security. It relies too much on process rather than quality, and the scorecard does not provide a comprehensive representation of security.14 While suggestions to streamline reporting are merited, having NIST develop guidance and requiring agencies to develop plans and conduct assessments is a fundamentally sound process. However, the reporting mechanisms tend to produce automated security measures, instead of ensuring that agencies understand the system complexities and how different network components work in concert. The focus should then be adequate auditing, testing, and security reviews.

One of the keys to ensuring quality security measures would be the creation of a “white hat” entity that will actually test security measures and standards within the federal government. A large part of the challenge would be creating a culture where testing and improvement are welcomed. To reform the culture, FISMA or NIST guidelines could be updated to improve scorecard ratings if agencies make the effort to test their security systems. Rather than insource, this could also be a contract with a private security agency. Either way, it is important to make the organization “roving” to reduce costs and prevent one agency from exerting total control. Essentially, this entity could benefit from being controlled by the joint council where DOD and DHS merge on cybersecurity. Security testing is also a critical component of CIKR protection in the private sector and on the state level. The government could lend use of the “white hat” entity based on a prioritization scheme where the services would be more readily available and low cost for extremely high-risk systems.

Another important component is developing the appropriate methods and responsibilities to protect CIKR by utilizing the proposed, consolidated SCCs to their fullest extent. As much as the sectors inherently object to firm standards, this must be done through a combination of regulation and incentives to meet the specific needs of the sector being protected. The key challenges are soliciting widespread participation, encouraging meaningful and comprehensive security reviews, facilitating secure information sharing that does not affect the sectors’ bottom line, and ensuring continued assessments and follow-up. The NIPP risk management framework is not flawed. It correctly requires an assessment of assets, risks, security goals, and threats.

Currently, NIPP depends on voluntary participation, but sector-specific security regulations are not unfounded for many of these sectors. General, sector-specific mandates that target communications, energy, defense, and transportation focusing on terrorist and state threats are first priority. Since banking and finance regulators are already covered through federal initiatives, the private sector is a somewhat less pressing priority. Security performance metrics would be decided by SCCs in a collaborative approach that sets realistic standards for the private sector—standards that are not static or one-size-fits-all. Development of regulation will increase interest in participation in SCCs by making NIPP development of financial interest to companies. In addition, law could codify the framework, mandating a diverse council composition to achieve a more balanced approach. Another important initiative would be outreach efforts to generate membership and to garner awareness. Previous efforts have had limited success; DHS should be clarified as having the main responsibility for conducting outreach and ensuring fair industry representation in SCCs. Lastly, funding could be provided to DHS for the purpose of mitigating costs for SCCs, particularly for state, local, and small organizations.

Incentives to the private sector should be provided for scoring well on follow-up assessments. Incentives could range from easing private sector liability for incidents to tax credits for high security ratings. DHS could work with other agencies, like the Small Business Administration (SBA) or the Department of Energy (DOE), to provide better loan terms or repayment assistance for smaller entities meeting security standards. Similar to other state-run programs, DHS could manage cost-sharing agreements and grants to states or high-risk organizations for security initiatives. DHS technical assistance and tax credits for receiving security assessments and implementing those specific recommendations could be an add-on to sector-specific plans. Another simple solution would be providing CIKR companies and entities with access to the General Services Administration (GSA) IT schedule 70. Essentially, this would provide access to discounted IT products that in the future will be fully vetted by federal experts and will meet higher security standards than for consumer products. 

Lastly, there needs to be a clear and established relationship built on trust to enable true information sharing. For clarity, HSIN and PCII should be consolidated into one clear information sharing network with CIKR. A critical aspect of PCII is the anonymity and safeguards it provides to submissions. These protections should be clarified, strengthened, and codified. While no information can be used in civil action, unauthorized releases of information should provide a private right of action against DHS. DHS should be held accountable for the security of its information network and develop a “need-to-know” basis for sensitive proprietary information or information that could cause financial harm to entities.

TACTICAL LEVEL

Vulnerabilities

Computer and network security are becoming increasingly intertwined. Operating system (OS) security is a key vulnerability, because protections at a higher layer can be compromised if the layer below is attacked. For example, encryption functions in a word processor do not matter if the operating system can be compromised.15 In addition to hacking vulnerabilities, computers are vulnerable to malicious software (malware) such as viruses, worms, and Trojan horses. This software can surreptitiously infiltrate critical systems to detonate “payloads” or ensure future access for malicious actors. Digital systems are also subject to hardware tampering and attacks on the microchips that power these machines. This is because the increasingly sophisticated integrated circuits that power IT systems are too complex to be understood completely by any one team of engineers; parts are designed all over the world and complexity makes exhaustive testing impossible.16

The architecture of the Internet is considered a CIKR in its own right. Many other critical infrastructures rely upon the communications system in order to operate. The Internet architecture is comprised of switches, routers, and network connections owned by Internet Service Providers (ISPs) and communication carriers.17 There are central hubs and asset concentrations in telecom hotels, points of presence, and colocation sites that are extremely vulnerable to attack and could cause interconnected system failure. To give an example of interconnected system failure, in 2003 one power plant caused a cascading electrical power outage in the northeastern United States, which took nearly 2,500 networks completely offline. Similarly, the September 11th attacks prevented several counties outside New York City from connecting to police networks due to failure of an interconnected network.18

Distributed Denial of Service (DDoS) attacks are an increasingly utilized method of attack against nation-states.19 These attacks prevent a computer or network from providing regular service, usually by flooding the network with traffic. It is one of the most common threats to the Internet, revealing a major vulnerability not only in specific applications but also in the entire TCP/IP protocol suite. Attackers often gain control of compromised computers that can be redirected to conduct DDoS attacks.

Response

A similar incentive approach to security could also be applied on the tactical level. In particular, a restructuring of liability for cyber attacks would encourage a more vested interest in improving the security of software and hardware. Currently, there are no repercussions for having poor security functions or bad quality software. Developers of low-level software, such as operating systems, could be held accountable for exploitable vulnerabilities if no reasonable attempt was made to produce a secure product.20 This is a simple concept but a difficult one to implement. This concept would be challenging for the government to enforce and stifling for innovation if it applied to small software application developers. Determinations would have to be made as to what is essential software and what security best practices should be used to determine if there is negligence. Moreover, while this solution does not solve the problem of different system integrations presenting different security challenges, it would be a start in creating more secure software.

The courts have similarly interpreted the law as severely restricting the liability of ISPs for the spread of malicious software. They have done so on precedent established in the Communications Decency Act of 1996, which does not make ISPs responsible as a publisher of Internet content.21 Additionally, the Digital Millennium Copyright Act (DMCA) limits the liability of service providers for copyright infringement when they serve as a conduit for incriminating material.22 As the gateway for cyber attacks, ISPs should have some liability, like other organizations, for negligence in the spread of malware. The purpose would be to encourage ISPs to adopt precautions they can implement more efficiently than individuals can while still maintaining personal accountability.

In order to prevent widespread leaks and damage as systems are compromised, the Intelligence Community has a policy of compartmentalization. Part of the tactical solution is running different server applications on separate virtual machines operating on a single piece of hardware.23 This would create the digital equivalent of compartmentalization to contain intrusions and damage. This concept can work on the application, server, or client PC levels. It could be a means to create a more secure OS or to limit damage in the current OS environment.

Regarding hardware vulnerability, the Defense Advanced Research Projects Agency (DARPA) has pursued a Trust in Integrated Circuits program to ensure all steps in the design and manufacturing chain are with trustworthy companies. This is a good start in ensuring secure acquisition of key IT components. At the same time, expansion of this program could be cost prohibitive, and technical solutions would need to be developed to mitigate damage from hardware attacks. For example, efforts could be made to design and utilize “secure circuits” that can identify attacks as they occur and attempt to minimize the damage.

Lastly, while DDoS attacks can have psychological and economic costs, they do not tend to cause widespread damage like other types of cyber attacks could. However, DDoS attacks during war, in conjunction with other cyber attacks or accompanying a national crisis, could be costly and warrant protective measures. Because of the distributed nature of the attacks, countermeasures could utilize distributed defense mechanisms deployed at various nodes and organized into a network.24 A collaborative relationship with ISPs is needed to prevent IP spoofing attacks by filtering forged addresses. DDoS attack detection systems could also filter malicious packets, though it is often difficult to make the distinction.
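The two DDoS countermeasures named above, source-address filtering at the ISP edge and detection distributed across several nodes, as an added illustration that is not part of the paper. The interface names, prefixes, packets and node reports are constructed sample data; the threshold is a hypothetical parameter.

```python
import ipaddress
from collections import Counter

# Constructed prefix table for an ISP customer edge: the source prefixes each
# customer-facing interface is allowed to originate (hypothetical values drawn
# from documentation address space; a real ISP derives them from assignments).
INTERFACE_PREFIXES = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("198.51.100.128/26")],
}


def is_forged_source(iface, src):
    """Source-address validation: a packet whose source lies outside the
    prefixes assigned to the interface it arrived on is forged (or
    misconfigured). Unknown interfaces fail closed."""
    prefixes = INTERFACE_PREFIXES.get(iface)
    if prefixes is None:
        return True
    addr = ipaddress.ip_address(src)
    return not any(addr in prefix for prefix in prefixes)


def ingress_filter(packets):
    """Split packets into (forwarded, dropped); forged sources never leave
    the ISP, which removes the spoofing the paper wants ISPs to filter."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = dropped if is_forged_source(pkt["iface"], pkt["src"]) else forwarded
        target.append(pkt)
    return forwarded, dropped


def node_report(forwarded):
    """A single node's view: forwarded packets per destination address."""
    return Counter(pkt["dst"] for pkt in forwarded)


def flag_floods(reports, limit):
    """Distributed detection: merge per-node counters and flag destinations
    whose aggregate volume exceeds `limit`. Also returns what each node
    would have flagged alone, to show why the nodes must be networked."""
    total = Counter()
    per_node = {}
    for node, counts in reports.items():
        total.update(counts)
        per_node[node] = {dst for dst, n in counts.items() if n > limit}
    aggregate = {dst for dst, n in total.items() if n > limit}
    return aggregate, per_node


# Constructed traffic seen at two edge nodes. The attack traffic toward
# 192.0.2.10 is split across nodes so that neither sees it as a flood alone.
SAMPLE_PACKETS = {
    "edge-A": [
        {"iface": "cust-eth1", "src": "203.0.113.7",    "dst": "192.0.2.10"},  # legitimate
        {"iface": "cust-eth1", "src": "203.0.113.200",  "dst": "192.0.2.10"},  # legitimate
        {"iface": "cust-eth1", "src": "10.9.8.7",       "dst": "192.0.2.10"},  # forged: private
        {"iface": "cust-eth1", "src": "192.0.2.10",     "dst": "192.0.2.10"},  # forged: victim addr
        {"iface": "cust-eth2", "src": "198.51.100.130", "dst": "192.0.2.10"},  # legitimate
        {"iface": "cust-eth2", "src": "198.51.100.250", "dst": "192.0.2.10"},  # forged: outside /26
        {"iface": "cust-eth2", "src": "198.51.100.5",   "dst": "192.0.2.99"},  # legitimate
        {"iface": "cust-eth9", "src": "203.0.113.9",    "dst": "192.0.2.99"},  # unknown iface
    ],
    "edge-B": [
        {"iface": "cust-eth1", "src": "203.0.113.21", "dst": "192.0.2.10"},    # legitimate
        {"iface": "cust-eth1", "src": "203.0.113.22", "dst": "192.0.2.10"},    # legitimate
        {"iface": "cust-eth1", "src": "203.0.113.23", "dst": "192.0.2.10"},    # legitimate
        {"iface": "cust-eth2", "src": "0.0.0.0",      "dst": "192.0.2.10"},    # forged
    ],
}


def run_demo(limit=5):
    """Filter at each node, then correlate the nodes' reports.
    Returns (packets dropped as forged, destinations flagged in aggregate,
    destinations each node flagged on its own)."""
    reports, dropped_total = {}, 0
    for node, packets in SAMPLE_PACKETS.items():
        forwarded, dropped = ingress_filter(packets)
        dropped_total += len(dropped)
        reports[node] = node_report(forwarded)
    aggregate, per_node = flag_floods(reports, limit)
    return dropped_total, aggregate, per_node


if __name__ == "__main__":
    dropped, aggregate, per_node = run_demo()
    print("forged packets dropped:", dropped)
    print("flooded destinations (aggregate view):", aggregate)
    print("flooded destinations (per-node view):", per_node)
```

With the sample data, each node forwards three packets toward 192.0.2.10 and flags nothing, while the merged view crosses the threshold; the per-node ingress filter has already removed the five spoofed packets.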

CONCLUSION

To conclude, a comprehensive and integrated approach is needed for cybersecurity that clearly delineates responsibilities and levels of analysis. In addition, it is critical to take a risk-based approach on all levels that assesses vulnerabilities and develops responses to address those vulnerabilities. This paper succeeds at developing a priority structure on the strategic, operational, and tactical levels where other strategies have failed to apply risk-based prioritization. It also develops common sense responses to security dilemmas that clearly delineate public and private responsibilities, blend incentives and regulation for compliance, and emphasize a dynamic model for testing and standards. The complexity of the digital infrastructure and threat makes this paper far from exhaustive. However, the strategy presented here offers a new framework for viewing defensive measures to secure cyberspace and discusses possibilities for new short- and long-term goals.


1 The White House. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. (May 29, 2009) http://www.whitehouse.gov/assets/…/Cyberspace_Policy_Review_final.pdf: 4.

2 The White House. The National Strategy to Secure Cyberspace. (Feb. 2003). http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf: X.

3 The White House, Cyberspace Policy Review, 4.

4 The White House, Cyberspace Policy Review, 9.

5 Cybersecurity and Internet Freedom Act of 2011, S. 413, 112th Cong. (2011). http://thomas.loc.gov.

6 US Government Accountability Office. National Cybersecurity Strategy: Key Improvements are Needed to Strengthen the Nation’s Posture, GAO-09-432T (March 10, 2009). http://www.gao.gov/products/GAO-09-432T: 8.

7 GAO, National Cybersecurity Strategy, 9.

8 US Department of Defense. US Cyber Command. U.S. Cyber Command Fact Sheet. (Oct. 13, 2010). http://www.defense.gov/home/features/2010/0410_cybersec/.

9 U.S. Department of Homeland Security and U.S. Department of Defense. Memorandum of Agreement Between the Department of Homeland Security and the Department of Defense Regarding Cybersecurity. (Sept. 27, 2010). http://www.dhs.gov/xlibrary/assets/20101013-dod-dhs-cyber-moa.pdf.

10 CSIS Commission on Cybersecurity for the 44th Presidency, "Securing Cyberspace for the 44th Presidency." Center for Strategic and International Studies. (December 2008): 40.

11 U.S. Government Accountability Office. Critical Infrastructure Sector Plans Complete and Sector Councils Evolving, GAO-07-1075T. (July 12, 2007). http://www.gao.gov/products/GAO-07-1075T: 4.

12 GAO, Critical Infrastructure, 18.

13 CSIS, Securing Cyberspace for the 44th Presidency.

14 Deb Radcliff, "Government Vertical: Is FISMA Working?" Nov. 1, 2007. SC Magazine. http://www.scmagazineus.com/government-vertical-is-fisma-working/article/58396/.

15 Bruce Schneier, Secrets & Lies: Digital Security in a Networked World (Indianapolis: Wiley, 2004), 127.

16 John Villasenor, "The Hacker in Your Hardware," Scientific American 303, no. 2: 82-87, Academic Search Premier, EBSCOhost.

17 Paul A. Strassmann, "The Internet's Vulnerabilities are Built into its Infrastructure," Signal Online, November 2009, http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2109&zoneid=32.

18 Tony H. Grubesic and Alan T. Murray, “Vital Nodes, Interconnected Infrastructures, and the Geographies of Network Survivability,” Annals of the Association of American Geographers 96, no. 1 (Mar. 2006): 68, JSTOR.

19 B.B. Gupta, R. C. Joshi, and Manoj Misra, "Defending against Distributed Denial of Service Attacks: Issues and Challenges," Information Security Journal 18, no. 5 (September 2009): 225, Academic Search Premier, EBSCOhost.

20 Schneier, Secrets & Lies, XIV.

21 Doug Lichtman and Eric Posner, "Holding Internet Service Providers Accountable," Supreme Court Economic Review 14 (2006): 223, JSTOR.

22 Lichtman and Posner, Holding Internet Service Providers Accountable, 223.

23 Steve Mansfield-Devine, "Security Through Isolation," Computer Fraud & Security 2010, no. 5 (May 2010): 8-11. Academic Search Premier, EBSCOhost.

24 Gupta, Defending Against Distributed Denial of Service Attacks, 230.

Kathleen Thomas, Former Contributor

Kathleen Thomas is a second-year Master’s student in the Security Policy Studies program at The George Washington University’s Elliott School of International Affairs. She focuses on Cybersecurity and Transnational Security issues. Before attending the Elliott School, Kathleen worked on Capitol Hill for 5 years and for a time in Speaker Hastert’s Special Events office. After Republicans lost the House in 2006, she worked as a junior lobbyist for a bipartisan lobbying firm. More recently, Kathleen handled defense issues for Arizona Congressman Shadegg. She currently interns at the Department of Defense. Kathleen received her B.A. in International Affairs from The George Washington University in 2006.
