Cybersecurity Notes
© Cybertelecom
Supply Chain
- See 5G Security
- Federal Acquisition Supply Chain Security Act of 2018
- “Securing the Information and Communications Technology and Services Supply Chain” Executive Order (E.O.) 13873 May 15, 2019
- U.S. Department of Commerce, Securing the Information and Communications Technology and Services Supply Chain, Proposed Rule, 84 Fed. Reg. 65316 (Nov. 27, 2019) (implementing Exec. Order No. 13,873, Securing the Information and Communications Technology and Services Supply Chain, 84 Fed. Reg. 22,689 (May 15, 2019))
- FCC, Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423 (2019)
Confidentiality, Integrity, Availability (CIA)
- Spectrum Frontiers Report and Order, 31 FCC Rcd 8106, para. 263 n.672
- Communications Security, Reliability, and Interoperability Council (CSRIC), Working Group 21: Cyber Security Best Practices Final Report at 35 (2011) (utilizing the same definitions of these terms).
- Techopedia, CIA Triad of Information Security
- 44 USC § 3552(b)(3) (defining “confidentiality,” “integrity,” and “availability” (CIA) as the constituent elements of “information security”; collectively, the terms are sometimes referred to as the “CIA principles”).
- Office of Management and Budget, Circular No. A-130, Managing Information as a Strategic Resource at 36 (2016) (defining “[s]ecurity control” as “the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information”).
Confidentiality
Confidentiality refers to protecting data from unauthorized access and disclosure. ATIS, ATIS Telecom Glossary: Confidentiality
Integrity
Integrity refers to protecting data from unauthorized modification or destruction, both at rest and in transit. ATIS, ATIS Telecom Glossary: Integrity
Availability
Availability refers to whether a network provides timely, reliable access to data and information services for authorized users. ATIS, ATIS Telecom Glossary: Availability
Cybersecurity Incentives
DDoS as externalities
- Device owners don't care
  - Barely slows down their internet service
  - Device still functions normally
  - Don't know victims
- Vendors don't care
  - Not liable for damage
  - Only marginally affects their business reputation
- ISPs don't care
  - Individual not much load
  - Hard to combat
  - Haven't adopted BCP38 (egress address filtering)
Solutions / Incentives to promote cybersecurity
- Insurance Companies
- Legal / Regulatory Requirements
- Procurement Requirements
- Federal Agency Compliance
- Funded Research
  - DHS
  - NSF
  - NIST
    - National Cybersecurity Center of Excellence (NCCoE)
- Tax Incentives
- Certification Program
  - FCC considered certification program as part of the National Broadband Plan
- Tort Liability
  - "The only specific case that a commenter cited involved a consumer electronics company, and the plaintiff lost that case. Commerce is not aware of any tort claims against critical infrastructure providers for loss resulting from a cyber attack. The record also lacked examples of other areas in which limiting liability helped to align companies' incentives with investment in additional precautions to reduce the risk of harm arising from hazards akin to cyber attacks." [NTIA Discussion 14 2013]
References
- Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy. Committee on Deterring Cyberattacks: Informing Strategies and Developing Options National Research Council. (2010), http://www.nap.edu/read/12997/chapter/3.
- Herb Lin, National Research Council, Market Incentives to Improve Cybersecurity
- NTIA
- Dept of Treasury, Report to the President on Cybersecurity Incentives, Per EO 13636
- Johannes Bauer, Michel J. G. van Eeten, Cybersecurity: Stakeholder incentives, externalities, and policy options, J. Telecom. Pol. Vol. 33 Iss. 10-11, Nov. 2009, Pages 706-719
- Terrence August, Robert August, Hyoduk Shin, Designing User Incentives for Cybersecurity, ACM 2014
- Steven Furnell, Why users cannot use security, Science Direct, June 2005
- Kox, H and B Straathof, Economic Aspects of Internet Security, CPB Background Document, Netherlands Bureau for Economic Policy Analysis, March 7, 2013.