National Cyber Security Division (NCSD): Approved Overview Briefing Wednesday, July 1, 2003

A secure and robust national cyber infrastructure is vital to the protection of the nation’s critical infrastructure and key assets CRITICAL INFRASTRUCTURE ASSET CATEGORIES CRITICAL INFRASTRUCTURE SECTORS Agriculture Food Water Public Health Emergency Services Defense Industry Base Information and Telecommunications Energy Banking & Finance Chemical Industry & Hazardous Materials Postal & Shipping KEY ASSETS National Monuments & Icons Nuclear Power Plants Dams Government Facilities Commercial Assets Strategy CYBER ASSETS PEOPLE ASSETS PHYSICAL ASSETS

The Homeland Security Act and national strategies direct DHS to take the lead on cyber security Homeland Security Act of 2002 Directed IAIP to develop a national plan for protecting key resources and critical infrastructure of the United States and the physical and technological assets that support such systems Directed IAIP, in cooperation with other Federal agencies, state and local government, and the private sector, to recommend measures necessary to protect the key resources and critical infrastructure Directed IAIP to provide analysis related to the threats or vulnerabilities to critical information systems and provide crisis management support to threats to or attacks on critical information systems National Strategy to Secure Cyberspace (February, 2003) Designated the Department of Homeland Security as the agency primarily responsible for the implementation of the strategic objectives of the strategy National Strategy for Homeland Security (July, 2002) Established “securing cyberspace” as a major initiative in protecting critical infrastructures and key assets

The National Strategy to Secure Cyberspace articulates five priorities Priority Implication National Cyberspace Security Response System Rapid identification, information exchange, and remediation can mitigate damage Response system will involve public and private institutions and cyber centers to perform analyses, conduct watch and warning, enable information exchange, and facilitate restoration efforts National Cyber Security Threat and Vulnerability Reduction Program Coordinated national efforts by government and private sector to identify and remediate serious cyber vulnerabilities through collaborative activities, such as sharing best practices and evaluating and implementing new technologies Also: raise awareness, increase criminal justice activities, and develop national security programs to deter cyber threats National Cyberspace Security Awareness and Training Program Promote comprehensive national awareness program to empower all Americans – businesses, workforce, and general population to secure their own parts of cyberspace Foster adequate training and education programs to support Nation’s cyber-security needs Increase efficiency of existing federal training Promote private support for independent certification of cybersecurity professionals Securing Governments’ Cyberspace Federal Government: Continuously assess threats and vulnerabilities to cyber systems Agency-specific processes Identify and document enterprise architecture Continuously assess threats and vulnerabilities Implement security controls and remediation efforts

The National Strategy to Secure Cyberspace articulates five priorities (cont’d.) Priority Implication Securing Governments’ Cyberspace (cont’d.) Additional Government-wide Challenges Authenticate and maintain authorization for users of Federal systems Secure Federal wireless local area networks Improve security in government outsourcing and procurement Develop specific criteria for independent security reviews and reviewers and certification State and local governments: With increasing dependence on integrated systems, state, local and Federal agencies must collectively combat cyber attacks Information sharing to protect systems is important foundation for ensuring government continuity DHS will work with state and local govts. And encourage their efforts to establish IT security programs and participate in ISACs with similar governments International Cyberspace Security Cooperation Ensuring America’s national security Strengthen counterintelligence efforts in cyberspace Improve attack attribution and prevention capabilities Improve coordination for responding to cyber attacks in national security community Reserve right to respond in an appropriate manner International cooperation Work with international organizations and industry to facilitate and promote global “culture of security” Develop secure networks Promote North American cyberspace security Foster establishment of national and intern’tl watch-and-warning networks to detect and prevent cyber attacks as they emerge

Security Division (NCSD) As a result, DHS established the National Cyber Security Division (NCSD) as the dedicated Federal focal point for cyber security Information Analysis and Infrastructure Protection (IAIP) Directorate “This new division will be focused on the vitally important task of protecting the nation’s cyber assets so that we may best protect the nation’s critical infrastructure assets” DHS Secretary Tom Ridge Information Analysis Infrastructure Protection Risk Assessment Division Indications and Warning Division Infrastructure Coordination Division Infrastructure Protection Division National Cyber Security Division (NCSD) KEY FUNCTIONS: Risk, Threat, & Vulnerability Identification and Reduction Cyber Security Tracking, Analysis & Response Center (CSTARC) Outreach, Awareness & Training

Current NCSD operations are organized into three functional areas Elements of the NCSD Mission Key NCSD Functional Areas The mission of the NCSD is to implement the National Strategy to secure cyberspace and to provide a centralized coordination point for the collection and dissemination of protective measures to reduce vulnerabilities and risks to the cyber infrastructure National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States Partnerships with public and private stakeholders are critical to achievement of the NCSD mission NCSD responsibilities include: Identifying, analyzing and reducing threats and vulnerabilities Disseminating threat warning information Coordinating incident response Providing technical assistance in continuity of operations and recovery planning Risk, Threat, Vulnerability Identification & Reduction Cyber Security Tracking, Analysis, & Response Center (CSTARC) Outreach, Awareness, & Training

These three key mission areas are in alignment with the National Strategy to Secure Cyberspace and highlight the execution focus of the NCSD Three Key Mission Areas of NCSD Risk, Threat, & Vulnerability Reduction Cyber Security Tracking, Analysis, & Response Center (CSTARC) Outreach, Awareness, & Training National Strategy to Secure Cyberspace Strategic Objectives of the National Strategy to Secure Cyberspace Prevent cyber attacks against America’s Critical Infrastructure Reduce National vulnerability to cyber attacks Minimize damage and recovery time from cyber attacks that do occur A National Cyberspace security response system Critical Priorities of the National Strategy to Secure Cyberspace A National Cyberspace security threat & vulnerability reduction program A National Cyberspace security awareness training program Securing Governments’ cyberspace National Security & International Cyberspace Security Cooperation

Functional Area Description The NCSD is leveraging relationships with and capabilities of public and private sector partners to support current operations Partnerships Functional Area Description Organizations with functions that are now resident in NCSD NIPC FedCIRC* NCS CIAO Government entity partners Law enforcement Federal, State and Local government organizations NASCIO HSA ISIP Private sector partners Software vendors Hardware vendors Security vendors Key industry associations and groups IT outsourcers Risk, Threat, Vulnerability Identification & Reduction Leverage, design, and lead implementation of methodologies and best practices with our partners to assess risks and threats, and to reduce vulnerabilities to attacks Cyber Security Tracking, Analysis & Response Center Implement CSTARC by consolidating government organizations and leveraging our National and international leadership and expertise across the public sector, the private sector, and academia Outreach, Awareness & Training Design and lead implementation of training and awareness efforts and campaigns that use a multi-level approach to education industry, government, and the public on the importance of their roles in National cyber security

Although operational on June 6th, a Planning Team has been established to assist in developing the final NCSD business process optimization and organization design NCSD announced and “Day One” capabilities functioning on June 6th NCSD Planning team established Select group of key individuals (with contractor support) with background and experience are working to consolidate, streamline and improve processes to support NCSD operations Responsible for identifying the structure and relationships to support those processes Organization design and processes rely heavily on the identification of key stakeholders and partners in the cyber security industry In addition to the “day-to-day” work associated with each of the functions, work is being done in each of the functional areas to establish processes for effective operations Risk, Threat, Vulnerability Identification & Reduction Cyber Security Tracking, Analysis & Response Center Outreach, Awareness & Training

…with an ultimate goal of developing long-term robust capability in cyber security Current Capabilities Future Capabilities Analytic capability to support cyber alerts and warning process for threats and vulnerabilities Consolidated list of effective practices for cyber security including best practices risk mitigation of cyber vulnerabilities Tracking of threats, vulnerabilities, and incidents via information exchange and dissemination of alerts and warnings to Government and the private sector Coordinated operations of 24 X 7 cyber watch centers Public awareness, training, and education campaigns including Stay Safe On-Line and others Process to improve and expand international cyber security relationships Lead the implementation of a standardized National risk, threat, and vulnerability assessment methodology Correlate data to assist the critical infrastructure sectors to generate metrics on cyber security readiness and capability on a periodic basis Build a mature capability over time that utilizes interdependency analysis (physical and cyber) and adaptive protection to prevent effective attacks Implement and operate a single National 24x7 CSTARC for cyberspace security in partnership with the public and private sectors Establish standardized and efficient information sharing processes to provide real-time information and warning capabilities across the Nation’s cyber landscape Complete the implementation of a comprehensive multi-level campaign to promote cyber security awareness and readiness Create public/private outreach groups to assist the entire spectrum of customers in securing their systems through implementation of “effective security practices”

Continue to protect the Nation’s cyber security infrastructure Next Steps… {This slide should be completed by presenter based on obj. of presentation and audience} Continue to protect the Nation’s cyber security infrastructure Continue to build strong partnerships within the public and private sectors Questions? Contact Information

Appendix: Other slides and graphics that may be used in briefings

The strategy of DHS, as defined by the Nation Strategy for Homeland Security, consists of three key objectives Three Key Objectives of the National Strategy for Homeland Security Key Objective I Key Objective II Key Objective III Prevent terrorist attacks within the United States Reduce America’s vulnerability to terrorism Minimize the damage and recover from attacks that do occur

IAIP is aligned with these key objectives through four key execution strategies: Evaluation, Communication, Coordination, and Protection Key Objective I Key Objective II Key Objective III Prevent terrorist attacks within the United States Reduce America’s vulnerability to terrorism Minimize the damage and recover from attacks that do occur Alignment through Evaluation, Communication, Coordination, & Protection Evaluation of terrorist threats Communication of warnings and information about terrorist threats Coordination and implementation of protective measures and reporting to prevent terrorist attacks Protection of the critical infrastructure through implementation and adaptation of protective measures Evaluation of threats, risks, and vulnerabilities Communication of information about terrorist capabilities and priorities Coordination and implementation of protective measures Protection through analysis of cross-sector and cross-asset interdependencies Evaluation of impact of attacks Communication of cross-sector and cross-asset impacts and responses Coordination of event response across sectors, assets, and across DHS groups responding to attacks Protection against future attacks or repeat attacks through lessons learned, forensics, and protective measures

The Infrastructure Protection mission is to rapidly implement protective measures with our partners to reduce the vulnerabilities of America’s critical infrastructure IP Mission Statement IP, in partnership with IA and federal, state, local, private, and international entities protects America’s critical infrastructures.

17 The IAIP goal, as defined in the HSA, executes across 13 sectors, five key assets, and three asset categories, in alignment with the National Strategy Information Analysis/Information Protection Mission Strategy Continuum Key Activities Matrix Critical Infrastructure Sectors Key Assets Asset Categories Evaluation: Assessing Value & Prioritizing Capabilities Identify critical infrastructures, threats, & incidents Agriculture Food Water Public Health Emergency Services Government Defense Industry Base Information and Telecommunications Energy Transportation Banking & Finance Chemical Industry & Hazardous Materials Postal & Shipping National Monuments & Icons Nuclear Power Plants Dams Government Facilities Commercial Assets Physical Assets Assess & analyze risks and vulnerabilities Develop protective measures Communication: Disseminating Value & Sharing Capabilities Leverage operational expertise Administer warning capability People Assets Coordination: Extracting Value & Leveraging Capabilities Correlate threat information, monitor and report status Coordinate with industry/federal partners Track and respond to legislative trends Support implementation of protective measures Protection: Preserving Value & Maintaining Capabilities Cyber Assets Assist EP&R in incident response

To IAIP has implemented a dedicated National Cyber Security Division (NCSD) within IP, that will lead protection of the Nation’s critical cyber assets across three key mission areas Three Key Mission Areas of the NCSD Risk, Threat, & Vulnerability Identification & Reduction Cyber Security Tracking, Analysis,& Response Center (CSTARC) Outreach, Awareness, & Training Leverage, design, and lead implementation of methodologies and best practices with our partners to assess risks and threats, and to reduce vulnerabilities to attacks Implement CSTARC by consolidating government organizations and leveraging our National and international leadership and expertise across the public sector, the private sector, and academia. Design and lead implementation of training and awareness efforts and campaigns that use a multi-level approach to educate industry, government, and the public on the importance of their roles in National cyber security Partnerships – The critical enabler of all of the key activities With partnerships as the foundation for implementation, the NCSD will immediately drive design and implementation of protective measures to reduce America’s vulnerability to cyber attack

NCSD Mission Statement The National Cyber Security Division mission statement NCSD Mission Statement The National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States. The NCSD mission includes identifying, analyzing and reducing threats and vulnerabilities; disseminating threat warning information; coordinating incident response; and providing technical assistance in continuity of operations and recovery planning. The NCSD also serves as the single National point of contact for the public and private sector regarding cyber security issues, including outreach, awareness, and training.

The implementation plan for the NCSD focuses on delivering capabilities immediately, while building a streamlined team and business process, using a staged three-phased approach Phase I: IMPLEMENT IMMEDIATE OPERATING CAPABILITY Phase II: IMPLEMENT INTERIM OPERATING CAPABILITY Phase III: IMPLEMENT FULL OPERATING CAPABILITY 1 Apr 2003 1 Jun 2003 1 Oct 2003 1 Mar 2004 Activities: Implement coordinated cyber-security program within DHS/IAIP Formally announce new organization and recruit a leadership team Continue to deliver “Day One” capabilities Activities: Complete organization and process streamlining and consolidation design Validate and implement streamlined organization and processes Complete hiring of permanent leadership team Deliver “180-day” capabilities Activities: Complete implementation of streamlined organization and processes Operation of “180-day” capabilities under way Deliver strategic “full operational” capabilities

Design of consolidated and streamlined organization and processes The engagement plan uses a phased approach to show results quickly and to add value throughout the execution of the project Analysis to determine gaps and overlaps in functions, processes, capabilities, and organizations Design of consolidated and streamlined organization and processes Implementation plan to mitigate risks associated with the new organization and processes Assessment of Current functions, processes, capabilities, and organizations June 15 July 30 August 15 August 30 September 15 Activities: Identify and inventory existing organizations, functions, capabilities, and organizations Interview stakeholders and leaders and members of these organizations and review work products and documentation Develop complete inventory of current cyber security functions, processes, capabilities, and organizations Activities: Analyze inventory of functions, processes, capabilities, and organizations from assessment task to determine duplications or overlaps in responsibility Analyze inventory of functions, processes, capabilities, and organizations from assessment task to determine gaps in critical required capabilities as defined by the NCSD strategy and the National Strategy Activities: Formulate “to be” business process model for new streamlined and consolidated organization Design organizational structure to support streamlined business process Validate design with key stakeholders Activities: Develop implementation plan and current function and organization transition plan Validate implementation and transition plan with key stakeholders Develop key implementation risks and risk mitigation plans Deliverables: Interview templates, schedule, and project plan Complete inventory of stakeholders Interview documentation Description key activities, processes, products and services for each organization represented. Deliverables: Current process diagram and model including key activities, processes, products and services for each organization represented. Overlap and gap analysis of current Federal Government cyber security functions, processes, capabilities, and organizations including communication processes with the private sector Deliverables: Options for “To be” streamlined and consolidated business process model Options for organizational structure to implement new streamlined and consolidated cyber security capability Recommendations and selection criteria for options and recommendations Deliverables: Validated implementation and transition plan Validated risk mitigation plan Executive decision briefing for NCSD leader and Assistant Secretary of IP

NCSD Products & Services Supplier Products & Services The methodology for the engagement uses supply chain analysis to evaluate the activities, products, and processes of the NCSD NCSD Mission Supplier Channels NCSD Products & Services NCSD Key Activities Supplier Products & Services Customer Channels Suppliers Customers Key Question: How do suppliers send/provide products, and services to the NCSD? Key Question: What products and services does the NCSD produce to protect America’s critical infrastructure? Key Question: What products and services do the suppliers give to the NCSD to enable its mission? Key Question: How does the NCSD deliver products and services to its customers? Key Question: What organizations provide the products and services required by the NCSD? Key Question: Who are the customers and recipients of NCSD products and services?

A preliminary list of stakeholders has been identified for the NCSD from all of the critical infrastructure sectors across a wide spectrum of public and private organizations Preliminary DRAFT List Academia Federal & Civilian Agencies (non-DHS/DoD) State & Local Governments Department of Homeland Security Department of Defense Private Sector International Government & NGOs CERT/CC GA Tech JHU Purdue Dartmouth I3P NIST OMB CIO Council HSC FedCIRC OSTP NSC USSS DOJ FBI CSIRC NSF IGs Congress NASCIO Governor Executive Offices Law enforcement (state) Law enforcement (local) HSA Local government organizations Multi-state ISAC ISIP Congress IAIP Divisions S&T EP&R Homeland Security Center NCS JTF-CNO DoD-CERT NSIRC NorthCOM ASD/C3I NSA DOD-IG STRATCOM Sector ISACs Software vendors Hardware vendors Security vendors IT outsourcers Key industry associations and groups ISAC Council DNS root operators ISA ISO International CERTs This list must be quickly validated and completed by the beginning of the interview process

To execute the assessment, the team must first interview several key players within the NCSD, DHS, DoD, and industry and then solicit wider input Task 1 – Interview Key Players and Formalize Questionnaires for other Players Task 2 – Solicit Input from Other Players through Briefings & Questionnaires Task 3 – Follow up Briefings and Questionnaires with Phone Calls/In-person Meetings NCSD subgroups: VTRRIA CSTARC OA&T FedCIRC OMB HSC CERT-CC JTF-CNO/DoD-CERT IAIP/ICD IAIP/IPD “Top 5” industry associations “Top 5” security vendors Academia Other industry associations Other federal agencies State and local governments NORTHCOM etc.. Academia Other industry associations Other federal agencies State and local governments NORTHCOM etc.. The result will be a complete inventory of the suppliers, products, channels, and customers in the cyber security protection supply chain. This inventory will allow us to quickly assess overlaps and gaps in the supply chain and to quickly prioritize actions for mitigating gaps and eliminating overlaps.