Vol. 11 No. 4
March 2008



The Constellation of Public Policy Measures Impacting the
Cartesian Coordinates Circumscribing Resiliency Assurance



Critical Questions

  • Are public-private partnerships succeeding in protecting the critical infrastructure?
  • What is the definition of resilience?
  • What are the challenges facing the critical infrastructure?
  • What public policy measures can be considered?
  • What is the framework for resiliency?
  • How do public policy measures impact the aspects of resiliency?
  • How is evidence-based assurance of resiliency assessed?












Global Software Competitiveness Studies
Sponsored by the
Center for National Software
Studies (CNSS)
http://www.CNsoftware.org

Conducted by Don O’Neill
ONeillDon@aol.com
(301) 990-0377

© Copyright Don O’Neill, 2008, used by the NSC
with permission




The Constellation of Public Policy Measures Impacting the
Cartesian Coordinates Circumscribing Resiliency Assurance


Background
To date the approach to protecting the nation's critical infrastructure has been to rely on public/private partnerships. There is now a concern that this approach is proving to be ineffective, as those involved in assuring this protection have adopted a “go along, get along” posture.

For example, if the electrical grids fail, that failure impacts the communications systems, which in turn can hamper financial networks. We need only to ask about the state of the coordinated recovery time objectives among the industry sectors of the critical infrastructure. Here we learn that the financial sector is required to meet a recovery time objective of four hours, but the dependent telecommunication and energy sectors are not committed to compatible recovery time objectives. As a result, the financial sector simply claims compliance with the four-hour mandate using a footnoted assumption of telecommunication and energy availability. Simply put, the emperor has no clothes.

If we intend to elevate the protection of the critical infrastructure to an issue of national security, more is needed. Rather than simply focusing on protection and assurance measures as a response to known vulnerabilities and threats, it is necessary to elevate the focus to resiliency. There is a paradigm shift in moving away from Critical Infrastructure Protection (CIP) and towards Critical Infrastructure Resilience (CIR). Here protection as a security strategy is insufficient; however, protection as a tactic may provide a cost-effective means to reduce costs.

Security vendors and suppliers have concentrated on delivering protection and have succeeded in commoditizing this space with cost-effective offerings, since protection continues to be viewed as a cost. On the other hand, consumers who are users of software and Information Technology need resilience, not just protection. Resilience is considered an investment, and consumer CEOs must take ownership of the enterprise Cyber Security solutions that are needed to extend defense in depth to business continuity, system survivability, and system of systems resilience.

Base Definition of Resiliency
The attribute of resiliency is an emerging property of large complex software-intensive systems. Resiliency is the ability to avoid, minimize, withstand, and recover from the effects of adversity, whether natural or manmade, under all circumstances of use. Resiliency applied to the nation's critical infrastructure is trustworthiness under stress and spans high availability, continuous operations, and disaster recovery. The operations within the industry sectors of the critical infrastructure are diverse and complex. These operations are evolving into large systems of systems. In normal times these operations may operate satisfactorily in a loosely coupled arrangement. However, for these operations to be resilient under stress, more than a loosely coupled arrangement is needed.

A defined engineering challenge of adopting resilience throughout the nation's critical infrastructure is needed. The recovery time objectives among industry sectors must be coordinated, interoperability of information sharing and platform operations must be assured, distributed supervisory control protocols must be in place, and operation sensing and monitoring must be embedded. These capabilities cannot be expected to evolve in a loosely coupled environment. They must be holistically specified, architected, designed, implemented, and tested if they are to operate with resilience under stress. A management, process, and engineering maturity framework is necessary to advance the assurance of software security, business continuity, system survivability, and system of systems resiliency capabilities.

Critical Infrastructure Challenges
The critical infrastructure spanning the systems in the financial, electrical, telecommunications, transportation and medical sectors comprises an accidental system of systems whose sector systems operated dependently but without a plan or design in advance. Each sector system was constructed in accordance with its own context and culture, but in operation as members of a system of systems these sector systems inadvertently extend their own context and culture onto others resulting in clashes with uncertain and unintended operational results. Context and culture are the blended result of multiple dimensions that include application domain engineering approaches, the processes for management and engineering, fielding and operating practices, governmental regulations, and public expectation and confidence.
1. Industry sector practice varies widely in its domain engineering approaches resulting in diversity in architecture, models, and patterns including their representation. Formality within an architectural framework facilitates the imposition of distributed supervisory control, interoperability, and operation sensing and monitoring protocols.
2. Industry sector maturity in management and engineering processes varies widely resulting in diversity in configuration management, frequency of release, conformance to requirements, and traceability among life cycle artifacts. Strong code management practices facilitate reconfiguration and reconstitution.
3. Industry sector practice varies widely in fielding and operating practices resulting in diversity in accountability and control, supply chain management, civility and pushback, and willingness to expend off the clock effort. Exercising strong control over the workforce facilitates business continuity and survivability.
4. Industry sector impacts from government regulation vary with respect to export control, tax policy, intellectual property, privacy, and antitrust litigation. Exercising strong government control facilitates compliance for the benefit of the commons at the expense of initiative for the self-interest.
5. Industry sector public expectation and confidence vary with respect to trust, loyalty, and satisfaction. The financial and medical sectors depend on public trust. The electrical and telecommunication sectors depend on customer loyalty and satisfaction.

Public Policy Measures Impacting on Resiliency
Assuring the critical infrastructure calls for more than public/private partnerships; it demands signing onto a management, process, and engineering maturity framework for resiliency. With such a framework, we would be in a position to move beyond a mere voluntary approach to critical infrastructure security to a managed strategic approach of management, process, and engineering capabilities and solutions employing a constellation of public policy measures spanning market-driven tactics, self-help remedies, targeted investment, insurance mechanisms, import tariffs, tax policy, guiding regulations, and targeted legislation.

Public Policy Measures
It is too simple to view public policy as regulation. Instead public policy is driven by the political process, fluctuating between hands off and hands on control. These fluctuations are realized by altering the mix of public policy tactics applied. Some public policy tactics that stimulate innovation and technology and that eliminate shortfall in its deployment include the following:

1. Market driven tactics are centered around industry standards activities, voluntary compliance, and public-private collaboration for information sharing.
2. Self-help remedies are government sanctioned, low cost actions whose practitioners are usually accorded the benefit of the doubt. For example, consider the electronic repossession of a vehicle by satellite signal shut down after it violates terms of agreement for speed or location.
3. Targeted investment and funding can be used to stimulate research in critical areas.
4. Insurance mechanisms can be used to reduce business resistance where unknown or low probability of occurrence events are involved.
5. Import tariffs on offshore outsourcing have been considered by some. Tariffs would be used to produce revenue to fund domestic software research and education. In addition, tariffs would be structured to even the playing field for the domestic software workforce.
6. Tax policy, such as the Research and Engineering Tax Credit, can be powerful, but it is difficult to get all stakeholders on the same page. These include the creators of technology, the users of technology, the legislative community, the legal profession, and the judicial arm.
7. Guiding regulations are useful as mid-course corrections to achieve policy goals and as clarifications where they are needed, such as export controls and antitrust litigation.
8. Targeted legislation appears attractive; however, Congressional leaders often lack a sufficient understanding of technology and software issues. Consequently, legislation enacted for one purpose may possess side effects that lead to unintended consequences. Examples include the H1B High Tech Immigration Visa Program, UCITA, the Clinger Cohen Act, the Freedom of Information Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act.

Maturity Framework for Assuring Resiliency Under Stress
The nation's critical infrastructure is vulnerable to natural disasters and Cyber Security attacks. The Maturity Framework for Assuring Resiliency Under Stress is intended to drive the business case and enterprise commitment towards the assurance of software security, business continuity, system survivability, and system of systems resiliency. Achieving maturity in the assurance of resiliency throughout the critical infrastructure will help safeguard the nation's critical infrastructure.

Assurance is demonstrated through model-based business, technical, and operational claims spanning management, process, and engineering arguments and model-based evidence. An enterprise claiming to have achieved maturity in assuring enterprise resiliency under stress is expected to present correct and complete arguments that justify belief in the claim along with clear and convincing evidence buttressing each argument.

To achieve maturity in the assurance of resiliency under stress, the enterprise must satisfy the argument at each level.

Level 1 Ad Hoc
o State of Affairs: Inability to advance, exhibiting evidence of apathy, denial, management inaction, and lack of engineering know-how

Level 2 Enterprise Security Commitment Management
o Goal: Demonstrate commitment to security assurance through strategic management, internal processes, and defense in depth.

Level 3 Enterprise Business Continuity Process Maturity
o Goal: Demonstrate business continuity assurance through compliance management, external processes, and product engineering.

Level 4 System Survivability Engineering
o Goal: Demonstrate the achievement of system survivability through the management of faults and failures, sustainability processes, and RMA (reliability, maintainability, and availability) engineering.

Level 5 System of Systems Resiliency Engineering
o Goal: Demonstrate the achievement of system of systems resiliency through the management of external interactions and dependencies, the control of distributed supervisory processes, and the practice of Next Generation software engineering.

Framing Public Policy to Impact Resiliency
Now is the time to address the resiliency of the critical infrastructure. It hasn't been done in the past, and the future may be increasingly more uncertain. Complacency and vulnerability are a dangerous combination. A constellation of public policy measures should be rolled out to increase focus on the assurance of resilience.

What are the Cartesian Coordinates circumscribing the assurance of resiliency?
a. Commitment to security
b. Security in depth
c. Business continuity
d. System survivability
e. System of systems resiliency

What is the Constellation of public policy measures?
a. Market-driven tactics
b. Self-help remedies
c. Targeted investment
d. Insurance mechanisms
e. Import tariffs
f. Tax policy
g. Guiding regulations
h. Targeted legislation

Where do the opportunities to impact resiliency with public policy measures lie?
a. Cartesian Coordinates circumscribing the assurance of resiliency
b. Constellation of public policy measures



Notes:
A- Transparent assessment of commitment
B- Commoditized protection
C- Audited process
D- Certified engineering
E- Research and engineering

Market-driven tactics may assist in promoting enterprise commitment to security. Self-help remedies may assist in promoting security in depth. Targeted investment may assist in promoting system survivability and system of systems resiliency. Insurance mechanisms may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency. Import tariffs may assist in promoting the global sourcing aspect of business continuity. Tax policy may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency. Guiding regulations may assist in promoting system survivability and system of systems resiliency. Targeted legislation may assist in promoting system of systems resiliency.

Public Policy Candidates by Public Policy Measure

a. Market driven tactics are centered around industry standards activities, voluntary compliance, and public-private collaboration for information sharing. These tactics assist in promoting enterprise commitment to security; the candidates they promote are competitiveness versus security assessment results, Security Return on Investment results, incident management results, the Chief Security Officer (CSO) Leadership Program, security assurance operations, and aspect oversight and assessment.

b. Self-help remedies are government sanctioned, low cost actions whose practitioners are usually accorded the benefit of the doubt. These remedies assist in promoting commoditized protection associated with security in depth and are based on access control, identity management, authorization management, and accountability management.

c. Targeted investment and funding can be used to stimulate research in critical areas. These investments assist in promoting certified engineering associated with system survivability when directed at resistance, recognition, recovery, and reconstitution and research and engineering associated with systems of systems resiliency when directed at operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.

d. Insurance mechanisms can be used to reduce business resistance where unknown or low probability of occurrence events are involved. These mechanisms assist in promoting commoditized protection associated with security in depth, audited process associated with business continuity, certified engineering associated with system survivability, and research and engineering associated with system of systems resiliency.

e. Import tariffs on offshore outsourcing have been considered by some to assist in promoting the global sourcing aspect of business continuity.

f. Tax policy, such as the Research and Engineering Tax Credit, can be powerful. Tax policy assists in promoting commoditized protection associated with security in depth; audited process associated with business continuity and global sourcing; certified engineering associated with system survivability and resistance, recognition, recovery, and reconstitution; and research and engineering associated with system of systems resiliency and operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.

g. Guiding regulations are useful as mid-course corrections to achieve policy goals and as clarifications where they are needed, such as export controls and antitrust litigation. These regulations assist in promoting certified engineering associated with system survivability and research and engineering associated with system of systems resiliency. Regulations are needed to align security assurance operations, configuration management, encryption, identity management, access control, authorization management, accountability management, regulatory compliance, global sourcing, coordinated Recovery Time Objectives, and interoperability of data and information exchange.

h. Targeted legislation appears attractive; however, Congressional leaders often lack a sufficient understanding of technology and software issues. This legislation assists in promoting research and engineering associated with system of systems resiliency and operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.


Applicable Public Policy Measures for Leading Indicators
Competitiveness Versus Security Assessment and Tradeoff [a, h]
a. Market-driven tactics to promote assessment results
h. Targeted legislation to require assessments

Security Return on Investment [a, d]
a. Market-driven tactics to promote Security Return on Investment results
d. Insurance mechanisms based on Security Return on Investment results

Incident Management [a, d]
a. Market-driven tactics to promote incident management results
d. Insurance mechanisms based on incident management results

Chief Security Officer (CSO) Leadership Program [a, d, h]
a. Market-driven tactics to promote Chief Security Officer (CSO) Leadership Program
d. Insurance mechanisms based on Chief Security Officer (CSO) Leadership Program
h. Targeted legislation to require Chief Security Officer (CSO) Leadership Program

Security Assurance Operations [d, g, h]
d. Insurance mechanisms based on security assurance operations
g. Guiding regulation to align security assurance operations
h. Targeted legislation to require security assurance operations

Configuration Management [d, g, h]
d. Insurance mechanisms based on configuration management
g. Guiding regulation to align configuration management
h. Targeted legislation to require configuration management

Encryption [g, h]
g. Guiding regulation to align encryption
h. Targeted legislation to require encryption

Identity Management [b, g, h]
b. Self-help remedies based on identity management
g. Guiding regulation to align identity management
h. Targeted legislation to require identity management

Access Control [b, g, h]
b. Self-help remedies based on access control
g. Guiding regulation to align access control
h. Targeted legislation to require access control

Authorization Management [b, g, h]
b. Self-help remedies based on authorization management
g. Guiding regulation to align authorization management
h. Targeted legislation to require authorization management

Accountability Management [b, g, h]
b. Self-help remedies based on accountability management
g. Guiding regulation to align accountability management
h. Targeted legislation to require accountability management

Regulatory Compliance [d, g, h]
d. Insurance mechanisms based on regulatory compliance
g. Guiding regulation to align regulatory compliance
h. Targeted legislation to require regulatory compliance

Aspect Oversight & Assessment [a, b]
a. Market-driven tactics to promote aspect oversight and assessment
b. Self-help remedies based on aspect oversight and assessment

Global Sourcing [b, d, e, f, g, h]
b. Self-help remedies based on global sourcing
d. Insurance mechanisms based on global sourcing
e. Import tariffs to promote global sourcing
f. Tax policy to promote global sourcing
g. Guiding regulation to align global sourcing
h. Targeted legislation to require global sourcing

Risk Management [b, d]
b. Self-help remedies based on risk management
d. Insurance mechanisms based on risk management

Crisis Management [b, d]
b. Self-help remedies based on crisis management
d. Insurance mechanisms based on crisis management

Open Source [a, b]
a. Market-driven tactics to promote open source
b. Self-help remedies based on open source

Commercial Off the Shelf [a]
a. Market-driven tactics to promote commercial off the shelf

Security Assurance Evaluation Tools [d]
d. Insurance mechanisms based on security assurance evaluation tools

Incident Management [a, d]
a. Market-driven tactics to promote incident management results
d. Insurance mechanisms based on incident management

Cyber Forensics [a, d]
a. Market-driven tactics to promote cyber forensics results
d. Insurance mechanisms based on cyber forensics

Management of Defects, Faults, and Failures [a, d]
a. Market-driven tactics to promote management of defects, faults, and failures results
d. Insurance mechanisms based on management of defects, faults, and failures

Resistance [a, b, c, d, f]
a. Market-driven tactics to promote resistance results
b. Self-help remedies based on resistance
c. Targeted investment directed at resistance
d. Insurance mechanisms based on resistance
f. Tax policy to promote resistance

Recognition [a, b, c, d, f]
a. Market-driven tactics to promote recognition results
b. Self-help remedies based on recognition
c. Targeted investment directed at recognition
d. Insurance mechanisms based on recognition
f. Tax policy to promote recognition

Recovery [a, b, c, d, f]
a. Market-driven tactics to promote recovery results
b. Self-help remedies based on recovery
c. Targeted investment directed at recovery
d. Insurance mechanisms based on recovery
f. Tax policy to promote recovery

Reconstitution [a, b, c, d, f]
a. Market-driven tactics to promote reconstitution results
b. Self-help remedies based on reconstitution
c. Targeted investment directed at reconstitution
d. Insurance mechanisms based on reconstitution
f. Tax policy to promote reconstitution

Reliability Engineering [d]
d. Insurance mechanisms based on Reliability Engineering

Availability Engineering [d]
d. Insurance mechanisms based on Availability Engineering

Maintainability Engineering [d]
d. Insurance mechanisms based on Maintainability Engineering

Coordinated Recovery Time Objectives [g, h]
g. Guiding regulation to align coordinated Recovery Time Objectives
h. Targeted legislation to require coordinated Recovery Time Objectives

Interoperability of Data and Information Exchange [g, h]
g. Guiding regulation to align interoperability of data and information exchange
h. Targeted legislation to require interoperability of data and information exchange

Operation Sensing and Monitoring [b, c, f]
b. Self-help remedies based on operation sensing and monitoring
c. Targeted investment directed at operation sensing and monitoring
f. Tax policy to promote operation sensing and monitoring

Distributed Supervisory Control [b, c, f]
b. Self-help remedies based on distributed supervisory control
c. Targeted investment directed at distributed supervisory control
f. Tax policy to promote distributed supervisory control

Information and Data Recovery [b, c, f]
b. Self-help remedies based on information and data recovery
c. Targeted investment directed at information and data recovery
f. Tax policy to promote information and data recovery

Next Generation Software Engineering [c, f]
c. Targeted investment directed at Next Generation Software Engineering
f. Tax policy to promote Next Generation Software Engineering


Evidence-Based Assurance Assessment
Through its one-sided focus on protection, the Department of Homeland Security has signaled that resilience is not yet within its wheelhouse. The Department of Commerce and NIST should be assigned the lead role and be accountable for producing a trustworthy framework for resiliency and the assessment mechanism that can be used to drive commitment and compliance among critical infrastructure enterprises and organizations.

The purpose of Assurance Assertion Management (AAM) is to reason about the emergent properties of large complex software-intensive systems, to take action to steer enterprise commitment towards their assurance, and to guide buyers, users, and the public in setting their level of confidence in these systems and systems of systems. An assurance assertion is a statement that inspires confidence. Assurance assertions are useful in assisting reasoning about the emergent properties of large complex software-intensive systems. Assessing these product properties demands rigorous and precise methods beyond those used for process conformance and product testing. Some attribute and aspect examples of emergent properties associated with software products, systems, and systems of systems include safety, security, resiliency, privacy, and trustworthiness. The assurance claim and five arguments for the attribute of resiliency are shown in the diagram. The following assessment questions provide the basis for collecting the evidence-based assurance needed to verify the arguments.



Assurance assertions themselves are subject to validation and verification. The claim-argument segment of the assurance assertion chain is validated when the correspondence between a claim and its arguments is shown to be clear and convincing with respect to completeness and correctness. The argument-evidence segment of the assurance assertion chain is verified according to the degree of correspondence between the evidence and the argument. Four levels of confidence are identified:
1. The evidence in support of the argument is insufficient.
2. The preponderance of the evidence supports the argument, e.g., through assessment, interviews, testimony, and inspection.
3. The evidence in support of the argument is clear and convincing, e.g., measurement and static analysis.
4. The evidence in support of the argument is beyond the shadow of a doubt, e.g., demonstration and dynamic analysis.
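The claim-argument-evidence chain above, with the five maturity levels and the four confidence levels, is mechanical enough to model. The following is an added example, not code from the article or from the Center for National Software Studies: it ties each argument to the assessment question ids of the following section (2.1-2.11, 3.1-3.8, 4.1-4.10, 5.1-5.6), rates each argument by its weakest question, and applies the rule that levels must be satisfied in sequence. The assumptions are that any confidence above "insufficient" satisfies a question, that Level 1 (Ad Hoc) is the floor requiring no evidence, and that the sample evidence is constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Confidence(IntEnum):
    """The four levels of argument-evidence correspondence from the text."""
    INSUFFICIENT = 1          # evidence does not support the argument
    PREPONDERANCE = 2         # assessment, interviews, testimony, inspection
    CLEAR_AND_CONVINCING = 3  # measurement, static analysis
    BEYOND_DOUBT = 4          # demonstration, dynamic analysis


@dataclass
class Evidence:
    question: str           # assessment question id, e.g. "2.6"
    confidence: Confidence
    source: str             # what produced it (assumed free-text field)


@dataclass
class Argument:
    level: int
    name: str
    questions: tuple        # assessment question ids the argument must answer
    evidence: list = field(default_factory=list)

    def verify(self) -> Confidence:
        """Argument-evidence verification: each question is rated by its strongest
        evidence, the argument by its weakest question; an unanswered question
        counts as INSUFFICIENT (assumption)."""
        best = {}
        for e in self.evidence:
            best[e.question] = max(best.get(e.question, Confidence.INSUFFICIENT), e.confidence)
        return min(best.get(q, Confidence.INSUFFICIENT) for q in self.questions)


@dataclass
class Claim:
    text: str
    arguments: list

    def validate(self) -> bool:
        """Claim-argument validation: complete (levels 2..5 each present once) and
        correct (every argument names at least one question)."""
        levels = sorted(a.level for a in self.arguments)
        return levels == [2, 3, 4, 5] and all(a.questions for a in self.arguments)

    def achieved_level(self) -> int:
        """Maturity is sequential: the argument at each level must be satisfied
        before the next counts. Level 1 (Ad Hoc) is the floor (assumption)."""
        if not self.validate():
            raise ValueError("claim-argument chain is not valid")
        achieved = 1
        for arg in sorted(self.arguments, key=lambda a: a.level):
            if arg.verify() == Confidence.INSUFFICIENT:
                break
            achieved = arg.level
        return achieved


def qids(level: int, count: int) -> tuple:
    return tuple(f"{level}.{i}" for i in range(1, count + 1))


def build_resiliency_claim() -> Claim:
    """Claim and arguments from the maturity framework; question counts match the
    Resiliency Assurance Assessment Questions."""
    return Claim("Enterprise resiliency under stress is assured", [
        Argument(2, "Enterprise Security Commitment Management", qids(2, 11)),
        Argument(3, "Enterprise Business Continuity Process Maturity", qids(3, 8)),
        Argument(4, "System Survivability Engineering", qids(4, 10)),
        Argument(5, "System of Systems Resiliency Engineering", qids(5, 6)),
    ])


def assess_sample() -> dict:
    """Constructed sample assessment (not real data): level 2 fully evidenced,
    level 3 missing question 3.5 (crisis management exercises), so the chain
    stops at level 2 even though level 4 has strong evidence."""
    claim = build_resiliency_claim()
    by_level = {a.level: a for a in claim.arguments}
    for q in qids(2, 11):
        by_level[2].evidence.append(Evidence(q, Confidence.PREPONDERANCE, "interview"))
    by_level[2].evidence.append(Evidence("2.6", Confidence.CLEAR_AND_CONVINCING, "CM audit"))
    for q in qids(3, 8):
        if q != "3.5":
            by_level[3].evidence.append(Evidence(q, Confidence.CLEAR_AND_CONVINCING, "measurement"))
    for q in qids(4, 10):
        by_level[4].evidence.append(Evidence(q, Confidence.BEYOND_DOUBT, "demonstration"))
    return {"achieved_level": claim.achieved_level(),
            "confidence": {a.level: a.verify() for a in claim.arguments}}
```

The sample returns an achieved level of 2: one unanswered question at level 3 blocks the level 4 evidence from counting, which is the point of the sequential rule.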

Resiliency Assurance Assessment Questions
A- Transparent assessment of commitment
1. Is there a demonstrated inability to advance enterprise security assurance?
1.1 Have interview questions and answers exhibited no evidence of apathy?
1.2 Have interview questions and answers exhibited no evidence of denial?
1.3 Have interview questions and answers exhibited no evidence of management inaction?
1.4 Have interview questions and answers exhibited no evidence of lack of engineering know-how?

B- Commoditized protection
2. Is there a demonstrated enterprise commitment to security assurance through strategic management, internal processes, and defense in depth?
2.1 Has a global software competitiveness assessment been conducted using criteria and questions resulting in findings and recommendations?
2.2 Has a competitiveness versus security tradeoff been conducted using criteria resulting in findings?
2.3 Has a Security Return on Investment with input parameters and computed result for initial determination and verification through actual results been conducted?
2.4 Has a Chief Security Officer (CSO) leadership program been established with explicit commitments, training, and defined activities?
2.5 Has a security assurance operations infrastructure with initiation, process enactment, and oversight artifacts been instituted?
2.6 Is configuration management with traceability to changes utilized?
2.7 Is encryption utilized?
2.8 Is identity management utilized?
2.9 Is access control utilized?
2.10 Is authorization management utilized?
2.11 Is accountability management utilized?

C- Audited process
3. Is there demonstrated business continuity assurance through compliance management, external processes, and product engineering?
3.1 Is regulatory compliance for specified policies managed?
3.2 Is aspect oversight and assessment for specified attributes conducted?
3.3 Is global sourcing for each node in the supply chain and its management, process, and engineering aspects managed?
3.4 Is risk of management, process and engineering aspects managed?
3.5 Are crisis management readiness exercises spanning people, process, technology infrastructure, connectivity, and interoperability for the enterprise and its dependent partners managed?
3.6 Are open source trustworthiness and security aspects managed?
3.7 Are commercial off the shelf trustworthiness and security aspects managed?
3.8 Are security assurance evaluation tools for legacy software, new development, outsourced, open source, and commercial off the shelf software utilized?

D- Certified engineering
4. Is there demonstrated achievement of system survivability through the management of faults and failures, sustainability processes, and RMA (reliability, maintainability, and availability) engineering?
4.1 Are incidents managed?
4.2 Are Cyber forensics monitored?
4.3 Are defects, faults, and failures managed?
4.4 Is resistance engineered?
4.5 Is recognition engineered?
4.6 Is recovery engineered?
4.7 Is reconstitution engineered?
4.8 Is reliability engineering performed?
4.9 Is availability engineering performed?
4.10 Is maintainability engineering performed?

E- Research and engineering
5. Is there demonstrated achievement of system of systems resiliency through the management of external interactions and dependencies, the control of distributed supervisory processes, and the practice of Next Generation software engineering?
5.1 Are recovery time objectives coordinated?
5.2 Is interoperability of data and information exchange coordinated?
5.3 Is operation sensing and monitoring applied?
5.4 Is distributed supervisory control applied?
5.5 Is information and data recovery applied?
5.6 Is Next Generation software engineering exploited?
