
Vol. 11 No. 6 
July 2008
Public Policy Strategy for Deploying Resiliency in the
Critical Infrastructure
Critical Questions
- How do microeconomic principles impact software?
- How does public policy impact resiliency?
- What are the public policy measures?
- How can public policy act as an instrument of deployment?
- How are public policy measures staged for effective impact?
Global Software Competitiveness Studies
Sponsored by the
Center for National Software
Studies (CNSS)
http://www.CNsoftware.org
Conducted by Don ONeill
ONeillDon@aol.com
(301) 990-0377
Copyright Don ONeill, 2008, used by the NSC with permission
Public Policy Strategy for Deploying Resiliency in the
Critical Infrastructure
Microeconomics and Software
The discussion of public policy begins with a review of microeconomics and software. The knowledge, skills, and behaviors of the software profession and its practitioners provide the backdrop for a unique application of public policy in the critical infrastructure.
On the one hand, the commoditized software and information technology used to construct the systems of systems that operate the critical infrastructure provide an unplanned integrating element that links and entwines these systems and their industry sectors. The result is a common vulnerability.
On the other hand, the context and culture of these industry sectors are diverse. The industry sectors comprising the critical infrastructure have deeply ingrained stovepiped orientations stemming from unique application domain engineering approaches, management and engineering processes, fielding and operating practices, governmental regulations, and public expectation and confidence.
The consequences and effects of this unplanned integration are reviewed in the context of microeconomics.
Barrier to Entry
The barrier to entry into the software industry is low. It depends only on a highly skilled, low-wage workforce.
While barriers to entry into software may be low, ownership of a software niche brings with it a winner-take-all dimension. Software niches are usually narrow and well defined. Typically a new entrant chooses an established niche with existing competitors and imitates the product or service already being provided. By adding innovative features and capabilities to its offerings, the new entrant seeks to distinguish itself from the competition, with the ultimate objective of dominating the niche to the exclusion of all others.
Complementary Products
The potential for complementary products is high. Software operates in systems and systems of systems where coordination and cooperation among parts are essential.
As software value points become strategic components of larger systems within the industry sectors of the critical infrastructure, software products and systems are increasingly becoming complementary products in power plants and electric distribution systems, banking operations and financial markets, transportation management and control systems, medical research and health delivery systems, and homeland security and defense systems.
Software is more than a productivity aid when used within large complex systems and systems of systems, which are becoming commonplace in every industry sector. It is a unique source for strategic discrimination. Used in information systems, software permits the integration of information that supplies the knowledge in the knowledge age. Used in networks, software provides the collaboration tools that underlie the worldwide operation of an enterprise and shrink the globe. Used in business and e-commerce, software supplies the speed of adaptation necessary to achieve time to market advances over the competition.
Contingent Behavior
The potential for contingent behavior is high. Standards are used to ensure harmonious cooperation among complementary components and products and interoperability among software products. Users place a high value on standards compliance.
As software systems become systems of systems, a network of contingent behaviors emerges. The behavior of one system triggers behaviors in other systems. Not all the behaviors of a system are intended or even fully understood, and the behaviors of systems of systems cannot be fully understood.
Multiplier Effect
The potential for experiencing a multiplier effect is high. Fielding an interoperable, packaged suite has the potential for achieving an uncountably large customer base.
A small change can trigger a multiplier effect that results in large changes and unexpected changes downstream. With behaviors of systems not fully understood and behaviors of systems of systems simply not understood, multiplier effects are a growing possibility and concern. As the population of users increases, network effects become the engine for business success, the source of technology breakdown, and the trigger for social calamity.
Price Elasticity
The potential for price elasticity is high. Software products usually contain innovative features and capabilities that deliver value not available elsewhere. Users have even shown a willingness to buy value in the presence of defects.
The value of software lies in its ability to increase returns to scale. The products of software are data, information, and knowledge. Producing the software product itself involves a defined expense. Using the software product to produce data, information, and knowledge usually involves a minimum recurring cost. Distributing the product and its data, information, and knowledge involves a near zero cost. Hence, the value of software lies in its ability to increase returns to an uncountably large scale.
External Effects
The potential for external effects is high. When software vendors ship products with known defects, the cost burden shifts from the vendor to the user increasing the total cost of ownership. Defects that cause the user to reboot have been shown to be largely tolerated with little push back. Defects that expose security vulnerabilities and push patch management costs onto users have crossed the line and are now generating substantial push back.
When scarce resources appear to be free, it may be that the real cost is borne not by the individual but by the broader community. For example, the Internet operates at a near zero cost in dollars. However, it brings with it a social cost, a risk to financial security, and a risk to personal privacy.
Free Riders
The potential for free riders is high. The Internet is a near zero cost item. Proposals to tax Internet activities have been met with stiff resistance. The acceptance and use of free and open source software is increasing. Essentially the entire community of Internet users consists of free riders who wish to remain so.
The software industry and the Internet provide a free market of opportunity. However, a company that fails to exercise due diligence and professional responsibility and instead ships products with known defects is operating as a free rider on the good will of users and the public, placing the entire industry in jeopardy.
Problems of the Commons
The potential for problems of the commons is high. Security vulnerabilities and incidents continue to plague the Internet commons. Invasion of privacy and loss of identity are commonplace. Spammers operate undetected in unregulated free space. Both businesses and individuals are experiencing an increased feeling of helplessness when it comes to security, privacy, and spam.
The Internet has become the common grazing area. Here there exists a culture of cooperation and a hands off policy by the government. The result is transactions on the Internet are not burdened by an Internet tax. But spam is not under control, privacy of personal information is unprotected, piracy of intellectual property is unabated, and security vulnerabilities expose the critical infrastructure to widespread terrorism.
Unintended Consequences
The potential for unintended consequences is high. With the high potential for complementary products, contingent behaviors, and multiplier effects, unintended consequences are likely. Not all behaviors of a system are intended or fully understood; consequently, the behaviors of systems of systems cannot be fully understood and bring with them surprises.
Public Policy Measures Impacting on Resiliency
Analyzed in the context of market design principles, resiliency in the critical infrastructure suffers three fatal flaws. First, the market for resiliency lacks thickness; that is, an insufficient proportion of potential market participants come together to transact. Second, faced with adversity, the operation of the critical infrastructure may be impacted by congestion resulting from the crosscutting, cascading, and propagating effects of systems of systems. Third, participants do not find the market safe and choose instead to operate outside the marketplace to avoid moral hazard; that is, they transact in public/private partnerships, which become dysfunctional due to the go along, get along culture. The role of public policy is to eliminate these fatal flaws by incentivizing a sufficient proportion of potential market participants to come together through tax policy and insurance mechanisms, and by indemnifying participants for a reasonable range of consequences against the moral hazard concerns raised by self-help remedies.
The Theory of Expected Utility [Poulton 94] favors outcomes that obtain the most benefit and incur the least loss. However, an enterprise has an obligation and a fiduciary responsibility to apply due diligence on behalf of its customers, its stockholders, and the public. Public policy measures for assuring the resiliency of the critical infrastructure need to be considered in the broad context of barriers and incentives for security economics [ENISA 08].
1. Inexpert executives often operate in an information vacuum and refuse to pay a premium for quality resulting in cheap products that drive out good solutions.
2. Free riders rely on the security investments of others in the public commons with exposure resting on third party users. Also free riders may be reluctant to share information.
3. Risk management practices focus more on avoiding the consequences of liability than on fielding secure systems, for example, the shrink wrap disclaimers of software suppliers.
4. Commoditized solutions morph into widespread single points of failure, for example, the Internet, Microsoft, and GPS.
5. The legal framework for Cyber Security protection and enforcement is sparsely populated and immature with the issue of personal privacy unresolved and impacting information sharing.
The reluctance to share information is maintained through barriers to sharing security information that include loss of reputation and trust, risk of liability, negative effects on financial markets, and signal of weakness to adversaries. Nevertheless, those that possess superior knowledge and use it to insulate themselves from risk are subject to moral hazard when they refuse to share information and leave others to suffer the consequences. Such is the case when the executives in the private sector associated with the critical infrastructure refuse to share sufficient information to identify and assess the consequences of cross cutting issues. A key example of a moral hazard is the refusal to coordinate recovery time objectives among the industry sectors of the critical infrastructure when failure to do so obscures foreseeable consequences to customers and the public. In applying due diligence on behalf of its customers, its stockholders, and the public, the enterprise has an obligation to tell the truth, the whole truth, and nothing but the truth.
Assuring the resiliency of the critical infrastructure calls for more than public/private partnerships; it demands signing onto a management, process, and engineering maturity framework for resiliency. With such a framework, we would be in a position to move beyond a mere voluntary approach to critical infrastructure security to a managed strategic approach of management, process, and engineering capabilities and solutions employing a constellation of public policy measures spanning market-driven tactics, self-help remedies, targeted investment, insurance mechanisms, import tariffs, tax policy, guiding regulations, and targeted legislation.
It is too simple to view public policy as regulation. Instead public policy is driven by the political process, fluctuating between hands off and hands on control. These fluctuations are realized by altering the mix of public policy tactics applied. While complacency and neglect within the private sector have opened the door for regulation, the public policy goal is to accord as much self-determination as possible and invoke as little government regulation as necessary. The intricacies of these public policy measures suggest a staged rollout of alternating incentives and regulations following the natural progression of the framework. Balancing the duality of market driven incentives and regulatory measures is a challenge, one that requires a high degree of sophistication.
For example, suppose the Banking and Finance sector took it upon itself to back up its electrical and telecommunications dependencies in some innovative but nonstandard way that satisfied some critical customers but not others and complied with some regulatory provisions but not others. Would indemnification be useful in opening the way to such innovation?
Public Policy Measures
Some public policy tactics that stimulate innovation and technology and that eliminate shortfall in its deployment include the following:
1. Market driven tactics are centered around industry standards activities, voluntary compliance, and public-private collaboration for information sharing.
2. Self-help remedies are government sanctioned, low cost actions whose practitioners are usually accorded the benefit of the doubt. For example, consider the electronic repossession of a vehicle by satellite signal shut down after it violates terms of agreement for speed or location.
3. Targeted investment and funding can be used to stimulate research in critical areas.
4. Insurance mechanisms can be used to reduce business resistance where unknown or low probability of occurrence events are involved.
5. Import tariffs on offshore outsourcing have been considered by some. Tariffs would be used to produce revenue to fund domestic software research and education. In addition, tariffs would be structured to even the playing field for the domestic software workforce.
6. Tax policy, such as, the Research and Engineering Tax Credit, can be powerful, but it is difficult to get all stakeholders on the same page. These include the creators of technology, the users of technology, the legislative community, the legal profession, and the judicial arm.
7. Guiding regulations are useful as mid-course corrections to achieve policy goals and as clarifications where they are needed, such as, export controls and antitrust litigation.
8. Targeted legislation appears attractive; however, Congressional leaders often lack a sufficient understanding of technology and software issues. Consequently, legislation enacted for one purpose may possess side effects that lead to unintended consequences. Examples include the H-1B high-tech immigration visa program, UCITA, the Clinger-Cohen Act, the Freedom of Information Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
Public Policy as an Instrument of Deployment
The current public/private partnership approach to Cyber Security is stalled with its participants adopting a "go along, get along" posture. Suppliers and security vendors seem to cling to the Critical Infrastructure Protection (CIP) paradigm at the expense of consumers and the public who need Critical Infrastructure Resilience (CIR).
To what extent is the current impasse due to a lack of commitment or to a lack of know how?
1. If the shortfall is commitment, then we need the carrot and stick to energize the community.
2. If the shortfall is know how, then we need research and engineering and targeted investment to enlighten the community.
Either way, we need to expand our thinking on public policy measures for Cyber Security beyond commoditized protection to higher ground that includes audited processes, certified engineering, and research and engineering.
Both government and industry have responsibilities to reconcile the conflicting factors falling along the following lines:
1. While the government cannot make us safe from a Cyber Attack, it can tilt the business calculation toward security through tax credits, insurance mechanisms and indemnification designed to reward security readiness.
2. Since the industry's software products make us vulnerable to a Cyber Attack, industry must make the sacrifices needed to achieve security by rebalancing its cost effectiveness tactics and ensuring the readiness and survivability of software products.
Deployment of the maturity framework is accelerated by selecting the right mix of public policy measures. The right mix of public policy accords as much self-determination as possible and invokes as little regulation as necessary [Figure 1]. Public policy needs to tilt towards market driven incentives.
Figure 1. Market Driven Incentives vs. Regulatory Measures

Public Policy Principles for Assuring Resiliency
While business interests and fiduciary responsibilities trump the public interest, the innovative challenge for government policy makers is to structure a constellation of public policy measures in such a way as to permit private industry executives the freedom to align their fiduciary responsibilities with the public interest through market driven incentives. Reluctance to fully cooperate centers around legal, financial, and competitiveness issues [NDU 08].
What are the public policy principles for assuring Cyber Security resiliency within the critical infrastructure?
1. Each sector enterprise must be free to animate or attenuate its reputation whether it is based on public trust, customer loyalty, or customer satisfaction.
2. Each sector enterprise must be free to adopt innovative, nonstandard approaches with indemnification for a reasonable range of consequences.
3. Each sector enterprise must receive assistance to invest in demonstrating the achievement of system survivability and the achievement of system of systems resiliency.
4. Each sector enterprise must be offered insurance benefits tied to its demonstrated commitment to security assurance and defense in depth, calculation of security return on investment report, and business continuity and supply chain management.
5. Each sector enterprise must be offered tax benefits including Research and Engineering Tax Credits for demonstrating business continuity through supply chain management, demonstrating the achievement of system survivability, and demonstrating the achievement of system of systems resiliency.
6. Import tariffs on offshore outsourcing have been considered by some to assist in promoting the global sourcing aspect of business continuity.
7. Each sector enterprise must accept guiding regulations associated with defense in depth, business continuity assessment, system survivability, and system of systems resiliency.
8. Each sector enterprise is mandated to publish an annual assessment report of its security assurance assertions, validating arguments, and verifying evidence associated with demonstrating commitment to security and security in depth, demonstrating business continuity and compliance management, demonstrating achievement of system survivability, and demonstrating achievement of system of systems resiliency.
Framing Public Policy to Impact Resiliency
Now is the time to address the resiliency of the critical infrastructure. It has not been done in the past, and the future may be increasingly uncertain. Complacency and vulnerability are a dangerous combination. A constellation of public policy measures should be rolled out to increase focus on the assurance of resilience [Table 1].
What are the Cartesian Coordinates circumscribing the assurance of resiliency?
a. Commitment to security
b. Security in depth
c. Business continuity
d. System survivability
e. System of systems resiliency
What is the Constellation of public policy measures?
a. Market-driven tactics
b. Self-help remedies
c. Targeted investment
d. Insurance mechanisms
e. Tax policy
f. Import tariffs
g. Guiding regulations
h. Targeted legislation
Where do the opportunities to impact resiliency with public policy measures lie?
a. Cartesian Coordinates circumscribing the assurance of resiliency
b. Constellation of public policy measures
Table 1. Cartesian Coordinates of Resiliency and Constellation of Public Policy

Public Policy Measures    | Commitment to security | Security in depth | Business continuity | System survivability | System of systems resiliency
--------------------------|------------------------|-------------------|---------------------|----------------------|-----------------------------
a. Market-driven tactics  | A                      |                   |                     |                      |
b. Self-help remedies     |                        | B                 | C                   | D                    | E
c. Targeted investment    |                        |                   |                     | D                    | E
d. Insurance mechanisms   |                        | B                 | C                   | D                    | E
e. Tax policy             |                        |                   | C                   | D                    | E
f. Import tariffs         |                        |                   | C                   |                      |
g. Guiding regulations    |                        |                   |                     | D                    | E
h. Targeted legislation   |                        |                   |                     |                      | E

Notes:
A - Transparent assessment of commitment
B - Commoditized protection
C - Audited process
D - Certified engineering
E - Research and engineering
The deployment of the Maturity Framework for Assuring Resiliency Under Stress would be accelerated by selecting the right mix of public policy measures that promote market driven incentives as much as possible and invoke regulatory measures only where necessary to lock in the gains. Balancing the duality of market driven incentives and regulatory measures is a challenge, one that requires a high degree of sophistication. Let's explore these intricacies.
Reading table 1 by Public Policy Measure:
1. Market-driven tactics may assist in promoting enterprise commitment to security.
2. Self-help remedies may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency.
3. Targeted investment may assist in promoting system survivability and system of systems resiliency.
4. Insurance mechanisms may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency.
5. Tax policy may assist in promoting business continuity, system survivability, and system of systems resiliency.
6. Import tariffs may assist in promoting the global sourcing aspect of business continuity.
7. Guiding regulations may assist in promoting system survivability and system of systems resiliency.
8. Targeted legislation may assist in promoting system of systems resiliency.
Reading table 1 by Cartesian Coordinate:
1. Commitment to security depends on the transparent assessment of commitment assisted by market driven tactics.
2. Security in depth depends on commoditized protection assisted by self-help remedies and insurance mechanisms.
3. Business continuity depends on audited processes assisted by self-help remedies, insurance mechanisms, tax policy, and import tariffs.
4. System survivability depends on certified engineering assisted by self-help remedies, targeted investment, insurance mechanisms, tax policy, and guiding regulations.
5. System of systems resiliency depends on research and engineering assisted by self-help remedies, targeted investment, insurance mechanisms, tax policy, guiding regulations, and targeted legislation.
A planned program of deployment is organized by the natural adoption order inherent in the levels of maturity and balanced by incentives and regulatory aspects inherent in the public policy measures.
1. Public policy measures possessing inherent incentives include market-driven tactics, self-help remedies, targeted investment, insurance mechanisms, tax policy, and indemnification.
2. Public policy measures possessing inherent regulatory aspects include import tariffs, guiding regulations, and targeted legislation.
Deployment begins by overcoming resistance and instilling the will to achieve resiliency. First, inertia must be overcome by a mandate requiring each enterprise throughout the nation's critical infrastructure to conduct an assessment of resiliency assurance maturity and to publicly report the results.
1. Level 2 calls for commitment to security and security in depth, and these are reinforced by incentives including self-help remedies and insurance mechanisms.
2. Level 3 calls for business continuity and this is reinforced by incentives including self-help remedies, insurance mechanisms and tax policy and offset by the regulatory aspect of import tariffs.
3. Level 4 calls for system survivability, and this is reinforced by self-help remedies, indemnification, targeted investment, insurance mechanisms, and tax policy and offset by the regulatory aspect of guiding regulations.
4. Level 5 calls for system of systems resiliency, and this is reinforced by self-help remedies, indemnification, targeted investment, insurance mechanisms, and tax policy and offset by the regulatory aspect of guiding regulations and targeted legislation.
Table 2 portrays the public policy incentives for increasing levels of confidence assigned to the evidence supporting the arguments at each maturity level. These incentives reward telling the truth, the whole truth, and nothing but the truth during a resiliency assurance maturity assessment. The maximum incentives are reserved for arguments backed up by evidence that is considered beyond the shadow of a doubt. When Level 2 demonstrates management commitment and commoditized security in depth, the enterprise may access insurance mechanisms. When Level 3 demonstrates business continuity and necessary compliance, the enterprise may access additional insurance mechanisms and tax benefits. When Levels 4 and 5 demonstrate necessary engineering and innovation, the enterprise may access targeted investment, self-help remedies are backed up by indemnification, and additional insurance mechanisms and tax benefits are available.
Table 2. Public Policy Incentives for Increasing Levels of Confidence

Maturity Level                                    | Preponderance of the Evidence | Clear and Convincing Evidence                                             | Evidence Beyond the Shadow of a Doubt
--------------------------------------------------|-------------------------------|---------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
Level 2: Enterprise Commitment Management         | Self-help remedies            | Self-help remedies                                                        | Self-help remedies; insurance mechanisms
Level 3: Enterprise Business Continuity           | Self-help remedies            | Self-help remedies; insurance mechanisms                                  | Self-help remedies; insurance mechanisms; tax policy; import tariffs
Level 4: System Survivability Engineering         | Self-help remedies            | Self-help remedies; targeted investment; insurance mechanisms; tax policy | Self-help remedies; indemnification; targeted investment; insurance mechanisms; tax policy
Level 5: System of Systems Resiliency Engineering | Self-help remedies            | Self-help remedies; targeted investment; insurance mechanisms; tax policy | Self-help remedies; indemnification; targeted investment; insurance mechanisms; tax policy
Staging Public Policy Rollout
Organizing and ordering incentives and timing regulatory measures demand sophistication. How well can the government position itself as a player within a market-driven system? Above all, it is necessary to preserve market-driven freedom to enhance the reputation of the enterprise. Self-help remedies, insurance mechanisms, and tax policy then become the catalyst for the early incentives needed to trigger and encourage widespread adoption. Once there is traction, the resiliency maturity assessment mandate can be introduced as a means to stimulate competition among peers to improve resiliency maturity assurance. With adoption moving well beyond early adopters and momentum building, the more heavy-duty incentives kick in including indemnification for self-help remedies, targeted investment, and additional insurance and tax benefits. Finally guiding regulations are introduced to achieve the best possible alignment among all focus areas and all industry sectors.
Sequencing the rollout of public policy measures is governed by the natural progression of the Resiliency Maturity Framework and guided by the need to stage incentives and regulations in a way to obtain and sustain the engagement of the critical infrastructure community.
Applying the public policy principles for assuring resiliency, a four-stage public policy rollout sequence flow is produced [figure 2]. These stages feature alternating incentives and regulations.
1. Stage 1 provides the incentives to adopt the Resiliency Maturity Framework levels 2 and 3 through self-help remedies, insurance mechanisms, and tax policy.
2. Stage 2 introduces the regulatory mandate to conduct annual assessments throughout the critical infrastructure to obtain a baseline of measured results.
3. Stage 3 provides additional incentives to adopt the Resiliency Maturity Framework including indemnification for self-help remedies, and targeted investment, insurance, and tax policy for levels 4 and 5.
4. Stage 4 introduces the late stage guiding regulations needed to harmonize the operations of the critical infrastructure.
Figure 2. Four-Stage Public Policy Rollout

See Appendix B for an association of Public Policy Candidates by Public Policy Measure. See Appendix C for an enumeration of Applicable Public Policy Measures for Leading Indicators.
APPENDICES
Appendix A. Resiliency Assurance Assessment Questions
A- Transparent assessment of commitment
1. Is there a demonstrated inability to advance enterprise security assurance?
1.1 Has no evidence of apathy through interview questions and answers been exhibited?
1.2 Has no evidence of denial through interview questions and answers been exhibited?
1.3 Has no evidence of management inaction through interview questions and answers been exhibited?
1.4 Has no evidence of lack of engineering know how through interview questions and answers been exhibited?
B- Commoditized protection
2. Is there a demonstrated enterprise commitment to security assurance through strategic management, internal processes, and defense in depth?
2.1 Has a global software competitiveness assessment been conducted using criteria and questions resulting in findings and recommendations?
2.2 Has a competitiveness versus security tradeoff been conducted using criteria resulting in findings?
2.3 Has a Security Return on Investment with input parameters and computed result for initial determination and verification through actual results been conducted?
2.4 Has a Chief Security Officer (CSO) leadership program been established with explicit commitments, training, and defined activities?
2.5 Has a security assurance operations infrastructure with initiation, process enactment, and oversight artifacts been instituted?
2.6 Is configuration management with traceability to changes utilized?
2.7 Is encryption utilized?
2.8 Is identity management utilized?
2.9 Is access control utilized?
2.10 Is authorization management utilized?
2.11 Is accountability management utilized?
C- Audited process
3. Is there demonstrated business continuity assurance through compliance management, external processes, and product engineering?
3.1 Is regulatory compliance for specified policies managed?
3.2 Is aspect oversight and assessment for specified attributes conducted?
3.3 Is global sourcing for each node in the supply chain and its management, process, and engineering aspects managed?
3.4 Is risk of management, process and engineering aspects managed?
3.5 Are crisis management readiness exercises spanning people, process, technology infrastructure, connectivity, and interoperability for the enterprise and its dependent partners managed?
3.6 Are open source trustworthiness and security aspects managed?
3.7 Are commercial off the shelf trustworthiness and security aspects managed?
3.8 Are security assurance evaluation tools for legacy software, new development, outsourced, open source, and commercial off the shelf software utilized?
D- Certified engineering
4. Is there demonstrated achievement of system survivability through the management of faults and failures, sustainability processes, and RMA engineering?
4.1 Are incidents managed?
4.2 Are cyber forensics monitored?
4.3 Are defects, faults, and failures managed?
4.4 Is resistance engineered?
4.5 Is recognition engineered?
4.6 Is recovery engineered?
4.7 Is reconstitution engineered?
4.8 Is reliability engineering performed?
4.9 Is availability engineering performed?
4.10 Is maintainability engineering performed?
E- Research and engineering
5. Is there demonstrated achievement of system of systems resiliency through the management of external interactions and dependencies, the control of distributed supervisory control processes, and the practice of Next Generation software engineering?
5.1 Are recovery time objectives coordinated?
5.2 Is interoperability of data and information exchange coordinated?
5.3 Is operation sensing and monitoring applied?
5.4 Is distributed supervisory control applied?
5.5 Is information and data recovery applied?
5.6 Is Next Generation software engineering exploited?
Appendix B. Public Policy Candidates by Public Policy Measure
Market-driven tactics may assist in promoting enterprise commitment to security. Self-help remedies may assist in promoting security in depth. Targeted investment may assist in promoting system survivability and system of systems resiliency. Insurance mechanisms may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency. Import tariffs may assist in promoting the global sourcing aspect of business continuity. Tax policy may assist in promoting security in depth, business continuity, system survivability, and system of systems resiliency. Guiding regulations may assist in promoting system survivability and system of systems resiliency. Targeted legislation may assist in promoting system of systems resiliency.
a. Market Driven Tactics
Market driven tactics are centered around industry standards activities, voluntary compliance, and public-private collaboration for information sharing.
Each sector enterprise must be free to animate or attenuate its reputation whether it is based on public trust, customer loyalty, or customer satisfaction.
These tactics assist in promoting enterprise commitment to security and promote competitiveness and security assessment results, Security Return on Investment results, incident management results, Chief Security Officer (CSO) Leadership Program, security assurance operations, and aspect oversight and assessment.
b. Self-help Remedies
Self-help remedies are government sanctioned, low cost actions whose practitioners are usually accorded the benefit of the doubt.
Each sector enterprise must be free to adopt innovative, nonstandard approaches with indemnification for consequences.
These remedies assist in promoting commoditized protection associated with security in depth and are based on access control, identity management, authorization management, and accountability management.
For example, suppose the Banking and Finance sector took it upon itself to back up its electrical and telecomm dependencies in some innovative but nonstandard way that satisfied some critical customers but not others, and that complied with some regulatory provisions but not others. Would indemnification be useful in opening the way to such innovation?
c. Targeted Investment
Targeted investment and funding can be used to stimulate research in critical areas.
Each sector enterprise must receive assistance to invest in demonstrating the achievement of system survivability and the achievement of system of systems resiliency.
These investments assist in promoting certified engineering associated with system survivability when directed at resistance, recognition, recovery, and reconstitution, and research and engineering associated with system of systems resiliency when directed at operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.
d. Insurance Mechanisms
Insurance mechanisms can be used to reduce business resistance where unknown or low probability events are involved.
Each sector enterprise must be offered insurance benefits tied to its demonstrated commitment to security assurance, defense in depth, business continuity, system survivability, and system of systems resiliency.
These mechanisms assist in promoting commoditized protection associated with security in depth, calculation of security return on investment, audited process associated with business continuity and supply chain management, certified engineering associated with system survivability, and research and engineering associated with system of systems resiliency.
e. Tax Policy
Tax policy, such as the Research and Engineering Tax Credit, can be a powerful incentive.
Each sector enterprise must be offered tax benefits including Research and Engineering Tax Credits for demonstrating business continuity through supply chain management, demonstrating the achievement of system survivability, and demonstrating the achievement of system of systems resiliency.
Tax policy assists in promoting commoditized protection associated with security in depth, audited process associated with business continuity and global sourcing, certified engineering associated with system survivability and resistance, recognition, recovery, and reconstitution, and research and engineering associated with system of systems resiliency and operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.
f. Import Tariffs
Import tariffs on offshore outsourcing have been considered by some to assist in promoting the global sourcing aspect of business continuity.
g. Guiding Regulations
Guiding regulations are useful as mid-course corrections to achieve policy goals and as clarifications where they are needed.
Each sector enterprise must accept guiding regulations associated with system survivability and system of systems resiliency.
These regulations assist in promoting certified engineering associated with system survivability and research and engineering associated with system of systems resiliency. Regulations are needed to align security assurance operations, configuration management, encryption, identity management, access control, authorization management, accountability management, regulatory compliance, global sourcing, coordinated Recovery Time Objectives, and interoperability of data and information exchange.
h. Targeted Legislation
Targeted legislation appears attractive; however, Congressional leaders often lack a sufficient understanding of technology and software issues.
Each sector enterprise must be mandated to publish an annual assessment report of its security assurance assertions, validating arguments, and verifying evidence associated with demonstrating commitment to security and security in depth, demonstrating business continuity and compliance management, demonstrating achievement of system survivability, and demonstrating achievement of system of systems resiliency.
This legislation assists in promoting research and engineering associated with system of systems resiliency and its operation sensing and monitoring, distributed supervisory control, information and data recovery, and Next Generation Software Engineering.
Appendix C. Applicable Public Policy Measures for Leading Indicators
Competitiveness Versus Security Assessment and Tradeoff [a, h]
a. Market-driven tactics to promote assessment results
h. Targeted legislation to require assessments
Security Return on Investment [a, d]
a. Market-driven tactics to promote Security Return on Investment results
d. Insurance mechanisms based on Security Return on Investment results
Incident Management [a, d]
a. Market-driven tactics to promote incident management results
d. Insurance mechanisms based on incident management results
Chief Security Officer (CSO) Leadership Program [a, d, h]
a. Market-driven tactics to promote Chief Security Officer (CSO) Leadership Program
d. Insurance mechanisms based on Chief Security Officer (CSO) Leadership Program
h. Targeted legislation to require Chief Security Officer (CSO) Leadership Program
Security Assurance Operations [a, d, g, h]
a. Market-driven tactics to promote security assurance operations
d. Insurance mechanisms based on security assurance operations
g. Guiding regulation to align security assurance operations
h. Targeted legislation to require security assurance operations
Configuration Management [d, g, h]
d. Insurance mechanisms based on configuration management
g. Guiding regulation to align configuration management
h. Targeted legislation to require configuration management
Encryption [g, h]
g. Guiding regulation to align encryption
h. Targeted legislation to require encryption
Identity Management [b, g, h]
b. Self-help remedies based on identity management
g. Guiding regulation to align identity management
h. Targeted legislation to require identity management
Access Control [b, g, h]
b. Self-help remedies based on access control
g. Guiding regulation to align access control
h. Targeted legislation to require access control
Authorization Management [b, g, h]
b. Self-help remedies based on authorization management
g. Guiding regulation to align authorization management
h. Targeted legislation to require authorization management
Accountability Management [b, g, h]
b. Self-help remedies based on accountability management
g. Guiding regulation to align accountability management
h. Targeted legislation to require accountability management
Regulatory Compliance [d, g, h]
d. Insurance mechanisms based on regulatory compliance
g. Guiding regulation to align regulatory compliance
h. Targeted legislation to require regulatory compliance
Aspect Oversight & Assessment [a, b]
a. Market-driven tactics to promote aspect oversight and assessment
b. Self-help remedies based on aspect oversight and assessment
Global Sourcing [b, d, e, f, g, h]
b. Self-help remedies based on global sourcing
d. Insurance mechanisms based on global sourcing
e. Tax policy to promote global sourcing
f. Import tariffs to promote global sourcing
g. Guiding regulation to align global sourcing
h. Targeted legislation to require global sourcing
Risk Management [b, d]
b. Self-help remedies based on risk management
d. Insurance mechanisms based on risk management
Crisis Management [b, d]
b. Self-help remedies based on crisis management
d. Insurance mechanisms based on crisis management
Open Source [a, b]
a. Market-driven tactics to promote open source
b. Self-help remedies based on open source
Commercial Off the Shelf [a]
a. Market-driven tactics to promote commercial off the shelf
Security Assurance Evaluation Tools [d]
d. Insurance mechanisms based on security assurance evaluation tools
Incident Management [a, d]
a. Market-driven tactics to promote incident management results
d. Insurance mechanisms based on incident management
Cyber Forensics [a, d]
a. Market-driven tactics to promote cyber forensics results
d. Insurance mechanisms based on cyber forensics
Management of Defects, Faults, and Failures [a, d]
a. Market-driven tactics to promote management of defects, faults, and failures results
d. Insurance mechanisms based on management of defects, faults, and failures
Resistance [a, b, c, d, e]
a. Market-driven tactics to promote resistance results
b. Self-help remedies based on resistance
c. Targeted investment directed at resistance
d. Insurance mechanisms based on resistance
e. Tax policy to promote resistance
Recognition [a, b, c, d, e]
a. Market-driven tactics to promote recognition results
b. Self-help remedies based on recognition
c. Targeted investment directed at recognition
d. Insurance mechanisms based on recognition
e. Tax policy to promote recognition
Recovery [a, b, c, d, e]
a. Market-driven tactics to promote recovery results
b. Self-help remedies based on recovery
c. Targeted investment directed at recovery
d. Insurance mechanisms based on recovery
e. Tax policy to promote recovery
Reconstitution [a, b, c, d, e]
a. Market-driven tactics to promote reconstitution results
b. Self-help remedies based on reconstitution
c. Targeted investment directed at reconstitution
d. Insurance mechanisms based on reconstitution
e. Tax policy to promote reconstitution
Reliability Engineering [d]
d. Insurance mechanisms based on Reliability Engineering
Availability Engineering [d]
d. Insurance mechanisms based on Availability Engineering
Maintainability Engineering [d]
d. Insurance mechanisms based on Maintainability Engineering
Coordinated Recovery Time Objectives [g, h]
g. Guiding regulation to align coordinated Recovery Time Objectives
h. Targeted legislation to require coordinated Recovery Time Objectives
Interoperability of Data and Information Exchange [g, h]
g. Guiding regulation to align interoperability of data and information exchange
h. Targeted legislation to require interoperability of data and information exchange
Operation Sensing and Monitoring [b, c, e]
b. Self-help remedies based on operation sensing and monitoring
c. Targeted investment directed at operation sensing and monitoring
e. Tax policy to promote operation sensing and monitoring
Distributed Supervisory Control [b, c, e]
b. Self-help remedies based on distributed supervisory control
c. Targeted investment directed at distributed supervisory control
e. Tax policy to promote distributed supervisory control
Information and Data Recovery [b, c, e]
b. Self-help remedies based on information and data recovery
c. Targeted investment directed at information and data recovery
e. Tax policy to promote information and data recovery
Next Generation Software Engineering [c, e]
c. Targeted investment directed at Next Generation Software Engineering
e. Tax policy to promote Next Generation Software Engineering