Archives page

Posts Tagged ‘Critical Infrastructure’

Insight Session with Nancy Nykamp, Executive Director, Intelligence, TSA November 10

Join us for an Insight Session with

Nancy Nykamp
Executive Director
Office of Intelligence & Analysis
U.S. Transportation Security Administration (TSA)

REGISTER

November is National Critical Infrastructure Security & Resilience Month!  Join us for an inside look at how TSA protects our critical transportation sector through the Office of Intelligence & Analysis.
Ms. Nykamp has served in numerous senior Department of Homeland Security (DHS) and Department of Defense (DOD) positions; building a diverse National Security and counterterrorism portfolio. She currently serves as Executive Director, Office of Intelligence and Analysis, Transportation Security Administration (TSA) where she oversees 30+ highly complex vetting and credentialing programs; execution of security threat assessments on 17+ million personnel with access to the Nation’s transportation sector; risk analysis of the Nation’s transportation sector; and strategic guidance and planning, and governance and optimization for the Office of Intelligence and Analysis.
Ms. Nykamp previously served as TSA Attaché, U.S. Embassy, Berlin, Germany, where she liaised with senior government officials from several European countries to optimize and harmonize aviation security measures. Ms. Nykamp’s first assignment with TSA was as Senior Advisor to the Deputy Administrator, where she was selected for the DHS Senior Executive Service Candidate Development Program (SES CDP).
As part of the DHS SES CDP, she served on executive assignment as Senior Counselor to the Assistant Secretary for International Affairs and Chief Diplomat, DHS, leading several Department initiatives to expand homeland security. She also served on executive assignment as Deputy Federal Security Director, Washington Dulles International Airport, advancing the TSA Administrator’s Risk-Based Security and counterterrorism initiatives.
Prior to joining TSA, Ms. Nykamp held several senior positions in DOD, including Senior Program Manager for international programs, U.S. Special Operations Command, and Senior Civilian Advisor, and Deputy Director for Interagency Operations, Joint Special Operations Command (JSOC).

GTSC Members only.

THE PRIVACY & CIVIL LIBERTIES ASSESSMENT REPORT: WHAT DOES IT REALLY TELL US? A CHIEF PRIVACY OFFICERS’ PERSPECTIVE

The week of April 7, 2014, with little notice or fanfare, the Department of Homeland Security issued its first annual Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014. The report addresses the privacy and civil liberties impacts of certain agencies’ undertakings with respect to critical infrastructure cybersecurity and resilience. It is revealing as much for what it says, as it doesn’t say, with regard to the protection of privacy and civil liberties in the Executive Branch. The report is a study of contrasting approaches to privacy and civil liberties among first tier federal agencies.

On February 12, 2013, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience. Combined, the documents call for the federal government to work with the private sector to strengthen the security and resilience of the Nation’s infrastructure – the vast majority of which is privately owned – and do so in a way that protects the privacy and civil liberties of Americans.

As set forth in the EO 13636 Report, departments and agencies are required to do the following:

  • Develop a technology-neutral voluntary cybersecurity framework;
  • Promote and incentivize the adoption of cybersecurity practices;
  • Increase the volume, timeliness, and quality of cyber threat information sharing;
  • Explore the use of existing regulation to promote cyber security; and
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our CI.

Additionally, PPD-21 requires that departments and agencies:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time;
  • Understand the cascading consequences of infrastructure failures;
  • Evaluate and mature the public-private partnership;
  • Update the National Infrastructure Protection Plan to take into account cyber aspects of infrastructure; and
  • Develop a comprehensive research and development plan.

The Department of Homeland Security (DHS) is the lead agency under the EO and PPD. And, under Section 5 of the Executive Order, Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS, in consultation with the Privacy and Civil Liberties Oversight Board and in coordination with the Office of Management and Budget, are responsible for issuing a privacy and civil liberties assessment, with contributions from the privacy and civil liberties officials of the other agencies covered under the Executive Order (the Departments of Commerce, Defense, Health and Human Services (HHS), Justice, Transportation, Treasury, and Energy; the Office of the Director of National Intelligence (ODNI); and the General Services Administration (GSA)).

“Protections” include the Fair Information Practice Principles and any other privacy or civil liberties policies, principles or frameworks. The Fair Information Practice Principles to be used are those found in Appendix A of the National Strategy for Trusted Identities in Cyberspace, which mirrors the DHS Fair Information Practices (FIPPs), set forth in DHS Privacy Policy Guidance Memorandum 2008-1, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security.

At close to 50 pages, DHS’s section was the most comprehensive, robust assessment contained in the report. The two DHS offices addressed their authorities, frameworks, and involvement with the Administration’s critical infrastructure cybersecurity efforts, and then the four areas in which DHS was carrying out its responsibilities under EO 13636 and PDD 21: Cybersecurity Information Sharing–Sharelines; Expansion of the Enhanced Cybersecurity Services Program; the DHS Private Sector Clearance Program; and the DHS Loaned Executive Program. For each of the four areas, the DHS assessment provided a concise discussion of the agency’s actions, past and present, and the implications for privacy and civil liberties. Importantly, DHS addressed in very meaningful ways the circumstances under which it would use PII. After each area, the assessment listed recommendations to DHS, for a total of seven recommendations, many of which encourage increased transparency, oversight, and education.

The other departments and agencies assessments were far shorter, with far less detail. Significantly, many are sector-specific agencies in sectors with vast amounts of PII about American citizens. This month alone, the Government Accounting Office called out the SEC (GAO-14-419) to improve controls over financial systems and data, the IRS (GAO-14-405) and most notably, the overall lax Federal agency response to data breaches involving PII (GAO-14-487T). This sector-specific PII might well be the target of future cyber incidents, and it certainly would be connected to any future incidents, yet most of the other agencies required by the E.O. could only muster cursory assessments under 10 pages in length.

For example, Treasury, the sector-specific agency for banking and finance, lightly assessed its involvement in four pages with three programs, Critical Infrastructure Private Sector Clearance Program, Voluntary Critical Infrastructure Cybersecurity Program, and Identification of Critical Infrastructure at Greatest Risk. Treasury provided no meaningful discussion of the FIPPs in its assessment, a requirement of the Executive Order.

Defense assessed of the Defense Industrial Base (DIB). Specific initiatives included: the DIB Cyber Security/Information Assurance (CS/IA) Program and the DIB Enhanced Cyber Security Services (DECS). Importantly, Defense noted that a “specific cyber incident may include PII that is incidental to, or embedded in, the information the DIB company has shared with [Defense] for cyber security analysis.” In the absence of a list of affected DIB companies, and the type and amount of PII that could be the subject of a cyber incident, the Defense assessment failed to provide a meaningful discussion of the privacy impacts associated with such sharing.

Justice’s assessment was surprisingly short, four pages, especially given that the Justice Privacy and Civil Liberties Officer is a senior position within the Department and an equal of DHS’s Chief Privacy Officer. The Justice assessment focused on iGuardian, “an unclassified web portal designed to accept cyber intrusion complaints from the private sector.” As the ACLU noted, Justice’s remark that only information that is “relevant” is maintained is dubious in a post-Snowden world, given that all information in the digital realm may be relevant to law enforcement and intelligence agencies.

Commerce’s very brief assessment focused on the National Institute of Standards and Technology’s (NIST) work on the Cybersecurity Framework in collaboration with industry. In fairness to Commerce, NIST has not yet issued its final version of the Framework, arguably limiting its ability to provide a thorough assessment of NIST’s efforts.

HHS – the sector-specific agency for health care – assessment ever so briefly touched on the various aspects of EO 13636 and PPD 21 with which it was involved: Cybersecurity Information Sharing; Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Greatest Risk. Transportation was the same, lightly touching on: Cybersecurity Information Sharing; Development of Cybersecurity Framework; The Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Risk. Energy’s assessment focused on its PPD-21 responsibilities related to the energy sector. Surprisingly, Energy failed to discuss those responsibilities from a civil liberties perspective.

ODNI assessed the implications of its issuance of “instructions for the Intelligence Community (IC) to ensure the timely production of unclassified cyber products to the U.S. homeland that identify a specific targeted entity”, otherwise known as “tearlines.” The ODNI assessment provided a passable discussion on the FIPPs, but in transitioning to the agency’s Intelligence Community responsibilities, it appeared to be accepting as true that any already collected PII was properly corrected. In light of the Snowden revelations and the bulk collection of telecommunications and internet service provider data, this part of the assessment rings hollow.

Finally, GSA addressed its responsibilities under the EO to work with Defense to make recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” GSA came to the remarkable conclusion that its joint report with Defense on acquisition “does not directly impact privacy and civil liberties as personally identifiable information (PII) is not collected, used, or disseminated.”

Taken as a whole, it is clear that privacy is not protected in an equal fashion across the Executive Branch. Many agencies do not grasp the policy implications of the FIPPs. Some did not even bother to address them. Lastly, there was an overall lack of transparency in the agencies’ critical infrastructure cybersecurity efforts. And that may be the most important aspect of this report: it shows how far tier one agencies have to go to get privacy right.

Contributing Author:  Hugo Teufel

Hugo TeufelHugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security.  An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.