Lincoln White Paper

Improving State and Local Governments’ Acquisition Security Management
Strengthen information sharing about potential vulnerabilities in commercial technologies
Dan Lips

EXECUTIVE SUMMARY

State and local governments are on the front lines of the national effort to protect American citizens from cybersecurity attacks. They are responsible for providing public safety and managing elections. State and local agencies hold some of our most sensitive information, including financial and health records. State and local education agencies manage the personal information belonging to more than 50 million schoolchildren and their parents. All of these vital national services face serious threats from potential cyberattacks.

But state and local governments have limited cybersecurity expertise and capacity. In January 2020, the National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) issued a report describing state governments’ increasing responsibilities for supporting the cybersecurity needs of local government agencies, which often have few resources. State governments themselves have scarce resources for addressing cybersecurity vulnerabilities among other responsibilities, including information technology management and federal regulatory compliance.

The federal government has an opportunity and a responsibility to support state and local governments’ cybersecurity postures, including by sharing information about known cybersecurity threats. One way that the federal government can assist state and local governments is by sharing information about known or perceived cybersecurity threats and by providing guidance about information technology acquisitions management.

A review of recent federal and state information technology management policies shows that federal agencies are banning the acquisition and use of certain information technology with links to nation-states that present a cybersecurity threat to the United States. But state governments and local governments continue to purchase and use certain technologies that federal government agencies have deemed unsafe. Specifically, recent reviews warn that state and local agencies continue to use Lexmark, Lenovo, and DJI technology that federal agencies have prohibited.

This report reviews publicly available information about differences in the cybersecurity acquisition policies and practices of federal, state, and local government agencies. It presents the following recommendations to Congress and the executive branch to take immediate actions to strengthen state and local governments’ cybersecurity:

1. Congress and the federal government should improve information sharing about known or perceived cybersecurity threats, consistent with the requirements of 2018 bipartisan legislation.
2. Congress and federal agencies should prohibit federal funds being used by state and local governments to purchase technology, equipment, or services that are identified to pose a cybersecurity threat to the United States by the Federal Acquisition Security Council.
3. Congress, federal agencies, and federal watchdogs should partner with state and local government agencies to assess the presence of potential cybersecurity vulnerabilities within the inventories of state and local government agencies’ current information technology systems.
4. State officials and lawmakers should recognize security risks related to commercial off-the-shelf technology and pursue reforms to align state procurement policies with security recommendations from federal agencies.

Improving information sharing about known cybersecurity threats has been a priority for the federal government over the past decade, under the leadership of the Obama and Trump administrations. Bipartisan legislation passed by Congress has created a venue and legal processes for government agencies and partner organizations to share information about cybersecurity threats and vulnerabilities. In 2021 and beyond, Congress and federal agencies should prioritize sharing information about security vulnerabilities in commercial off-the-shelf technologies with state and local government agencies and other partners. Moreover, Congress should restrict the use of federal grant funding to prohibit states, localities, and tribal and territorial government agencies from purchasing technology or other equipment that would put sensitive data at risk.

BACKGROUND ON STATE AND LOCAL GOVERNMENT CYBERSECURITY CHALLENGES

In 2020, state and local governments faced significant information technology challenges related to COVID-19, including transitioning government workers to teleworking,[1] maintaining essential services,[2] holding a national election,[3] and supporting the unprecedented transition to remote or virtual learning for thousands of school districts affecting millions of children.[4] State and local governments faced these challenges during a period when they were already facing new and increasing cybersecurity threats.

In 2019, states, local governments, schools, and hospitals experienced a dramatic increase in cyberattacks, including ransomware.[5] By one estimate, 140 “local governments, police stations and hospitals [had] been held hostage by ransomware attacks” during the first ten months of 2019.[6] One notable victim was the City of Baltimore, which spent an estimated $18 million on a ransomware attack and related remediation expenses.[7] Overall, cyberattacks against state and local governments have increased by 50 percent since 2017.[8]

State and local governments have limited resources for cybersecurity, despite these rising challenges. A 2020 report published by Deloitte and the National Association of State Chief Information Officers (NASCIO) highlighted the challenges facing states:[9]

• A majority of states spent less than 3 percent of their IT budgets on cybersecurity.
• Just 18 states include a specified line item for cybersecurity in the state budget.
• Fewer than 15 states support local government and public schools by providing training or through other collaborations.
• 42 percent of state CIOs reported inadequate cybersecurity staffing.[10]

Nevertheless, the same survey found that state government employees responsible for information technology and cybersecurity view the likelihood of security incidents in the next year to be greater than in the past.[11]

Not surprisingly, reviews of state governments’ cybersecurity postures have identified potential vulnerabilities and weaknesses. For example, an October 2020 review by SecurityScorecard found that 75 percent of the states and territories “showed signs of a vulnerable IT infrastructure.”[12] A recent survey of state CIOs found that just half had “documented the effectiveness of [their] cybersecurity program with metrics and testing.”[13]

According to the National Governors Association and NASCIO, state officials were seeking to provide additional cybersecurity support to local government agencies and public schools at the beginning of 2020.[14] However, the economic effects of the COVID-19 recession are likely to create new downward pressure on state budgets. According to estimates published by the

NOTES

1. Noelle Knell, “Four States Share Realities of the Transition to Telework,” Government Technology, May 5, 2020, https://www.govtech.com/computing/Four-States-Share-Realities-of-the-Transition-to-Telework.html.
2. Deloitte Insights and National Association of Chief Information Officers (NASCIO), “2020 Deloitte-NASCIO Cybersecurity Study” (October 2020), https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf.
3. Maggie Toulouse Oliver and Paul Pate, “How We Prepared for the 2020 Election during a Pandemic,” StateScoop, September 14, 2020, https://statescoop.com/preparing-election-pandemic-nass/.
4. Kevin Bushweller, “How COVID-19 Is Shaping Tech Use. What That Means When Schools Reopen,” Education Week, June 2, 2020, https://www.edweek.org/ew/articles/2020/06/03/how-covid-19-is-shaping-tech-use-what.html.
5. Dan Lohrmann, “2019: The Year Ransomware Targeted State & Local Governments,” Government Technology, December 23, 2019, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2019-the-year-ransomware-targeted-state--local-governments.html.
6. Allen Kim, “In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks,” CNN, October 8, 2020, https://www.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html.
7. Bruce Sussman, “Baltimore, $18 Million Later: ‘This Is Why We Didn’t Pay the Ransom,’” SecureWorld, June 12, 2019, https://www.secureworldexpo.com/industry-news/baltimore-ransomware-attack-2019.
8. Stephanie Kanowitz, “Cyberattacks on State, Local Government Up 50%,” GCN, September 4, 2020, https://gcn.com/articles/2020/09/04/cyberattacks-state-local-government-climbing.aspx.
9. Deloitte Insights and National Association of Chief Information Officers (NASCIO), “2020 Deloitte-NASCIO Cybersecurity Study Highlights Imperatives for State Governments,” press release, October 14, 2020, https://www.nascio.org/press-releases/2020-deloitte-nascio-cybersecurity-study-highlight/.
10. Deloitte Insights and NASCIO, “2020 Deloitte-NASCIO Cybersecurity Study,” op. cit., https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf.
11. Ibid.
12. Alexander Heid, “SecurityScorecard’s ‘State of the States’ Report Explained,” SecurityScorecard, October 15, 2020, https://securityscorecard.com/blog/securityscore-