
A Framework for Programming and Budgeting for Cybersecurity

John S. Davis II, Martin C. Libicki, Stuart E. Johnson, Jason Kumar, Michael Watson, Andrew Karode

For more information on this publication, visit www.rand.org/t/TL186

Library of Congress Cataloging-in-Publication Data is available for this publication.
ISBN: 978-0-8330-9256-4

Published by the RAND Corporation, Santa Monica, Calif.
© Copyright 2016 RAND Corporation
R® is a registered trademark.

Limited Print and Electronic Distribution Rights

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.html.

The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.

RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors.

Support RAND
Make a tax-deductible charitable contribution at www.rand.org/giving/contribute

www.rand.org

Preface

The U.S. Department of Homeland Security (DHS) has primary responsibility for the security of the nation’s unclassified cyber networks. To function, the nation’s economy and government have become increasingly dependent on reliable and secure networks, making this mission increasingly critical.
This study examines the capabilities presented in the DHS report Blueprint for a Secure Cyber Future and how these capabilities fit within the context of a broad set of cybersecurity activities that can be used to defend a network. This study recommends an approach to evaluating cybersecurity defensive activities.

The study was sponsored by Program, Analysis, and Evaluation (PA&E) of the Office of the Chief Financial Officer, DHS. It will be of interest to policymakers and program managers who have responsibility for cybersecurity, particularly of the nation’s unclassified networks.

This study builds on a broad set of studies that RAND has done in the fields of cybersecurity and of program analysis.

The RAND Homeland Security and Defense Center

The research reported here was conducted in the Homeland Security and Defense Center (HSDC), which conducts analysis to prepare and protect communities and critical infrastructure from natural disasters and terrorism. Center projects examine a wide range of risk-management problems, including coastal and border security, emergency preparedness and response, defense support to civil authorities, transportation security, domestic intelligence, and technology acquisition. Center clients include the U.S. Department of Homeland Security, the U.S. Department of Defense, the U.S. Department of Justice, and other organizations charged with security and disaster preparedness, response, and recovery.

HSDC is a joint center of two research divisions: RAND Justice, Infrastructure, and Environment and the RAND National Security Research Division. RAND Justice, Infrastructure, and Environment is dedicated to improving policy and decisionmaking in a wide range of policy domains, including civil and criminal justice, infrastructure protection and homeland security, transportation and energy policy, and environmental and natural resource policy.
The RAND National Security Research Division conducts research and analysis for all national security sponsors other than the U.S. Air Force and the Army. The division includes the National Defense Research Institute, a federally funded research and development center whose sponsors include the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the defense agencies, and the U.S. Department of the Navy. The National Security Research Division also conducts research for the U.S. intelligence community and the ministries of defense of U.S. allies and partners.

Contents

Preface
Figures
Summary
Acknowledgments
Abbreviations

CHAPTER ONE
Motivation

CHAPTER TWO
Core Concepts
  Goal: Reduce the Expected Cost of Cyberattacks
  Ring 1: Four Basic Strategies
  The Basis of Our Approach
  The Benefits of Our Approach

CHAPTER THREE
Ring 2
  Ring 2: Minimize Exposure
  Ring 2: Neutralize Attacks
  Ring 2: Increase Resilience
  Ring 2: Accelerate Recovery

CHAPTER FOUR
Ring 3
  Ring 3: Resilience → Take Resilience Steps
  Ring 3: Resilience → Conform to Resilience Guidelines
  Ring 3: Resilience → Improve Cross-System Engineering
  Ring 3: Recovery → Generate Rapid Response Plans
  Ring 3: Recovery → Increase Response Competence
  Ring 3: Recovery → Build the Ability to Restore Systems
  Ring 3: Exposure → Reduce the Number of Networked Machines
  Ring 3: Neutralize Attack → Reduce the Number of Cyberattack Attempts
  Ring 3: Neutralize Attack → Counter the Insider Threat
  Ring 3: Neutralize Attack → Develop Mitigations for Specific Known Threats
  Ring 3: Neutralize Attack → Block Cyberattacks
  Ring 3: Neutralize Attack → Ensure the Quality of a System’s Hardware and Software
  Ring 3: Neutralize Attack → Systematically Reduce Risks Inherent in the Network
  Ring 3: Neutralize Attack → Improve the Security-Related Competence of System Administrators
  Ring 3: Neutralize Attack → Test Systems Against Simulated Attacks
  Ring 3: Neutralize Attack → Defend Against DDOS Attacks
  Ring 3: Neutralize Attack → Reduce the Amount of Material Exfiltrated by Attacks

CHAPTER FIVE
Using This Work
  Auditing Mechanism
  Prescriptive Mechanism
  Improving the Cyberdefensive Actions
  Applying the Model to Broader IT Compliance Efforts

CHAPTER SIX
Conclusion

References

Figures

S.1. The Cyber Sunburst Graph
2.1. The Cyber Sunburst Graph
2.2. The Four Basic Strategies
3.1. The “Minimize Exposure” Strategy with Actions
3.2. The “Neutralize Attacks” Strategy with Actions