AUTHORED BY: TIFFANY EAST ER ADAM EATON HALEY EWING TREY GREEN CHRIS GRIFFIN CHANDLER LEWIS KRISTINA MILLIGAN KERI WEINMAN ADVISOR: DR. DANNY DAVIS 2018-2019 CAPSTONE PROJECT CLIENT: POINTSTREAM, INC. COMPREHENSIVE U.S. CYBER FRAMEWORK KEY ASPECTS OF CRITICAL INFRASTRUCTURE, PRIVATE SECTOR, AND PERSONALLY IDENTIFIABLE INFORMATION 2018 – 2019 Capstone Team The Bush School of Government and Public Service, Texas A&M University Advisor: Danny W. Davis, Ph.D. About the Project This project is a product of the Class of 2019 Bush School of Government and Public Service, Texas A&M University Capstone Program. The project lasted one academic year and involved eight second-year master students. It intends to synthesize and provide clarity in the realm of issues pertaining to U.S. Internet Protocol Space by demonstrating natural partnerships and recommendations for existing cyber incident response. The project was produced at the request of PointStream Inc., a private cybersecurity contractor. Mission This capstone team analyzed existing frameworks for cyber incident response for PointStream Inc. in order to propose a comprehensive and efficient plan for U.S. cybersecurity, critical infrastructure, and private sector stakeholders. Advisor Dr. Danny Davis - Associate Professor of the Practice and Director, Graduate Certificate in Homeland Security Capstone Team Tiffany Easter - MPSA 2019 Adam Eaton - MPSA 2019 Haley Ewing - MPSA 2019 Trey Green - MPSA 2019 Christopher Griffin - MPSA 2019 Chandler Lewis - MPSA 2019 Kristina Milligan - MPSA 2019 Keri Weinman - MPSA 2019 Acknowledgement The Capstone Team would like to express gratitude to COL Phil Waldron, Founder and CEO of PointStream Inc., for this opportunity and invaluable support throughout the duration of this project. We would also like to thank the Bush School Faculty and Staff and the various contributors to our project, LTG (Ret.) Kevin McLaughlin, Dr. Stephen Cambone, and BG (Ret.) Leesa Papier. Table of Contents Acronym List ii Executive Summary vi Introduction 1 Chapter 1: Cyberattacks and Critical Infrastructure 25 Chapter 2: The Private Sector’s Role in Cybersecurity 63 Chapter 3: Cybersecurity and Individual Privacy 91 Recommendations 130 Annex A: Hypothetical Cyberattack on Abilene, Texas (Taylor County) Annex B: List of Referenced Governance Documents Annex C: Guidance Document Analysis Scorecard Annex D: Bibliography i Acronym List ACs Advisory Councils ACI American Cyber Institute AI Artificial Intelligence APT Advanced Persistent Threat ARPA Advanced Research Projects Agency CD Cybersecurity Division CIA Central Intelligence Agency CISA Cybersecurity and Infrastructure Security Agency CNA Computer Network Attacks CND Computer Network Defense CNE Computer Network Exploitation CNO Computer Network Operations CSIRT Computer Security Incident Response Team DAFB Dyess Air Force Base DARPA Defense Advanced Research Projects Agency DCI Defense Critical Infrastructure DDoS Distributed Denial of Service DHS Department of Homeland Security DHS CS Department of Homeland Security Cyber Strategy DIA Defense Intelligence Agency DIB Defense Industrial Base DNS Domain Name System DOC Department of Commerce DoD Department of Defense DoD CS Department of Defense Cyber Strategy 2018 DoDM Department of Defense Manual DOE Department of Energy ii Acronym List DOI Department of the Interior DOJ Department of Justice DOS Department of State DOT Department of Transportation DSCA Defense Support for Civilian Authorities DSS Defense Security Services ECD Emergency Communication Division EO Executive Order EPA Environmental Protection Agency ERCOT Electric Reliability Council of Texas EU European Union FBI Federal Bureau of Investigation FBI IC3 Federal Bureau of Investigation Internet Crime Complaint Center FCC Federal Communications Commission FEMA Federal Emergency Management Agency FISA Foreign Intelligence Surveillance Act FSRAs Federal and State Regulatory Agencies FTC Federal Trade Commission GAO Government Accountability Office GDPR General Data Protection Regulation GLBA Gramm-Leach-Bliley Act GSA General Services Administration HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act HPSCI House Permanent Select Committee on Intelligence IC Intelligence Committee InfraGard Federal Bureau of Investigation InfraGard program iii Acronym List IP Internet Protocol IPTF Infrastructure Protection Task Force ISACs Information Sharing and Analysis Centers ISD Infrastructure Security Division IT Information Technology IoT Internet of Things JCS Joint Chiefs of Staff JP Joint Publication LFA Lead Federal Agency LGs Local Governments NCCIC National Cybersecurity and Communications Integration Center NCIRP National Cyber Incident Response Plan NCS White House National Cyber Strategy NEW Network-enabled Electronic Warfare NGOs Non-Governmental Organizations NIPP National Infrastructure Protection Plan NIST National Institute for Standards and Technology NPPD National Protection and Programs Directorate NRC Nuclear Regulatory Commission NRF National Response Framework NRMC National Risk Management Center NSA National Security Agency NSS White House National Security Strategy ODNI Office of the Director of National Intelligence OFAs Other Federal Agencies OMB Office of Management and Budget OPM Office of Personnel Management iv Acronym List RADICS Rapid Attack Detection, Isolation and Characterization Systems PEs Private Entities PII Personally Identifiable Information PPD Presidential Policy Directive SCADA Supervisory Control and Data Acquisition SEC Securities and Exchange Commission SECDEF Secretary of Defense SIGINT Signals Intelligence SLTT State, Local, Tribal, and Territorial Governments SNRA Strategic National Risk Assessment SSCI Senate Select Committee on Intelligence STT+IAGs State, Tribal, Territorial, and Insular Area Governments TCSSP Texas Cybersecurity Strategic Plan TDIR Texas Department of Information Resources USCYBERCOM U.S. Cyber Command U.S.C. United States Code US-CERT U.S. Computer Emergency Readiness Team USDA Department of Agriculture USDT Department of the Treasury USNORTHCOM U.S. Northern Command USPI U.S. Persons Information WMD Weapons of Mass Destruction UK United Kingdom USSR Union of Soviet Socialist Republics v Executive Summary While the societal, governmental, and economic benefits of a technologically-connected global community are potentially substantial, so too are the risks associated with protecting data and securing cyberspace against malicious activity. Providing security in cyberspace has generated the need for a new technology discipline: cybersecurity. The continuing proliferation and sophistication of cyber threats will allow for cyber actors at many levels, from simple hackers to antagonistic nation-states, to utilize them against U.S. interests. The U.S. must therefore be equipped both technologically and administratively to address these threats. This report examines the issues surrounding U.S. capabilities in providing cyber response, focusing on the federal level but including considerations for state and local governments as well as the private sector, in order to provide recommendations for developing a comprehensive, national cyber framework. Any discussion of a national cyber framework begins with identifying the role of the Federal Government and the current laws, strategies, plans, and frameworks that dictate how the Federal Government responds to a cyberattack against critical infrastructure. The various and often overlapping governance and guidance documents increases the complexity of cyber response. Alleviating this complexity requires first understanding the fundamental structure of U.S. critical infrastructure and the current capabilities of the Federal Government to respond to a cyberattack. An evaluation of the governance and guidance documents outlines the roles and responsibilities of each various Federal, state, and local governments, as well as private sector entities and identifies overlaps and potential deficiencies in guiding response capabilities. Understanding the role that the private sector can assume in cybersecurity is important when developing a national cyber framework. Since the majority of U.S. critical infrastructure is owned or operated by private sector entities, the capabilities and deficiencies in current private sector cybersecurity and cyber defense systems will have an impact on concerns for national security. The lack of comprehensive laws and policies to regulate cybersecurity cyber defense standards in the private sector has created vulnerabilities within cyberspace. These vulnerabilities are amplified due to a lack of a streamlined reporting process between the private sector and the government, as well as issues surround response jurisdiction and capabilities. Despite these issues, the private sector can still take on a vital role to complement or supplement government vi cyber capabilities, and the establishment of a public-private partnership for cyber response can be a powerful tool to include in a national cyber framework. Considerations for protecting the constitutionally-guaranteed right to privacy must also be included in any discussion of cybersecurity in the context of national defense and security. This includes determining the existence of any restrictions or over-restrictions on government capabilities, particularly those of the Department of Defense, when operating within U.S. Internet Protocol space for national defense. The right to privacy