CIP/HS research efforts span a variety of infrastructure sectors and related fields, including Energy, Transportation, Cybersecurity, Defense, and Finance, among others.
Through engagement with partners across industry, government, and academia, CIP/HS pursues research and develops projects that deliver expert analysis and insight into the policy, law, and economics of infrastructure security and resilience for those who own and operate key assets in the United States infrastructure, as well as those leaders responsible for setting the policy that governs security at the national and international levels.
Examples of Recent Work
Developed in partnership with CSIAC
Full Report Available Here
The recent case of Edward Snowden brought insider threat to the forefront of the public and corporate mind. Snowden provides a case study for the intelligent insider threat, the employee who acts in violation of organization policy, often without warning, and discloses restricted information to the public or a competitor. Snowden’s tale serves as a warning call to government and industry Leaders.
Snowden also serves as a reminder that threats can come from the most unexpected places. His is not the only insider threat story, nor is it the only damage that requires prevention or mitigation. Individuals seeking personal gain or complacent employees can do as much or more damage. In some ways, they are more threatening than the Snowdens of the world because they have incentive to keep their job, either as a source of information or income. Snowden knew he would not be coming back. His breach was massive but limited in time.
This paper serves as an overview of the incentives involved in mitigation and prevention strategies. It is important to note that there is no conclusive technique to identify insider threats before they occur, nor is there any way to completely prevent the damage they can inflict. However, this study will provide insight into policy which shapes measures and legal tools available to deter unauthorized release. The study will also suggest practical incentive structures, procedures, and use of technology to incentivize compliance and provide a disincentive against unauthorized use. However, leaders must always bear in mind that the decision to provide access to sensitive information bears a risk that the granted party will misuse that access. Therefore, the decision to grant access remains a risk based judgment that the granted party will use the access for purposes that are in line with the organizations’ purposes and ethical framework.
Developed in partnership with CSIAC
Full Report Available Here
In a time of aging infrastructure and cyber threats at historic peaks, the concern of failure in the critical infrastructure that supports society touches every corner of the private and public sectors. The military is not immune to these concerns, and though defense installations implement extensive mission assurance measures to remain operational in the event of an attack, disaster, or other major disruption, significant interdependencies with civilian critical infrastructure remain in the daily operations of domestic defense facilities.
Day-to-day operations of most facilities still rely on the availability of community transportation, water, power, and communications infrastructure. Even where contingencies exist to cover shortfalls in these capabilities, the greatest longevity and efficiency in operations comes from ensuring the security and resilience of community resources.
The military is no stranger to engagement with the private sector. The Department of Defense (DoD) is the largest source of government contracts in the United States. In recent years, DoD has used the contracting process as a tool to enhance systems security for defense resources in the Defense Industrial Base, implementing security provisions to the Defense Federal Acquisition Regulation Supplement (DFARS).
However, these provisions remain relatively narrow in scope, addressing information security for controlled technical information and supply-chain security measures for national security systems. Existing regulations focus on manufacturing and research contractors in the Defense Industrial Base who engage directly with sensitive IT systems, which touch only the periphery of community infrastructure vulnerabilities. Furthermore, aside from direct intervention in operations, deterrence in the procurement system stems from legal liability under contract and tort, where damages are only applied after a breach has already occurred.
The legal framework for implementing effective security measures for these critical systems is in a constant state of development with solutions coming piecemeal from a wide assortment of actors. The tools that currently exist are utilized from a perspective that treats ad hoc implementation and ex post facto enforcement as adequate. These legal tools are less cumbersome than prescriptive regulation and preventative measures, but the potential harm resulting from a massive disruption to the community power grid or transportation system is not easily remedied by monetary damages, especially when such a disruption bleeds into the operational effectiveness of a nearby defense facility.
For these reasons economic, policy, and legal tools must be implemented to provide DoD the ability to more directly influence maintenance and security of the critical infrastructure in communities surrounding defense facilities, especially in those lifeline sectors that most intrinsically support operations. In the following pages, we examine existing regulations and procedures in the contracting and acquisitions arena that could be adapted for contracts with local and regional asset operators and owners. We then examine other enabling measures that would grant DoD the necessary authority to more directly engage with both public- and private-sector entities responsible for the security and resilience of the critical infrastructure that feeds into these facilities.
See our Publication Library for other past work from CIP/HS
Partners have included:
- Cyber Security & Information Systems Information Analysis Center (CSIAC)
- Society of American Military Engineers (SAME) – The Infrastructure Security Partnership (TISP)
- The Atlantic Council
- Security Analysis and Risk Management Association (SARMA)
- National Laboratories
- Argonne National Laboratory
- Sandia National Laboratory
- Oak Ridge National Laboratory
- Universities
- James Madison University
- Old Dominion University
- Pennsylvania State University
- KEPCO International Nuclear Graduate School
- Naval Post-Graduate School
- U.S. Department of Homeland Security
- U.S. Department of Defense