Tribal Cyber Security: Hacking Away at an Undefined Threat
Nationally, the internet and communications infrastructure is an essential tool for ensuring the reliability of our emergency services to coordinate efforts, our financial system to complete transactions, and our economy to maintain business operations. Disruption to this infrastructure would wreak havoc on our population and require a monumental commitment of resources to recover from disruptive effects. Currently, the Department of Homeland Security is largely responsible for protective and responsive actions to cyber threats that face the Federal Executive Branch civilian networks. The authorities that outline the DHS role and responsibility for cyber security are in the Homeland Security Act of 2002 and the Federal Information Security Management Act of 2002. Homeland Security Presidential Directives (HSPD) further focus DHS’s role. HSPD 7 compels DHS to operate a central point for coordination of cyber security across federal departments and agencies, state and local governments, and the private sector. In response to HSPD 7, DHS created the U.S. Computer Emergency Readiness Team (US-CERT) to serve as the central point for responding to, reporting, and analyzing cyber security issues.
The funding of DHS cyber security initiatives is risk-driven and not threat-driven, as stated by DHS Secretary Napolitano at a recent hearing before the subcommittee of the House Committee on Appropriations regarding DHS Appropriations for 2010. In that hearing, tribal cyber security issues were discussed and Congressman Steven Kirk asked whether there was any specific threat or risk information for cyber attacks related to tribal governments. Secretary Napolitano acknowledged that she did not have a specific report detailing the cyber threats that confront tribal governments. Herein lies the challenge for Indian country: there is a constant threat of attacks on the internet and communications systems that tribal governments, businesses, and people utilize every day. However, there is no specific report or centralized point where the threat or the attack by cyber warriors is catalogued, categorized, and compiled. The $15 million set aside in the DHS 2010 appropriations bill may not be enough to manage the threat, and it may not be geared toward truly protecting against attacks on critical tribal infrastructure. It is not clear whether US-CERT has even provided access to its services to tribal governments, which largely partner with other governments, including the federal government, when it comes to preparedness and response actions under HSPDs.
The time is now to develop the capacity and the expertise in tribal communities to identify, manage, respond to, and recover from cyber attacks. The price of not doing so could be the next cyber attack being launched from tribal computers or servers without the knowledge that hackers have hijacked tribal resources to carry out these attacks. The risk is there and it should be addressed at some level without creating a new bureaucracy to oust existing DHS or tribal government agencies that may be in a prime position to implement EINSTEIN and its progeny in tribal systems. Tribes must be included in the National Infrastructure Protection Plan and the related Sector-Specific Plans when it comes to protection of the internet and communications systems.