explain how proper protective measures would have mitigated or reduced the impact of the
event.

Regrettably, the U.S. government often cites actual event information as “classified” and
therefore not eligible to be shared. Again, stakeholders are not focused on the sources and
methods that often cause information to be classified. Sharing information about which TTPs
were used and how those events might have been prevented would help raise the bar of
education and awareness for stakeholders and practitioners.

Since 2006, the U.S. government has conducted a series of national cybersecurity exercises,
primarily through DHS and FEMA. These exercises, focused on various scenarios and threats,
have produced a variety of lessons learned and after action reports. However, as demonstrated
during a recent review, little if any action has been taken on the items identified and
documented, and many of the same items continue to appear in succeeding reports.

If we are going to invest in testing cyber readiness to identify gaps and then develop an
improvement plan to address those gaps, it is difficult to understand how this valuable
information seems to have been only minimally addressed.

The lessons learned and after action reports are valuable; therefore, someone should tackle the
findings and demand answers as to what steps have been taken to address the documented
gaps and weaknesses.

The legal environment governing cybersecurity, electronic crimes, and privacy includes
legislation that was largely enacted in a predominantly analog world. The time for
reviewing the legal environment in a piecemeal manner has passed. There
should be a comprehensive examination of the current laws and regulations so that they reflect the needs
of a digital world, while promoting economic growth and providing privacy and protection of civil
liberties.

Several pending pieces of legislation attempt to address important issues such as information
sharing; timely, reliable, and actionable situational awareness; liability protection; and privacy. It
is important to have a broader view of the entire legal framework governing cybersecurity and
critical infrastructure protection.

The activities included in this blueprint are not exclusively intended to address the risks
associated with attempted disruption, by nation states or terrorist organizations, of the electric
grid, the supply of oil and natural gas, the water supply, or the transportation system.
These are all important considerations and should be evaluated in the context of risk
management, including the potential impact and likelihood; the economics of cybersecurity; and
the business and personal needs of constituent stakeholders.

Instead, the blueprint is intended as a practical approach to raising the bar for cybersecurity and
critical infrastructure across a wide array of stakeholders and threats. By implementing these
actions we can disrupt the tactical and economic model of the bad guys—whether they are

Cyber Warnings Magazine, September Edition
Copyright © Cyber Defense Magazine. All rights reserved worldwide.