Comprehensive Cyber Defense Plan

Introduction

Today we face a growing threat of cyber attack. Everything from our identities to our secure government networks is being attacked and successfully hacked. Our private data is being stolen, people are threatening each other’s lives online, and millions of lives rest on the trust that our electrical and water systems are secure and operational. We need a swift and effective response to the growing threat that stole our data from Equifax, that held people’s medical data hostage, and that hacked into and stole the NSA’s cyber warfare toolkit.

I am introducing the plan below in order to respond to these threats and to create a system that takes the lead in driving productive change. This plan will create a generation of students who have the skills to dive into the cybersecurity job force, it will create rigorous standards for both transparency and security in government, and it will give law enforcement the tools to enforce laws in the cyber domain and respond to cyber attacks. This plan will also, not accidentally, create hundreds, if not thousands, of jobs in the state of Minnesota, and greatly expand our expertise as a state. My goal with this plan is nothing less than to make Minnesota the world leader in cybersecurity.

Cyber Security in Education

  1. Recommended topics for K-12
  1. Home Network Security
  1. Secure Wifi
  2. Secure LAN
  3. Networking Concepts
  4. Anonymous Browsing
  5. Using encryption
  1. Secure Passwords
  2. Online Identity protection
  3. Basic task automation
  4. Basic programming concepts
  5. Programming & math
  6. Programming & design
  7. Programming Skills
  1. Higher Level Skills: Analysis, Automation, User Experience, and Entertainment
  2. Core level Skills: Languages, Formatting, Databases, logical operation, optimization
  1. State funding for K-12 Programming clubs
  2. State-hosted “hackathons”
  1. Security
  1. Building secure systems
  2. Developing encryption
  3. Testing security of model systems
  1. Tool development
  1. Develop needed tools for state or local govts
  2. Build systems for state or local govts
  1. Data analysis
  1. Test machine learning algorithms on model data to solve real-world problems
  1. State “Hack me” network
  1. Can test skills of potential job applicants
  2. Can keep up to date on new attacks
  3. Can identify statewide security flaws

Infrastructure Security

  1. Internet
  1. Where any address has only one ISP, provide a grant to the county to establish a municipal internet service using no less than fiber-optic connections.
  1. Ensure that each municipal internet service is interconnected to ensure statewide redundancy
  2. Encourage local construction of web servers to ensure local internet uptime during national outages
  1. Invest in the development of renewable emergency modular network systems to serve as backups for established network infrastructure.
  1. Electricity
  1. Encourage modularization in the grid infrastructure
  2. Provide research grants to develop more adaptive and redundant/self-similar systems for electricity distribution
  3. Provide grants to citizens implementing grid-tied solar and renewable systems and update electrical infrastructure to allow for more local uptime dependent on local/individual energy production.
  1. Water
  1. Make compliance with EPA cybersecurity standards mandatory

Govt Network Security Standards Expansion

  1. Encryption Standards
  1. All government networks must properly implement encrypted communications
  2. Encryption should meet no less than a “10 years to crack” standard
  3. All government websites must properly implement HTTPS (SSL/TLS)  
  1. Information System Access standards
  1. Minimum of two-factor authentication for all government systems
  1. Standards for Criminal Justice data
  2. Standards for Health data
  1. All personal health data access must be controlled via “Mandatory Access Control” systems
  2. All health information used for statewide analysis must be effectively anonymized and encrypted during transportation and storage.
  1. Standards for personal/license data

Data privacy and Device Security Laws

  1. Create/Expand/Evaluate minimum security measures for personal data by category
  1. Commercial/Consumer
  1. Email
  2. Address
  3. Phone Number
  4. Purchase Preferences
  1. Financial
  1. Credit Card Numbers
  2. Bank Acct Numbers
  3. Transaction Amounts/Date/Time
  4. Income
  5. Insurance Records (excluding health)
  1. PII
  1. Name
  2. SSN
  3. Driver's License
  4. Photos/Recognition Vectors
  1. HIPAA
  2. Complex Social data/insights
  1. Friends
  2. Family
  3. Coworkers
  1. Complex personality data/insights
  1. Political Views
  2. Religious Beliefs
  3. Sensitive patterns of behavior (sexual preferences, risk tolerance, drug addictions)
  1. Expand data sharing laws
  1. Affirmative consent for sharing an individual’s data beyond basic user agreement
  1. Require explicit approval for the sharing of an individual’s data to any other organization, business, or law enforcement agency (without a warrant).
  2. Allow for the approval/disapproval of sharing for every individual data point category that might potentially be shared.
  1. Anonymization Standards for shared advertising information
  2. “Trigger Phrase Disclosure”
  1. All voice recording tools/software/devices must explicitly and publicly disclose all words that could trigger the recording to turn on
  1. Collected information disclosure
  1. Must make available a record of every data point collected or shared to any outside organization
  1. Create a legal structure for data mishandling fines, and security audits
  2. Create a law banning malware on commercially sold devices
  1. Audit commercial devices and fine companies that sell products that contain malware
  1. E.g. Spyware on USB flash drives
  1. Security standards for New Vehicles
  1. Self-Driving Cars
  1. All vehicular controls must be physically isolated and not connected to any networked device
  2. All networked devices and systems must have regular patches
  3. All networked devices must have built-in firewalls and encryption protocols
  1. Non-Self-Driving Cars
  1. All vehicular controls must be physically isolated and not connected to any networked device
  1. Security for “Internet of things” devices
  1. All IoT devices must use some form of cryptographic communication
  2. IoT devices must have built-in firewalls and patch management software/firmware
  3. IoT devices must have non-networked or “secure” modes
  4. IoT devices that control any device or component that could reasonably lead to the physical harm of an individual or the disruption of network or other infrastructure services must be protected with some form of secure access control and antivirus
  5. Threat assessment on IoT devices must be based on a “worst case” or an “every device at once” scenario.

Statewide PKI System

  1. State employee PKI ID
  1. First wave of PKI ID issuance
  2. Used to log into govt computer systems and log user access
  3. PKI used to digitally sign official documents
  4. Implementation will be aided by the National Guard with experience in PKI
  1. Citizen PKI ID
  1. Eventually, replace both state IDs and Driver's Licenses
  2. Used to log in to the Unified MN web portal, and used as much as possible instead of physically going to the DMV, Courthouse etc.
  1. Example: Fishing License, Hunting License, Paying Fines, contacting public defenders etc.
  1. Used to record active licenses etc.
  2. Cards Issued Universally to MN residents for free.
  1. Card initially issued at age 15
  2. New card issued every 3 years following
  1. Unified MN Web Portal
  1. All MN state and local govt offices that interact with the public must create and manage a website on this portal that uses the PKI certs for ID verification.
  2. All actions that can feasibly be performed online should be implemented to minimize the need for in-person interaction at govt offices and reduce delays
  3. Ideally, a central calendar will track all public events being held by any govt office so that citizens can be aware of what is going on in their area.

Cyber Warrant Standardization Plan

  1. Warrant types
  1. Identification Warrant
  1. Warrant issued for the purpose of making a positive identification of an individual who is known to have committed some crime via the internet.
  1. Passive Warrant
  1. Warrant issued to allow non-credentialed & non-invasive scanning and reading of personal networks and profiles
  1. Active Warrant
  1. Warrant issued to uncover hidden data and protected networks
  1. Aggressive Warrant
  1. Warrant issued to shut down, deny, or contain any imminent threat, or aid in the near capture of a suspect with significant evidence
  2. Examples would be the shutting down of a network when a suspect is in the process of transferring illegal funds; when a suspect is using a network to buy or sell humans, human organs, illegal firearms, or any volatile, dangerous, or hazardous material; or when a suspect is in the process of launching or planning a cyber attack, espionage, or threats of violence
  1. Cyber Warrant Specialist Inspector General team
  1. A team of specially trained Inspectors General will be created to manage the oversight of cyber warrant execution
  2. The team will have significant experience working with cyber forensics and information systems
  1. Warrant Execution Oversight
  1. Two Person Control
  1. When executing a cyber warrant, no single individual will have access to the system. At all times no less than two people must be present to execute any cyber warrant.
  1. Independent Logging and monitoring
  1. The IG team will monitor 100% of the network traffic and capture 100% of the on-screen activity of any cyber warrant execution system
  2. The IG will provide copies of cyber evidence to both prosecution and defense
  3. Law enforcement will not have access to original copies of system logs and screen recordings.

MN Air National Guard Cyber Defense Squadron

  1. Establish a new Cyber Defense Squadron (or Base?) (at Duluth ANG Base?).
  1. Create 750 ANG slots (est. $12 Million/Year)
  1. Mission
  1. Perform Cybersecurity Audits of State and local govt, infrastructure, and commercial information systems
  2. Assist in the implementation and design of secure cyber systems
  1. E.g. establishing statewide PKI
  1. Assist law enforcement in the execution of standardized cyber warrants
  2. Respond to cyber attacks and network outages
  1. Network Recovery
  2. Cyber Forensics
  3. Counterattack