米国 国土安全保障省 国土安全保証諮問委員会の最終報告書(バイオメトリックス、経済安全保障、緊急技術とか・・・)
こんにちは、丸山満彦です。
国土安全保障諮問委員会の2020.11に公表された最終報告書を中心にいくつかまとめておきます・・・
● U.S. Department of Homeland Security - Homeland Security Advisory Council
・経済安全保障
・2020.11.16 [PDF] Final Report of the Economic Security Subcommittee
・ICTリスク低減
・2020.11.16 [PDF] Final Report of the ICT Risk Reduction Subcommittee
・バイオメトリクス
・2020.11.13 [PDF] Final Report of the Biometrics Subcommittee
過去分
・信仰に基づくコミュニティを狙った暴力の防止
・2019.12.17 [PDF] Final Report of the Preventing Targeted Violence Against Faith-Based Communities Subcommittee
・州、地方、部族、領地のサイバーセキュリティ
・2020.04.21 [PDF] State, Local, Tribal, Territorial Cybersecurity Final Report
米国政府のセキュリティ対応について、経済産業省が過去(2018.03)に整理していますね。。。
● 経済産業省
・2018.03 [PDF] 調査報告書 平成 29 年度サイバーセキュリティ経済基盤構築事業 (米国から見た諸外国のサイバー空間における能力等の実態に関する調査)
各最終報告書の推奨事項
・経済安全保障
・2020.11.16 [PDF] Final Report of the Economic Security Subcommittee
| # | Recommendation |
| 1 | The department should institutionalize the Economic Security Council. Congress should provide a legislative mandate for the establishment and maintenance of the council to identify concentrated risks, to set priorities and to coordinate enterprise-wide action on economic security matters. |
| 2 | DHS must lead by example in procurement practices that foster cybersecurity, including supply chain security. The Secretary should ensure effective coordination through the Economic Security Council or some other mechanism among the many offices that can contribute to security in acquisitions, including the Office of Management, the Office of Acquisition, the acquiring component, CISA, the Chief Information Officer, and the Office of Science and Technology. |
| 3 | A Deputy Assistant Secretary for Economic Security should be institutionalized within the Office of Strategy, Policy, and Plans. |
| 4 | The intelligence community and DHS should create a joint supply chain intelligence center with private sector entities as participants and customers. This center should provide practical guidance about suppliers that may pose a particular risk. The center should also influence intelligence collection priorities and provide feedback to improve the quality of supply chain intelligence. |
| 5 | The Secretary should define roles and missions and coordination responsibilities between CISA and the Office of Strategy, Policy and Plans, for the task of mapping civilian supply chain and economic security risks. |
| 6 | At the start, the DHS economic security effort should be incremental, focused on high-impact, focused reviews of priority topics/sectors. |
| (1) | DHS should formalize its role in supplying data and risk management analysis to the Commerce Department pursuant to E.O. 13873. |
| (2) | DHS should conduct a joint DoD-DHS analysis of the industries identified by China as its priorities for ensuring China’s economic security (and reducing the economic security of the United States). The study should ask two questions about every industry on China’s shopping list which U.S. producers are put at risk by China’s mercantilist policies and what can the U.S. do to ensure their survival? |
| (3) | DHS should conduct industry-wide supply chain assessments of particular companies or industries based on referrals from CFIUS, from Team Telecom, and from the E.O. 13873 interagency process. |
| (4) | DHS’s economic security unit should also accept referrals from the Federal Acquisition Security Council. It should be possible for the Council to seek a broader study of a particular industry or company than the Council itself is designed to perform. DHS’s economic security unit should be prepared to accept such referrals. |
| (5) | The DHS economic security unit should accept nominations for economic security reviews from DHS components concerned about their critical components. |
| 7 | DHS’s economic security unit should be a focal point for Hart-Scott-Rodino reviews where the merger could reduce competition or security in sales of equipment that is vital to DHS missions, such as icebreakers and cargo and traveler scanning equipment. |
| 8 | FEMA, in coordination with DHS and the interagency, should put forward a framework for an executive order or legislation that revives and makes best use of existing authorities under the Defense Production Act and related executive and statutory authorities. |
| (1) | EMA should rebuild its internal structures and programs to ensure that it has the resources necessary to respond to sudden national shortages during a national emergency. |
| (2) | FEMA and DHS should strengthen their engagement with the Title III program under the Defense Production Act, and develop an institutional capability to sponsor and follow through on the use of Title III funds to meet homeland economic security goals. |
| 9 | The Secretary should direct CBP and ICE/HSI to make enforcement of economic security measures a measurable enforcement priority — and an intelligence collection target. |
| 10 | The Secretary should direct USCIS and ICE to increase coordination on student visas, granting USCIS appropriate access to SEVIS data and working together on site visits and investigations in technology-heavy visa programs such as CPT and OPT. The Secretary should direct CBP, ICE, and USCIS to standardize and make available to each other data on foreign nationals coming to the U.S. for research and study; the State Department should join in this initiative. |
| 11 | USCIS and the relevant HSAC subcommittee should review the EB-5 program for the risk that Chinese applicants may be operating as agents of the Chinese government. |
| 12 | DHS should engage its interagency partners to: |
| (1) | Spur creation of a technology oversight and regulating task force to ensure that rapidly evolving Chinese technology does not evade necessary regulation; |
| (2) | Expand UAS regulatory resources (with support from Congress); |
| (3) | Encourage and actively support innovation in the development and production of UAS in the United States by U.S. companies, particularly for those UAS intended for U.S. government use; |
| (4) | Regulate the export of data (such as imagery) collected by UAS manufacturers; |
| (5) | Consider requiring validation of the security of software, firmware, hardware and other UAS elements; and |
| (6) | Ensure effective detection and tracking of UAS and identification of UAS registrants |
| 13 | TSA and the Deputy Assistant Secretary for Economic Security should jointly review the threat posed by Nuctech and other passenger and cargo screening equipment from China, with particular emphasis on Nuctech’s access to data and algorithms used by security agencies. DHS should decide whether the use of insecure equipment is consistent with TSA’s foreign airport security assessment standards. |
| 14 | In coordination with the federal interagency process, the Department should identify relevant global standard-setting activities likely to have an impact on DHS and determine whether Chinese government efforts to influence the standards require monitoring or action. |
・ICTリスク低減
・2020.11.16 [PDF] Final Report of the ICT Risk Reduction Subcommittee
| # | Recommendations |
| 1 | Develop an effective and robust risk management framework to guide ICT procurement across the government, with particular emphasis on unclassified systems. |
| 2 | Standardize the sharing and reception of threat data from the IC and across departments and agencies. |
| 3 | Establish a joint National Supply Chain Intelligence Center (NSCIC) Center of Excellence within DHS to operationalize and mature ICT risk reduction efforts. |
| 4 | Conduct a comprehensive review of the DHS procurement office authorities to ensure and maintain capabilities adequate for reducing ICT risks for the department. |
| 5 | Improve public-private partnerships specifically focused on the ICT security effort. |
・バイオメトリクス
・2020.11.13 [PDF] Final Report of the Biometrics Subcommittee
| # | Recommendations |
| 1 | Establish a DHS Biometrics Oversight and Coordination Council, with representation by the appropriate DHS agencies and offices. The Council would be chaired by the DHS Deputy Secretary. |
| 2 | The BOCC protocols should provide a fast-track process to approve pilots and emergency uses of biometrics, to include direct interaction between S-2, as Chair of the Council, and the relevant agency head. |
| 3 | The DHS Office of Policy should have the lead role within the Department regarding the development of biometric policies regarding biometric retention, privacy protection (in coordination with CRCL and PRIV), negotiating international agreements, and avoiding inappropriate bias. |
| 4 | The operational role for the collection and uses of biometrics should remain within the DHS agency that has the unique mission or program that is aided and/or made more effective with the use of biometrics. |
| 5 | Each DHS agency using biometrics shall designate one official within such agency with the responsibility for overseeing uses of biometrics for the agency. |
| 6 | Update the Biometrics Strategic Framework of 2015 |
| 7 | Where sharing of biometrics involves negotiations with other nations, DHS’ Office of Policy should have the lead role, but the operational component(s) with equities and relationships should play an active role in negotiations. |
| 8 | In addition to an implementation plan, every new use of a biometric should require, concurrently therewith, a communication/outreach plan. |
| 9 | As part of its implementation plan, the DHS component agency proposing a new use of biometrics or a new biometric has the responsibility for evaluating and presenting the technical aspects, including matching and analysis, of the biometric and how it is to be integrated into operational protocols in support of the agency mission. The component agency or the BOCC should call upon S&T, as needed, to assist regarding the technical evaluation of the proposed biometric. |
| 10 | The Management Directorate (MGMT), through its budget offices, should annually capture budget data related to different biometrics on an agency and department-wide basis and provide it to the BOCC to provide visibility to its oversight and coordination role. |
・信仰に基づくコミュニティを狙った暴力の防止
・2019.12.17 [PDF] Final Report of the Preventing Targeted Violence Against Faith-Based Communities Subcommittee
1. Central Point of Contact in DHS for Faith-Based Organizations (FBOs)
Finding: There should be a central point of contact designated within DHS for matters associated with the security of faith-based organizations.
Recommendations:
- DHS designate a position at the Assistant Secretary level or higher to serve as a Director who will oversee and lead all the Department’s faith-based programs and represent the Department within the Interagency.
- DHS recommend to the Assistant to the President for National Security Affairs the creation of an FBO working group dedicated to securing houses of worship, to be convened at the National Security Council to support policy formulation within the Interagency and across the Federal government.
2. Proactive Training for Faith-Based Communities
Finding: There is not a consistent approach to preparing and training FBOs for the security of their communities.
Recommendation:
- DHS take lead, in conjunction with State and local officials, in establishing a package approach to security of FBOs.
3. FBO Coordination with Law Enforcement
Finding: The relationships between state and local law enforcement and the FBOs are very “unlevel” across the country, especially outside urban areas.
Recommendations:
- DHS encourage FBOs to work with local police and first responder communities to develop real-time information sharing systems.
- DHS, working with State officials, seek to provide local law enforcement with additional earmarked funding to create or expand outreach and connectivity with FBOs, especially in rural areas.
4. Protective Security Advisors (PSAs)
Finding: The role of PSAs must be enhanced.
Recommendation:
- DHS determine specific requirements for PSAs, and if necessary, request additional sustained funding from Congress to hire, train, and increase the actual numbers of PSAs as needed for the security of the FBOs.
5. Fusion Center Outreach to FBOs
Finding: Fusion Centers are not well known or understood and are not organized in the same manner across the country.
Recommendations:
- DHS work with State and local officials to ensure Fusion Centers receive the same level of training and are similarly organized around the guiding principle of proactive outreach to every house of worship within a Fusion Center’s area of responsibility.
- DHS, with State and local officials, reinforce the expectation that Fusion Centers and the PSAs are to be considered a team, and their work is inextricably linked.
- DHS conduct an evaluation of Fusion Centers to determine their effectiveness in promoting FBO security, and from that evaluation identify areas needing improvement.
- DHS demonstrate transparency in the procedures and guidelines of Fusion Centers in order to guarantee privacy, civil rights, and civil liberties for FBOs and their communities.
6. Defining the Domestic Terrorism Threat
Finding: Members of law enforcement have cited the absence of a domestic terrorism statute as hampering their efforts to track and prosecute domestic terrorist groups.
Recommendation:
- Congress, working with DHS and the Department of Justice, encourage cooperation between Federal, State, local, and Tribal law enforcement to monitor, understand, investigate, and prosecute acts of domestic terrorism through intelligence sharing requirements.
- Congress work with DHS and DOJ to pass a statute defining such acts and providing funds for monitoring the acts can assist law enforcement in ordering its priorities without compromising constitutional values.
7. Federal Emergency Management Agency (FEMA) Grants
Finding: The FEMA Nonprofit Security Grant Program is a vital source of funding for FBOs to bolster their security, but the funding level is insufficient, and the application process is complex, opaque, and long.
Recommendations:
- DHS seek additional funding from Congress to provide increased security grant money for FBOs.
- DHS establish an office dedicated to assisting applicants, particularly from small or poorly staffed FBOs, in order to navigate the complexities of the Federal grants process.
- To avoid any potential conflicts of interest, this office of grant application assistance should be separate from any of the grant-awarding arms of DHS and its staff should play no role in reviewing or awarding grants.
- DHS give the new Director responsibility for the Nonprofit Security Grant Program.
・州、地方、部族、領地のサイバーセキュリティ
・2020.04.21 [PDF] State, Local, Tribal, Territorial Cybersecurity Final Report
Empower Cyber Mutual Assistance for SLTT Entities
DHS should:
- Provide for SLTT stakeholders a single point of contact for cyber response within a reasonable geographic distance of the relevant parties.
- Where reasonable caution points toward enhanced coordination, provide samples of agreements and provide for additional resources for cyber mutual aid that can be put in place.
- Together with States, design and test coordination and response plans, including those that include the SLTT National Guard unit.
- Define clear roles and responsibilities for outreach, communications, and information sharing, as well as for prioritizing and navigating an SLTT cyber alert system.
- Consolidate a set of requirements and path forward for constructing a civilian equivalent to the National Guard cyber-force.
- Establish nation-wide Cyber 211 or 911 programs to provide consistent reporting of cyber incidents around the country.
- Establish a National Cybersecurity Academy to train SLTT government employees.
- Build collaborative partnerships with NGOs focused on training, empowering and developing young people to engage with DHS, and other similar organizations. Provide grants and resources to such organizations to build cybersecurity education programs.
Create a Dedicated Grant Program for SLTT Cybersecurity
DHS should establish a dedicated grant program to support SLTT agencies. Examples of program characteristics should include:
- Baseline capability documents, and associated grant criteria, that will be developed and monitored primarily by the Cyber Security Division of DHS (formerly CS&C).
- Grant awards should be conditioned upon the completion and submission to the grants administering body of assessments, such as the National Cyber Security Review (NCSR) assessment facilitated by the Multi-State Information Sharing and Analysis Center. While states are understandably unwilling to reveal cybersecurity capabilities and posture to a broad audience, the grants committee needs this data to understand the baseline current state and inform investment strategies with targeted improvements.
- Grants structured to permit regional collaboration and coordination, as well as traditional SLTT capability enhancement.
Grants support for planning, prioritization, information-sharing, and goal assessment aspects of capability development, as well as for the life cycle of key technology. SLTT grant applications will need to articulate how their use of funds addresses both their own needs and their ability to contribute to a national response.
- Receipt of funds will be conditional upon participation and data-sharing for national situational awareness and analytics.
Strengthen Regional Cohesion, Situational Awareness, and Preparedness
DHS should:
- Establish a robust and comprehensive technical assistance program to support cybersecurity capability development. This effort should include development of model policies, guideline documents, best practices, workshops, how-to guides and other resources for SLTT agencies of all levels of maturity.
- Design a consistent SLTT customer management system, re-organize the website for consistency and ease of use, better organize description of services, implement a marketing and communications strategy leveraging SLTT associations and partners, improve tailored education and training programs, and enhance incident response capabilities.
- Identify the characteristics of strong regions, what leads to these characteristics, and apply this knowledge to other regions to help increase their strength.
- Support regional planning and resilience as part of the grants program.
Enable Fusion Centers to Provide Greater Cyber Situational Awareness
DHS should:
- Work in partnership with the Intelligence Community to increase the availability of intelligence training for SLTT cyber analysts.
- Support the National Network of Fusion Centers Cyber Intelligence Network (CIN) community on HSIN by having the NCCIC provide overnight management. Most fusion centers are not operating 24/7 and providing this much needed coverage will greatly improve situational awareness.
- Define cyber requirements to augment existing, predominantly law enforcement, fusion center capabilities. Train and expand the PSA program to include Cyber as an available resource.
- Explore whether fusion centers can be used as SLTT Cyber Security Operations Centers in areas that do not have SOCs.
- Support and train to equip fusion centers in this way.
- Review/update/expand guidance documents such as Cyber Integration for Fusion Centers: An Appendix to the Baseline Capabilities for State and Major Urban Area Fusion Centers[1].
Equip State and Local Election Officials to Identify and Counter a Comprehensive Range of Threats
DHS should:
- Create and sustain a consolidated portrait of Threat across the entire threat surface, including informational arenas, so that key stakeholders from any part of the ecosystem can understand what the nation faces and the interconnected nature of technology, information, influence, and election outcomes.
- Empower and fund SLTT Election officials to identify and defend against threats to the election system.
- Identify the gaps in current mitigation strategy and provide support in ways that SLTT Election officials can use.
Manage the Risks Introduced by Smart Cities DHS should:
- Assess current and planned deployments of Smart Cities throughout the United States.
- Define a path to create mechanisms for managing cyber/cyber-physical risk in Smart Cities.
- Evaluate risks to public safety and critical infrastructure function associated with these deployments and plans.
- Inventory known or suspected cybersecurity incidents in Smart Cities globally to act as a corpus of knowledge to help better inform Smart City planners, regulators, and insurers.
[1] See https://it.ojp.gov/GIST/178/Cyber-Integration-for-Fusion-Centers--An-Appendix-to-the-Baseline-Capabilities-forState-and-Major-Urban-Area-Fusion-Centers.
Comments