WCEFT E-Signature Risk Assessment
- Larry Talley - NOAA Federal (Unlicensed)
Business Risk in the Permit Context
Considerations of business risk may benefit from categorization according to FIPS 199 which provides a common framework for expressing information security concerns throughout the federal government. This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality would damage our relationship with our constituency and could impact our ability to collect accurate data with which to manage fisheries. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. It could also expose us to litigation and professional disrepute.
- Moderate integrity requirements -- among other things data from this system could be used to establish individual fishing quotas based on historical participation in a fishery. Individual fishing quotas have value, and it is critical to maintain access controls, change tracking, and auditability. The moderate level is specified to recognize that loss of integrity could result in significant financial harm to individuals.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Data sensitivity and security
Information collected pursuant to requirements of the MSA is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data as well as those collected under the Halibut Act.
Mitigating controls
Perhaps the most significant mitigating control is that in commercial fisheries transactions, both parties to the transaction (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher is required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations.
The vessels and processors involved are permitted and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
Threat and Vulnerability Identification
(see Categories of Harm and Impact Definitions)
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Occurrence |
Impact of Harm |
E-signature Cost Benefit Assessment |
|---|---|---|---|---|---|---|
System unavailability |
Error, component failure, or act of God |
Power failure, network failure, computer component failure, operator error, software failure, capacity constraint, etc. |
Inconvenience, distress or damage to standing or reputation |
Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better |
Low: for fishery management decision support typical availability is adequate. Even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience. Smaller scale failures, for instance a failure that prevents reporting from one processor, would be a minor inconvenience. |
N.A. (E-signature has no effect, positive or negative, on this vulnerability) N.A. (E-signature has no effect, positive or negative, on this vulnerability) |
System unavailability |
Vandalism |
Internet security exploit such as denial-of-service attack |
Inconvenience, distress or damage to standing or reputation |
Low: this is not an high-profile Internet system and should not be a particularly attractive target. Also, if necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Low: even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience |
N.A. |
System misuse |
System administrator, operator, or other agency user |
Abuse of insider knowledge and access for unauthorized use or release of information |
Unauthorized release of sensitive information |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations. |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
System compromise |
Vandal |
Internet security exploit circumventing security controls |
Unauthorized release of sensitive information |
Low: agency staff use due diligence to secure systems and reduce vulnerabilities. Also this is not an high-profile Internet system and should not be a particularly attractive target. If necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations. |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff use due diligence to secure systems and reduce vulnerabilities. Also this is not an high-profile Internet system and should not be a particularly attractive target. If necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
Failure to report |
Processor or processor in collusion with fisher |
Processor fails to report, either through negligence, or with intent to mislead fisheries managers and evade fisheries management controls or enforcement actions |
Harm to agency programs or public interests |
Low: permitted parties know the rules and understand the risks of non-compliance |
Moderate: most individual trip reports would be inconsequential in overall impact, but some would be consequential, and any widespread or long-term failure to report would facilitate overfishing. |
Benefit: failure to report would be detectable quickly, resulting in more responsive enforcement and potentially a higher rate of compliance |
" |
" |
" |
Civil or criminal violations |
Low: permitted parties know the rules and understand the risks of non-compliance |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Benefit: failure to report would be detectable quickly, resulting in more responsive enforcement and potentially a higher rate of compliance |
Under-reporting or misreporting catch |
Fisher and processor in collusion |
Fisher and processor collude to under-report or misreport, to mislead fisheries managers and evade fisheries management controls |
Harm to agency programs or public interests |
Low: permitted parties have a lot to lose and there are enough checks and balances in the system to discourage fraud |
Moderate: at worst, a serious adverse effect to public interests. For example, in a commercial landing the species could be misreported from an overfished species to a less restricted species to evade a fisheries closure action, with potentially significant damage to the overfished species, i.e., public interests |
Benefit: e-reporting and e-signature can result in more immediate feedback for detectable errors, and more immediate feedback facilitates more accurate reporting |
" |
" |
" |
Civil or criminal violations |
Low: permitted parties have a lot to lose and there are enough checks and balances in the system to discourage fraud |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Benefit: misreporting problems might be detected quickly, resulting in more responsive enforcement and potentially a higher rate of compliance |
Impersonation in e-ticket transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials, to receive full market price for stolen fish |
Inconvenience, distress or damage to standing or reputation |
Low: e-ticket transactions take place in a context of fish delivery, and the fisher and processor are normally known to each other |
Low: someone would be likely to notice and when detected, the impact could be effectively mitigated. The impact would be limited to the parties whose identity and fish have been stolen |
No net cost or benefit: inconvenience, distress or damage is not significantly different in electronic transactions than it is in paper transactions |
" |
" |
" |
Civil or criminal violations |
Low: e-ticket transactions take place in a context of fish delivery, and the fisher and processor are normally known to each other |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
Impersonation in e-ticket transactions |
Competitor |
Impersonation using stolen identity credentials, to sell fish without debiting own quota |
Inconvenience, distress or damage to standing or reputation |
Low: a competitor might have a motive, but is unlikely to have means or opportunity |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
No net cost or benefit: inconvenience, distress or damage is not significantly different in electronic transactions than it is in paper transactions |
" |
" |
" |
Civil or criminal violations |
Low: a competitor might have a motive, but is unlikely to have means or opportunity |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-ticket document submission could then be prosecuted for fishing or processing without meeting record-keeping and reporting obligations. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
Cost: despite e-signature's legal standing and agency instructions, there is likely to be a tendency to regard a holographic signature as more significant or more binding. It is likely that the requirement to sign a filing with a holographic signature has more influence on the signer's behavior with respect to their consideration of what they are submitting, their commitment to reporting the truth, and their expectation of being held accountable. Persons signing with an e-signature are likely to understand that it would be difficult to prove what individual executed the e-signature (because credentials are transferable). This is likely to motivate some people to repudiate their e-signature if they are being held accountable for something signed with an e-signature. |
" |
" |
" |
Civil or criminal violations |
Low: in most cases a customer who repudiated an e-ticket document submission could then be prosecuted for fishing or processing without meeting record-keeping and reporting obligations. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
E-signature Risk Mitigation
Risk Mitigation Analysis Worksheet (per procedural directive page 9)
Impact Categories |
Significant |
Impact |
Assurance Level |
|---|---|---|---|
Inconvenience, distress or damage to standing or reputation |
No |
Low |
1 |
Financial loss or agency liability |
N/A |
N/A |
|
Agency liability |
N/A |
N/A |
|
Harm to agency programs or public interests |
No |
Moderate |
3 |
Unauthorized release of sensitive information |
No |
Moderate |
3 |
Personal Safety |
N/A |
N/A |
|
Civil or criminal violations |
No |
Moderate |
3 |
Appropriate OMB Assurance Level to Mitigate Business Risk
Lowest Assurance Level that Mitigates All Impact Categories |
Mitigating Controls |
Appropriate Assurance Level with Consideration of Mitigating Controls |
Proposed E-signature Alternative |
|---|---|---|---|
Level 3---...appropriate for transactions needing high confidence in the asserted identity's accuracy. People may use Level 3 credentials to access restricted web services without the need for additional identity assertion controls. |
Multiple sources of information, some with counter-balancing incentives. |
Level 2---On balance, confidence exists that the asserted identity is accurate. Level 2 credentials are appropriate for a wide range of business with the public where agencies require an initial identity assertion (the details of which are verified independently prior to any Federal action). |