Hawaii Non-Commercial Bottomfish Logbook Risk Assessment
E-signature Evaluation
Business Context and Volume
NMFS manages fishing in waters of the United States and international waters under authority of various statutes and laws, primarily the Magnuson-Stevens Fishery Conservation and Management Act (Public Law 94-265, as variously amended, most recently by the Magnuson-Stevens Fishery Conservation and Management Reauthorization Act (P.L. 109-479)) (MSA) and the High Seas Fishery Management and Conservation Act.
The Western Pacific Region Fisheries Management Council introduced a new non-commercial bottomfish logbook requirement effective in November 2008. The fishery opens November 15, 2008.
Non-commercial means recreational and subsistence. No commercial software vendors are currently addressing this market. NMFS is developing a web-based application for online reporting at the end of a day-trip.
The most important thing is that people report what they caught. This is more important than getting a permit. There is no funding for surveys or follow-up, compliance is problematic. Assessing compliance is problematic. The agency doesn't want anything to slow down or discourage people from reporting. The method of submitting is optimized for customer convenience. Vessel owners are obligated to report, but each fisher onboard should be permitted and named in the logbook report.
The agency doesn't know how many recreational fishers there are. Participation could be 50 to 5,000 vessels. Requirements are to report within 24 hours of landing, typically vessels land every day, and there is no estimate of how many days they will fish.
Business Drivers
Under the MSA there are statutory requirements to develop total allowable catch and manage the fishery to prevent overfishing. These requirements are further described in National Standard 1 (NS1). This particular fishery is considered a threatened fishery. A number of species may be overfished. The council has determined that this logbook program is the best mechanism for acquiring the information necessary to meet National Standard 1. An e-signature feature has been specified to hold fishers accountable for the information they report.
Business Risk in the Permit Context
Considerations of business risk may benefit from categorization according to FIPS 199 which provides a common framework for expressing information security concerns throughout the federal government. This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality could result in minor damage to our relationship with our constituency and could have a minor impact on our ability to collect accurate data. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced.
- Low integrity requirements -- loss of integrity would be expected to have a limited adverse effect on organizational operations, assets, or individuals. Data collected from this program is unlikely to be considered definitive evidence, so before this data has significant influence on decisions every effort will be made to check and verify.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
These are small personal vessels (vicinity of 20ft) that may have a fish finder, GPS, and cell phone aboard. They won't have Internet at sea or at the dock, they may have Internet at home. Plan is to provide a web application that will let them register and then report after each fishing trip.
Functionality would be creation/maintenance of the e-logbook record, which will be stored online in a NMFS database, there will be some value-add features for the fishers to encourage them to use the system.
Data sensitivity and security
Information collected pursuant to requirements of the MSA is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA also apply to such data.
Mitigating controls
It may be possible to validate some registrants through NPS. Because this is a new program for recreational and subsistence fishers, and there is a strong need for the information, and little leverage for enforcement, the emphasis is on ease of use and positive reinforcement for compliance.
Threat and Vulnerability Identification
(see Categories of Harm and Impact Definitions)
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Occurrence |
Impact of Harm |
E-signature Cost Benefit Assessment |
|---|---|---|---|---|---|---|
System unavailability |
Error, component failure, or act of God |
Power failure, network failure, computer component failure, operator error, software failure, capacity constraint, etc. |
Inconvenience, distress or damage to standing or reputation |
Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better. Agency staff use due diligence to secure systems and reduce vulnerabilities, including daily data backups, etc. |
Low: for fishery management decision support typical availability is adequate. Even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience. Smaller scale failures, for instance a failure that prevents reporting from one vessel, would be a minor inconvenience. |
N.A. (E-signature has no effect, positive or negative, on this vulnerability) |
System unavailability |
Vandalism |
Internet security exploit such as denial-of-service attack |
Inconvenience, distress or damage to standing or reputation |
Low: this is not an high-profile Internet system and should not be a particularly attractive target. Also, if necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Low: even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience |
N.A. |
System misuse |
System administrator, operator, or other agency user |
Abuse of insider knowledge and access for unauthorized use or release of information |
Unauthorized release of sensitive information |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a release of personal information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
Failure to report |
Fisher |
Fisher fails to report, either through negligence, or with intent to mislead fisheries managers and evade fisheries management controls |
Harm to agency programs or public interests |
High: fishers may be negligent or uninformed. Also this is a new program, and fishers may not be convinced of its necessity or of fisheries managers credibility |
Moderate: any individual non-commercial trip report would be inconsequential in overall impact, but widespread and long-term failure to report may facilitate overfishing with significant damage to public interests |
Benefit: e-reporting and e-signature make compliance easier and therefore significantly more likely |
" |
" |
" |
Civil or criminal violations |
High: fishers may be negligent or uninformed. Also this is a new program, and fishers may not be convinced of its necessity or of fisheries managers credibility |
Low: at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts |
Benefit: e-reporting and e-signature make compliance easier and therefore significantly more likely |
Under-reporting or misreporting catch |
Fisher |
Fisher under-reports or misreports, to mislead fisheries managers and evade fisheries management controls |
Harm to agency programs or public interests |
Low: fishers who make the effort to report are probably trying to be good citizens |
Low: any individual non-commercial trip report with highly unlikely numbers would trigger data quality checks and would be corrected or disregarded. Credible individual non-commercial trip reports, even if intentionally misreported, would be inconsequential in overall impact. Even a concerted long-term effort to misreport by any one fisher is likely to be either not creditable or inconsequential. |
Benefit: e-reporting and e-signature make compliance easier and therefore significantly more likely, also, more immediate feedback on detectable errors will result in more accurate reporting |
" |
" |
" |
Civil or criminal violations |
Low: fishers who make the effort to report are probably trying to be good citizens |
Low: at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts |
Benefit: e-reporting and e-signature make compliance easier and therefore significantly more likely, also, more immediate feedback on detectable errors will result in more accurate reporting |
Impersonation in e-logbook transactions |
Disgruntled friend |
Impersonation using stolen identity credentials |
Inconvenience, distress or damage to standing or reputation |
Low: a friend might possibly have the means, motive, and opportunity, but they probably also know that there is little likelihood of achieving any distress or damage |
Low: impersonated parties might not notice, however, given the resolution of the data a few intentional misreports would not significantly change the qualilty of the dataset |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the friend who might possibly have the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data |
Low: the impact would be limited to the party whose identity has been stolen |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely |
" |
" |
" |
Civil or criminal violations |
Low: a friend might possibly have the means, motive, and opportunity, but they probably also know that there is little likelihood of achieving any distress or damage |
Low: at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely |
Repudiation to escape accountability |
Customer (fisher) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: customers (and the agency) have little at stake in any one e-logbook document submission. If a customer repudiated a sequence of submissions, or their entire history of submissions, the agency would have more reason for concern, but it is hard to imagine circumstances that would lead to this behavior. |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
Cost: despite e-signature's legal standing and any agency instructions, there is likely to be a tendency to regard a holographic signature as more significant or more binding. It is likely that the requirement to sign a filing with a holographic signature has more influence on the signer's behavior with respect to their consideration of what they are submitting, their commitment to reporting the truth, and their expectation of being held accountable. Persons signing with an e-signature are likely to understand that it would be difficult to prove what individual executed the e-signature (because credentials are transferable). This is likely to motivate some people to repudiate their e-signature to attempt to escape accountability. |
" |
" |
" |
Civil or criminal violations |
Low: customers (and the agency) have little at stake in any one e-logbook document submission. If a customer repudiated a sequence of submissions, or their entire history of submissions, the agency would have more reason for concern, but it is hard to imagine circumstances that would lead to this behavior. |
Low: at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
E-signature Risk Mitigation
Risk Mitigation Analysis Worksheet (per procedural directive page 9)
Impact Categories |
Significant |
Impact |
Assurance Level |
|---|---|---|---|
Inconvenience, distress or damage to standing or reputation |
No |
Low |
1 |
Financial loss or agency liability |
No |
Low |
1 |
Agency liability |
No |
Low |
1 |
Harm to agency programs or public interests |
No |
Low |
2 |
Unauthorized release of sensitive information |
No |
Low |
2 |
Personal Safety |
N/A |
N/A |
|
Civil or criminal violations |
No |
Low |
2 |
Appropriate OMB Assurance Level to Mitigate Business Risk
Lowest Assurance Level that Mitigates All Impact Categories |
Mitigating Controls |
Appropriate Assurance Level with Consideration of Mitigating Controls |
Proposed E-signature Alternative |
|---|---|---|---|
Level 2---On balance, confidence exists that the asserted identity is accurate. Level 2 credentials are appropriate for a wide range of business with the public where agencies require an initial identity assertion (the details of which are verified independently prior to any Federal action). |
Because this is a new program for recreational and subsistence fishers, and there is a strong need for the information, and little leverage for enforcement, the emphasis is on ease of use and positive reinforcement for compliance. |
Level 1---Little or no confidence exists in the asserted identity. For example, Level 1 credentials allow people to bookmark items on a web page for future reference. |