HLL Risk Assessment
Background
As stated in the Procedural Directive 32-110-01 "Use and Implementation of Electronic Signatures" NMFS program officials must perform a qualitative risk assessment consistent with the analytic framework called out in OMB M-01-04, "E-authentication Guidance for Federal Agencies." The OMB policy, and in turn, the NMFS Procedural Directive identifies seven potential categories of impact from using e-signatures that include:
- Inconvenience, distress, or damage to standing or reputation to any party
- Financial loss to any party
- Agency liability
- Harm to agency programs or public interests
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations
This risk assessment was conducted by the FIS e-signature task force in consultation with the Pacific Region program office. In order to help articulate the various pilot's appropriate levels of risk, we utilized the ThinkTank program. ThinkTank is a collaborative technology which allows for simultaneous, anonymous input of ideas and in this case, voting. Each pilot was vetting through two series of criteria to help determine the appropriate level of risk. Facilitated conversations were held to ensure that each participant had a clear understanding of each pilot, each criterion, and how exactly to express their vote through ThinkTank.
In the first section each participant voted on whether or not there was a significant probability of occurrence for infraction against the pilot, this was a yes/no decision, and then what possible impact of harm might occur should an infraction occur, this was voted on a low/medium/high scale.
Next, each pilot was then voted against the OMB Assurance Levels to help gauge agreement around the group's opinion of which OMB Assurance Level the individual pilots might belong to.
See the ThinkTank report for the full meeting results.
E-signature Risk Evaluation
Business Context and Volume
NMFS manages fishing in waters of the United States and international waters under authority of various statutes and laws, primarily the Magnuson-Stevens Fishery Conservation and Management Act (Public Law 94-265, as variously amended, most recently by the Magnuson-Stevens Fishery Conservation and Management Reauthorization Act (P.L. 109-479)) (MSA) and the High Seas Fishery Management and Conservation Act.
The reporting and recordkeeping rules for Pacific Island fisheries (50 CFR §665.14) were modified in 2007 to give fishers the option to submit electronic logbook forms (electronic logbooks). This change followed a 2006 recommendation by the Western Pacific Regional Fishery Management Council titled Regulatory Amendment to the Fishery Management Plans of the Western Pacific Region Authorizing the Optional Use of Electronic Logbook Forms. The objectives of allowing electronic logbook use include:
- Allowing fishers to record and submit their data electronically whenever possible
- Reducing the amount of time spent by fishers complying with federal reporting requirements
- Improving the accuracy of the data collected
- Reducing the amount of time spent by NOAA Fisheries Service processing the logbook data
Currently one vessel reports logbook information electronically through a pilot electronic logbook program. Previously there were seven vessels reporting electronically with 30 more utilizing a GPS plotter/longline logbook program which would potentially enable them to e-report. Successful clarification of the e-signature and e-logbook vendor certification (in process) could enable/allow up to 150 vessels to e-report. (Although technology, language, and economic barriers are likely to reduce participation to approximately fifty vessels in the near term.) Vessels are required to report (transfer data) within 72 hours of landing. Vessels typically land every few weeks. The potential exists for future daily reporting using VMS as a data transport mechanism.
Business Drivers
Timely information on fishing effort, catch and bycatch is required as an element of National Standard 1 (NS1). Timeliness of reporting may become even more critical if, as is likely, Hawaiian fisheries become participants in additional international fishery management regimes. In these longline fisheries an electronic logbook program provides the best mechanism for acquiring timely information. Logbook record-keeping and reporting regulations require vessel operator signatures for accountability. An e-signature feature is required to make e-logbook reporting feasible.
Business Risk in the Permit Context
Considerations of business risk may benefit from categorization according to FIPS 199 which provides a common framework for expressing information security concerns throughout the federal government. This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality would damage our relationship with our constituency and could impact our ability to collect accurate data with which to manage fisheries. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. It could also expose us to litigation and professional disrepute.
- Moderate integrity requirements -- among other things data from this system could be used to establish individual fishing quotas based on historical participation in a fishery. Individual fishing quotas have value, and it is critical to maintain access controls, change tracking, and auditability. The moderate level is specified to recognize that loss of integrity could result in significant financial harm to individuals.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
These are mid-size vessels (vicinity of 70ft) that have GPS, VMS, and sophisticated fish-finding technology. A number of the vessels have e-logbook software onboard integrated with track plotting systems. This e-logbook application includes a unique identifier via a hardware dongle which could be used to identify data from the vessel. An existing rule provides authority for optional electronic reporting. E-Logbook Vendor Certification Guidelines are in the approval process that would allow a vendor to promote an e-logbook application as NMFS-approved for e-logbook compliance.
By regulation responsibility for fishing logbook reporting is on the operator of the fishing vessel.
Functionality would be creation/maintenance of the e-logbook record, storage of the e-logbook records, and submission of e-logbook records via email or portable media (floppy, cd, memory stick). An important functionality aspect from the risk perspective is that the e-logbook software onboard the vessel is "trusted software", evaluated and certified by agency staff, and that trusted software captures and stores the customer's data locally onboard the vessel. At the end of a trip the accumulated e-logbook data is then transferred as a package on portable media or electronic mail to NMFS personnel. (Note that this design does not involve network exposure in the sense of an online system. One data submission alternative, email transmission, would occur over the public Internet, however, there is still a much smaller "attack surface" than with an online interactive application. Note also that vessel owners are not prohibited from installing e-logbook software on networked computers, so while it isn't likely, it is possible that the e-logbook data could be exposed to network vulnerabilities through other network-aware software installed on the same computer.)
Data sensitivity and security
E-Logbook data is fisheries confidential data under the trade secrets act. Information collected pursuant to requirements of the MSA, including permit application information, is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data as well as those collected under the Halibut Act.
Mitigating controls
Perhaps the most significant mitigating control is that in commercial fisheries transactions, both parties to transactions (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher may be required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations.
The VMS system provides independent confirmation of the vessel's location. The agency has technical capability to confirm fishing locations reported on logbook entries.
NMFS Pacific Islands Region has created an electronic logbook computer program certification process to approve e-logbook software before it can be used to satisfy mandatory record keeping and reporting requirements. The stated aim of the certification process is "...to encourage the use of electronic logbooks for the reporting of catch and effort data by promoting standard data exchange procedures, formats, and application validation tests" but the certification process is also clearly intended as a risk-mitigating control.
At least one vendor of e-logbook software requires a licensing compliance dongle which is used to form a unique identifier for each logbook page. Through this unique identifier each logbook submission can be tied to a particular instance of the e-logbook software.
The vessels which will be reporting are permitted to fish and therefore have a prior "trusted relationship" with NMFS. In many cases this prior relationship involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
This is not an online system and there are no mechanisms for online self-registration. Existing permit holders, or applicants for new fishing permits, will be invited to register to submit electronic logbooks. A fisher using a permit whose permit holder is registered for electronic logbook reporting, and using a certified E-Log-App, may submit electronic logbooks. The software receiving electronic logbook submissions (through email or through portable media) will recognize data that originated in certified E-Log-Apps by adherence to the NMFS-specified schema, and will recognize permit holders who are registered to submit electronic logbooks by permit number. The receiving software will report any non-conforming data or unregistered submission as errors and ignore those submissions.
Threat and Vulnerability Identification
(see Categories of Harm and Impact Definitions)
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Occurrence |
Impact of Harm |
E-signature Cost Benefit Assessment |
|---|---|---|---|---|---|---|
System unavailability |
Error, component failure, or act of God |
Power failure, network failure, computer component failure, operator error, software failure, capacity constraint, etc. |
Inconvenience, distress or damage to standing or reputation |
Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better. Agency staff use due diligence to secure systems and reduce vulnerabilities, including daily data backups, etc. |
Low: for fishery management decision support typical availability is adequate. Even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience. Smaller scale failures, for instance a failure that prevents reporting from one vessel, would be a minor inconvenience. |
N.A. (E-signature has no effect, positive or negative, on this vulnerability) |
System unavailability |
Vandalism |
Internet security exploit such as denial-of-service attack |
Inconvenience, distress or damage to standing or reputation |
Low: this is not an online Internet-exposed system and should have very low vulnerability to network-based exploits. |
Low: even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience |
N.A. |
System misuse |
System administrator, operator, or other agency user |
Abuse of insider knowledge and access for unauthorized use or release of information |
Unauthorized release of sensitive information |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
Failure to report |
Fisher |
Fisher fails to report, either through negligence, or with intent to mislead fisheries managers and evade fisheries management controls |
Harm to agency programs or public interests |
Low: permitted fishers know the rules and understand the risks of non-compliance |
Moderate: any individual trip report would be inconsequential in overall impact, but widespread and long-term failure to report may facilitate overfishing with significant damage to public interests |
Benefit: e-reporting and e-signature can be additional features of fishing activity management software, providing e-logbook reporting in a value-added context, potentially making compliance more attractive |
" |
" |
" |
Civil or criminal violations |
Low: permitted fishers know the rules and understand the risks of non-compliance |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Benefit: failure to report would be detectable quickly, resulting in more responsive enforcement and potentially a higher rate of compliance. Also e-reporting and e-signature can be additional features of fishing activity management software, providing e-logbook reporting in a value-added context, potentially making compliance more attractive. |
Under-reporting or misreporting catch |
Fisher |
Fisher under-reports or misreports, to mislead fisheries managers and evade fisheries management controls |
Harm to agency programs or public interests |
Low: permitted fishers know the rules and understand the risks of non-compliance |
Low: any individual trip report with highly unlikely numbers would trigger data quality checks and would be corrected or disregarded. Credible individual trip reports, even if intentionally misreported, would be inconsequential in overall impact. Even a concerted long-term effort to misreport by any one fisher is likely to be either not creditable or inconsequential. |
Benefit: e-reporting and e-signature can result in more immediate feedback for detectable errors, and more immediate feedback facilitates more accurate reporting |
" |
" |
" |
Civil or criminal violations |
Low: permitted fishers know the rules and understand the risks of non-compliance |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Benefit: misreporting problems might be detected quickly, resulting in more responsive enforcement and potentially a higher rate of compliance. |
Impersonation in e-logbook transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim |
Inconvenience, distress or damage to standing or reputation |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); also common criminals are unlikely to have subject-area expertise to discover an incrimination or defamation opportunity and there are probably easier attacks |
Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated |
No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control. However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood. |
" |
" |
Impersonation using stolen identity credentials, for access to sensitive information |
Unauthorized release of sensitive information |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); also an uninformed criminal would be unlikely to find or identify sensitive information |
Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control. However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood. |
Impersonation in e-logbook transactions |
Disgruntled industry employee |
Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim |
Inconvenience, distress or damage to standing or reputation |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); however, an employee might be more likely than others to have the means, motive, and opportunity |
Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review and reconciliation, and when detected, the impact could be effectively mitigated |
No net cost or benefit: vulnerability for an employee attack is not significantly different in electronic transactions than it is in paper transactions |
" |
" |
Impersonation using stolen identity credentials, for access to sensitive information |
Unauthorized release of sensitive information |
Low: the employee who might possibly have the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data |
Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the disgruntled industry employee is well placed to already have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
No net cost or benefit: vulnerability for an employee attack is not significantly different in electronic transactions than it is in paper transactions |
Impersonation in e-logbook transactions |
Competitor |
Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim |
Inconvenience, distress or damage to standing or reputation |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software) |
Low: impersonated parties or agency staff would be likely to notice during dockside interview process and subsequent data review and reconcilation, and when detected, the impact could be effectively mitigated |
No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control. However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood. |
" |
" |
Impersonation using stolen identity credentials, for access to sensitive information |
Unauthorized release of sensitive information |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software) |
Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
No net cost or benefit: e-reporting and e-signature provide two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software); the traditional paper logbook may have been laying about on the bridge with no security control. However, this may be balanced by the fact that it is easy to understand and mitigate the risk with the traditional paper logbook (the skipper will understand the risk and the potential solutions), while the risks associated with electronic solutions won't be well understood. |
" |
Common criminal/identity thief |
Impersonation using stolen identity credentials |
Civil or criminal violations |
Low: opportunity will be limited because the e-logbook is onboard the vessel at sea and protected by two layers of security controls (access controls on the vessel's computer, and access controls on the e-logbook software) |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
Repudiation to escape accountability |
Customer (fisher) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-logbook submission could then be prosecuted for fishing without reporting. There will generally be independent evidence of the fishing or processing activity (follow the fish, also follow the VMS track.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
Cost: despite e-signature's legal standing and any agency instructions, there is likely to be a tendency to regard a holographic signature as more significant or more binding. It is likely that the requirement to sign a filing with a holographic signature has more influence on the signer's behavior with respect to their consideration of what they are submitting, their commitment to reporting the truth, and their expectation of being held accountable. Persons signing with an e-signature are likely to understand that it would be difficult to prove what individual executed the e-signature (because credentials are transferable). This is likely to motivate some people to repudiate their e-signature to attempt to escape accountability. |
" |
" |
" |
Civil or criminal violations |
Low: in most cases a customer who repudiated an e-logbook document submission could then be prosecuted for fishing without following record-keeping and reporting requirements. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
E-signature Risk Mitigation
Risk Mitigation Analysis Worksheet (per procedural directive page 9)
Impact Categories |
Significant |
Impact |
Assurance Level |
|---|---|---|---|
Inconvenience, distress or damage to standing or reputation |
No |
Mod |
2/3 |
Financial loss or agency liability |
No |
Mod |
2/3 |
Agency liability |
No |
Mod |
2/3 |
Harm to agency programs or public interests |
No |
Low |
2 |
Unauthorized release of sensitive information |
No |
Low |
2 |
Personal Safety |
N/A |
N/A |
|
Civil or criminal violations |
No |
Moderate |
3 |
Appropriate OMB Assurance Level to Mitigate Business Risk
Lowest Assurance Level that Mitigates All Impact Categories |
Mitigating Controls |
Appropriate Assurance Level with Consideration of Mitigating Controls |
Proposed E-signature Alternative |
|---|---|---|---|
Level 3---...appropriate for transactions needing high confidence in the asserted identity's accuracy. People may use Level 3 credentials to access restricted web services without the need for additional identity assertion controls. |
Multiple sources of information, some with counter-balancing incentives. The VMS system provides independent confirmation of the vessel's location. Mandatory landing reports (fish tickets) provide independent confirmation of retained catch. |
Level 2---On balance, confidence exists that the asserted identity is accurate. Level 2 credentials are appropriate for a wide range of business with the public where agencies require an initial identity assertion (the details of which are verified independently prior to any Federal action). |