Public Private Partnerships and National Input to International Cyber Security

Transcription

1 Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia. U.S.A.

2 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

3 Sample* Areas of Law Security Regulations by Industry / Sector Information Sharing (Open Government, Privacy) Antitrust / Competition Criminal Law Tort Law Private Ordering (Contracts) National Security & Defense Law International Agreements / Law

4 Legal Complexities (?) in Cyber Military support to civil authorities (e.g., Estonia, U.S.) Agency? Clarity re: when business may be acting as agent of the state all parties understand when that happens and the ramifications (business expectations). Primers?

5 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

6 Organization Private Sector networks Government hierarchical Decisive leadership and vision Organization whom to go to to get things done Expertise Speed of solution Authorities for coordination Appropriations / Funding CERT MOD, Civilian

7 Organization Threat Mitigation (all state powers of coercion, private sector, users) State Defense (military, intelligence, interior / homeland) private sector when?

8 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

9 Strategy / Policy Strategy led, not tool led (mitigation, offense, defense) Strategy incorporates law & policy (permissible & preferable)

10 Strategy / Policy Examples re: CIP Cyber conflict between countries X & Y. Effects on CI in country A. Strategy for interference (harm to life, vs economy) Effects on CI in countries A, B, C. Coordinated strategies for interference? What if potential effects are worse in country B (size of economy, type of information society / vulnerabilities), and needs assistance in interference from country A (politically sensitive?) Risk Management (methodologies)

11 Methodologies Respondents identified 124 unique methodologies or techniques for security risk analysis. The top five accounted for only 28% of all responses. Top 5 Methodologies CARVER 14 RAM-x (C, D, W) 14 ARM/CRM 12 MSRAM 6 OPSEC 6 Some other answers: SHIRA, TRAM, RAMCAP, HLS-CAM

12 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions

13 Measures for Security

14 Measures for Security

15 Measures for Security (flexibility? Coordination?)

16 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

17 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

18 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

19 TECH-LAW-POLICY RELATIONSHIP LAW the Permissible* TECHNOLOGY the Possible* POLICY the Preferable*

20 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics war crimes terrorist crimes critical information infrastructure protection jus ad bellum jus in bello neutrality

21 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics jus ad bellum war crimes terrorist crimes critical information infrastructure protection jus in bello neutrality

22 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics jus ad bellum war crimes terrorist crimes critical information infrastructure protection jus in bello neutrality

23 Breakout Sessions Laws and procedures are different per country (not necessarily endorsing consensus) Different threats Different vulnerabilities Different social groundworks International Heli: minimum standards, NATO Practical Effects (e.g., rapid response teams)

24 CIP and National Inputs Law Organization Strategy / Policy Breakout Sessions QUESTIONS?

25 Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia. U.S.A.

26 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

27 Defining CI 2007 Survey Netherlands France New Zealand Germany [A] sector was deemed critical if its breakdown or serious disruption could lead to damage on a national scale. All infrastructures that are vital to the maintenance of primary social and economic processes are considered critical sectors.... infrastructure necessary to provide critical services. Critical services are those whose interruption would have a serious adverse effect on New Zealand as a whole or on a large proportion of the population, and which would require immediate reinstatement. Critical infrastructures (CI) are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order or other dramatic consequences.

28 Defining CIP 2007 Survey Australia Canada U.K.... those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well being of the nation, or affect Australia s ability to conduct national defence and ensure national security.... those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well being of Canadians or the effective functioning of governments in Canada.... those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: cause large scale loss of life have a serious impact on the national economy have other grave social consequences for the community be of immediate concern to the national government.

29 Defining CIP 2007 Survey Belgium Finland... identifies three types of critical infrastructure: vital points, i.e. facilities that require protection because of their socio economic importance, e.g. nuclear plants, bridges, ports, etc.; sensitive points, i.e. facilities that require protection because of their importance for the national or allied defence potential; critical points, i.e. persons, public authorities, communities, buildings, facilities, places and goods which face a real or potential threat of political or criminal nature. Critical Infrastructure to Be Secured: Technological infrastructure of society Transportation, logistics and distribution systems Food supply Energy supply Social and health care arrangements Industry and systems related to national defence

30 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

31 Sample* Areas of Law Security Regulations by Industry / Sector Information Sharing (Open Government, Privacy) Antitrust / Competition Criminal Law Tort Law Private Ordering (Contracts) National Security & Defense Law International Agreements / Law

32 Security Regulations by Industry Industry / Sector Specific Limited? Interconnections? Operations vs. safety vs. security Comprehensive? Culture / Policy Accountability

33 Information Sharing Required vs. Voluntary Public vs. Private Vulnerabilities AND Threats Third Party Access to Information Proprietary Info / Market Strength Increased Regulation Private lawsuits Privacy / Open Government Laws Within / Between Governments

34 Antitrust / Competition Law Private Sector Collaboration & Cooperation Information Sharing Relationship with Regulators Structures for Exemptions / Approvals Timely? Costly?

35 Criminal Law Wrongful Activity: Alteration / Deletion of Content Degradation / Damage to System Unauthorized Access Traditional Crimes (theft, insider trading, etc.) Intent (act vs. consequential harm) Damage Requirements Aggregation Timing Corporate Accountability Investigation & Enforcement (international)

36 Tort Law ISPs = Publisher or Distributor Slander / Defamation (waiver / immunity) Contributory Infringement (copyright) Negligence vs. Negligent Enablement E.g., Breach Notifications (legislative) Consequential Harm Evolution of Foreseeable (reasonableness) Likelihood of Bad Activity Likelihood of Harm (> intervening criminal act) Least Cost Avoider Contractual Relationship (definition of legal duty )

37 Private Ordering (Contracts) Private Re distribution of Risk Waivers / Immunities (e.g., software) User s Negligence Trumps (e.g., U.K. banking) Risk Assessment based on Knowledge Unequal Knowledge of Risks? Private Risk = Based on Business Practice Risk to Business Profitability Risk of Damage to Assets Risks when Government = Customer Awareness of Threat Levels Costs for Mitigation of Risks (e.g., Estonia vs. U.S.)

38 National Security & Defense Balance of Government Interests Security / Defense Intelligence Law Enforcement Emergency Powers Resource Allocation Control of Systems Prioritization of Restoration War Powers Use of the Military to Support Civil Authorities State Secrets Foreign Ownership (access & control)

39 International Agreements / Law Humanitarian Law NATO Mutual Cooperation Agreements (law enforcement)

40 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP

41 Policy Considerations for CIIP Access & Availability Identification, authentication, access controls, and auditing. Intrusion detection, firewalls, antivirus software. Network resilience, redundancy. Data storage, integrity, encryption. Protecting CII Human Factors Training / certification for technological capabilities. Organizational security programs, training, and oversight. End user education. Organizational Responsiveness To law enforcement and intelligence: technical requirements, information demands, etc. To regulators: Informational auditing, security plans, licensing requirements, etc. Proactive Abilities Awareness and monitoring of interdependencies. Threat identification and prediction.

42 Policy Considerations for CIIP Threats Threats to CII, and threats via CII (disruption & weaponization) WHO? HOW? WHY? Natural disaster. Insider. Associate (contractor / vendor). External (competitor / enemy). Human error (development or operations). Failure of awareness (human error at policy & management level). Deliberate act. Accident. To hurt the infrastructure operator. To hurt an entity reliant upon the infrastructure. Theft / Extortion. To hurt an economy.

43 Policy Considerations for CIIP CIIP Needs Credible monitoring of activity in the Internet and the network backbone. Early warning system. Incident tracking. Response protocols to escalation of incidents. Clearly defined frameworks for response and reconstitution. Trusted processes that enable intelligence transfer between public and private sectors. Alignment of physical CIP and cyber CIP. Establishment of common definitions, taxonomy, and standards. Dedication to the next generation (education & training). Decisive leadership & vision.

44 CIIP Law Definitions & Lexicon (CIIP as part of CIP) Sample* Areas of Law Policy Considerations for CIIP QUESTIONS?

45 SPECTRUM OF CYBER CONFLICT not patching the software breach of internal policy or regulations illegal interception crime armed attack cyber warfare breach of a legal obligation ISPs not reporting illegal activity terrorist activity + purpose to force the government or interfere with social structure of the state

46 LAW OF CYBER CONFLICT information society law not patching the software breach of internal policy or regulations criminal law illegal interception crime law of armed conflict armed attack cyber warfare breach of a legal obligation terrorist activity ISPs not reporting illegal activity + purpose to force the government or interfere with social structure of the state

47 LAW OF CYBER CONFLICT information society law criminal law law of armed conflict privacy digital evidence slas e-commerce information society services isp liability e-government access to public information domain names intellectual property freedom of expression it procurements criminal proceedings sanctions crimes wiretapping forensics war crimes terrorist crimes critical information infrastructure protection jus ad bellum jus in bello neutrality

48 INTERNATIONAL ORGANISATIONS NATO ICANN OECD COUNCIL OF EUROPE EUROPEAN UNION UN OSCE INTERNATIONAL TELECOMMUNICATIONS UNION UNESCO UNCITRAL

49 LEVELS OF CYBER INCIDENT MANAGEMENT INTERNATIONAL STATE ORGANISATION USER

50 LEVELS AND SOURCES OF LAW international treaties bilateral agreements customary law national constitution statutes regulations case law organisation contracts internal regulations soft standards best practices

51 AREAS OF CYBER INCIDENT MANAGEMENT DIPLOMACY INTELLIGENCE MILITARY POLICY LAW ECONOMICS

52 TECH-LAW-POLICY RELATIONSHIP TECHNOLOGY the Possible* POLICY the Preferable* LAW the Permissible*

53 THE BOX

54 LEGAL AUTOMATION