Click to edit Master title style

Transcription

1 Cybersecurity: Working the Calm Before the Storm Thursday, October 9, :00 P.M. - 1:00 P.M. CST Michael E. Clark and Charles E. Harrell 10/8/ DMADMIN/ _1.PPTX

2 Legal Landscape Federal Regulation Patchwork of legislative and administrative standards Federal Trade Commission Act ( FTC Act ) Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), and Health Information Technology for Economic and Clinical Health Act ("HITECH Act") Gramm-Leach-Bliley Act ( GLBA ) Federal Americans with Disabilities Act ( ADA ) Children's Online Privacy Protection Act ( COPPA ) Fair Credit Reporting Act ( FCRA ) and Fair and Accurate Credit Transactions Act ( FACTA ), Electronic Communications Privacy Act (Stored Communications Act and Wiretap Act), and Telephone Consumer Protection Act. Video Privacy Protection Act ( VPPA ) National Institute of Standards and Technology ( NIST ) 10/8/

3 Legal Landscape Federal Regulation Patchwork of legislative and administrative standards (cont.) SEC requirements Division of Corporation Finance Disclosure Guidance: Topic No. 2 Click Cybersecurity to (dated edit October Master 13, 2011) title - guidelines style for public corporations who suffer cyber attacks or data breaches, which require disclosure of material events that affect the company s operations, liquidity, financial condition, viability, product or customer lines, losses, and on-going litigation SEC Sweep Letters In 2014, the SEC has sent market participants detailed Click questionnaires, to edit called Master cybersecurity subtitle sweep style letters, asking for information about firms cybersecurity practices. Cybersecurity Roundtable SEC held roundtable discussion on March 26, Rule 13(a)-15(f) of the Exchange Act (ICFR) Adopting release effective August 14, /8/

4 Legal Landscape Federal Regulation Patchwork of legislative and administrative standards (cont.) New Legislation: Cyber Intelligence Sharing and Protection Act ( CISPA ) (passed the House on April 18, 2013) H.R. 624 (113th Congress) The bill purports to allow companies and the federal government to share information to prevent or defend against network and other Internet attacks. Under CISPA, any company can use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of the company, and then share that information with third parties, including the government, so long as it is for cybersecurity purposes. It was designed to facilitate two-way information sharing between intelligence agencies and private businesses. It has generated significant debate as it has meaningful implications to an individual privacy rights. If enacted, it could allow the government to hold critical infrastructure businesses accountable for not making measurable improvements in their information security procedures. 10/8/

5 Legal Landscape State Regulation State Legislation 47 states have data security statutes requiring notification of breaches. Timing of Notice: Some states have a specific notice period (within days of discovery). Many states, however, simply provide that notice shall be made within a reasonable time period or without unreasonable delay. Some states include an element of harm or a trigger for notification. To Whom Notice Must be Given? 10/8/

6 Legal Landscape Government Enforcement Actions Federal Trade Commission Enforcement The FTC is the most active federal agency in enforcing consumer privacy protections and 5 of the FTC Act has been the FTC s primary enforcement mechanism. Section 5(a) of the Federal Trade Commission Act ( FTC Act ), 15 U.S.C. 45(a), prohibits unfair or deceptive acts or practices in or affecting commerce. More than 30 enforcement actions have been brought by the FTC since May Click 1, to The edit FTCMaster has brought subtitle more than style 50 in all since FTC s Health Breach Notification Rule 10/8/

7 Legal Landscape Government Enforcement Actions Federal Trade Commission Enforcement (cont.) Federal Trade Commission v. Wyndham Worldwide Corp., No , 2014 U.S. Dist. LEXIS (D.N.J. Apr. 7, 2014). This case was the first legal challenge to the FTC s enforcement authority. Wyndham moved to dismiss the Complaint arguing that the FTC s unfairness authority does not cover data security. The court disagreed, holding that the FTC s unfairness authority coexists with existing data-security regulatory scheme. On June 23, 2014, the U.S. District Court of New Jersey granted Wyndham s Motion to certify for interlocutory appeal the order denying the motion to dismiss. 10/8/

8 Cyber Insurance Introduced CYBER TIMELINE Notice Costs Covered Broad Privacy Ins. Vendor Coverage Corp Confidential Info. PCI Fines & Penalties Reg. Fines & Penalties System Full Limit Failure Policies HIPAA Gramm- Leach- Bliley 1 SB1386 PCI HITECH SEC Cyber Order (2/12/13) Sony Click to edit Master 5 Target subtitle style 6 (11/27/13-12/15/14) Card Systems Insurance History Regulatory/Industry History Claims/Losses History 1 GLB requires private financial information to be properly protected 2 $45 million credit and debit cards were stolen 3 $140MM in fines and settlements 4 Data breach ( spear phishing ) involving names of customers and addresses/affected at least 50 companies TJX 2 Heartland 3 Epsilon 4 Neiman Marcus 9 NIST Framework Ver /4/2013 (PF) 7/10/2013 (M-SD) 9/11/2013 (M-Dallas) 2/13/2014 (FF) least through version 2.0 of Framework 10/8/ Sony PlayStation/BMG s website breaches (cleanup $171MM) Homeland Security/ PPD-21 (2/12/13) 6 $165MM in cyber breach insurance 7 Michaels Stores disclosed on April 18, District court grants interlocutory appeal on June 23, NM was hacked from July to December Framework for Improving Critical Infrastructure Cybersecurity 11 NIST will continue to serve as convener and coordinator at Michaels 7 (5/8/13-1/27/14) 12 Hackers stole 4.5 million patient records by breaking into the company s network through a hole in the network created by Heartbleed 13 October 2, 2014 securities filing disclosed that a cyber attack compromised data for 76 million households and 7 million businesses 14 Employee gained access to 1600 customer s personal data records October 2014 CISPA passes House on 4/18/13, but stalls in the Senate Home Depot (9/8/2014) JP Morgan Chase 13 ATT announces internal data breach 14 10/2014) CHS of Franklin, TN 12 (8/2014) FTC v. Wyndham 8 (4/7/14) NIST Framework Ver

9 Homeland Security February 12, 2013 Chemical Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Chemical Sector. Commercial Facilities Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Commercial Facilities Sector. Communications Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Communications Sector Critical Manufacturing Sector TheClick Department toofedit Homeland Master Security is designated subtitle as thestyle Sector-Specific Agency for the Critical Manufacturing Sector. Dams Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Dams Sector. Defense Industrial Base Sector The Department of Defense is designated as the Sector-Specific Agency for the Defense Industrial Base Sector. 10/8/

10 Homeland Security Emergency Services Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Emergency Services Sector. Energy Sector The Department of Energy is designated as the Sector-Specific Agency for the Energy Sector. Financial Services Sector The Department of Treasury is designated as the Sector-Specific Agency for the Financial Services Sector. Food and Agriculture Sector The Department of Agriculture and the Department of Health and Human Services are designated as the Co-Sector-Specific Agencies for the Food and Agriculture Sector. Government Facilities Sector The Department of Homeland Security and the General Services Administration are designated as the Co-Sector-Specific Agencies for the Government Facilities Sector. Healthcare and Public Health Sector The Department of Health and Human Services is designated as the Sector-Specific Agency for the Healthcare and Public Health Sector. 10/8/

11 Homeland Security Information Technology Sector The Department of Homeland Security is designated as the Sector-Specific Agency for the Information Technology Sector. Nuclear Reactors, Materials, and Waste Sector Click The Department to edit of HomelandMaster Security is designated title as the Sector-Specific style Agency for the Nuclear Reactors, Materials, and Waste Sector. Transportation Systems Sector The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector. Water and Wastewater Systems Sector TheClick Environmental to edit Protection Master Agency is designated subtitle as thestyle Sector-Specific Agency for the Water and Wastewater Systems Sector. 10/8/

12 Legal Landscape European Privacy 1995 European Union Data Protection Directive UK Data Protection Act of 1998 EU Safe Harbor Provision (2000) European General Data Protection Regulation (proposed) Article 29 Working Party Opinion on Personal Data Breach Notification 10/8/

13 Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, /8/

14 Framework Core Structure 10/8/

15 Framework Implementation Tiers 10/8/

16 Coordination of Framework Implementation The image above describes a common flow of information and decisions at the following levels within an organization: Executive Business/Process 10/8/2014 Implementation/Operations

17 NIST Initiatives 10/8/

18 Bioscience NIST will provide the measurement science, data, and tools that are needed for efficient manufacturing in biosciences and nanotechnology. NIST research in biomanufacturing will help create new manufacturing paradigms that use cells as factories for fuels, pharmaceuticals, and specialty chemicals. Data analytics/big Data Much of advanced manufacturing depends upon the ability to make at scale or integrate the use of new materials into existing manufacturing processes. NIST will continue to invest in strengthening its efforts to develop the standards and data needed to support advanced materials modeling and design. Systems Engineering The convergence of digital technologies with manufactured products, engineered systems of products, and associated services are enabling a new generation of smart manufacturing processes and equipment. As these processes have grown exponentially in complexity, new and revised standards are required to accompany dramatic improvements in systems engineering, integration, and testing. NIST supports the closer integration of robotics and humans in the manufacturing environment, and is developing a testbed to evaluate the automated in-process quality monitoring and control systems that are critical to the efficient operation of modern factories. 10/8/

19 In-Place Precision Measurement Lasers are an enabling technology for an enormous range of measurements Click in to physical edit standards, Master chemistry, title biological style systems, space-based research, and many other areas. NIST is the world leader in the development and application of ultrastable lasers. However, the coherence (or stability) of lasers has not significantly increased over the past decade despite intense world-wide research efforts. NIST researchers are developing a research program to achieve Click to laser edit frequency Master stability subtitle more than style 100 times better than the world s best lasers today, and extend optical coherence times to more than 1,000 seconds. 10/8/

20 Collaboration and Partnership NIST s new Advanced Manufacturing Technology Consortia (AMTech) program will provide financial assistance to leverage existing consortia or establish Click new industry-led to edit consortia Master to develop road-maps title of critical style longterm industrial research needs well fund research at leading universities and government laboratories directed at meeting these needs. The National Network for Manufacturing Innovation (NNMI) is a proposed network Clickoftomanufacturing edit Master innovation subtitle institutes style that would bring together companies, university and community colleges, and government to co-invest in applied research and development of cuttingedge manufacturing technologies. 10/8/

21 NIST ROADMAP FOR IMPROVING CRITICAL INFRASTRUCTURE (2/12/2014) 1. AREAS FOR DEVELOPMENT, ALIGNMENT AND COLLABORATION: a. AUTHENTICATION b. AUTOMATED INDICATOR SHARING c. CONFORMITY ASSESSMENT d. CYBERSECURITY WORKFORCE e. DATA Click ANALYTICS to edit Master subtitle style f. FEDERAL AGENCY CYBERSECURITY ALIGNMENT g. INTERNATIONAL ASPECTS, IMPACTS AND ALIGNMENT h. SUPPLY CHAIN RISK MANAGEMENT i. TECHNICAL PRIVACY STANDARDS 10/8/

22 Cyber-Security 10/8/

23 Cyber-Security/NAD There is a growing realization in the IT industry that current cyber-security technologies are losing an arms race with those who seek to launch network-based attacks. The current state of the art in Network Intrusion Detection technologies, which detect specific signatures Clickof malicious to edit software, Master cannot keep pace with title the ratestyle of innovation in attack vectors. Such schemes are inherently reactionary, requiring the identification and reverse engineering of new attacks and the near constant update of attacksignatures in global security systems. Recent advances in Network Anomaly Detection (NAD) technologies may stop this arms race by shifting the focus from identifying specific attacks toward detecting significant deviations from models of normal network behavior. A primary barrier to further NAD technology development Click and tocommercialization edit Master is thesubtitle lack of realistic style reference data and techniques for rigorous test and measurement. NIST is beginning a research program to develop methodologies to generate highfidelity, purely synthetic reference data of network traces to approximate the diversity of real network traffic that can be instrumented with controlled instances of malicious traffic. The spatial scale, application diversity, technology diversity, and temporal range that must be modeled present a significant technical challenge. 10/8/

24 Systems Engineering The computing systems that enable modern life, from the Internet to those that control critical infrastructure, are growing in both scale and complexity. The inability to measure, predict, or control macroscopic behavior in complex information Click systems can tojeopardize edit ourmaster nation s security and title cost billions style of dollars through high-profile system events such as cascading failure modes. NIST is applying its core competencies in applied and computational mathematics, measurement science, and systems engineering to characterize macro-scale structures and dynamics of large-scale interconnected systems and to understand behavior in complex information systems. 10/8/

25 Collaboration and Partnership National Cybersecurity Center of Excellence In the face of the Nation s cybersecurity challenges, NIST, with the State of Maryland and Montgomery County, established the NCCoE in The NCCoE is collaborating with experts from industry, Click government, to edit and academia Master to build standards-based title style reference designs to address common cybersecurity challenges. In 2013, the NCCoE launched its first use case to develop a platform that allows health care providers to securely collect, process, and exchange patient data. This first use case was quickly followed by four others focusing on challenges in critical infrastructure sectors including financial services and energy. In addition to sectorspecific use cases, Click the NCCoE to edit is working Master on building subtitle block solutions style that can be applied across industry sectors. Active building blocks include work on hardware roots of trusted geolocation for cloud computing, attribute-based access control, mobile device security, and software asset management. The NCCOE has attracted 19 industry partners to provide hardware, software, and expertise to aid the Center s efforts in advancing the rapid adoption of secure technologies. 10/8/

26 NIST s FY 2015 Budget Request WASHINGTON The U.S. Department of Commerce released details today about the President s fiscal year (FY) 2015 budget request to Congress for the National Institute of Standards and Technology (NIST). The FY 2015 budget request of $900 million aligns Click with theto agency s edit vision for Master expanding and strengthening title style NIST programs in a number of key national priority areas such as forensic science, lightweight vehicle alloys and bioengineering measurement tools. The request is a $50 million increase from FY 2014 enacted levels. Scientific and Technical Research and Services (STRS), $680 million The STRS request includes $29 million above FY 2014 enacted levels to allow NIST s laboratoryclick programs to toedit conductmaster measurement subtitle research andstyle services that are central to innovation, productivity, trade and public safety. Funding requests include: Measurement Science and Standards for Forensic Science Infrastructure (+$3.5 million) Cyber-Physical Systems (+$7.5 million) Advanced Materials (+$5 million) Synthetic Biology (+$7 million) Lab-to-Market (+$6 million) 10/8/

27 Healthcare and Big Data 10/8/

28 A computer can know and remember as much marketing detail about 200,000,000 consumers as did the owner of a crossroads general store about his handful of customers. I can know and select such Click personal to details edit as who Master prefers strong title coffee, style imported beer, new fashions, bright colors. Who just bought a home, freezer, camera, automobile. Who has a new baby, is overweight, got married, owns a pet, likes romantic novels, serious reading, listens to Bach or The Beatles Those marketers who ignore the implications of our new individualized information society will be left behind in what may well come to be known as the age of mass production and marketing ignorance. 1 1 Lester Wunderman, Being Direct (New York: Random House, 1996), /8/

29 The New Value Framework Right living. Patients must play an active role in their own health by making the right choices about diet, exercise, preventive care, and other lifestyle factors. Right care. Patients must receive the most timely, appropriate treatment available. Right care relies heavily on protocols, but also requires a coordinated approach with all caregivers having access Click to the same to information edit and Master working toward title the same style goal to avoid duplication of effort and suboptimal treatment strategies. Right provider. Any professionals who treat patients must have strong performance records and they should also be selected based on their skill sets and abilities rather than their job titles. For instance, nurses or physicians assistants may perform many tasks that do not require a doctor. Right value. Providers and payors must find ways to improve value while preserving or improving health-care quality. Key pathways are to link provider reimbursement to patient outcomes and implement Clicknew toprograms editdesigned Master to eliminate subtitle wasteful spending. style Right innovation. Stakeholders must focus on new therapies and approaches to health-care delivery. They should also improve the innovation engines themselves for instance, by advancing medicine and boosting R&D productivity. 10/8/

30 The New Value Framework (cont.) The value pathways evolve as new data become available, fostering a feedback loop. 10/8/

31 10/8/

32 Big Data Pitfalls 10/8/

33 Data Breaches/Release of Confidential Information Numbers Click to edit can Master be usedtitle to style evaluate doctors -- rightly or wrongly Eliminating high spending does not equate to eliminating Click to edit waste Master subtitle style Data Brokers 10/8/

34 Things happening today or very soon Pioneered more than a decade ago, devices mounted on utility poles are able to sense the radio stations being listened to by passing drivers, with the results sold to Click advertisers. to 1 edit Master title style In 2011, automatic license-plate readers were in use by three quarters of local police departments surveyed. Within 5 years, 25% of departments expect to have them installed on all patrol cars, alerting police when a vehicle associated with an outstanding warrant is in view. 2 Meanwhile, civilian uses of license-plate readers are emerging, leveraging cloud platforms and promising multiple ways of using the information collected. 3 1 ElBoghdady, Dina, Advertisers Tune In to New Radio Gauge, The Washington Post, October 25, American Civil Liberties Union, You Are Being Tracked: How License Plate Readers Are Being Used To Record Americans Movements, July, Hardy, Quentin, How Urban Anonymity Disappears When All Data Is Tracked, The New York Times, April 19, /8/

35 Experts at the Massachusetts Institute of Technology and the Cambridge Police Department have used a machine-learning algorithm to identify which burglaries likely were committed by the same offender, thus aiding police investigators. 4 Differential Click pricing to (offering edit different Master prices to different title customers style for essentially the same goods) has become familiar in domains such as airline tickets and college costs. Big data may increase the power and prevalence of this practice and may also decrease even further its transparency. 5 The UK firm FeatureSpace offers machine-learning algorithms to the gaming industry that may detect early signs of gambling addiction or other aberrant behavior among online players. 6 4 Rudin, Cynthia, Predictive policing: Using Machine Learning to Detect Patterns of Crime, Wired, August 22, : -detect-pattern 5 (1) Schiller, Benjamin, First Degree Price Discrimination Using Big Data, Jan , Brandeis University. and (2) Fisher, William W. When Should We Permit Differential Pricing of Information? UCLA Law Review 55:1, Burn-Murdoch, John, UK technology firm uses machine learning to combat gambling addiction, The Guardian, August 1, /8/

36 Retailers like CVS and AutoZone analyze their customers shopping patterns to improve the layout of their stores and stock the products their customers want in a particular location. 7 By tracking cell phones, RetailNext offers ricks-and-mortar retailers the chance to recognize returning customers, just as cookies Click allow them to be edit recognized Master by on-line merchants. title 8 Similar style WiFi tracking technology could detect how many people are in a closed room (and in some cases their identities). The retailer Target inferred that a teenage customer was pregnant and, by mailing her coupons intended to be useful, unintentionally disclosed this fact to her father. 9 7 Clifford, Stephanie, Using Data to Stage-Manage Paths to the Prescription Counter, The New York Times, June 19, Clifford, Stephanie, Attention, Shoppers: Store Is Tracking Your Cell, The New York Times, July 14, Duhigg, Charles, How Companies Learn Your Secrets, The New York Times Magazine, February 12, /8/

37 Social media and public sources of records make it easy for anyone to infer the network of friends and associates of most people who are active on the web, and many who are not. 10 The Durkheim Project, funded by the U.S. Department of Defense, analyzes social-media behavior to detect early signs of suicidal thoughts among veterans. 11 Insight into the spread of hospital-acquired infections has been gained through the use of large amounts of patient data together with personal information about uninfected patients and clinical staff. 12 Individuals heart rates can be inferred from the subtle changes in their facial coloration that occur with each beat, enabling inferences about their health and emotional state Facebook s The Graph API (at describes how to write computer programs that can access the Facebook friends data. 11 Ungerleider, Neal, This May Be The Most Vital Use Of Big Data We ve Ever Seen, Fast Company, July 12, (1) Wiens, Jenna, John Guttag, and Eric Horvitz, A Study in Transfer Learning: Leveraging Data from Multiple Hospitals to Enhance Hospital-Specific Predictions, Journal of the American Medical Informatics Association, January (2) Weitzner, Daniel J., et al., Consumer Privacy Bill of Rights and Big Data: Response to White House Office of Science and Technology Policy Request for Information, April 4, Frazer, Bryant, MIT Computer Program Reveals Invisible Motion in Video, The New York Times video, February 27, /8/

38 Facial-recognition technologies are beginning to be practical in commercial and law-enforcement applications. 14 They are able to acquire, normalize, and recognize moving faces in dynamic scenes. Real-time video surveillance with single-camera systems (and some with multi-camera Click systems, to which edit can both recognize Master objects and title analyze activity) style has a wide variety of applications in both public and private environments, such as homeland security, crime prevention, traffic control, accident prediction and detection, and monitoring patients, the elderly, and children at home. 15 Depending on the application, use of video surveillance is at varying levels of Deployment Workshop on Frontiers in Image and Video Analysis, National Science Foundation, Federal Bureau of Investigation, Defense Advanced Research Projects Agency, and University of Maryland Institute for Advanced Computer Studies, January 28-29, For example, Newark Airport recently installed a system of 171 LED lights (from Sensity [ that contain special chips to connect to sensors and cameras over a wireless system. These systems allow for advanced automatic lighting to improve security in places like parking garages, and in doing so capture a large range of information. 16 This was discussed at the workshop cited in footnote /8/

39 Social-network analysis is used in criminal forensic investigations to understand the links, means, and motives of those who may have committed crimes. In the realm of commerce, it is well-understood that what a person s friends like or buy can influence what he or she might buy. For example, in 2010, it was reportedclick that having one toiphone-owning edit Master friend makes a person title threestyle times more likely to own an iphone than otherwise. A person with two iphone-owning friends was five times more likely to have one. 17 There are many commercial social listening services, such as Radian6/Salesforce Cloud, Collective Intellect, Lithium, and others, that mine data from social-networking feeds for use in business intelligence. Click to edit Master subtitle 18 Coupled with social-network analysis, this information can be used to evaluate changing style influences and the spread of trends between individuals and communities to inform marketing strategies. 17 Sundsøy, P. R., et al., "Product adoption networks and their growth in a large mobile phone network," Advances in Social Networks Analysis and Mining (ASONAM), Top 20 social media monitoring vendors for business, Socialmedia.biz, social-media-monitoring-vendors-for-business/ 10/8/

40 Cyber Security Click to edit October Master 2014 subtitle style 10/8/ DM3/ _1.PPTX 40