Legal Issues / Estonia Cyber Incident

Transcription

1 Control System Cyber Security Conference 22 October 2009 Legal Issues / Estonia Cyber Incident Maeve Dion Center for Infrastructure Protection George Mason University School of Law

2 Legal Issues / Estonia Cyber Incident CIP law, security, & defense. Estonia incident International concerns. Frameworks for international cyber security.

3 Sample* Areas of CIP Law Security Regulations by Industry / Sector Information Sharing (Open Government, Privacy) Antitrust / Competition Criminal Law Tort Law Private Ordering (Contracts) National Security & Defense Law International Agreements / Law

4 National Security & Defense Balance of Government Interests Security / Defense Intelligence Law Enforcement Diplomacy / Foreign Affairs Emergency Powers Resource Allocation Control of Systems Prioritization of Restoration War Powers & LOAC Other: Use of the Military to Support Civil Authorities State Secrets Foreign Ownership (access & control)

5 Jurisdictions (Situational Awareness) MIL HS CORP LE DEPT. of ST. IC

6 International Concerns Laws and procedures are different per country Different threats Different vulnerabilities Different social groundworks International cooperation and coordination REQUIRED for CIP / cyber incident management.

7 Cooperative Cyber Defence COE The mission of the CCD COE is to enhance the Cooperative Cyber Defence Capability of NATO and NATO nations, thus improving the Alliance s interoperability in the field of cooperative cyber defence. BY Doctrine and Concept Development Awareness and Training Research and Development Analysis and Lessons Learned Consultation What the CCD COE is NOT: a 24/7 incident handling centre Computer Emergency Response Team

8 Estonia Incident 2007 DDoS attacks. Defacement of government websites. Spam. Online distribution of attack code and instructions. Online propaganda.

9 Estonia Incident Tension regarding Soviet-era memorial & graves of soldiers. Public debate over relocation. Early spring 2007: government decision to relocate.

10 Estonia Incident April: physical incidents in Estonia.

11 Estonia Incident Apr 1 May: siege of embassy in Moscow / ambassador attacked. Cyber attacks and sanctions begin: DDoS, defacement, spam, online distribution of attack codes and instructions, online propaganda. Duma delegation to Tallinn demands government step down. Bridge / trade closure; business contracts suspended.

12 Estonia Incident Apr. 18 May: main attack (DDoS). govt websites banks critical routers at ISP level govt s Internet-based communications

13 Estonia Incident 2007 War: use of force Terrorism Riot / flash mob Hactivist attacks

14 Estonia Incident 2007 Successful ad hoc response, domestically & internationally. Set the standard for public openness about an incident. New Estonian laws & CIP structures. Momentum for international cooperation & coordination.

15 International Concerns Domestic Law International Law Domestic Law Domestic Law Domestic Law Domestic Law

16 International Concerns Domestic Law International Law Domestic Law Domestic Law Domestic Law Domestic Law

17 Jurisdictions for Response Health / Pandemic Hospital / Clinic State Health / HS Federal Health / HS International WHO Quarantine Authorities Intelligence Community Law Enforcement Cyber Incident Corporation / Agency (network / system security) Federal HS ( cyber-related incident of national significance) Military (conflict mgt, armed conflict) IC, LE, Diplomacy

18 Frameworks for Criteria Definition Identification of Criteria Map Response Decisions to Criteria (decision tree) Legal Frameworks National Cyber Crimes Conflict Management / Armed Conflict International Treaties / Agreements Law of the Sea, Outer Space, Satellites, Telecommunications FICS initiative

19 FICS Frameworks for International Cyber Security Criteria Is there a military response? Is there a foreign relations response? Is there a law enforcement response? Is there an intelligence community response? Is international assistance / coordination required? Is there a regulatory response? Is there a corporate response?

20 Center for Infrastructure Protection Maeve Dion

21 Policy Considerations for CIIP Access & Availability Identification, authentication, access controls, and auditing. Intrusion detection, firewalls, antivirus software. Network resilience, redundancy. Data storage, integrity, encryption. Protecting CII Human Factors Training / certification for technological capabilities. Organizational security programs, training, and oversight. End user education. Organizational Responsiveness Proactive Abilities To law enforcement and intelligence: Awareness and monitoring of technical requirements, interdependencies. information demands. Threat identification and prediction. To regulators: Informational auditing, security plans, licensing requirements. To emergency responders.

22 Policy Considerations for CIIP Threats Threats to CII, and threats via CII (disruption & weaponization) WHO? HOW? WHY? Natural disaster. Employee / insider. Associate (contractor / vendor). External (competitor / enemy). Human error (development or operations). Failure of awareness (human error at policy & management level). Deliberate act. Accident. Theft / Extortion. To hurt the infrastructure operator. To hurt an entity reliant upon the infrastructure. To hurt an economy / country.