Working with the Federal Government on Cybersecurity

Transcription

1 O B S I D I A N C Y B E R S E C U R I T Y O C C A S I O N A L P A P E R Working with the Federal Government on Cybersecurity Preparation is Key to Success December 5, 2013

2 Table of Contents CONSIDER THIS... 2 INTRODUCTION... 2 COMMON TYPES OF FEDERAL GOVERNMENT DEALINGS REGARDING CYBER... 3 WHY PLAN FOR GOVERNMENT DEALINGS?... 3 Reaping the Benefits of Government Interaction... 4 Avoiding Criminal and Civil Liability... 4 Minimizing Disruptions to Operations... 5 Maintaining Public Image... 5 WHAT CAN HAPPEN IF YOU FAIL TO PLAN APPROPRIATELY?... 6 Common Risks: Responding to Legal Requests... 6 Common Risks: Information Sharing... 7 Common Risks: Notifying Cybersecurity Victims... 7 POLICY AND PROCEDURE DEVELOPMENT... 7 Clear Definitions... 8 Roles and Responsibilities... 8 CONSIDER ANOTHER SCENARIO... 9 FOR MORE INFORMATION... 9 WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 1

3 Consider This Imagine taking a vacation outside of the country and leaving a subordinate in charge of your firm. A few days into the trip, you get an urgent message to call the office because the Federal Bureau of Investigation (FBI) arrived at your firm with a search warrant for one of your client s electronic files. Not knowing how to respond and unable to reach you immediately, your team decided the best course of action was to give the FBI agents the entire server that contained the suspect data. Unfortunately, that server also contained files for clients that were not covered under the warrant, and was essential for certain day-to-day operations. The rumor mill has started churning, and agitated clients have been calling the office with questions. Some are threatening to sue for what they consider a violation of their confidentiality. To make matters worse, one of your employees was unaware that the warrant was sealed by a judge and told the client who is the subject of the investigation about the warrant. After getting in touch, your firm s attorney informs you that you need to return immediately; the firm and its employees may face civil and possibly even criminal penalties. Your attorney also informs you that, with a little planning and training, this disaster could have been avoided. Introduction The purpose of this paper is to help executives and leadership teams recognize and understand the need to plan for cybersecurity-related interactions with the federal government that are thoughtful, productive, and minimize risk for all involved parties. A number of government agencies have national security and law enforcement responsibilities and play a significant role in securing and investigating cyberspace. Your contact with these agencies may be part of a voluntary partnership; but, occasionally, the contact may be unexpected. You and your employees need to understand your rights and responsibilities as well as the risks and potential rewards associated with working with a government agency on a variety of cyber matters. This paper will explore some common types of federal government dealings, discuss why planning for interaction with government is important, describe what could happen if a firm fails to plan appropriately, and provide suggestions on establishing policies and procedures for your firm. This document does not provide legal advice. Rather, it is a guide for discussions between management, legal advisors, and information technology (IT) professionals on how to plan in advance for potential federal government cybersecurity dealings. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 2

4 Common Types of Federal Government Dealings Regarding Cyber The ways that your firm could find itself interacting with federal government agencies vary widely. Your interaction may be quick or long-term. It may be initiated by the government or you may call on the government for their assistance. Some common types of government dealings are briefly described below: Government-Initiated Dealings Servicing a legal process Notifying your firm of a data breach Requesting voluntary disclosure Investigating a crime Firm-Initiated Dealings Reporting an incident/crime Notifying of a data breach Seeking intelligence related to an incident Mutual Dealings Participating in publicprivate information sharing alliances (e.g., Infragard, the Defense Industrial Base, the Cybersecurity Pilot, etc.) Participating in policyshaping partnerships The following are some key federal government agencies that routinely interact with private firms on cybersecurity: U.S. Department of Homeland Security (DHS): DHS Cyber Security and Communications (CS&C) is responsible for enhancing the security, resilience, and reliability of the nation s cyber and communications infrastructure. FBI: The FBI has a mission to investigate high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud. U.S. Secret Service (USSS): The USSS has both a protective mission to safeguard the President and certain dignitaries, and a mission to protect the integrity of the nation s financial systems. U.S. Department of Energy (DOE): The Office of Electricity Delivery and Energy Reliability (OE) within DOE works with DHS and other federal agencies to reduce the risk of disruptions to the nation s electric grid caused by cyber incidents. U.S. Securities and Exchange Commission (SEC): The mission of the SEC is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. Why Plan for Government Dealings? Smart policy planning will help you and your firm maximize the upside of government interactions while minimizing the downside. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 3

5 Reaping the Benefits of Government Interaction In some cases, your firm may find that the government is literally here to help. The federal government has access to information sources that are more detailed, diverse, and interconnected than even the biggest IT providers. The government has many formal partnership programs, such as Infragard, that allow them to share their wealth of information freely. The government can also share information through a specific non-disclosure agreement with your firm. Partnerships like these can provide important threat information that is vital to protecting a firm and its employees. In simple cases, the government can provide unclassified information on cyber threats. In more advanced partnerships, the government can clear company personnel to receive extremely sensitive and classified threat information. Some of that information can highlight breaches in your firm s systems, enabling you to take corrective action. Other government partnerships, such as the recent National Institute of Standards and Technology cybersecurity framework workshops, allow a firm to influence government policy development, which gives you the power to protect your business interests from unwanted regulation. Avoiding Criminal and Civil Liability Failing to comply with proper legal processes, such as a search warrant for files on a server, creates a criminal liability for firms. Search warrants, in particular, are no small matter. The concept of a search warrant is established in the fourth amendment of the Constitution. If the government can demonstrate to a federal magistrate judge that there is probable cause that evidence of a crime is located in a particular place, the judge may issue a warrant permitting the government to enter that location and seize such evidence, including any container (digital or otherwise) that could contain the evidence. It is important for a firm served with a warrant to be able to tell the government exactly where the required data resides, and to cooperate with the government in finding it. Yet, a firm should not simply show everything to the government. Take the scenario described at the beginning of this report as an example. Providing client information to the government without a proper legal basis would most likely result in a civil liability. Even when provided with a warrant, firms have been sued over providing information to officials. In 2011, a convicted sex offender sued MySpace for complying with a warrant signed by a Georgia state magistrate. The offender argued that My Space, as a California-based company, should not have responded to an out-of-state warrant. Although MySpace successfully defended their actions, they still had to defend themselves. In that case, the MySpace employees acted lawfully and in compliance with the company s stated policy; however, had that policy been less precise or if the employees had applied it inconsistently, the results might have been different. In many criminal cases, employees naturally want to help law enforcement, but the law requires due process. These competing pressures are hard enough to navigate with a plan in place; without a plan, employee actions can severely financially damage and harm a firm s reputation. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 4

6 Minimizing Disruptions to Operations Understanding the rules of collecting evidence will help you create processes that can mitigate disruptions to your business. In the scenario described at the beginning of this report, untrained employees simply handed over an entire server to FBI agents without any idea of how long that server would be gone. For some firms, this alone could be enough to shutter the business, and it was unnecessary. Digital forensic tools have advanced to the point that, with a little help from a trained IT staff, the FBI agents could have copied only the items to which they were entitled. Had the untrained employees taken it upon themselves to copy the files they thought were relevant, the employees would then be involved in hearings and potentially even a trial that, at best, would waste employee time and resources. At its worst, a trial would expose the firm to bad publicity and lawsuits. Well-trained employees operating under a solid plan can effectively minimize these disruptions. Maintaining Public Image Regardless of your business, the way your firm handles interactions with the government is going to influence the way your clients and the public view your firm. For instance, companies that work closely with the federal government to combat child sexual exploitation on the Internet are understandably proud of that fact. However, when a recent reporting on the National Security Agency (NSA) leaks erroneously indicated that certain major providers voluntarily gave the NSA a backdoor into their servers, those firms were quick to set the record straight. Understanding this balance in public perception is important. No legitimate firm wants to be perceived as actively helping criminals commit their crimes, but neither do they want clients to believe they spy on them for the government. Knowing what the middle ground is for your firm and staying on it is a lot easier when you think through the problem before you encounter it. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 5

7 What Can Happen if You Fail to Plan Appropriately? Failing to properly plan for government interaction can be dangerous for firms. Many pitfalls exist in unplanned government interactions as a firm tries to balance the government s needs with their needs. The table and subsections below outline some of the potential issues: Government Needs Firm Needs Risks To gather data according to a court order or other legal process To voluntarily share intelligence across public and private sectors To notify cybersecurity breach victims To protect the privacy interests of the firm and its clients To minimize disruptions to business To receive intel from the government in order to assist in cyber defense To avoid the loss of reputation To comply with applicable data breach laws The firm s technical staff have little or no legal training The legal department does not understand technology and does not know how to assist government forensic experts The types of data maintained are not well inventoried or defined The firm must share data only within the confines of their privacy policy and applicable laws The proper employees must understand the limits of using classified government briefings The data breach notification must be handled properly to avoid damaging the firm s reputation The failure to disclose may result in significant legal trouble Common Risks: Responding to Legal Requests Responding to a legal request can be stressful for unprepared employees and can result in significant legal troubles. For example: Your IT staff understands the types of data contained on the firm s systems, but they have little, if any, legal training. Your attorneys are probably not computer experts and do not understand what types of data your firm keeps. Neither group has a good handle on what types of data you own, so no one understands what to do with incoming legal requests. If your firm does not understand what client data you possess and cannot put it into a legal framework, major mistakes are inevitable. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 6

8 Common Risks: Information Sharing Information sharing partnerships with the government can help you secure not only your firm s IT systems, but the critical infrastructure on which the firm depends. However, there are limits to how a firm can engage in these partnerships. For example: Your privacy policy is not clear or fully understood. For example, if your privacy policy has a statement such as, We will not share your information with any third party outside of our organization, other than as necessary to sharing things like server log files with the government may constitute a violation of your own policy. If a client gets investigated because your firm violated its own policy for sharing with the government, they might want to sue you. Your employees are not trained to handle classified information. If the government clears certain employees to receive a classified cyber threat briefing with classified indicators of a hacking attack, simply asking an employee who is not cleared to check the network for those indicators might be a crime. Your employees are not trained to properly disclose information to the government. If the government informs you that your firm has been the victim of a data breach, you may have additional disclosure requirements and employees may feel the need to disclose as quickly as possible. Disclosing prematurely before the full scope of a breach is known can cause confusion and lead to a situation where your firm has to continually revise its public assessment of the scope of the breach. Common Risks: Notifying Cybersecurity Victims Your firm does not have a procedure for notifying clients about a breach. If you delay notifying the client about a breach, it increases the risk that clients will find out about the breach from another source, giving the client the impression that your firm was attempting to cover up the intrusion. Policy and Procedure Development The risks detailed above are common, clear, and profound. Yet there are certain measures you and your firm can take today to minimize the impact of these risks. You should engage legal representation and subject matter experts early so that you have policies in place prior to engaging with government agencies. If you lack the expertise internally, you should engage outside assistance to help with your planning efforts. You should also convene a joint legal and technical team to revise your policies and procedures with clear definitions of the types of data you maintain and a concise listing of the roles and responsibilities of your team members. WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 7

9 Clear Definitions Legal and IT professionals often have difficulty agreeing on the definitions of certain key terms, but it is critical that they work together to define the types of data you possess and the legal process required to release it to the government. Your firm should establish a combined legaltechnical team to define each of the following: Business records and transactional data: When clients sign up for an online service, or transact business on your web site, many records of those transactions are kept automatically. The legal requirements for obtaining transactional data and business records are generally lower than what is required for the content of a client s files. It is critical that your policies address these types of records and distinguish them from the personal communications of a client. Contents of Communications: Clients have a high expectation of privacy in terms of the contents of electronic items they entrust to you. When clients use your service to communicate with you or others or if they store personal electronic items with you they may have a higher expectation of privacy for that data. Generally, communications will require a court order, such as a warrant. Your legal and technical teams must work together to understand what data falls into this category, and prepare employees to handle this information appropriately. Metadata: Strictly speaking, metadata is data about data and is often captured automatically by systems. Defining metadata legally is tricky. Your clients may have a low privacy interest in some metadata (e.g., date and time stamps), but a high interest in others (e.g., global positioning system coordinates embedded in digital camera images). There is not a clear legal standard for the government to obtain all types of metadata, so your team should define what types of metadata you possess and what types of legal process you expect from the government for that metadata. Your published privacy policy should clearly state how you will handle metadata. Your combined legal-technical team definitions may get challenged in court by clients or the government, and you may be forced to adapt them. They should be reviewed periodically to make certain they are consistent with your current systems and new case law. By establishing a thoughtful starting point, your firm will be better able to defend its actions. Roles and Responsibilities During any government interaction, it is critical that each employee knows what they are responsible for and the limitations of their role. Your policy and procedures documents should be developed with the input of multiple stakeholders, and at minimum, the following items should be covered: Management: Management has the ultimate responsibility for ensuring plans are executed correctly and that the firm continues to run smoothly. The policies and procedures you develop must set guidelines that empower management to make the WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 8

10 appropriate decisions when dealing with the government, but also keep them focused on the overall needs of the firm. Legal: The legal team s primary responsibility is to protect the firm from legal liability during any interaction with the government. Your policy must make it clear which functions and actions require approval from your legal department. The policy should identify points of contact for legal support, including emergency numbers. Technical: The IT team has a responsibility for preserving data, maintaining the operation of the firm s systems, and providing only authorized access to client data. The technical team will require a clear set of procedures for protecting and preserving firm and client data. Those procedures must also clearly specify what actions require management/legal department approval and which functions may be undertaken independently. When your entire team has established policies and procedures for government interaction, and employees are well trained in them, your firm will be in a much better position to proactively engage the government or to handle the unexpected visit from government officials. Consider Another Scenario You are on vacation when your attorney calls you. There is nothing to worry about, she says. She informs you that the FBI showed up with a search warrant yesterday for a client s files. The staff precisely followed the procedure you put in place for this possibility. They sought legal advice and were able to assist the agents in making forensic copies of the exact data they needed, nothing more. The agents passed along their appreciation. The rights of the clients were maintained, so there should be no blowback. You can relax and enjoy your vacation knowing that your staff are well trained and prepared. For More Information If you would like to receive additional information on this topic or on other cybersecurity issues, contact: Ria M. Thomas Principal / Senior Director for Cybersecurity rthomas@obsidiandc.com Obsidian Analysis, Inc Eye St NW 4 th Floor Washington, DC WORKING WITH THE FEDERAL GOVERNMENT ON CYBERSECURITY 9