Cybersecurity Primer

Size: px
Start display at page:

Download "Cybersecurity Primer"

Transcription

1 Cybersecurity Primer August 15, 2014 National Journal Presentation Credits Producer: David Stauffer Director: Jessica Guzik

2 Cybersecurity: Key Terms Cybersecurity Information security applied to computers and networks Cyber incident Cyber attack Cyber threat intelligence National Security System Critical infrastructure A violation of an organization s security policy as a means to access networks or spread malicious codes An attack targeting an enterprise s use of cyberspace to disrupt, disable, destroy, or control a computing infrastructure and its data; types of attacks include, but are not limited to denials-of-service, viruses, malware, and phishing schemes Information about vulnerability of or threat to a government or private sector entity s network; includes information about a network s protection from attackers Any information system that involves intelligence activities, cryptologic activities related to national security, command and control of military forces, or direct fulfillment of military or intelligence missions Physical or virtual assets and systems vital to society; destruction or damage to such assets could debilitate national security, the economy, public health or safety, or the environment Source: Government Accountability Office, 2013; U.S. Department of Commerce, 2003; Center for Strategic and International Studies, 2013, NIST

3 Number of Cyber Incidents Reported Among Federal Agencies Has Increased Nearly Ninefold Since 2006 Number of Incidents Reported to U.S. Computer Emergency Readiness Team (US-CERT), FY Number of reported cyber incidents has lead to a growing concern about cybersecurity and the destructive impact cyber attacks could have on the government, military, private sector, and even personal operations Number of reported cyber incidents has prompted many to urge the U.S. government to provide a greater level of protection from such attacks Rise in reported incidents may also be partially attributed to better reporting; a growing awareness of cyber attacks has led agencies and companies that are part of critical infrastructure to be more forthcoming about threats and incidents Source: Government Accountability Office, 2013; Ellen Nakashima and Danielle Douglas, More Companies Reporting Cybersecurity Incidents, The Washington Post, March 1,

4 Federal Agencies are Vulnerable to a Variety of Cyber Incidents Types of Incidents Reported to US-CERT, FY Scans, probes, attempted access Unauthorized access Unknown or under investigation Malicious code Improper usage Spreading malicious codes, unauthorized access, and improper usage are the most common types of cyber incidents, accounting for 55% of total incidents reported According to the Government Accountability Office, many of these incidents resulted in data loss, data theft, computer intrusions, privacy breaches, and economic loss Source: Government Accountability Office,

5 Threats to Cybersecurity are Decentralized and Diverse Actors Threatening Private and Public Cybersecurity Spyware or Malware Authors Individuals or organizations producing and distributing malware/spyware Business Competitors Companies obtaining sensitive information from rival or target companies to improve their competitive edge Criminal Groups Groups attacking systems for monetary gain Spammers Individuals or organizations distributing unsolicited s with hidden or false information Threats to Cybersecurity Insiders Organization insiders gaining network access to damage or steal system data (e.g. NSA s Edward Snowden) Bot-net Operators Networks of remotely controlled systems coordinating cyber attacks Hackers Individuals or groups gaining unauthorized access into networks for various reasons Nations Foreign governments seeking information to develop information warfare doctrine, programs, and capabilities Phishers Individuals or groups stealing identities or information for monetary gain International Corporate Spies Spies conducting economic and industrial espionage Terrorists Individuals or groups seeking to destroy, incapacitate, or exploit critical infrastructure Cyber threats are caused by individuals and organizations motivated by financial gain, political advantage, and ideological causes Many cyber attacks fall under multiple categories, e.g. a terrorist and a phisher can be one in the same Source: Government Accountability Office, 2013; Congressional Research Service, 2013; 5

6 Government Agencies and Organizations Protect Federal, Private Organizations Against Cyber Threats Agencies Tasked with Protecting Nation s Cybersecurity Department of Homeland Security Responds quickly to cyber vulnerabilities Partners with owners and operators of critical infrastructure, to release actionable cyber alerts Investigates and arrests criminals Educates public on cyber safety Within DHS, United States Computer Emergency Readiness Team (US-CERT) provides cyber threat warning information and coordinates responses Office of Management and Budget Develops and oversees implementation of policies, principles, standards, and guidelines on information security in federal agencies Annually reviews and approves agency information security programs Department of Commerce Oversees Internet Policy Task Force Researches and reviews cybersecurity standards in the commercial sector Within the Department of Commerce, the National Institute of Standards and Technology (NIST) develops minimum security standards for agencies and guidelines for identifying information systems critical to national security Source: Government Accountability Office, 2013; Department of Homeland Security, 2013; Department of Commerce,

7 Cybersecurity Became a Legislative Priority in Past Decade Timeline of Enacted Cybersecurity Legislation Federal Information Security Management Act (FISMA) Establishes a comprehensive, riskbased framework to ensure information security controls over information resources supporting federal operations and assets Comprehensive National Cybersecurity Plan Establishes frontline of defense against network intrusion, enhances U.S. counterintelligence capabilities and expands cyber education National Infrastructure Protection Plan Provides framework integrating a range of efforts and partnerships designed to make the nation s critical infrastructure more safe Executive Order Improving Critical Infrastructure of Cybersecurity, Failure of CISPA EO requires government to share cybersecurity threats with private sector and directs NIST to create best practices for cybersecurity in the private sector; House passes, but Senate does not take action on, major cybersecurity bill CISPA Source: National Journal Research; White House, 2000; Government Accountability Office, 2013; Department of Homeland Security, 2009; Central Intelligence Agency, 2008; Gerry Smith, Senate Won t Vote on CISPA, Deals Blow to Controversial Cyber Bill, HuffPost Tech, April 25,

8 In Executive Order, Private Sector Cooperation Encouraged But Voluntary Cybersecurity Executive Order (EO) Flow of Information Mandated Course of Action Recommendations and detected threats U.S. Executive Branch Ordered National Institute of Standards and Technology (NIST) to create a cybersecurity framework to identify threats and establish guidelines for protection; a first draft was released in February of 2014 Ordered NIST to assess its own performance on privacy Directs all government agencies to provide alerts to the private sector in the event of a threat Private Sector May help NIST develop framework May volunteer to comply with cybersecurity framework May help to protect critical infrastructure, e.g., electrical grids, banking systems, and water treatment plants Voluntary Course of Action Obama s 2013 executive order aimed to enhance cybersecurity by establishing a synergetic framework between the private sector and government agencies Government agencies must share information about alerts, threats, and vulnerabilities with private sector In return, private sector entities are advised, though not required, to help NIST develop a stronger cybersecurity framework Source: Brian Fung, Why Some Privacy Advocates Are Grinning Over Obama s Cybersecurity Order, National Journal, Feb. 13, 2013; Michael S. Schmidt and Nicole Perlroth, Obama Order Gives Firms Cyberthreat Information, New York Times, Feb. 12, 2013; Chenxi Wang, Obama s Cybersecurity Executive Order: Heart in the Right Place But There Is Little Teeth, Forbes, Feb. 14, National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12,

9 Executive Order Struggles with Implementation Process of Implementing Cybersecurity Information Sharing EO DHS Communications Service Providers Critical Infrastructure Sectors Participating Not Participating Defense Telecomm Energy Chemical Certifies To provide sharing services and utilities to Critical Manufacturing Dams Emergency Services Food and Agriculture Financial Services Health Care Nuclear Water IT Transportation Government Facilities Commercial Facilities The information sharing program outlined in the 2013 EO has only reached three of 16 critical infrastructure industries DHS does not directly advertise or maintain the program, instead relying on private service providers for those functions; government information provided through the program is free, but companies must purchase the data sharing services and utilities from private providers Currently, only two service providers, CenturyLink and AT&T, have applied and been approved for the program Source: Aliya Sternstein, Who Receives Hacker Threat Info From DHS? NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors. 9

10 Program Has a Chicken-and-Egg Problem of Low Participation Barriers to Participation in Information Sharing Program Limited number of communications service providers participating Because critical infrastructure sectors aren t participating, because The executive order currently has a chicken-and-egg problem; the program needs more service providers to expand the service to all 16 critical infrastructure sectors, but because so few sectors are currently involved, few service providers are interested in expanding into the program Moreover, there are barriers for service providers: the current accreditation process for service providers takes eight months, and the investment that companies need to make to get clearance for employees to view the information and build secure communications networks to protect the information is formidable Source: Aliya Sternstein, Who Receives Hacker Threat Info From DHS?, NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors. 10

11 In 2014, Congress Advanced Legislation to Increase Cybersecurity Sharing Participation Timeline of Recent Legislative Action on Cybersecurity June 2014 July July 28, 2014 July 31, 2014 The Cyber Information Sharing Act (CISA) is introduced in the Senate, removing legal barriers for companies to share information about cybersecurity threats and providing liability protection for companies who share such information The Senate Select Committee on Intelligence approves CISA and sends it to the Senate floor for debate Liability protection would allow protection from civil action, regardless of prior contracts that may prevent sharing information without a customer s consent The House passes three bills: The National Cybersecurity and Critical Infrastructure Protection Act, which creates a civilian agency under DHS to handle cyber information sharing between the government and private industries and organizations for security purposes; The Critical Infrastructure Research and Development Advancement Act, which directs DHS to develop a strategic plan for cybersecurity protection; and The Homeland Security Boots-On-The-Ground Act, which requires DHS to develop occupation classifications for individuals performing cybersecurity functions The Cyber Information Sharing Tax Credit Act is introduced in the Senate, providing tax credits to private companies who share information regarding cybersecurity threats with security research organizations Sources: Gregory S. McNeal, Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee, Forbes, July 9, 2014; Steve Augustino, Jameson Dempsy and Dawn Damschen, Could 2014 Be The Year for Cybersecurity Sharing Legislation? Above The Law, July 14, 2014; Mary-Louise Hoffman, Sen. Kirsten Gillibrand Proposes Tax Incentves To Spur Cyber Intel Sharing, ExecutiveGov, August 4, 2014; Eric Chabrow, How House Passed 3 Cybersecurity Bills, Bank Info Security, July 29,

12 NIST Framework s Tiers Rate Organizational Preparedness Against Cyber Threats NIST Tiers Risk Management Process Integrated Risk Management Program External Participation Tier I Partial No formalized process, ad hoc and reactive to threats, not informed by organizational needs or current trends Limited awareness of cybersecurity risk and no organization-wide approach to risk management No processes in place to participate in coordination with other entities on cybersecurity Tier II Risk Informed Risk management practices are approved by management but may not be organization-wide policy; risk management may be informed by organizational needs or current trends Awareness of cybersecurity risk at the organizational level, no organizational approach The organization understands it is part of a larger ecosystem but has no formal system for external interaction Tier III Repeatable The organization s risk management practices are formally approved and expressed as policy, and the organization changes those practices based on updated organizational needs and current trends A consistent organization-wide approach to risk management The organization understands its partners and dependencies and receives information from those entities that allows for collaboration and informed responses to threats Tier IV Adaptive A formalized and continuously updating system of cybersecurity practices based on information from previous and current cybersecurity activities An organization-wide approach to managing cybersecurity risk using risk-informed policies and procedures, with cybersecurity risk management as a part of organizational culture Actively shares information with partners to ensure systemic security and defense against a cybersecurity breach Source: National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12, 2014.

13 Cyber Attacks Cost Private Sector Millions Average Annual Cost of Cyber Attack Damages Per Sector in FY 2012 In millions of dollars Cyber attacks were most costly to defense, utilities and energy, and financial services sectors in FY 2012; these sectors spent an average of $19.4 million on cyber attack damages, while all other sectors shown spent an average of $5.7 million Cyber attacks are mostly likely to target defense, utilities, and financial services sectors because they contribute to the nation s critical infrastructure Consumer products, hospitality, and retail sectors spend the least on cyber attack damages because they rarely possess information pertinent to the nation s critical infrastructure * Data is based on survey of 56 companies; cost refers to cost of addressing cyber attack damages Source: 2012 Cost of Cyber Crime Study: United States, Ponemon Institute, October

14 Cyber Attacks Prompt Private Sector to Take Precautions Proactive vs. Reactive Corporate Spending Against Cyber Threats, 2010 Annual Gross Written Premiums for Cybersecurity Private Liability Insurance In millions of dollars Companies spent more on proactive measures labor, capital, or services that assist in avoiding cyber incidents and data breaches in 2010 than on reactive measures expenditures made in response to cyber incidents and data breaches Aligning with this trend is the growth of the cybserinsurance market, which commanded $1 billion in annual premiums in 2012, a 40% increase compared to 2010 Source: Adam Mazmanian, The Cyber Premium, National Journal, June 15, 2012; NIST,

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS NEW YORK Jeremy Feigelson jfeigelson@debevoise.com WASHINGTON, D.C. Satish M. Kini smkini@debevoise.com Renee

More information

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA) MYTH: The cyber threat is being exaggerated. FACT: Cyber attacks are a huge threat to American lives, national security,

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

National Cyber Threat Information Sharing. System Strengthening Study

National Cyber Threat Information Sharing. System Strengthening Study Contemporary Engineering Sciences, Vol. 7, 2014, no. 32, 1755-1761 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.411235 National Cyber Threat Information Sharing System Strengthening

More information

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses

More information

NIST Cybersecurity Framework What It Means for Energy Companies

NIST Cybersecurity Framework What It Means for Energy Companies Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber

More information

ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773

ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses

More information

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY DISCLAIMER Views expressed in this presentation are not necessarily those of our respective Departments Any answers to questions are our own opinions

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act In a flurry of activity, the U.S. House of Representatives last week passed two cybersecurity information sharing bills. Both the House Intelligence Committee and the House Homeland Security Committee

More information

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Cybersecurity: Legislation, Hearings, and Executive Branch Documents CRS Reports & Analysis Print Cybersecurity: Legislation, Hearings, and Executive Branch Documents Rita Tehan, Information Research Specialist (rtehan@crs.loc.gov, 7-6739) View Key CRS Policy Staff May

More information

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Cybersecurity: Legislation, Hearings, and Executive Branch Documents Cybersecurity: Legislation, Hearings, and Executive Branch Documents Rita Tehan Information Research Specialist November 17, 2015 Congressional Research Service 7-5700 www.crs.gov R43317 Cybersecurity:

More information

Preservation of longstanding, roles and missions of civilian and intelligence agencies

Preservation of longstanding, roles and missions of civilian and intelligence agencies Safeguards for privacy and civil liberties Preservation of longstanding, respective roles and missions of civilian and sharing with targeted liability Why it matters The White House has pledged to veto

More information

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis Westlaw Journal Computer & Internet Litigation News and Analysis Legislation Regulation Expert Commentary VOLUME 31, ISSUE 14 / DECEMBER 12, 2013 Expert Analysis The Cybersecurity Framework: Risk Management

More information

Business Continuity for Cyber Threat

Business Continuity for Cyber Threat Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between

More information

West Texas Cyber Security Consortium

West Texas Cyber Security Consortium West Texas Cyber Security Consortium GOVERNMENT IT REPORT White House Tilts Toward Public-Private Cybersecurity Cooperation By John K. Higgins E-Commerce Times Part of the ECT News Network 06/23/14 5:00

More information

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Cybersecurity: Legislation, Hearings, and Executive Branch Documents Cybersecurity: Legislation, Hearings, and Executive Branch Documents Rita Tehan, Information Research Specialist (rtehan@crs.loc.gov, 7-6739) April 17, (R43317) Summary Cybersecurity vulnerabilities challenge

More information

Cyber Legislation & Policy Developments 2014

Cyber Legislation & Policy Developments 2014 Cyber Legislation & Policy Developments 2014 SESSION ID: LAW-Fo2 Michael A. Aisenberg, Esq. Chair, ABA Information Security Committee Policy Task Force ABA Section on Science & Technology Law Principal

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council Presented by Doug Copley, Chairman Michigan Healthcare Cybersecurity Council Mr. Chairman and Committee Members,

More information

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security

More information

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY CYBER HYGIENE AND ORGANIZATIONAL PLANNING ARE AT LEAST AS INTEGRAL TO SECURING INFORMATION NETWORKS AS FIREWALLS AND ANTIVIRUS SOFTWARE Cybersecurity

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

GAO. CYBERSECURITY Threats Impacting the Nation

GAO. CYBERSECURITY Threats Impacting the Nation GAO For Release on Delivery Expected at 2:00 p.m. EDT Tuesday, April 24, 2012 United States Government Accountability Office Testimony Before the Subcommittee on Oversight, Investigations, and Management,

More information

How to get from laws to technical requirements

How to get from laws to technical requirements How to get from laws to technical requirements And how the OPM hack relates technology, policy, and law June 30, 2015 Isaac Potoczny-Jones ijones@galois.com www.galois.com Galois, Inc. Overview Outline!

More information

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. SECTION-BY-SECTION Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. Section 2. Definitions. Section 2 defines terms including commercial information technology product,

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist October 25, 2013 Congressional Research Service 7-5700 www.crs.gov R42507 c11173008 Cybersecurity: Authoritative

More information

Confrontation or Collaboration?

Confrontation or Collaboration? Confrontation or Collaboration? Congress and the Intelligence Community Cyber Security and the Intelligence Community Eric Rosenbach and Aki J. Peritz Cyber Security and the Intelligence Community The

More information

What are you trying to secure against Cyber Attack?

What are you trying to secure against Cyber Attack? Cybersecurity Legal Landscape Bonnie Harrington Executive Counsel EHS and Product Safety & Cybersecurity GE Energy Management Imagination at work. What are you trying to secure against Cyber Attack? Personally

More information

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

114 th Congress March, 2015. Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS

114 th Congress March, 2015. Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS 114 th Congress March, 2015 Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS On January 13, 2015, the Administration wrote a letter to Congress urging

More information

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Bruce Heiman K&L Gates September 10, 2015 Bruce.Heiman@klgates.com (202) 661-3935 Why share information? Prevention

More information

Statement for the Record. Dr. Andy Ozment Assistant Secretary, Cybersecurity and Communications U.S. Department of Homeland Security

Statement for the Record. Dr. Andy Ozment Assistant Secretary, Cybersecurity and Communications U.S. Department of Homeland Security Statement for the Record Dr. Andy Ozment Assistant Secretary, Cybersecurity and Communications U.S. Department of Homeland Security Before the United States House of Representatives Committee on Homeland

More information

S. ll IN THE SENATE OF THE UNITED STATES

S. ll IN THE SENATE OF THE UNITED STATES OLL0 TH CONGRESS ST SESSION S. ll To secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American

More information

Research Note The Fight to Define U.S. Cybersecurity and Information Sharing Policy

Research Note The Fight to Define U.S. Cybersecurity and Information Sharing Policy Research Note The Fight to Define U.S. Cybersecurity and Information Sharing Policy By: Dan Arnaudo Copyright 2013, ASA Institute for Risk & Innovation Keywords: Congress, CISPA, Critical Infrastructure,

More information

Implementation of the Cybersecurity Executive Order

Implementation of the Cybersecurity Executive Order Implementation of the Cybersecurity Executive Order November 13 th, 2013 Ben Beeson, Partner, Lockton Companies Gerald J. Ferguson, Partner, BakerHostetler Mark Weatherford, Principal, The Chertoff Group

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist September 20, 2013 Congressional Research Service 7-5700 www.crs.gov R42507 Cybersecurity: Authoritative Reports

More information

Data Breaches in the Government Sector. A Rapid7 Research Report

Data Breaches in the Government Sector. A Rapid7 Research Report Data Breaches in the Government Sector A Rapid7 Research Report Summary of Report Across all industries, data breaches and the protection of business-critical data remain a top concern. While the government

More information

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York State Division of Homeland Security and Emergency Services Office of Cyber Security Office of Cyber Security Overview

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist October 25, 2013 Congressional Research Service 7-5700 www.crs.gov R42507 Report Documentation Page Form Approved

More information

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills April 4, 2012 Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills The chart below compares on civil liberties grounds four bills that seek to promote

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist July 11, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

CYBERSECURITY INFORMATION SHARING BILLS FALL SHORT ON PRIVACY PROTECTIONS

CYBERSECURITY INFORMATION SHARING BILLS FALL SHORT ON PRIVACY PROTECTIONS CYBERSECURITY INFORMATION SHARING BILLS FALL SHORT ON PRIVACY PROTECTIONS April 22, 2015 The Center for Democracy and Technology opposes the two cybersecurity information sharing bills that are coming

More information

FBI AND CYBER SECURITY

FBI AND CYBER SECURITY FBI AND CYBER SECURITY SSA John Caruthers SSA Ken Schmutz SSA Tom Winterhalter Mission The FBI is the only U.S. agency charged with the authority to investigate both criminal and national security investigations.

More information

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda! Rise in Data Breaches! Effects of Increase in Cybersecurity Threats! Cybersecurity

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist August 16, 2013 Congressional Research Service 7-5700 www.crs.gov R42507 Cybersecurity: Authoritative Reports

More information

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure

More information

NH!ISAC"ADVISORY"201.13" NATIONAL"CRITICAL"INFRASTRUCTURE"RESILIENCE"ANALYSIS"REPORT""

NH!ISACADVISORY201.13 NATIONALCRITICALINFRASTRUCTURERESILIENCEANALYSISREPORT National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL NH!ISACADVISORY201.13 NATIONALCRITICALINFRASTRUCTURERESILIENCEANALYSISREPORT

More information

Billing Code: 3510-EA

Billing Code: 3510-EA Billing Code: 3510-EA DEPARTMENT OF COMMERCE Office of the Secretary National Institute of Standards and Technology National Telecommunications and Information Administration [Docket Number: 130206115-3115-01]

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

Cybersecurity and United States Policy Issues

Cybersecurity and United States Policy Issues Global Security Studies, Summer 2014, Volume 5, Issue 3 Cybersecurity and United States Policy Issues Cristina Berriz Peace, War and Defense Program University of North Carolina at Chapel Hill Chapel Hill,

More information

The Department of Homeland Security The Department of Justice

The Department of Homeland Security The Department of Justice The Department of Homeland Security The Department of Justice to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information

More information

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence December 6, 2012 Michael Greenberger Professor of Law Founder and Director, CHHS Legislative Proposals Maryland

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist July 18, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

1851 (d) RULE OF CONSTRUCTION. Nothing in this section shall be construed to (1) require a State to report data under subsection

1851 (d) RULE OF CONSTRUCTION. Nothing in this section shall be construed to (1) require a State to report data under subsection U:\REPT\OMNI\FinalOmni\CPRT--HPRT-RU00-SAHR-AMNT.xml 0 (d) RULE OF CONSTRUCTION. Nothing in this section shall be construed to () require a State to report data under subsection (a); or () require a non-federal

More information

CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR

CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR July 28, 2015 The Senate is expected to consider the Cybersecurity Information Sharing Act (CISA, S. 754 1 ) on the Senate floor soon. The bill was marked

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS

ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS ITL BULLETIN FOR SEPTEMBER 2012 REVISED GUIDE HELPS ORGANIZATIONS HANDLE SECURITY-RELATED INCIDENTS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

One Hundred Twelfth Congress of the United States of America

One Hundred Twelfth Congress of the United States of America S. 3454 One Hundred Twelfth Congress of the United States of America AT THE SECOND SESSION Begun and held at the City of Washington on Tuesday, the third day of January, two thousand and twelve An Act

More information

PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS

PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS CYBERSECURITY PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS by Dr. Lawrence A. Gordon (Lgordon@rhsmith.umd.edu) EY Professor of Managerial Accounting and Information Assurance Affiliate

More information

Lessons from Defending Cyberspace

Lessons from Defending Cyberspace Lessons from Defending Cyberspace The Challenge of Addressing National Cyber Risk Andy Purdy Workshop on Cyber Security Center for American Studies, Christopher Newport College 10 28-2009 Cyber Threat

More information

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Department of Health and Human Services OFFICE OF INSPECTOR GENERAL REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013 Inquiries about this report may be addressed

More information

PREPUBLICATION COPY. More Intelligent, More Effective Cybersecurity Protection

PREPUBLICATION COPY. More Intelligent, More Effective Cybersecurity Protection More Intelligent, More Effective Cybersecurity Protection January 2013 Business Roundtable (BRT) is an association of chief executive officers of leading U.S. companies with more than $7.3 trillion in

More information

Cyber After Snowden. Can DC Help Protect Your Networks? Matthew Rhoades, Director, Cyberspace & Security Program

Cyber After Snowden. Can DC Help Protect Your Networks? Matthew Rhoades, Director, Cyberspace & Security Program Cyber After Snowden Can DC Help Protect Your Networks? Matthew Rhoades, Director, Cyberspace & Security Program Truman Project Members Cyberspace & Security Program Agenda Looking Back How we got here

More information

Presidential Summit Reveals Cybersecurity Concerns, Trends

Presidential Summit Reveals Cybersecurity Concerns, Trends Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,

More information

S. 21 IN THE SENATE OF THE UNITED STATES

S. 21 IN THE SENATE OF THE UNITED STATES II 11TH CONGRESS 1ST SESSION S. 1 To secure the United States against cyber attack, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities

More information

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo 2014 Morrison & Foerster LLP All Rights Reserved mofo.com NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin,

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist April 17, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and

More information

NSA Surveillance, National Security and Privacy

NSA Surveillance, National Security and Privacy NSA Surveillance, National Security and Privacy Ir Roy Ko Former HKCERT Manager 20 August 2014 HKIE Veneree Club 1 Agenda Background Edward Snowden National Security Agency (NSA) What NSA has done PRISM

More information

DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION

DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION DEFINING CYBERSECURITY GROWTH CATALYSTS & LEGISLATION GROWTH CATALYSTS & LEGISLATION The current policy funding and policy landscape surrounding cybersecurity initiatives and funding is convoluted with

More information

working group on foreign policy and grand strategy

working group on foreign policy and grand strategy A GRAND STRATEGY ESSAY Managing the Cyber Security Threat by Abraham Sofaer Working Group on Foreign Policy and Grand Strategy www.hoover.org/taskforces/foreign-policy Cyber insecurity is now well established

More information

DIVISION N CYBERSECURITY ACT OF 2015

DIVISION N CYBERSECURITY ACT OF 2015 H. R. 2029 694 DIVISION N CYBERSECURITY ACT OF 2015 SEC. 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE. This division may be cited as the Cybersecurity Act of 2015. (b) TABLE OF CONTENTS. The table

More information

Computer Network Security & Privacy Protection

Computer Network Security & Privacy Protection Overview Computer Network Security & Privacy Protection The Nation s electronic information infrastructure is vital to the functioning of the Government as well as maintaining the Nation s economy and

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

POLICIES TO MITIGATE CYBER RISK

POLICIES TO MITIGATE CYBER RISK POLICIES TO MITIGATE CYBER RISK http://www.tutorialspoint.com/information_security_cyber_law/policies_to_mitigate_cyber_risk.htm Copyright tutorialspoint.com This chapter takes you through the various

More information

v. 03/03/2015 Page ii

v. 03/03/2015 Page ii The Trident University International (Trident) catalog consists of two parts: Policy Handbook and Academic Programs, which reflect current academic policies, procedures, program and degree offerings, course

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks July 2014 Cyber Threat Intelligence and Incident Coordination Center: Protecting

More information

The Comprehensive National Cybersecurity Initiative

The Comprehensive National Cybersecurity Initiative The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

Department of Homeland Security

Department of Homeland Security Department of Homeland Security Cybersecurity Awareness for Colleges and Universities EDUCAUSE Live! July 24, 2014 Overview Dramatic increase in cyber intrusions, data breaches, and attacks at institutions

More information

GAO CYBERSECURITY. National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented

GAO CYBERSECURITY. National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented GAO United States Government Accountability Office Report to Congressional Addressees February 2013 CYBERSECURITY National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively

More information

Virginia Joint Commission on Technology and Science. Cybersecurity Legislation

Virginia Joint Commission on Technology and Science. Cybersecurity Legislation Virginia Joint Commission on Technology and Science Cybersecurity Legislation Pending Legislation Widespread agreement of need for legislation Three approaches CISPA Cybersecurity Act of 2012 SECURE IT

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students Hamed Negron-Perez,

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations

More information

Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731

Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 Eric A. Fischer Senior Specialist in Science and Technology April 20, 2015 Congressional Research Service 7-5700 www.crs.gov

More information

Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING

Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING Sec. 1. Department of Homeland Security Cybersecurity Authority Section 1(a) amends Title II of the Homeland

More information

The Dow Chemical Company. statement for the record. David E. Kepler. before

The Dow Chemical Company. statement for the record. David E. Kepler. before The Dow Chemical Company statement for the record of David E. Kepler Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President before The Senate Committee

More information

The 2009 State of Cybersecurity from the Federal CISO s Perspective An (ISC) 2 Report. April 2009

The 2009 State of Cybersecurity from the Federal CISO s Perspective An (ISC) 2 Report. April 2009 The 2009 State of Cybersecurity from the Federal CISO s Perspective An (ISC) 2 Report April 2009 The State of Cybersecurity from the Federal CISO s Perspective An (ISC) 2 Report Executive summary Governments

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information