The Landscape of Cyber, critical infrastructure and how Regulation fits in

Size: px

Start display at page:

Download "The Landscape of Cyber, critical infrastructure and how Regulation fits in"

Jocelyn Darlene Edwards
8 years ago
Views:

1 The Landscape of Cyber, critical infrastructure and how Regulation fits in National Security and Critical infrastructure: New Perspectives for Private-Public Cooperation, Madrid, April 14th Jonathan Sage Government and Regulatory Affairs Cyber Security Policy Lead, Europe

2 Cyber-attackers are better funded and more organized than ever before Cyber-attacks cost public and private enterprises an enormous amount of money Your personal data is always on the line. Something as normal and innocuous as downloading a new gaming app could lead to your data being stolen

3 Banking, government, social media, and Hollywood... These days, top headlines are filled with severe news about cyber-attacks

4 Can we become (more) resilient? National Security, Economic Espionage Nation-state actors, APTs Stuxnet, Aurora, APT-1 Narrow focus Targeted attacks / APTs Low frequency, high impact Notoriety, Activism, Defamation Hactivists Lulzsec, Anonymous, Islamist threats Monetary Gain Organized crime Zeus, ZeroAccess, Blackhole Exploit Pack Broad focus Large scale / industrialized Commodity attacks Botnets 4

The number of security events is increasing at a rapid pace, it is vital to apply intelligence upfront to dramatically reduce attack surface Security events Security attacks Security incidents Annual

5 The number of security events is increasing at a rapid pace, it is vital to apply intelligence upfront to dramatically reduce attack surface Security events Security attacks Security incidents Annual 91,765,453 Monthly 7,647,121 Weekly 1,764,121 Annual 16,857 Monthly 1,405 Weekly 324 Annual Monthly 9.11 Weekly 2.10 Security Intelligence Correlation and analytics tools Security Intelligence Human security analysts Events: up 12% year on year to 91m Observable occurrences in a system or network Attacks: Increased efficiencies achieved More efficiency in security processing to help clients focus on identified malicious events Incidents: up 22% year on year Attacks deemed worthy of deeper investigation

Are we learning anything? 1,764,121 Represents the number of security events the average organization of 15000 employees will capture weekly 324 of these events represent actual attacks, per week 2.

6 Are we learning anything? 1,764,121 Represents the number of security events the average organization of employees will capture weekly 324 of these events represent actual attacks, per week 2.1 of these attacks will result in an incident, per week, - a 22% annual increase 2014 IBM Cybersecurity Intelligence Index 95% of incidents analyzed logged human error as a contributing factor Stolen or lost laptop or mobile device, Mistaken address/disposition/ of SPI, Double clicking (malware), Poor system hygiene: failure to patch, configure, or update Failure to delete dormant user accounts, use of default passwords IBM Cybersecurity Intelligence Team 1 out of 100 security compromises are ever detected General Keith Alexander, Head of U.S. Cyber Command, in a speech to the American Enterprise Institute 3 % of all incidents analyzed by IBM Response Services could be considered noteworthy (potentially material or significant impact) 2014 IBM Cybersecurity Intelligence Team 6

7 Plays of Governments in Cyber Security We see two different approaches: Focus by Governments on what is truly critical critical infrastructure, using strong incentives to ensure that market operators are well prepared to deal with threats Wider, catch all approach, mandating security breach reporting and covering more than critical infrastructure operators all internet enablers And at the same time there is a risk of discussions based on what is effective for better cybersecurity to a broader political debate using cybersecurity as a pretext for other objectives, such as putting up barriers to trade, addressing competition matters. NIST Framework in the US Obama s executive order of 2015 European Commission s Network and Information Security Directive proposal 2013 Council discussions different Government positions Risks losing sight of original objectives

8 Focus on NIS Directive 8 Developed by European Commission in 2012 as a proposal for a Directive Process co decision - Legal base is Internal Market Harmonisation Premise that there is a wider problem in companies not reporting security incidents and that consumers are being harmed Broad scope all internet enablers required to report incidents to a government authority, including search engines, social networks, cloud, e-payment gateways etc Proposed role of the European Commission in coordinating and in disseminating intelligence Collection of European standards that are applicable

9 Problems that industry sees with the Commission proposal Overly broad scope finding the needle in the haystack linking back to the number of security events and the number of really critical incidents that we need to focus on. Market Operator definition how do you define who is a market operator and under which conditions the operator needs to report an incident Who is the government agency that the Market Operator reports to and under what conditions for instance liability and confidentiality provisions. Progress has been made on many other fronts more sensible collaboration approach in latest proposal. Co-decision status European Parliament currently opposes wide scope wants focus on smaller subset of critical operations. Wants more harmonisation of the pan European approach than currently foreseen. Council under the Latvian Presidency trying to find a common position not yet achieved Commission staying with its original proposal on the key issues of scope and definition 9

10 Specific example Cloud Computing Broad concept of Cloud computing depending on the definition could be equivalent of nearly all IT Services Not everything is critical depends on for what purpose cloud is used Customer Data Controller Normal reporting process in a services agreement Problems facing cloud providers in an enterprise environment if they have to report an incident out to another authority Cloud provider 1 Different Cloud providers Cloud provider 3 Causes conflict between cloud user (data controller) and cloud provider (data processor) Cloud provider 5 Cloud provider 2 Cloud provider 4 Used for different purposes and functions 10

Some closing thoughts Bearing in mind the opening description of the cyber landscape, less is more attention of governments to what is really critical matters Ever-increasing proliferation of cyber

11 Some closing thoughts Bearing in mind the opening description of the cyber landscape, less is more attention of governments to what is really critical matters Ever-increasing proliferation of cyber threat intelligence feeds Information sharing is the holy grail this is the future swift operational exchange of information on emerging threats Already the amount of internal and external threat intelligence can be overwhelming we need a combination of advanced analytics and human expertise to spot what really matters Internal intelligence External intelligence Not compliance with government rules and regulations.. Optimised advanced data analytics and human intelligence combined 11

12 Thank you IBM Corporation

Can We Become Resilient to Cyber Attacks?

Can We Become Resilient to Cyber Attacks? Nick Coleman, Global Head Cyber Security Intelligence Services December 2014 Can we become resilient National Security, Economic Espionage Nation-state actors,