Technological Evolution

Transcription

1 Technological Evolution The Impact of Social Media, Big Data and Privacy on Business Government Regulation, Enforcement and Legislation on Privacy, Cyber Security and Social Media Jeff Brueggeman Vice President & Deputy Chief Privacy Officer AT&T Jeremy Grant Senior Executive Advisor for Identity Management, NSTIC NIST Howard Waltzman Partner Mayer Brown LLP

2 Jeff Brueggeman VP Global Public Policy & Deputy Chief Privacy Officer AT&T Jeremy Grant Senior Executive Advisor for Identity Management, NSTIC NIST Howard Waltzman Partner Mayer Brown LLP 2

3 Privacy Landscape 3

4 The Internet s Implications for Privacy Consumers conduct an increasing amount of communications, commerce, education and entertainment online. More recently, not only are consumers connected to the Internet, but so are devices, from cars to home appliances to medical devices. (Internet of Things) Businesses collect, use and share lots of information gathered about consumers from their online activities. 4

5 Policymakers Are Concerned about Broad Data Collection Efforts Consumers may not understand the extent to which their information is being collected, used and shared. Consumer information is being used to create profiles that may impact credit, employment or other decisions. The Administration released the Consumer Privacy Bill of Rights, which would attempt to increase transparency in data collection and use practices and provide greater control to consumers over the use of sensitive information, and largely be enforced through industry-managed codes of conduct. 5

6 Cyber Security Landscape 6

7 Wide Range of Cyber Threats Evolution of Malware / Botnets Security In The Cloud Insider Attacks Cyber Protests / Events Advanced Persistent Threats Ipv4/Ipv6 Attacks Mobile Device Security Logical Attacks Against Physical Infrastructure Compliance Re-emergence of Old Attacks Social Media and Geolocation 7

8 Federal Cyber Policy Landscape White House Commerce NIST Framework (Best Practices) NTIA Internet Task Force Industry Botnet Group (IBG) National Cybersecurity Center Excellence NIST Information Security Privacy Advisory Board (FISMA) (ISPAB) National Strategy Trusted Identities in Cyberspace (NSTIC) Executive Order Presidential Policy Directive 21 (PPD-21) National Security Telecommunications Advisory Council (NSTAC) DOJ Anti-trust policy statement National Cybersecurity Incident Joint Task Force (NCIJTF) (FBI) Congress CSIPA (Rogers/Ruppersberger) - Info Sharing/Liability Protections McCaul (House Homeland) - DHS CISA (Feinstein/Chambliss) (Senate Intel) - Info Sharing/Liability Protections Rockefeller/Thune (Senate E&C) - DHS DOD Enduring Security Framework (ESF) DIB Pilot (now ECS) FEDERAL CYBER POLICY LANDSCAPE SEC SEC reporting Board governance FTC Data Breach Mobile Security Review FCC GSA AT&T Proprietary (Internal Use Only) Not for use or disclosure outside the AT&T companies except under written agreement CSRIC IV (Best Practices) WG#4 Framework WG#5 DDoS Best Practices WG#6 Internet protocol security (DNS/BGP) Technology Advisory Council (TAC) (Role of FCC in cyber) DHS Comms Sector Specific Agency C 3 Voluntary Program National Cybersecurity Integration Center (NCIC) National Security Information Exchange (NSIE) National Infrastructure Protection Plan (NIPP) Enhanced Cybersecurity Services (ECS) E3A (Einstein Program) Federal Procurement (Applying framework to Federal procurement)

9 NIST Cyber Security Framework On November 12, 2013, President Obama issued Executive Order 13636, which facilitated the creation of the NIST Cyber-Security Framework The Framework is based on industry expertise and best practices and ultimately is intended to be administered outside the government Adoption of the Framework and participation in the DHS program is voluntary The Framework reflects a risk-based approach to cyber security: It is not one-size-fits-all It is not a checklist It is not technology-specific 9

10 Private Sector Response to the NIST Framework Companies should make informed business decisions about their cyber security this is not just a technical issue Key considerations include: The leverage the Framework is intended to exert on industry Possible regulatory activity based on the Framework Possible efforts to use the Framework in litigation Critical infrastructure companies are most directly affected, but other companies also will be wise to consider the implications of the Framework 10

11 Further Responses to Cyber Security On February 12, 2015, President Obama signed a new Executive Order, which: encourages the development of information sharing and analysis organizations (ISAOs) to focus private sector cyber security information sharing and collaboration efforts facilitates information sharing between the National Cyber Security and Communications Integration Center and ISAOs Congress continues to pursue legislation to enhance cyber threat information sharing between the private sector and the federal government, as well as among private sector entities, including by providing liability protection and other exemptions from certain laws for such sharing, which the Administration cannot provide 11

12 Public-Private Partnerships to Enhance Privacy and Security NSTIC GSMA Pilot ISACs/ISAOs Other Public-Private Partnerships 12

13 April 2011: NSTIC Launched An Identity Ecosystem with 4 Guiding Principles 13

14 Why NSTIC? Identity Is Central To 14

15 Why NSTIC? There is a marketplace today but there are barriers the market has not yet addressed on its own Government can serve as a convener and facilitator, as well as a catalyst 15

16 What Does NSTIC Call For? Private sector will lead the effort Federal government will provide support Not a government-run identity program Private sector is in the best position to drive technologies and solutions and ensure the Identity Ecosystem offers improved online trust and better customer experiences Help develop a private sector-led governance model Facilitate and lead development of interoperable standards Provide clarity on national policy and legal issues (i.e., liability and privacy) Fund pilots to stimulate the marketplace Act as an early adopter to stimulate demand 16

17 Key Implementation Steps Convene the Private Sector August 2012: Launched privately led Identity Ecosystem Steering Group (IDESG). Funded by NIST grant, IDESG tasked with crafting standards and policies for the Identity Ecosystem Framework October 2013: IDESG incorporates as 501(c)3, prepares to raise private funds Leadership includes Citi, Lexis-Nexis, Symantec, Salesforce, Oracle, Aetna, US Bank and Neiman Marcus, as well as AARP, Patient Privacy Rights and other advocates Fund Innovative Pilots to Advance the Ecosystem 4 rounds of pilot grants since 2012; 5 th round expected in September 15 pilots funded in total; 12 now active Government as an early adopter to stimulate demand White House effort to create Connect.gov, a single service for identity at public facing government applications October 2015: Executive Order 13681, requiring all USG digital applications that release personal data to require Multi Factor Authentication (MFA) + an effective identity proofing process 17

18 Pilot: GSMA Mobile Connect for the US (MC4US) $822k cooperative agreement awarded by NIST to GSMA September 2014 Pilot goals: Mobile phone as the tool for authentication Easy to use across all use-cases and channels Security level according to use-case needs Privacy principles for maintaining user control and building trust Globally consistent across operators and regions Single integration for service providers reaching all service users 18

19 GSMA NSTIC Project (MC4US) 19

20 Information Sharing Examples Trusted Peers Formal/Informal Peer Organizations (Ex. Ops Trust) Network information Network Service Providers group (subset of Comm-ISAC) Network information Trusted Commercial Partners Government Contracts DHS/ CS&C ECS/E3A Customers Classified Threat Signatures ISP (NOTE: All Information Received is Validated Prior to Action) NCCIC/Other Agencies NCC Comm- ISAC CIPAC High-level network vulnerability information /Aggregated/No PII FBI NCIJTF, NCFTA, Infra Guard Sector ISACs Law Enforcement Commercial Security Services/Third-Party Partners Threats discovered by ISPs/vendors (zero days, infected IPs) Internal IT Enterprise Systems/ ISP Network ISP Uses Consumers / Managed Security Customers Local Law Enforcement Ex. ISP Incidents

21 Other Partnerships and Collaborative Efforts 21

22 Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.