THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

Transcription

1 THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

2 DISCLAIMER Views expressed in this presentation are not necessarily those of our respective Departments Any answers to questions are our own opinions and not those of our respective Departments 2

3 AGENDA The Cybersecurity Threat in 2013 Public v. Private Sector Threats EINSTEIN a Public Sector Response Policy Responses Public-Private Partnerships Policy Challenges 3

4 OVERVIEW Increasingly skilled cyber threats Variety of malicious actions Attempts to penetrate USG from: Outside Inside within our IT capabilities Potential theft of classified info Theft of intellectual property Threat to national security 4

5 OVERVIEW 5

7 UNDERSTANDING THE THREAT U.S. Government cybersecurity organization National Security Federal Civilian Networks Critical Infrastructure Commercial Non-Critical Infrastructure 7

8 UNDERSTANDING THE THREAT U.S. Critical Infrastructure 8

9 US-CERT MISSION Lead efforts to improve the Nation s cybersecurity posture Coordinate cyber information sharing Proactively manage cyber risks to the Nation All while protecting the constitutional rights of Americans. 9

10 US-CERT MISSION US Computer Emergency Readiness Team Operations Operations Coordination & Integration Future Operations Incident Management Analyze, reduce impact of threats & vulnerabilities, Disseminate warning information, Coordinate to achieve shared situational awareness Provide response & recovery support for national assets Advise on national-level cybersecurity policy and guidance. 10

11 RESPONSE AND ASSISTANCE Dedicated teams provide technical assistance at the right level of subject matter expertise, including: Digital Media & Malware Analysis Defensive Analysis Mitigation Strategy Development Threat/Attack Vector Analysis Vendor Analysis Coordination 11

12 SHARED SITUATIONAL AWARENESS US-CERT develops information sharing products on a scheduled and as-needed basis. US-CERT also develops and distributes analytical information notices specific to its communities of interest. 12

13 NCAS: NATIONAL CYBER AWARENESS SYSTEM A cohesive national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats Current Activity Cyber Security Alerts Cyber Security Tips Cyber Security Bulletins 13

14 SHARED SITUATIONAL AWARENESS 14

16 EINSTEIN MONITORING EINSTEIN Network Analysts monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation. 16

17 KEY EINSTEIN CAPABILITIES EINSTEIN 1 (E1): Flow Collection Initial analytics and information sharing capabilities EINSTEIN 2 (E2): Intrusion Detection Improved sensors to identify malicious activity EINSTEIN 3A (E3A): Intrusion Prevention To improve protection to prevent malicious activity 17

18 FAIR INFORMATION PRACTICE PRINCIPLES 18

19 EINSTIN PRIVACY PROTECTIONS Minimization of data collection Limitation of uses to cyber threats Restrictions on info sharing and use Privacy cybersecurity webpage transparency of cyberstrategy & initiatives. Compliance Review by DHS Privacy Office 19

20 DHS ADMINISTRATIVE PRIVACY PROTECTIONS MOA with each participating Agency Notice to users computer banners privacy policies published compliance documentation Standard Operating Procedures for PII Collaboration w/cpos/clos, NSS, EOP Training and awareness workshops on cybersecurity and privacy open to federal employees, contractors 20

22 MECHANISMS Executive Branch actions Legislation Public-private partnerships 22

23 ADMINISTRATION CYBERSECURITY PROPOSAL Released in 2011 Critical infrastructure focus DHS regulatory authority Liability limitations for information sharing 23

24 EXECUTIVE ORDER IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY Signed on Feb. 12, 2013 Main provisions: Cyber threat information sharing Framework for cybersecurity standards, methodologies, procedures, processes Program to coordinate sectors, provide incentives 24

25 PRIVACY SAFEGUARDS Agencies apply FIPPs to EO activities DHS to assess, report on, minimize or mitigate privacy risks in EO activities 25

26 LEGISLATION: EXPANDING INFORMATION SHARING Information sharing supported by liability limitations SECURE IT (S. 2151) No movement in Senate CISPA (H.R. 3523) Passed House; Administration threatened veto Reintroduced in 113 th Congress 26

27 LEGISLATION: CYBERSECURITY ACT OF 2012 S / S Information sharing through liability limitations Use limitations on USG-held data Best practices coordinated through National Cybersecurity Council 27

29 PUBLIC PRIVATE PARTNERSHIPS What is the Dept of Commerce doing to advance cybersecurity in the private sector? Voluntary consensus standards and practices Working through NIST Other bureau and agency involvement in consensus-based practices 29

30 PUBLIC PRIVATE PARTNERSHIPS Cybersecurity education and centers of excellence Smart Grid Interoperability Panel National Strategy for Trusted Identities in Cyberspace 30

32 POLICY CHALLENGES: STATUTORY RESTRICTIONS Census and other statistical data Disclosures to respondent Administrative burden Possible strategies? Use of enclaves Designating agents Others 32

33 POLICY CHALLENGES: STATUTORY RESTRICTIONS Subject matter confidentiality FERPA Part 2 (substance abuse treatment) Welfare Reform Domestic violence Asylees & refugees Other specific confidentiality statutes? 33

34 POLICY CHALLENGES: STATUTORY RESTRICTIONS Possible solutions for subjectmatter confidentiality statutes? Limitation on authority to obtain info Limitation on uses to cybersecurity Limitation on secondary disclosures Do these pose problems for security or law enforcement? 34

35 POLICY CHALLENGES: LAW ENFORCEMENT NEEDS Grand Jury Secrecy Witness Protection information Prisoner Population Are similar solutions appropriate as for other confidential information? 35

36 POLICY CHALLENGES: COMMERCIAL INFORMATION Trade Secrets Act Intellectual property protections Procurement Information Confidential commercial info under FOIA (b)(4) and EO 12666? Are similar solutions appropriate as for other confidential information? 36

37 POLICY CHALLENGES: WHY DIDN T WE MENTION The Privacy Act of 1974? The HIPAA Privacy Rule? Are there other statutes in the same category? 37

38 POLICY CHALLENGES: JURISDICTIONAL ISSUES Multiple agencies have jurisdiction DHS Intelligence Community Cabinet agencies for their sectors White House/National Security Staff (coordination role) 38

39 KEY TAKE AWAYS The cyber threat is real and urgent U.S. Government is working hard, partnering to address challenges Complex technical, legal, policy, and organizational issues No easy fixes 39

40 White House RESOURCES Administration s Privacy Blueprint: Executive Order # Improving Critical Infrastructure Cybersecurity (Feb 12, 2013) Commerce NSTIC FIPPs: rategy_ pdf 112 th Congress S. 2151: S. 3414: H.R. 3523: th Congress: TBD 40

41 RESOURCES DHS DHS US-CERT: DHS Privacy Office: DHS Cybersecurity: HHS Part 2 Substance Abuse Treatment Confidentiality, 42 USC 290dd-2, regulations at 42 CFR Part 2 Revised.pdf HIPAA Privacy Rules 45 CFR, 160 & ndex.html Child Support Information: Social Security Act 453(j), codified at 42 USC 653(j) 41

42 RESOURCES FBI Economic Espionage Act Education Family Education Rights & Privacy Act (FERPA) Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L , 44 USC 101) The Privacy Act of 1974 (Pub. L , 5 USC 552a) 42