TITLE HERE Subtitle here. Cloud Standards Customer Council Cloud Industry Symposium June 18, 2014 Boston, MA

Transcription

1 TITLE HERE Subtitle here Cloud Standards Customer Council Cloud Industry Symposium June 18, 2014 Boston, MA

2 The New England goal and opportunity The Goal: The New England region is committed to be a global leader in confronting current and future cyber security challenges and to reinvigorate Route 128 to be the national cyber security beltway. ACSC and MGHPP White Paper Executive Summary The Opportunity: New England has the right balance of technology firms with security expertise, along with colleges and universities that focus on critical thinking skills and computer science to be a key player in the space Other parts of the country have pieces of the puzzle, but not the whole mix Together we can leverage this opportunity as a key contributor to collectively improve our Cyber security posture Technology alone will not solve security problems 2

3 The snowballing problem According to information provided by the state Office of Consumer Affairs and Business Regulation, there were 1,555 reported data breaches in Massachusetts in 2013, a 30 percent spike over the 1,143 recorded a year earlier. Prior to 2012, the state had never recorded more than 613 reported breaches in a calendar year. Source: Massachusetts data breaches, large and small, hit record level in 2013, Craig Douglas, Boston Business Journal, January 29, 2014 Source: Symantec. Internet Security Threat Report. Vol. 18. Symantec Corporation, April Web. 5 July

4 Who wants in? 4

5 Cyber attacks should be a top concern to all industries Intellectual Property theft Source: Symantec. Internet Security Threat Report. Vol. 18. Symantec Corporation, April Web. 5 July These industries may be attacked less frequently, but the attacks on these industries would cause massive problems. 5

6 The costs of a cyber attack are significant and hard to estimate Estimated global cost $300 billion- $1 trillion Estimated cost to the USA $24 billion- $120 billion Estimated cost of one breach/attack $92,000- $8.9 million Average Cost of a Breach or Targeted Attack $92,000 $2.4 million $3.7 million $8 million $8.9 million Small/ medium company Large company direct financial losses NetDiligence 2012 study CEO of Akami at Xconomy summit on innovation, technology and entrepreneurship in June 2013 with high of $1 billion Average cost of cyber crime in 2012 Cost of Cyber Study US by Ponemon Institute with range of $1.4 million- $46 million $100 billion annual loss from cyber espionage = 508,000 lost jobs 6

7 Perimeter defense is dead: Solving the problem Collaboration Information Sharing Whole Picture The more people and industries that share information the clearer the picture becomes and everyone is better positioned to defend against cyber attacks Sharing information is key to increasing the knowledge and sophistication of your security staff and solutions No one firm is able to see the entire cyber attack puzzle Joint Capability No one industry is positioned to fully defend against all types of attacks 7

8 Enter the Advanced Cyber Security Center UNIVERSITY ASSETS ACSC FEDERAL PRIORITIES INDUSTRY NEEDS The Advanced Cyber Security Center is a trusted cross-sector collaboration organized to help protect the New England region s organizations from the rapidly evolving advanced and persistent cyber threats and to support New England s role as a center for cyber security R+D, education, talent and jobs. 8

9 Members by sector Technology Akamai Bit9 Confer Courion Facebook RSA/EMC Corporation Veracode Financial Services Eastern Bank Federal Reserve Bank of Boston John Hancock Financial Services Liberty Mutual Group State Street Corporation Defense Draper Laboratory MIT Lincoln Laboratory The MITRE Corporation Biotech/Pharmaceuticals Biogen Idec Boston Scientific Corporation Pfizer Inc. Health Care Blue Cross Blue Shield of Massachusetts Harvard Pilgrim Health Care Government Commonwealth of Massachusetts Legal Foley Hoag University Boston University Harvard University MIT Northeastern University University of Massachusetts Worcester Polytechnic Institute 9

10 Three key initiatives Information Sharing R&D and Education Policy Development Identify new threat indicators Share best practices Build cross-sector network in NE Development of Cyber Workforce Address hardest R+D challenges Government, Industry & Higher Ed Funded ACSC as best practice laboratory Research on information sharing Federal legislation 10

11 Threat evaluation and information sharing model Face-to-Face Tactical: cyber defenders meet bi-weekly - Cyber Tuesday; (MA NG included beginning in 2014) Strategic: senior leaders meet quarterly - Cyber Exchange Forum; (MA NG and USAF included beginning in 2014) MITRE hosts incubation space in Bedford Virtual Cyber threat information sharing portal: wiki and forum list server Structured threat information database and analysis platform: Collaborative Research Into Threats (CRITs) Ahead: standards-based automated sharing of cyber threat information via CRITs enabled by STIX and TAXII 11

12 It s the results that count getting actionable intelligence? participation driven changes or enhancements in defense posture? your enterprise more secure? developed security skill as a result of participation? 12

13 Facilitating secure cloud computing debate 13

14 University-Industry partnerships Cybersecurity research Consortia Explore, evaluate and implement successful university-industry collaboration models Coordinating a small forum of university and industry decision makers to discuss and agree on a plan and process for the Forum with two principal goals in mind: 1) establishing an ongoing forum to identify those over the horizon technology challenges/opportunities that are priorities for industry and the federal government; and 2) identifying those mechanisms and models that will satisfy industry and academic requirements and provide the incentives for both sides to come to the table Advance R&D projects Cybersecurity Risk Analysis for Enterprise Security A Platform for Data-Intensive Cybersecurity Monitoring Develop a virtual industry data warehouse to support the next phase of research projects Data Sharing Agreement between the Federal Reserve, Liberty Mutual, UMASS and BU 14

15 Pursuit of policy initiatives Policy Working Group Consists of partners from major Boston and DC law firms Identify common cybersecurity policy concerns at the state and federal levels Legislation and policy subject matter expertise Education and advocacy for state and federal cybersecurity strategies and programs Examples include Open Letter supporting regional threat sharing capabilities in the national framework, DoD Secure Cloud Computing Act, MA Cybersecurity talent pipeline development Bond Bill Focus issues include threat sharing liability protection and privacy and data breach regulation consistency Explore the opportunity for a small cluster of Boston law firms to work together, and establish themselves as leaders in protecting client data 15

16 Recognizing the value of the model - White House Blog, Getting Serious about Information Sharing for Cybersecurity : Calls ACSC one of the premier non-profit information sharing organizations that has shown value in building smaller trust networks across sectors in metropolitan areas. - On a recent trade mission to Israel, MA Governor Deval Patrick outlined the value of the Commonwealth s participation in ACSC and the importance of our mission during a Cyber Security Panel with members of the Massachusetts-Israel Innovation Partnership Mission Congressman Bill Keating (D-MA), Homeland Security Committee, Cybersecurity Subcommittee: ACSC, in particular, has developed the unique ability to establish real-time, peer-to-peer threat sharing that is moving the nation to a better understanding of the root causes of cyber attacks and from where threats are derived. - Christian Science Monitor, How Obama should work with business to combat China cyberspying : The US Department of Homeland Security needs to use its authority to incentivize and enable the creation of trusted federations of companies, like the Advanced Cyber Security Center in Massachusetts, that share cyberthreat information and best practices for cyberprotection. 16