Cybersecurity Primer

Transcription

1 Cybersecurity Primer August 15, 2014 National Journal Presentation Credits Producer: David Stauffer Director: Jessica Guzik

2 Cybersecurity: Key Terms Cybersecurity Information security applied to computers and networks Cyber incident Cyber attack Cyber threat intelligence National Security System Critical infrastructure A violation of an organization s security policy as a means to access networks or spread malicious codes An attack targeting an enterprise s use of cyberspace to disrupt, disable, destroy, or control a computing infrastructure and its data; types of attacks include, but are not limited to denials-of-service, viruses, malware, and phishing schemes Information about vulnerability of or threat to a government or private sector entity s network; includes information about a network s protection from attackers Any information system that involves intelligence activities, cryptologic activities related to national security, command and control of military forces, or direct fulfillment of military or intelligence missions Physical or virtual assets and systems vital to society; destruction or damage to such assets could debilitate national security, the economy, public health or safety, or the environment Source: Government Accountability Office, 2013; U.S. Department of Commerce, 2003; Center for Strategic and International Studies, 2013, NIST

3 Number of Cyber Incidents Reported Among Federal Agencies Has Increased Nearly Ninefold Since 2006 Number of Incidents Reported to U.S. Computer Emergency Readiness Team (US-CERT), FY Number of reported cyber incidents has lead to a growing concern about cybersecurity and the destructive impact cyber attacks could have on the government, military, private sector, and even personal operations Number of reported cyber incidents has prompted many to urge the U.S. government to provide a greater level of protection from such attacks Rise in reported incidents may also be partially attributed to better reporting; a growing awareness of cyber attacks has led agencies and companies that are part of critical infrastructure to be more forthcoming about threats and incidents Source: Government Accountability Office, 2013; Ellen Nakashima and Danielle Douglas, More Companies Reporting Cybersecurity Incidents, The Washington Post, March 1,

4 Federal Agencies are Vulnerable to a Variety of Cyber Incidents Types of Incidents Reported to US-CERT, FY Scans, probes, attempted access Unauthorized access Unknown or under investigation Malicious code Improper usage Spreading malicious codes, unauthorized access, and improper usage are the most common types of cyber incidents, accounting for 55% of total incidents reported According to the Government Accountability Office, many of these incidents resulted in data loss, data theft, computer intrusions, privacy breaches, and economic loss Source: Government Accountability Office,

5 Threats to Cybersecurity are Decentralized and Diverse Actors Threatening Private and Public Cybersecurity Spyware or Malware Authors Individuals or organizations producing and distributing malware/spyware Business Competitors Companies obtaining sensitive information from rival or target companies to improve their competitive edge Criminal Groups Groups attacking systems for monetary gain Spammers Individuals or organizations distributing unsolicited s with hidden or false information Threats to Cybersecurity Insiders Organization insiders gaining network access to damage or steal system data (e.g. NSA s Edward Snowden) Bot-net Operators Networks of remotely controlled systems coordinating cyber attacks Hackers Individuals or groups gaining unauthorized access into networks for various reasons Nations Foreign governments seeking information to develop information warfare doctrine, programs, and capabilities Phishers Individuals or groups stealing identities or information for monetary gain International Corporate Spies Spies conducting economic and industrial espionage Terrorists Individuals or groups seeking to destroy, incapacitate, or exploit critical infrastructure Cyber threats are caused by individuals and organizations motivated by financial gain, political advantage, and ideological causes Many cyber attacks fall under multiple categories, e.g. a terrorist and a phisher can be one in the same Source: Government Accountability Office, 2013; Congressional Research Service, 2013; 5

6 Government Agencies and Organizations Protect Federal, Private Organizations Against Cyber Threats Agencies Tasked with Protecting Nation s Cybersecurity Department of Homeland Security Responds quickly to cyber vulnerabilities Partners with owners and operators of critical infrastructure, to release actionable cyber alerts Investigates and arrests criminals Educates public on cyber safety Within DHS, United States Computer Emergency Readiness Team (US-CERT) provides cyber threat warning information and coordinates responses Office of Management and Budget Develops and oversees implementation of policies, principles, standards, and guidelines on information security in federal agencies Annually reviews and approves agency information security programs Department of Commerce Oversees Internet Policy Task Force Researches and reviews cybersecurity standards in the commercial sector Within the Department of Commerce, the National Institute of Standards and Technology (NIST) develops minimum security standards for agencies and guidelines for identifying information systems critical to national security Source: Government Accountability Office, 2013; Department of Homeland Security, 2013; Department of Commerce,

7 Cybersecurity Became a Legislative Priority in Past Decade Timeline of Enacted Cybersecurity Legislation Federal Information Security Management Act (FISMA) Establishes a comprehensive, riskbased framework to ensure information security controls over information resources supporting federal operations and assets Comprehensive National Cybersecurity Plan Establishes frontline of defense against network intrusion, enhances U.S. counterintelligence capabilities and expands cyber education National Infrastructure Protection Plan Provides framework integrating a range of efforts and partnerships designed to make the nation s critical infrastructure more safe Executive Order Improving Critical Infrastructure of Cybersecurity, Failure of CISPA EO requires government to share cybersecurity threats with private sector and directs NIST to create best practices for cybersecurity in the private sector; House passes, but Senate does not take action on, major cybersecurity bill CISPA Source: National Journal Research; White House, 2000; Government Accountability Office, 2013; Department of Homeland Security, 2009; Central Intelligence Agency, 2008; Gerry Smith, Senate Won t Vote on CISPA, Deals Blow to Controversial Cyber Bill, HuffPost Tech, April 25,

8 In Executive Order, Private Sector Cooperation Encouraged But Voluntary Cybersecurity Executive Order (EO) Flow of Information Mandated Course of Action Recommendations and detected threats U.S. Executive Branch Ordered National Institute of Standards and Technology (NIST) to create a cybersecurity framework to identify threats and establish guidelines for protection; a first draft was released in February of 2014 Ordered NIST to assess its own performance on privacy Directs all government agencies to provide alerts to the private sector in the event of a threat Private Sector May help NIST develop framework May volunteer to comply with cybersecurity framework May help to protect critical infrastructure, e.g., electrical grids, banking systems, and water treatment plants Voluntary Course of Action Obama s 2013 executive order aimed to enhance cybersecurity by establishing a synergetic framework between the private sector and government agencies Government agencies must share information about alerts, threats, and vulnerabilities with private sector In return, private sector entities are advised, though not required, to help NIST develop a stronger cybersecurity framework Source: Brian Fung, Why Some Privacy Advocates Are Grinning Over Obama s Cybersecurity Order, National Journal, Feb. 13, 2013; Michael S. Schmidt and Nicole Perlroth, Obama Order Gives Firms Cyberthreat Information, New York Times, Feb. 12, 2013; Chenxi Wang, Obama s Cybersecurity Executive Order: Heart in the Right Place But There Is Little Teeth, Forbes, Feb. 14, National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12,

9 Executive Order Struggles with Implementation Process of Implementing Cybersecurity Information Sharing EO DHS Communications Service Providers Critical Infrastructure Sectors Participating Not Participating Defense Telecomm Energy Chemical Certifies To provide sharing services and utilities to Critical Manufacturing Dams Emergency Services Food and Agriculture Financial Services Health Care Nuclear Water IT Transportation Government Facilities Commercial Facilities The information sharing program outlined in the 2013 EO has only reached three of 16 critical infrastructure industries DHS does not directly advertise or maintain the program, instead relying on private service providers for those functions; government information provided through the program is free, but companies must purchase the data sharing services and utilities from private providers Currently, only two service providers, CenturyLink and AT&T, have applied and been approved for the program Source: Aliya Sternstein, Who Receives Hacker Threat Info From DHS? NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors. 9

10 Program Has a Chicken-and-Egg Problem of Low Participation Barriers to Participation in Information Sharing Program Limited number of communications service providers participating Because critical infrastructure sectors aren t participating, because The executive order currently has a chicken-and-egg problem; the program needs more service providers to expand the service to all 16 critical infrastructure sectors, but because so few sectors are currently involved, few service providers are interested in expanding into the program Moreover, there are barriers for service providers: the current accreditation process for service providers takes eight months, and the investment that companies need to make to get clearance for employees to view the information and build secure communications networks to protect the information is formidable Source: Aliya Sternstein, Who Receives Hacker Threat Info From DHS?, NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors. 10

11 In 2014, Congress Advanced Legislation to Increase Cybersecurity Sharing Participation Timeline of Recent Legislative Action on Cybersecurity June 2014 July July 28, 2014 July 31, 2014 The Cyber Information Sharing Act (CISA) is introduced in the Senate, removing legal barriers for companies to share information about cybersecurity threats and providing liability protection for companies who share such information The Senate Select Committee on Intelligence approves CISA and sends it to the Senate floor for debate Liability protection would allow protection from civil action, regardless of prior contracts that may prevent sharing information without a customer s consent The House passes three bills: The National Cybersecurity and Critical Infrastructure Protection Act, which creates a civilian agency under DHS to handle cyber information sharing between the government and private industries and organizations for security purposes; The Critical Infrastructure Research and Development Advancement Act, which directs DHS to develop a strategic plan for cybersecurity protection; and The Homeland Security Boots-On-The-Ground Act, which requires DHS to develop occupation classifications for individuals performing cybersecurity functions The Cyber Information Sharing Tax Credit Act is introduced in the Senate, providing tax credits to private companies who share information regarding cybersecurity threats with security research organizations Sources: Gregory S. McNeal, Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee, Forbes, July 9, 2014; Steve Augustino, Jameson Dempsy and Dawn Damschen, Could 2014 Be The Year for Cybersecurity Sharing Legislation? Above The Law, July 14, 2014; Mary-Louise Hoffman, Sen. Kirsten Gillibrand Proposes Tax Incentves To Spur Cyber Intel Sharing, ExecutiveGov, August 4, 2014; Eric Chabrow, How House Passed 3 Cybersecurity Bills, Bank Info Security, July 29,

12 NIST Framework s Tiers Rate Organizational Preparedness Against Cyber Threats NIST Tiers Risk Management Process Integrated Risk Management Program External Participation Tier I Partial No formalized process, ad hoc and reactive to threats, not informed by organizational needs or current trends Limited awareness of cybersecurity risk and no organization-wide approach to risk management No processes in place to participate in coordination with other entities on cybersecurity Tier II Risk Informed Risk management practices are approved by management but may not be organization-wide policy; risk management may be informed by organizational needs or current trends Awareness of cybersecurity risk at the organizational level, no organizational approach The organization understands it is part of a larger ecosystem but has no formal system for external interaction Tier III Repeatable The organization s risk management practices are formally approved and expressed as policy, and the organization changes those practices based on updated organizational needs and current trends A consistent organization-wide approach to risk management The organization understands its partners and dependencies and receives information from those entities that allows for collaboration and informed responses to threats Tier IV Adaptive A formalized and continuously updating system of cybersecurity practices based on information from previous and current cybersecurity activities An organization-wide approach to managing cybersecurity risk using risk-informed policies and procedures, with cybersecurity risk management as a part of organizational culture Actively shares information with partners to ensure systemic security and defense against a cybersecurity breach Source: National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12, 2014.

13 Cyber Attacks Cost Private Sector Millions Average Annual Cost of Cyber Attack Damages Per Sector in FY 2012 In millions of dollars Cyber attacks were most costly to defense, utilities and energy, and financial services sectors in FY 2012; these sectors spent an average of $19.4 million on cyber attack damages, while all other sectors shown spent an average of $5.7 million Cyber attacks are mostly likely to target defense, utilities, and financial services sectors because they contribute to the nation s critical infrastructure Consumer products, hospitality, and retail sectors spend the least on cyber attack damages because they rarely possess information pertinent to the nation s critical infrastructure * Data is based on survey of 56 companies; cost refers to cost of addressing cyber attack damages Source: 2012 Cost of Cyber Crime Study: United States, Ponemon Institute, October

14 Cyber Attacks Prompt Private Sector to Take Precautions Proactive vs. Reactive Corporate Spending Against Cyber Threats, 2010 Annual Gross Written Premiums for Cybersecurity Private Liability Insurance In millions of dollars Companies spent more on proactive measures labor, capital, or services that assist in avoiding cyber incidents and data breaches in 2010 than on reactive measures expenditures made in response to cyber incidents and data breaches Aligning with this trend is the growth of the cybserinsurance market, which commanded $1 billion in annual premiums in 2012, a 40% increase compared to 2010 Source: Adam Mazmanian, The Cyber Premium, National Journal, June 15, 2012; NIST,