Public Private Partnerships and National Input to International Cyber Security


Public Private Partnerships and National Input to International Cyber Security
10 September 2009, Tallinn, Estonia
Maeve Dion, Center for Infrastructure Protection, George Mason University School of Law, Arlington, Virginia, U.S.A.

CIP and National Inputs
- Law
- Organization
- Strategy / Policy
- Breakout Sessions

Sample* Areas of Law
- Security Regulations by Industry / Sector
- Information Sharing (Open Government, Privacy)
- Antitrust / Competition
- Criminal Law
- Tort Law
- Private Ordering (Contracts)
- National Security & Defense Law
- International Agreements / Law

Legal Complexities (?) in Cyber
- Military support to civil authorities (e.g., Estonia, U.S.)
- Agency? Clarity re: when a business may be acting as an agent of the state, so that all parties understand when that happens and the ramifications (business expectations)
- Primers?


Organization
- Private sector: networks
- Government: hierarchical
- Decisive leadership and vision
- Organization: whom to go to to get things done
- Expertise
- Speed of solution
- Authorities for coordination
- Appropriations / Funding
- CERT
- MOD, Civilian

Organization
- Threat Mitigation (all state powers of coercion, private sector, users)
- State Defense (military, intelligence, interior / homeland)
- Private sector: when?


Strategy / Policy
- Strategy led, not tool led (mitigation, offense, defense)
- Strategy incorporates law & policy (permissible & preferable)

Strategy / Policy Examples re: CIP
- Cyber conflict between countries X & Y. Effects on CI in country A. Strategy for interference (harm to life vs. economy).
- Effects on CI in countries A, B, C. Coordinated strategies for interference? What if the potential effects are worse in country B (size of economy, type of information society / vulnerabilities), and it needs assistance in interference from country A (politically sensitive?)
- Risk Management (methodologies)

Methodologies
Respondents identified 124 unique methodologies or techniques for security risk analysis. The top five accounted for only 28% of all responses.

Top 5 Methodologies (number of responses):
- CARVER: 14
- RAM-x (C, D, W): 14
- ARM/CRM: 12
- MSRAM: 6
- OPSEC: 6

Some other answers: SHIRA, TRAM, RAMCAP, HLS-CAM


Measures for Security


Measures for Security (flexibility? Coordination?)

TECH-LAW-POLICY RELATIONSHIP
- TECHNOLOGY: the Possible*
- POLICY: the Preferable*
- LAW: the Permissible*


LAW OF CYBER CONFLICT
Areas of law: information society law; criminal law; law of armed conflict
Topics: privacy; digital evidence; SLAs; e-commerce; information society services; ISP liability; e-government; access to public information; domain names; intellectual property; freedom of expression; IT procurements; criminal proceedings; sanctions; crimes; wiretapping; forensics; war crimes; terrorist crimes; critical information infrastructure protection; jus ad bellum; jus in bello; neutrality


Breakout Sessions
- Laws and procedures are different per country (not necessarily endorsing consensus)
- Different threats
- Different vulnerabilities
- Different social groundworks
- International Heli: minimum standards, NATO
- Practical Effects (e.g., rapid response teams)

CIP and National Inputs
- Law
- Organization
- Strategy / Policy
- Breakout Sessions
QUESTIONS?

Critical Information Infrastructure Protection Law
CCD COE Training, 8 September 2009, Tallinn, Estonia
Maeve Dion, Center for Infrastructure Protection, George Mason University School of Law, Arlington, Virginia, U.S.A.

CIIP Law
- Definitions & Lexicon (CIIP as part of CIP)
- Sample* Areas of Law
- Policy Considerations for CIIP

Defining CI (2007 Survey): Netherlands, France, New Zealand, Germany
- "[A] sector was deemed critical if its breakdown or serious disruption could lead to damage on a national scale."
- "All infrastructures that are vital to the maintenance of primary social and economic processes are considered critical sectors."
- "... infrastructure necessary to provide critical services. Critical services are those whose interruption would have a serious adverse effect on New Zealand as a whole or on a large proportion of the population, and which would require immediate reinstatement."
- "Critical infrastructures (CI) are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order or other dramatic consequences."

Defining CIP (2007 Survey): Australia, Canada, U.K.
- Australia: "... those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia's ability to conduct national defence and ensure national security."
- Canada: "... those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada."
- U.K.: "... those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: cause large scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; be of immediate concern to the national government."

Defining CIP (2007 Survey): Belgium, Finland
- Belgium: "... identifies three types of critical infrastructure: vital points, i.e. facilities that require protection because of their socio-economic importance, e.g. nuclear plants, bridges, ports, etc.; sensitive points, i.e. facilities that require protection because of their importance for the national or allied defence potential; critical points, i.e. persons, public authorities, communities, buildings, facilities, places and goods which face a real or potential threat of a political or criminal nature."
- Finland: Critical Infrastructure to Be Secured: technological infrastructure of society; transportation, logistics and distribution systems; food supply; energy supply; social and health care arrangements; industry and systems related to national defence.


Sample* Areas of Law
- Security Regulations by Industry / Sector
- Information Sharing (Open Government, Privacy)
- Antitrust / Competition
- Criminal Law
- Tort Law
- Private Ordering (Contracts)
- National Security & Defense Law
- International Agreements / Law

Security Regulations by Industry
- Industry / Sector Specific: Limited? Interconnections?
- Operations vs. safety vs. security
- Comprehensive?
- Culture / Policy
- Accountability

Information Sharing
- Required vs. Voluntary
- Public vs. Private
- Vulnerabilities AND Threats
- Third Party Access to Information
- Proprietary Info / Market Strength
- Increased Regulation
- Private lawsuits
- Privacy / Open Government Laws
- Within / Between Governments

Antitrust / Competition Law
- Private Sector Collaboration & Cooperation
- Information Sharing
- Relationship with Regulators
- Structures for Exemptions / Approvals: Timely? Costly?

Criminal Law
- Wrongful Activity: Alteration / Deletion of Content; Degradation / Damage to System; Unauthorized Access; Traditional Crimes (theft, insider trading, etc.)
- Intent (act vs. consequential harm)
- Damage Requirements: Aggregation; Timing
- Corporate Accountability
- Investigation & Enforcement (international)

Tort Law
- ISPs = Publisher or Distributor: Slander / Defamation (waiver / immunity); Contributory Infringement (copyright)
- Negligence vs. Negligent Enablement (e.g., Breach Notifications, legislative)
- Consequential Harm
- Evolution of "Foreseeable" (reasonableness): Likelihood of Bad Activity; Likelihood of Harm (> intervening criminal act)
- Least Cost Avoider
- Contractual Relationship (definition of "legal duty")

Private Ordering (Contracts)
- Private Re-distribution of Risk: Waivers / Immunities (e.g., software); User's Negligence Trumps (e.g., U.K. banking)
- Risk Assessment based on Knowledge: Unequal Knowledge of Risks?
- Private Risk = Based on Business Practice: Risk to Business Profitability; Risk of Damage to Assets
- Risks when Government = Customer: Awareness of Threat Levels; Costs for Mitigation of Risks (e.g., Estonia vs. U.S.)

National Security & Defense
- Balance of Government Interests: Security / Defense; Intelligence; Law Enforcement
- Emergency Powers: Resource Allocation; Control of Systems; Prioritization of Restoration
- War Powers
- Use of the Military to Support Civil Authorities
- State Secrets
- Foreign Ownership (access & control)

International Agreements / Law
- Humanitarian Law
- NATO
- Mutual Cooperation Agreements (law enforcement)


Policy Considerations for CIIP: Protecting CII
- Access & Availability: identification, authentication, access controls, and auditing; intrusion detection, firewalls, antivirus software; network resilience, redundancy; data storage, integrity, encryption.
- Human Factors: training / certification for technological capabilities; organizational security programs, training, and oversight; end-user education.
- Organizational Responsiveness: to law enforcement and intelligence (technical requirements, information demands, etc.); to regulators (informational auditing, security plans, licensing requirements, etc.).
- Proactive Abilities: awareness and monitoring of interdependencies; threat identification and prediction.

Policy Considerations for CIIP: Threats
Threats to CII, and threats via CII (disruption & weaponization).
- WHO? Natural disaster; insider; associate (contractor / vendor); external (competitor / enemy).
- HOW? Human error (development or operations); failure of awareness (human error at policy & management level); deliberate act; accident.
- WHY? To hurt the infrastructure operator; to hurt an entity reliant upon the infrastructure; theft / extortion; to hurt an economy.

Policy Considerations for CIIP: CIIP Needs
- Credible monitoring of activity in the Internet and the network backbone.
- Early warning system.
- Incident tracking.
- Response protocols for escalation of incidents.
- Clearly defined frameworks for response and reconstitution.
- Trusted processes that enable intelligence transfer between public and private sectors.
- Alignment of physical CIP and cyber CIP.
- Establishment of common definitions, taxonomy, and standards.
- Dedication to the next generation (education & training).
- Decisive leadership & vision.

CIIP Law
- Definitions & Lexicon (CIIP as part of CIP)
- Sample* Areas of Law
- Policy Considerations for CIIP
QUESTIONS?

SPECTRUM OF CYBER CONFLICT
Points along the spectrum, as labelled on the slide: not patching the software; breach of internal policy or regulations; illegal interception; crime; armed attack; cyber warfare; breach of a legal obligation; ISPs not reporting illegal activity; terrorist activity (+ purpose to force the government or interfere with the social structure of the state).

LAW OF CYBER CONFLICT (the same spectrum mapped to areas of law)
- information society law: not patching the software; breach of internal policy or regulations
- criminal law: illegal interception; crime
- law of armed conflict: armed attack; cyber warfare
- also placed on the spectrum: breach of a legal obligation; ISPs not reporting illegal activity; terrorist activity (+ purpose to force the government or interfere with the social structure of the state)


INTERNATIONAL ORGANISATIONS
NATO, ICANN, OECD, Council of Europe, European Union, UN, OSCE, International Telecommunication Union, UNESCO, UNCITRAL

LEVELS OF CYBER INCIDENT MANAGEMENT
International, State, Organisation, User

LEVELS AND SOURCES OF LAW
- International: treaties, bilateral agreements, customary law
- National: constitution, statutes, regulations, case law
- Organisation: contracts, internal regulations, soft standards, best practices

AREAS OF CYBER INCIDENT MANAGEMENT
Diplomacy, Intelligence, Military, Policy, Law, Economics


THE BOX

LEGAL AUTOMATION