Update on U.S. Critical Infrastructure and Cybersecurity Initiatives


Update on U.S. Critical Infrastructure and Cybersecurity Initiatives
Presented to the Information Security Now! Seminar, Helsinki, Finland, May 8, 2013
MARK E. SMITH, Assistant Director, International Security Programs, Office of the Under Secretary of Defense (Policy), Defense Technology Security Administration

International Security Programs: Functions
- Establish national and DoD policies on foreign disclosure of classified military information and materiel
- Administer the interagency National Disclosure Policy Committee (NDPC)
- Evaluate the capability of foreign governments and international organizations to protect classified information
- Negotiate general and industrial security agreements
- Monitor security arrangements for security assistance and arms cooperation programs
- Establish policy on foreign government visits and personnel assignments
- Implement NATO security policy within the U.S. Government
- Liaise with foreign government security officials

Former Secretary of State Clinton and Finnish Foreign Minister Tuomioja signing the U.S.-Finland General Security of Information Agreement, June 27, 2012

Critical Infrastructure and Cyber Security: Ten Rules for Cyber Security (Eneken Tikk, 2011)
- Territoriality
- Duty of Care
- Early Warning
- Access to Information
- Criminality
- Self-Defense
- Mandate
- Responsibility
- Cooperation
- Data Protection

Finland, EU and U.S. Strategies
On January 24, 2013, Finland adopted its Cyber Security Strategy and strategic guidelines:
- Identify and define cyber threats
- Create a collaborative model between authorities and other actors
- Improve situational awareness through increased information sharing
- Maintain and improve the ability to detect and identify cyber disturbances
- Ensure the police have sufficient capabilities to prevent, expose and solve cybercrime
- The Finnish Defence Forces will create a cyber defense capability
- Strength through collaboration
- Improve the cyber expertise and awareness of all societal actors

Finland, EU and U.S. Strategies
February 7, 2013: the European Commission launched its cybersecurity strategy for the European Union.
- Objective: increase technical and organizational capabilities and preparedness to manage risks and address security incidents in network and information systems
- Proposed Directive on Network and Information Security
- Obligation for operators of critical network infrastructure to report security incidents to competent national authorities

Finland, EU and U.S. Strategies
On February 12, 2013, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience.

Finland, EU and U.S. Strategies
The Executive Order proclaims that the policy of the U.S. is to "enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
The goals are to be achieved through partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and to collaboratively develop and implement risk-based standards.

Finland, EU and U.S. Strategies
The Executive Order focuses on the following initiatives:
- Enhanced information sharing between the intelligence community, federal executive agencies and private CIS operators on emerging threats and targeted entities
- Expansion of the Enhanced Cybersecurity Services program to provide classified threat and technical information to eligible CIS companies and to commercial providers of security services to CIS
- A voluntary Cybersecurity Framework of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks to CIS

Finland, EU and U.S. Strategies
Because the Framework is voluntary, the E.O. also mandates:
- Incentives designed to promote participation in the Framework
- A comprehensive review of cybersecurity-related regulations and government contracting standards, to achieve harmony and standardization within existing procurement requirements and to assess the merits of incorporating security standards into acquisition planning and contract administration

Focus on Critical Infrastructure
PPD-21 identifies 16 critical infrastructure sectors:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems

Focus on Critical Infrastructure
A key piece of the Executive Order requires federal agencies overseeing critical infrastructure sectors to identify organizations "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." The list is reviewed annually, and the identified entities are treated as part of the U.S. critical infrastructure.

Focus on Critical Infrastructure
- The endeavor is a shared responsibility among Federal, state, local, tribal and territorial entities and the public and private owners and operators of CIS
- The Federal Government must also manage the security and resilience of its own infrastructure for the continuity of national essential functions, and organize itself to better partner with CIS owners and operators
- The Federal Government shall also engage with international partners to strengthen critical infrastructure located outside of the U.S. on which the nation depends

PPD-21: Three Strategic Imperatives
- Refine and clarify functional relationships across the Federal Government
- Enable efficient information exchange by identifying baseline data and systems requirements for the Federal Government
- Implement an integration and analysis function to inform planning and operational decisions regarding CIS:
  - Aid in prioritizing assets
  - Anticipate interdependencies
  - Recommend security and resilience measures before, during and after an event
  - Support incident management and restoration efforts

Role and Obligations of the Department of Defense
The Under Secretary of Defense (Policy):
- Serves as the Principal Staff Assistant to the Secretary of Defense on risk management of Defense Critical Infrastructure (DCI)
- Establishes policy for promoting DCI Program information sharing with other federal departments and agencies, State, local, regional, territorial and tribal entities, intergovernmental organizations, the private sector and foreign countries
- Manages the sector-specific agency requirements for the national Defense Industrial Base sector
- Serves as the principal DoD representative for DCI Program-related matters with Congress and the Executive Office of the President

Role and Obligations of the Department of Defense
U.S. Cyber Command (USCYBERCOM)
- Fully operational in 2010; charged with pulling together existing cyberspace resources, creating synergy and synchronizing war-fighting effects to defend the information security environment
- Subordinate to U.S. Strategic Command (USSTRATCOM)
- Directs activities to operate and defend Department of Defense information networks and, when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations)
- Defensive strategy rests on five pillars: treat cyberspace as a domain; employ more active defenses; support the Department of Homeland Security in protecting critical infrastructure networks; practice collective defense with allies and international partners; and reduce the advantages attackers have on the Internet

The Future
- Any PPD or Executive Order carries many milestones and deadlines: 120 days, 150 days, 180 days, 240 days, 2 years
- As of today, all analysis, capability building, implementation, planning, policy coordination, public hearings, dispute resolution and in-progress reviews are still a work in progress among Executive Branch agencies and the affected public and private sectors
- THIS IS NORMAL
- All of it serves the greater good: considering options to streamline processes for collaboration and information exchange, meet the needs of individual sectors, and provide a focused and disciplined approach toward CIS owners and operators

In the meantime: Multinational Industrial Security Working Group (MISWG), Ad Hoc Working Group 8 (Cyber Best Practices)
- Created to devise a primer on best practices to address cyber threats, vulnerabilities and countermeasures
- Takes into consideration those elements of information technology and cybersecurity that directly apply to cooperative programs and contracts between MISWG nations
- Limits its scope to industrial security and the application of national practices, and assists those member nations with a less robust approach to cybersecurity

Summary (Pros)
- The Ten Rules are alive and well, and are embodied in part by current policies and strategies on both sides of the Atlantic
- Similarities among Finland, the EU and the U.S. on participation, collaboration, information sharing, and awareness
- Collaboration
- Information sharing
- Incentive-based considerations to promote participation
- National Critical Infrastructure Security and Resilience R&D Plan

Summary (Challenges)
- Promoting safety, security, business confidentiality, privacy, and civil liberties: inherent challenges requiring salesmanship, trust-building, or at the very least coexistence
- These concerns are at odds with the threat, and with state, proxy and independent actors who do not share them
- Standards, standards, standards: concerns have already been voiced regarding rigorous requirements
- Tension with IT and business management strategies regarding efficiency, system design and strategic information sharing
- Nothing beats awareness and basic best practices, which are always a daily battle

Open Forum