Global Cybersecurity Outlook: Legislative, Regulatory and Policy Landscapes
June 23, 2015
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time
#ISSAWebConf
Brought to you by ISSA International
Welcome
Conference Moderator: Allan Wall MSc., FBCS, CISSP, A.Inst.ISP
Senior Consultant, Information Risk Management, HP Enterprise Security Services
Speaker Introduction
- Brian Engle - Executive Director, Retail Cyber Intelligence Sharing Center
- Mathieu Gorge - CEO & Founder, VigiTrust
- Michael F. Angelo - CRISC, CISSP
Remember to type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
US Cybersecurity Legislation: R-CISC Perspectives
Brian Engle, Executive Director, Retail Cyber Intelligence Sharing Center
About the Retail Cyber Intelligence Sharing Center
- Non-profit organization enabling the community for cybersecurity intelligence and information sharing
- Membership model inclusive of a wide variety of consumer-oriented businesses as well as solution providers
- Operation of the Retail and Commercial Services Information Sharing and Analysis Center (RCS-ISAC)
- Conducting research on emerging threats, significant challenges, and effective solutions for cybersecurity issues
Previous Noteworthy Legislation: National Cybersecurity Protection Act of 2014
- Signed in December of 2014
- Codified the National Cybersecurity and Communications Integration Center (NCCIC) along with the functions / responsibilities of the DHS cybersecurity role
- Expedition of cybersecurity information sharing agreements with non-federal entities
- Information Sharing and Analysis Organizations, clearances, and support of industry through a civilian interface
Previous Noteworthy Legislation: Cybersecurity Enhancement Act of 2014
- Signed in December of 2014
- Authorizes the Department of Commerce, through the National Institute of Standards and Technology (NIST), to develop voluntary standards to reduce cybersecurity risks to critical infrastructure
- Requires the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan
In Flight US Cybersecurity Legislation
Information Sharing
- Cybersecurity Information Sharing Act of 2015 (S. 754, Burr)
- Cyber Threat Sharing Act of 2015 (S. 456, Carper)
- Cyber Intelligence Sharing and Protection Act (HR 234, Ruppersberger)
Cybersecurity Governance
- Protecting Cyber Networks Act (HR 1560, Nunes)
- National Cybersecurity Protection Advancement Act of 2015 (HR 1731, McCaul)
- Data Security and Breach Notification Act of 2015/2016 (HR 1770, S. 177)
Visit Congress.gov to follow progress on cybersecurity legislation.
Cybersecurity Sharing Proposed Bills
Common Traits
- Various stages of the process, but essentially somewhere on one side or the other of House/Senate
- Not overly contentious (discretionary, not mandatory)
Key Traits to Look For
- Exemptions from FOIA for cybersecurity information shared with government
- Exemptions from anti-trust
- Limitations of use, and lifecycle
Protecting Cyber Networks Act (HR 1560, Nunes)
- Amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to develop procedures for timely sharing of classified and declassified cyber threat indicators with private entities and non-federal government agencies
- Prohibits defensive measures from being used to destroy, render unstable or inaccessible, or substantially harm an information system that is not owned by the operator or by the entity authorizing the operator of the defensive measure
National Cybersecurity Protection Advancement Act (HR 1731, McCaul)
- Amends the Homeland Security Act of 2002
- Expands inclusion of ISACs and non-federal representatives in NCCIC
- Requires NCCIC to be the lead civilian interface for multi-directional and cross-sector sharing of cyber threat information, including with international partners
- Includes generally expected reporting to Congress along with defined details on DHS NCCIC authorized activities
Data Security and Breach Notification Act (HR 1770, S. 177)
- Requires certain commercial entities and non-profit organizations that use, access, transmit, store, collect or dispose of nonpublic personal information to notify affected US residents when there is a reasonable risk that a breach has resulted or will result in identity theft, economic harm, or financial fraud
- Preempts state information security and notification laws, but does not replace them
- Expands the audience for requirements of security practices and notification standards currently enforced by the FCC
Thank You!
Brian Engle, Executive Director, Retail Cyber Intelligence Sharing Center
Question and Answer
Brian Engle, Executive Director, Retail Cyber Intelligence Sharing Center
Global Cybersecurity Outlook: Legislative, Regulatory and Policy Landscapes
Mathieu Gorge, CEO, VigiTrust
Mathieu.gorge@vigitrust.com
https://ie.linkedin.com/in/mgorge
Agenda
- Setting the Scene
- EU General Data Protection Regulation
- EU NIS
- US-EU Convergence
- Other frameworks
- Key Considerations for compliance with Legal, Regulatory and Policy requirements in 2016-2018
- Q&A
Setting The Scene
Disclaimer
EU General Data Protection Regulation (1)
- GDPR is a replacement for EU Data Protection Directive 95/46/EC
- In the making for 4+ years, but the European Council approved the EU GDPR draft (June 2015)
- Next stage is for the Parliament and EC to jointly agree
- GDPR to come into force two years after the date of publication; national DP laws to remain effective in the meantime
- Jurisdiction will extend to outside the EU: if goods or services are offered to, or allow monitoring of, EU data subjects
- Non-EU data controllers (of EU data subjects' info) will need to appoint an EU DP representative
EU General Data Protection Regulation (2)
Data Subject Rights
- Info on DS must be accurate, for a specific purpose, appropriately protected, etc.
- DS must receive an explanation of the rights they have with respect to their data
- Must be told if any type of profiling is performed
- Big Data: primary or secondary use restrictions (must not conflict)
Controllers & Processors
- Controllers must have extended internal data processing record-keeping activities and P&Ps
- Processors can be liable as well as Controllers
- Right to be forgotten
- Data portability
- High Risk Activities require a Data Impact Assessment
- Security Officers are not required under GDPR, but Member States may require it at local levels*
EU General Data Protection Regulation (3)
Data Breach Notification is included:
- Notify applicable supervisory authorities within 72 hours
- One-stop-shop supervisory authority is somewhat changed, especially with respect to multi-jurisdictional breaches, so all MS supervisory authorities can be involved in a data breach case
- Notify affected data subjects without undue delay
Article 29 Working Party / European Data Protection Board
- Provide interpretation of GDPR & related matters
Fines
- Up to 2% of an enterprise's global turnover, capped at 1m
- Infractions to be tiered
EU Network Information Security (1)
- Means a transformation of Information Security Regulation in the EU
- EU Cybersecurity Strategy implementation framework
Key Objectives
- To provide a Secure & Trustworthy Environment
- To protect businesses against always-evolving threats
- Protect users to drive consumer confidence
How did it come about?
- Consultation & Impact assessment, July-Oct 2012
- EU Member States Conference, July 2012
- Private sector feedback, 2012
- European Cybercrime Centre (EUROPOL) focal point re cybercrime in the EU (2013)
- European Parliament successfully votes NIS Directive (2014)
- US-EU Workshops (2014)
- Full adoption 2015?
Who / How does the EU Network Information Security apply to (1):
EU Member States, who now have a minimum level of national capabilities by:
- Establishing competent authorities for NIS at national level
- Setting up Computer Emergency Response Teams (CERTs), and
- Adopting national strategies and national cooperation plans
- Also required to exchange information and cooperate to counter NIS threats & incidents on the basis of the European NIS plan
- Ensuring that a culture of risk management develops and that information is shared between public & private sectors
EU Member States must require operators of Critical Infrastructure (CI) to:
a) Adopt appropriate steps to manage security risks
b) Report incidents to the national competent authorities
Who / How does the EU Network Information Security apply to (2):
CI sectors in scope for compliance with NIS:
- Energy, transport, banking, financial market infrastructures, health sector
- All of the above must work with CERTs to monitor & respond to national-level incidents, maintain public/private cooperation, and promote good practices for incident management
Market Operators, aka providers of information society services, in scope for compliance with NIS:
- Social networks, search engines, cloud computing services, commerce platforms, Internet payment gateways, application stores
- All of the above must have technical & organizational measures to manage security risks
- Perform risk/security assessments
- Investigate non-compliance & notify where required
- Are encouraged to use available security standards
NIS Application in Practical Terms:
At Member State / Regional Levels
- Monitor compliance as against other EU countries & take corrective action
- Co-ordinate with multiple new authorities (national competent authorities & CERT(s))
- Ensure they continually enhance incident management processes
NIS focus on Security Awareness:
- Employees involved in or directly responsible for the management of global systems (including CI) must understand and comply with NIS & MS laws
- Committee members and IT/Business decision makers affecting technical & management security controls in the EU must be trained up
- Staff of 2nd & 3rd lines of defense providing oversight or auditing security/IT in the EU must all be trained
US - EU Convergence
- Historical perspective
- Data Protection vs Data Breach Notification
- EU vs US approach to addressing data security challenges
- Cybersecurity risks are often cross-sectoral, yet regulations are often regional or sectoral; both dimensions must be addressed at the same time
- Of MA 201, GDPR and NIST Cybersecurity Framework & NIS
- Information sharing seems to be a key driver on both sides of the Atlantic, yet: Is real information really being shared the right way? Can we really achieve true public-private information sharing? US/EU information sharing?
Other Frameworks
PSD2
- Update to existing PSD
- Pilot implementation to run from 2015-2017
- Applies to all payment service providers offering payment services (from Internet card payments to online credit transfers, ACH/Direct debit)
- Requires two key things from a security perspective: Annual Security & Risk Assessment; Breach notification
PCI DSS
ISO 27001:2013
AML & KYC considerations
Key Considerations for compliance with Legal, Regulatory and Policy requirements in 2016-2018
- Convergence & overlap in scope of applicability as well as regional applicability in legal & industry security frameworks
- C-Level involved
- Focus on Security Awareness is much more obvious
- Data Breach Notification
- Risk-based approach within each mandate, not a tick-box exercise
- But really... we should all be doing this already!
Thank You
Mathieu Gorge, CEO, VigiTrust
Mathieu.gorge@vigitrust.com
https://ie.linkedin.com/in/mgorge
Question and Answer
Mathieu Gorge, CEO, VigiTrust
A Cautionary Note
Michael F. Angelo, CRISC, CISSP
michael.angelo@netiq.com
Twitter: @mfa0007
Averted Disasters: Massachusetts
- Early PII data encryption as a defense against PII violation
- Original draft specified AES
Averted Disasters: German Digital Signature Law
- No repudiation for digitally signed items
- "I owe you $100" or "$1,000,000"
Beware of Secure Touch-n-Pay
- Biometric Access Corp, June 2002
- http://lubbockonline.com/stories/060902/bus_0609020013.shtml
Corporate Assets
- Their database:
  - Financial information: protected
  - Names and fingerprints: status not defined (2002)
- Legislation: names and fingerprints use limited to the use they were provided for, and not transferable as an asset without explicit permission of the owners
Morphing Laws: Sarbanes-Oxley - 2002
- In part protects against destruction of information in a crime
- Directed at ENRON-type events
- What happens if you: clear your cache; defragment your drive?
Morphing Laws
- Prosecutors do not have to show that the person deleting evidence knew there was an investigation underway
- So in the normal course of system maintenance you could destroy data that you did not know was evidence, and be convicted of violating Sarbanes-Oxley
New Laws: Royce
- https://www.congress.gov/bill/113th-congress/house-bill/5793
- Bill of materials and other requirements
- DHS & UL
  - Bill of materials
  - Assertion that you have no known vulnerabilities at release
  - You have a mechanism to repair vulnerabilities
- More to come
Export Controls: Encryption
- 1997: moved from ITAR to Commerce
- Original controls set at 56, 80, 512 bits
- Over the years: decontrol of technology or exemptions; secure operating systems
- Added Controls
2013 Wassenaar Agreement for additions to the list of dual-use goods:
- systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software;
- software specially designed or modified for the development or production of such systems, equipment or components;
- software specially designed for the generation, operation or delivery of, or communication with, intrusion software;
- technology required for the development of intrusion software;
- Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology
Wassenaar Implementation
- Used to have security controls in Cat 5: Part 1 Networking; Part 2 Encryption, Certified O/S, Quantum Encryption
- Proposed Rules Published - Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015
Wassenaar Implementation Changes
- 4A005 - "systems, equipment, or components therefor, specially designed for the generation, operation or delivery of, or communication with, intrusion software"
- 4D004 - "software specially designed for the generation, operation or delivery of, or communication with, intrusion software"
- 4E001 - (to control "technology required for the development of intrusion software")
Why: National Security (NS), Regional Stability (RS), Anti-Terrorism (AT)
In Addition
- 5A001.j - Internet Protocol (IP) Network Communications Surveillance Systems or Equipment and Test, Inspection, Production Equipment, Specially Designed Components Therefor
Not Done Yet
- 740.13 removes cybersecurity software from the mass market provision
- Cybersecurity items classified in cybersecurity ECCNs (4A005, 4D004, 4E001, 5A001, 5A002, 5D002 and 5E002)
- All cybersecurity items using or incorporating encryption or other information security functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002 must also satisfy the registration, review and reporting requirements set forth in 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD.
Good News (ish)
Comments:
- Submit to the Federal rulemaking portal www.regulations.gov; the regulations.gov ID for this rule is BIS-2015-0011
- Email to publiccomments@bis.doc.gov
- Physical: Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230
- Please refer to RIN 0694-AG49 in all comments and in the subject line of email
Summary
- Security experts need to examine the impact of environmental changes in order to validate their security controls, before implementation
- If not, expect more prescriptive legislation
- If you don't comment or participate in the decision, don't complain about the results
Thank You
Michael F. Angelo, CRISC, CISSP
michael.angelo@netiq.com
Twitter: @mfa0007
Question and Answer
Michael F. Angelo, CRISC, CISSP
Open Panel with Audience Q&A
- Brian Engle, Executive Director, Retail Cyber Intelligence Sharing Center
- Mathieu Gorge, CEO & Founder, VigiTrust
- Michael F. Angelo, CRISC, CISSP
Closing Remarks
I would like to thank Brian, Mathieu and Michael for lending their time and expertise to this ISSA Educational Program. Thank you Citrix for donating the Webcast service.
CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2198454/issa-web-Conference-June-23-2015-Global-Cybersecurity-Outlook-Legislative-Regulatory-and-Policy-Landscapes