THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

DISCLAIMER
- Views expressed in this presentation are not necessarily those of our respective Departments
- Any answers to questions are our own opinions and not those of our respective Departments

AGENDA
- The Cybersecurity Threat in 2013
- Public v. Private Sector Threats
- EINSTEIN: a Public Sector Response
- Policy Responses
- Public-Private Partnerships
- Policy Challenges

OVERVIEW
- Increasingly skilled cyber threats
- Variety of malicious actions
- Attempts to penetrate USG from:
  - Outside
  - Inside, within our IT capabilities
- Potential theft of classified info
- Theft of intellectual property
- Threat to national security

OVERVIEW

UNDERSTANDING THE THREAT: U.S. Government cybersecurity organization
- National Security
- Federal Civilian Networks
- Critical Infrastructure
- Commercial / Non-Critical Infrastructure

UNDERSTANDING THE THREAT: U.S. Critical Infrastructure

US-CERT MISSION
- Lead efforts to improve the Nation's cybersecurity posture
- Coordinate cyber information sharing
- Proactively manage cyber risks to the Nation
- All while protecting the constitutional rights of Americans

US-CERT MISSION: US Computer Emergency Readiness Team
- Operations: Operations Coordination & Integration, Future Operations, Incident Management
- Analyze and reduce the impact of threats and vulnerabilities
- Disseminate warning information
- Coordinate to achieve shared situational awareness
- Provide response and recovery support for national assets
- Advise on national-level cybersecurity policy and guidance

RESPONSE AND ASSISTANCE
Dedicated teams provide technical assistance at the right level of subject matter expertise, including:
- Digital Media & Malware Analysis
- Defensive Analysis
- Mitigation Strategy Development
- Threat/Attack Vector Analysis
- Vendor Analysis Coordination

SHARED SITUATIONAL AWARENESS
US-CERT develops information sharing products on a scheduled and as-needed basis. US-CERT also develops and distributes analytical information notices specific to its communities of interest.

NCAS: NATIONAL CYBER AWARENESS SYSTEM
A cohesive national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats:
- Current Activity
- Cyber Security Alerts
- Cyber Security Tips
- Cyber Security Bulletins

SHARED SITUATIONAL AWARENESS

EINSTEIN MONITORING
EINSTEIN Network Analysts monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.

KEY EINSTEIN CAPABILITIES
- EINSTEIN 1 (E1): Flow Collection. Initial analytics and information sharing capabilities
- EINSTEIN 2 (E2): Intrusion Detection. Improved sensors to identify malicious activity
- EINSTEIN 3A (E3A): Intrusion Prevention. To improve protection to prevent malicious activity

FAIR INFORMATION PRACTICE PRINCIPLES

EINSTEIN PRIVACY PROTECTIONS
- Minimization of data collection
- Limitation of uses to cyber threats
- Restrictions on info sharing and use
- Privacy cybersecurity webpage: transparency of cyber strategy & initiatives
- Compliance review by DHS Privacy Office
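The three capability tiers on the KEY EINSTEIN CAPABILITIES slide and the privacy protections listed above (minimization, use limitation, sharing restrictions), as one added Python illustration. This is example code written for this page, not DHS code, and it does not describe EINSTEIN's actual design; the flow records, the indicator list, the field names and the addresses (all from documentation ranges) are constructed.

```python
"""Toy flow-monitoring pipeline, added here to illustrate the capability
tiers named on the slide (flow collection, indicator-based detection,
prevention) alongside the privacy controls of minimization, use limitation
and sharing restriction. Illustration only: not DHS code and not a
description of EINSTEIN's actual design."""
from dataclasses import dataclass

# Constructed raw sensor records. "user" and "payload_sample" stand in for
# data a sensor could observe but a minimizing collector must not retain.
RAW_RECORDS = [
    {"ts": "2013-02-12T10:00:00Z", "src": "10.1.2.3", "dst": "198.51.100.7",
     "sport": 51234, "dport": 443, "proto": "tcp", "bytes": 1200,
     "user": "jdoe", "payload_sample": "GET /index.html"},
    {"ts": "2013-02-12T10:00:05Z", "src": "10.1.2.3", "dst": "203.0.113.9",
     "sport": 51235, "dport": 80, "proto": "tcp", "bytes": 800,
     "user": "jdoe", "payload_sample": "GET /news"},
    {"ts": "2013-02-12T10:01:00Z", "src": "10.4.5.6", "dst": "198.51.100.7",
     "sport": 40001, "dport": 443, "proto": "tcp", "bytes": 3100,
     "user": "asmith", "payload_sample": "POST /upload"},
    {"ts": "2013-02-12T10:02:00Z", "src": "192.0.2.55", "dst": "10.7.8.9",
     "sport": 6000, "dport": 22, "proto": "tcp", "bytes": 60,
     "user": "", "payload_sample": "SSH-2.0-"},
]

# Constructed threat indicators keyed by external address.
INDICATORS = {
    "198.51.100.7": "constructed example: command-and-control host",
    "192.0.2.55": "constructed example: scanning source",
}

# Minimization: the only fields the collector keeps (E1 tier).
MINIMAL_FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "bytes")


@dataclass(frozen=True)
class FlowRecord:
    ts: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes: int


def collect(raw_records):
    """E1-style flow collection with data minimization: project each raw
    record onto MINIMAL_FIELDS so identity and content fields never reach
    the flow store."""
    return [FlowRecord(**{k: r[k] for k in MINIMAL_FIELDS}) for r in raw_records]


def detect(flows, indicators):
    """E2-style detection: flag flows where either endpoint matches a known
    indicator. Returns (flow, indicator, reason) triples."""
    hits = []
    for flow in flows:
        for addr in (flow.src, flow.dst):
            if addr in indicators:
                hits.append((flow, addr, indicators[addr]))
    return hits


def prevent(flow, indicators):
    """E3A-style decision point: 'block' a flow that touches an indicator,
    otherwise 'allow'."""
    return "block" if flow.src in indicators or flow.dst in indicators else "allow"


def sharing_product(hits):
    """Use limitation and sharing restriction: only indicator matches leave
    the pipeline, and the product names the external indicator, the time
    window and a count, never the internal hosts or ports involved."""
    summary = {}
    for flow, addr, reason in hits:
        entry = summary.setdefault(addr, {
            "indicator": addr, "reason": reason,
            "first_seen": flow.ts, "last_seen": flow.ts, "flows": 0,
        })
        entry["flows"] += 1
        # ISO-8601 timestamps in one zone sort correctly as strings
        entry["first_seen"] = min(entry["first_seen"], flow.ts)
        entry["last_seen"] = max(entry["last_seen"], flow.ts)
    return list(summary.values())


def run_pipeline(raw_records=RAW_RECORDS, indicators=INDICATORS):
    """Run all stages; returns (flows, hits, decisions, shareable product)."""
    flows = collect(raw_records)
    hits = detect(flows, indicators)
    decisions = [prevent(f, indicators) for f in flows]
    return flows, hits, decisions, sharing_product(hits)


if __name__ == "__main__":
    flows, hits, decisions, product = run_pipeline()
    print(f"{len(flows)} flows retained with fields {MINIMAL_FIELDS}")
    print(f"{len(hits)} indicator hits; decisions: {decisions}")
    for entry in product:
        print("shareable:", entry)
```

The design point is where each control sits: minimization happens at collection, before anything is stored; use limitation and sharing restriction happen at the output, so the product that leaves the pipeline carries only the indicator, a time window and a count. Anything not tied to a threat indicator never becomes shareable.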

DHS ADMINISTRATIVE PRIVACY PROTECTIONS
- MOA with each participating Agency
- Notice to users: computer banners, privacy policies, published compliance documentation
- Standard Operating Procedures for PII
- Collaboration w/ CPOs/CLOs, NSS, EOP
- Training and awareness workshops on cybersecurity and privacy, open to federal employees and contractors

MECHANISMS
- Executive Branch actions
- Legislation
- Public-private partnerships

ADMINISTRATION CYBERSECURITY PROPOSAL
- Released in 2011
- Critical infrastructure focus
- DHS regulatory authority
- Liability limitations for information sharing

EXECUTIVE ORDER: IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
- Signed on Feb. 12, 2013
- Main provisions:
  - Cyber threat information sharing
  - Framework for cybersecurity standards, methodologies, procedures, processes
  - Program to coordinate sectors, provide incentives

PRIVACY SAFEGUARDS
- Agencies apply FIPPs to EO activities
- DHS to assess, report on, minimize or mitigate privacy risks in EO activities

LEGISLATION: EXPANDING INFORMATION SHARING
Information sharing supported by liability limitations:
- SECURE IT (S. 2151): no movement in Senate
- CISPA (H.R. 3523): passed House; Administration threatened veto; reintroduced in 113th Congress

LEGISLATION: CYBERSECURITY ACT OF 2012 (S. 2105 / S. 3414)
- Information sharing through liability limitations
- Use limitations on USG-held data
- Best practices coordinated through National Cybersecurity Council

PUBLIC PRIVATE PARTNERSHIPS
What is the Dept of Commerce doing to advance cybersecurity in the private sector?
- Voluntary consensus standards and practices
- Working through NIST
- Other bureau and agency involvement in consensus-based practices

PUBLIC PRIVATE PARTNERSHIPS
- Cybersecurity education and centers of excellence
- Smart Grid Interoperability Panel
- National Strategy for Trusted Identities in Cyberspace

POLICY CHALLENGES: STATUTORY RESTRICTIONS
- Census and other statistical data
  - Disclosures to respondent
  - Administrative burden
- Possible strategies?
  - Use of enclaves
  - Designating agents
  - Others

POLICY CHALLENGES: STATUTORY RESTRICTIONS
- Subject matter confidentiality
  - FERPA
  - Part 2 (substance abuse treatment)
  - Welfare Reform
  - Domestic violence
  - Asylees & refugees
- Other specific confidentiality statutes?

POLICY CHALLENGES: STATUTORY RESTRICTIONS
Possible solutions for subject-matter confidentiality statutes?
- Limitation on authority to obtain info
- Limitation on uses to cybersecurity
- Limitation on secondary disclosures
- Do these pose problems for security or law enforcement?

POLICY CHALLENGES: LAW ENFORCEMENT NEEDS
- Grand Jury Secrecy
- Witness Protection information
- Prisoner Population
- Are similar solutions appropriate as for other confidential information?

POLICY CHALLENGES: COMMERCIAL INFORMATION
- Trade Secrets Act
- Intellectual property protections
- Procurement Information
- Confidential commercial info under FOIA (b)(4) and EO 12666?
- Are similar solutions appropriate as for other confidential information?

POLICY CHALLENGES: WHY DIDN'T WE MENTION
- The Privacy Act of 1974?
- The HIPAA Privacy Rule?
- Are there other statutes in the same category?

POLICY CHALLENGES: JURISDICTIONAL ISSUES
Multiple agencies have jurisdiction:
- DHS
- Intelligence Community
- Cabinet agencies for their sectors
- White House/National Security Staff (coordination role)

KEY TAKEAWAYS
- The cyber threat is real and urgent
- U.S. Government is working hard, partnering to address challenges
- Complex technical, legal, policy, and organizational issues
- No easy fixes

RESOURCES
White House
- Administration's Privacy Blueprint: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
- Executive Order # Improving Critical Infrastructure Cybersecurity (Feb 12, 2013): http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
Commerce
- NSTIC FIPPs: http://www.whitehouse.gov/sites/default/files/rss_viewer/nsticstrategy_041511.pdf
112th Congress
- S. 2151: http://thomas.loc.gov/home/gpoxmlc112/s2151_is.xml
- S. 3414: http://thomas.loc.gov/home/gpoxmlc112/s3414_pcs.xml
- H.R. 3523: http://thomas.loc.gov/home/gpoxmlc112/h3523_eh.xml
113th Congress: TBD

RESOURCES
DHS
- DHS US-CERT: http://www.us-cert.gov/
- DHS Privacy Office: http://www.dhs.gov/topic/privacy
- DHS Cybersecurity: http://www.dhs.gov/cybersecurity
HHS
- Part 2 Substance Abuse Treatment Confidentiality, 42 USC 290dd-2, regulations at 42 CFR Part 2: http://www.samhsa.gov/about/laws/samhsa_42cfrpart2faqii_Revised.pdf
- HIPAA Privacy Rules, 45 CFR Parts 160 & 164: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
- Child Support Information: Social Security Act 453(j), codified at 42 USC 653(j): http://www.socialsecurity.gov/op_home/ssact/title04/0453.htm

RESOURCES
FBI
- Economic Espionage Act: http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage
Education
- Family Educational Rights & Privacy Act (FERPA): http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Other
- Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107-347, 44 USC 101): http://www.eia.gov/oss/cipsea.pdf
- The Privacy Act of 1974 (Pub. L. 93-579, 5 USC 552a): http://www.justice.gov/opcl/privstat.htm