Cybersecurity Primer


Cybersecurity Primer
August 15, 2014
National Journal Presentation

Credits
Producer: David Stauffer
Director: Jessica Guzik

Cybersecurity: Key Terms

Cybersecurity: Information security applied to computers and networks.

Cyber incident: A violation of an organization's security policy as a means to access networks or spread malicious code.

Cyber attack: An attack targeting an enterprise's use of cyberspace to disrupt, disable, destroy, or control a computing infrastructure and its data; types of attacks include, but are not limited to, denials of service, viruses, malware, and phishing schemes.

Cyber threat intelligence: Information about a vulnerability of, or threat to, a government or private sector entity's network; includes information about a network's protection from attackers.

National Security System: Any information system that involves intelligence activities, cryptologic activities related to national security, command and control of military forces, or direct fulfillment of military or intelligence missions.

Critical infrastructure: Physical or virtual assets and systems vital to society; destruction of or damage to such assets could debilitate national security, the economy, public health or safety, or the environment.

Source: Government Accountability Office, 2013; U.S. Department of Commerce, 2003; Center for Strategic and International Studies, 2013; NIST, 2013.

Number of Cyber Incidents Reported Among Federal Agencies Has Increased Nearly Ninefold Since 2006

Chart: Number of Incidents Reported to U.S. Computer Emergency Readiness Team (US-CERT), FY 2006-2012

- The number of reported cyber incidents has led to growing concern about cybersecurity and the destructive impact cyber attacks could have on government, military, private sector, and even personal operations.
- The number of reported cyber incidents has prompted many to urge the U.S. government to provide a greater level of protection from such attacks.
- The rise in reported incidents may also be partially attributed to better reporting; growing awareness of cyber attacks has led agencies and companies that are part of critical infrastructure to be more forthcoming about threats and incidents.

Source: Government Accountability Office, 2013; Ellen Nakashima and Danielle Douglas, "More Companies Reporting Cybersecurity Incidents," The Washington Post, March 1, 2013.

Federal Agencies Are Vulnerable to a Variety of Cyber Incidents

Chart: Types of Incidents Reported to US-CERT, FY 2006-2012 (categories: scans, probes, attempted access; unauthorized access; unknown or under investigation; malicious code; improper usage)

- Spreading malicious code, unauthorized access, and improper usage are the most common types of cyber incidents, accounting for 55% of total incidents reported.
- According to the Government Accountability Office, many of these incidents resulted in data loss, data theft, computer intrusions, privacy breaches, and economic loss.

Source: Government Accountability Office, 2013.

Threats to Cybersecurity Are Decentralized and Diverse

Actors Threatening Private and Public Cybersecurity

- Spyware or malware authors: Individuals or organizations producing and distributing malware or spyware.
- Business competitors: Companies obtaining sensitive information from rival or target companies to improve their competitive edge.
- Criminal groups: Groups attacking systems for monetary gain.
- Spammers: Individuals or organizations distributing unsolicited e-mails with hidden or false information.
- Insiders: Organization insiders gaining network access to damage or steal system data (e.g., the NSA's Edward Snowden).
- Bot-net operators: Networks of remotely controlled systems coordinating cyber attacks.
- Hackers: Individuals or groups gaining unauthorized access to networks for various reasons.
- Nations: Foreign governments seeking information to develop information warfare doctrine, programs, and capabilities.
- Phishers: Individuals or groups stealing identities or information for monetary gain.
- International corporate spies: Spies conducting economic and industrial espionage.
- Terrorists: Individuals or groups seeking to destroy, incapacitate, or exploit critical infrastructure.

Cyber threats are caused by individuals and organizations motivated by financial gain, political advantage, and ideological causes. Many cyber attacks fall under multiple categories; for example, a terrorist and a phisher can be one and the same.

Source: Government Accountability Office, 2013; Congressional Research Service, 2013.

Government Agencies and Organizations Protect Federal and Private Organizations Against Cyber Threats

Agencies Tasked with Protecting the Nation's Cybersecurity

Department of Homeland Security
- Responds quickly to cyber vulnerabilities.
- Partners with owners and operators of critical infrastructure to release actionable cyber alerts.
- Investigates and arrests criminals.
- Educates the public on cyber safety.
- Within DHS, the United States Computer Emergency Readiness Team (US-CERT) provides cyber threat warning information and coordinates responses.

Office of Management and Budget
- Develops and oversees implementation of policies, principles, standards, and guidelines on information security in federal agencies.
- Annually reviews and approves agency information security programs.

Department of Commerce
- Oversees the Internet Policy Task Force.
- Researches and reviews cybersecurity standards in the commercial sector.
- Within the Department of Commerce, the National Institute of Standards and Technology (NIST) develops minimum security standards for agencies and guidelines for identifying information systems critical to national security.

Source: Government Accountability Office, 2013; Department of Homeland Security, 2013; Department of Commerce, 2013.

Cybersecurity Became a Legislative Priority in the Past Decade

Timeline of Enacted Cybersecurity Legislation

2002: Federal Information Security Management Act (FISMA). Establishes a comprehensive, risk-based framework to ensure information security controls over information resources supporting federal operations and assets.

2006: National Infrastructure Protection Plan. Provides a framework integrating a range of efforts and partnerships designed to make the nation's critical infrastructure safer.

2008: Comprehensive National Cybersecurity Initiative. Establishes a front line of defense against network intrusion, enhances U.S. counterintelligence capabilities, and expands cyber education.

2013: Executive Order "Improving Critical Infrastructure Cybersecurity"; failure of CISPA. The EO requires the government to share cybersecurity threats with the private sector and directs NIST to create best practices for cybersecurity in the private sector; the House passes, but the Senate does not take action on, the major cybersecurity bill CISPA.

Source: National Journal Research; White House, 2000; Government Accountability Office, 2013; Department of Homeland Security, 2009; Central Intelligence Agency, 2008; Gerry Smith, "Senate Won't Vote on CISPA, Deals Blow to Controversial Cyber Bill," HuffPost Tech, April 25, 2013.

In Executive Order, Private Sector Cooperation Encouraged But Voluntary

Cybersecurity Executive Order (EO): Flow of Information (recommendations and detected threats flow from the U.S. Executive Branch to the private sector)

U.S. Executive Branch (mandated course of action)
- Ordered the National Institute of Standards and Technology (NIST) to create a cybersecurity framework to identify threats and establish guidelines for protection; a first draft was released in February 2014.
- Ordered NIST to assess its own performance on privacy.
- Directs all government agencies to provide alerts to the private sector in the event of a threat.

Private Sector (voluntary course of action)
- May help NIST develop the framework.
- May volunteer to comply with the cybersecurity framework.
- May help to protect critical infrastructure, e.g., electrical grids, banking systems, and water treatment plants.

Obama's 2013 executive order aimed to enhance cybersecurity by establishing a synergetic framework between the private sector and government agencies. Government agencies must share information about alerts, threats, and vulnerabilities with the private sector. In return, private sector entities are advised, though not required, to help NIST develop a stronger cybersecurity framework.

Source: Brian Fung, "Why Some Privacy Advocates Are Grinning Over Obama's Cybersecurity Order," National Journal, Feb. 13, 2013; Michael S. Schmidt and Nicole Perlroth, "Obama Order Gives Firms Cyberthreat Information," New York Times, Feb. 12, 2013; Chenxi Wang, "Obama's Cybersecurity Executive Order: Heart in the Right Place But There Is Little Teeth," Forbes, Feb. 14, 2013; National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12, 2014.

Executive Order Struggles with Implementation

Process of Implementing the Cybersecurity Information Sharing EO: DHS certifies communications service providers, which provide sharing services and utilities to the critical infrastructure sectors.

Critical infrastructure sectors participating: Defense; Telecommunications; Energy.

Critical infrastructure sectors not participating: Chemical; Critical Manufacturing; Dams; Emergency Services; Food and Agriculture; Financial Services; Health Care; Nuclear; Water; IT; Transportation; Government Facilities; Commercial Facilities.

- The information sharing program outlined in the 2013 EO has only reached three of 16 critical infrastructure industries.
- DHS does not directly advertise or maintain the program, instead relying on private service providers for those functions; government information provided through the program is free, but companies must purchase the data sharing services and utilities from private providers.
- Currently, only two service providers, CenturyLink and AT&T, have applied and been approved for the program.

Source: Aliya Sternstein, "Who Receives Hacker Threat Info From DHS?" NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors.

Program Has a Chicken-and-Egg Problem of Low Participation

Barriers to Participation in the Information Sharing Program: a limited number of communications service providers participate because critical infrastructure sectors aren't participating, and critical infrastructure sectors aren't participating because few service providers offer the service.

- The executive order currently has a chicken-and-egg problem: the program needs more service providers to expand the service to all 16 critical infrastructure sectors, but because so few sectors are currently involved, few service providers are interested in expanding into the program.
- Moreover, there are barriers for service providers: the current accreditation process for service providers takes eight months, and the investment that companies need to make to get clearance for employees to view the information and to build secure communications networks to protect the information is formidable.

Source: Aliya Sternstein, "Who Receives Hacker Threat Info From DHS?" NextGov, August 11, 2014; Department of Homeland Security, Critical Infrastructure Sectors.

In 2014, Congress Advanced Legislation to Increase Cybersecurity Sharing Participation

Timeline of Recent Legislative Action on Cybersecurity

June 2014: The Cyber Information Sharing Act (CISA) is introduced in the Senate, removing legal barriers for companies to share information about cybersecurity threats and providing liability protection for companies that share such information. Liability protection would allow protection from civil action, regardless of prior contracts that may prevent sharing information without a customer's consent.

July 8, 2014: The Senate Select Committee on Intelligence approves CISA and sends it to the Senate floor for debate.

July 28, 2014: The House passes three bills:
- The National Cybersecurity and Critical Infrastructure Protection Act, which creates a civilian agency under DHS to handle cyber information sharing between the government and private industries and organizations for security purposes;
- The Critical Infrastructure Research and Development Advancement Act, which directs DHS to develop a strategic plan for cybersecurity protection; and
- The Homeland Security Boots-On-The-Ground Act, which requires DHS to develop occupation classifications for individuals performing cybersecurity functions.

July 31, 2014: The Cyber Information Sharing Tax Credit Act is introduced in the Senate, providing tax credits to private companies that share information regarding cybersecurity threats with security research organizations.

Sources: Gregory S. McNeal, "Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee," Forbes, July 9, 2014; Steve Augustino, Jameson Dempsy and Dawn Damschen, "Could 2014 Be The Year for Cybersecurity Sharing Legislation?" Above The Law, July 14, 2014; Mary-Louise Hoffman, "Sen. Kirsten Gillibrand Proposes Tax Incentives To Spur Cyber Intel Sharing," ExecutiveGov, August 4, 2014; Eric Chabrow, "How House Passed 3 Cybersecurity Bills," Bank Info Security, July 29, 2014.

NIST Framework's Tiers Rate Organizational Preparedness Against Cyber Threats

NIST Tiers (each tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation)

Tier I: Partial
- Risk Management Process: No formalized process; ad hoc and reactive to threats; not informed by organizational needs or current trends.
- Integrated Risk Management Program: Limited awareness of cybersecurity risk and no organization-wide approach to risk management.
- External Participation: No processes in place to participate in coordination with other entities on cybersecurity.

Tier II: Risk Informed
- Risk Management Process: Risk management practices are approved by management but may not be organization-wide policy; risk management may be informed by organizational needs or current trends.
- Integrated Risk Management Program: Awareness of cybersecurity risk at the organizational level, but no organizational approach.
- External Participation: The organization understands it is part of a larger ecosystem but has no formal system for external interaction.

Tier III: Repeatable
- Risk Management Process: The organization's risk management practices are formally approved and expressed as policy, and the organization changes those practices based on updated organizational needs and current trends.
- Integrated Risk Management Program: A consistent organization-wide approach to risk management.
- External Participation: The organization understands its partners and dependencies and receives information from those entities that allows for collaboration and informed responses to threats.

Tier IV: Adaptive
- Risk Management Process: A formalized and continuously updating system of cybersecurity practices based on information from previous and current cybersecurity activities.
- Integrated Risk Management Program: An organization-wide approach to managing cybersecurity risk using risk-informed policies and procedures, with cybersecurity risk management as a part of organizational culture.
- External Participation: Actively shares information with partners to ensure systemic security and defense against a cybersecurity breach.

Source: National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, Feb. 12, 2014.

Cyber Attacks Cost Private Sector Millions

Chart: Average Annual Cost of Cyber Attack Damages per Sector in FY 2012, in millions of dollars

- Cyber attacks were most costly to the defense, utilities and energy, and financial services sectors in FY 2012; these sectors spent an average of $19.4 million on cyber attack damages, while all other sectors shown spent an average of $5.7 million.
- Cyber attacks are most likely to target the defense, utilities, and financial services sectors because they contribute to the nation's critical infrastructure.
- The consumer products, hospitality, and retail sectors spend the least on cyber attack damages because they rarely possess information pertinent to the nation's critical infrastructure.

* Data is based on a survey of 56 companies; cost refers to the cost of addressing cyber attack damages.

Source: 2012 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2012.

Cyber Attacks Prompt Private Sector to Take Precautions

Chart: Proactive vs. Reactive Corporate Spending Against Cyber Threats, 2010

Chart: Annual Gross Written Premiums for Cybersecurity Private Liability Insurance, in millions of dollars

- Companies spent more on proactive measures (labor, capital, or services that assist in avoiding cyber incidents and data breaches) in 2010 than on reactive measures (expenditures made in response to cyber incidents and data breaches).
- Aligning with this trend is the growth of the cyberinsurance market, which commanded $1 billion in annual premiums in 2012, a 40% increase compared to 2010.

Source: Adam Mazmanian, "The Cyber Premium," National Journal, June 15, 2012; NIST, 2013.