THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

2 The 411 on Cybersecurity

DISCLAIMER

Views expressed in this presentation are not necessarily those of our respective Departments

Any answers to questions are our own opinions and not those of our respective Departments

AGENDA

The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

OVERVIEW

• Increasingly skilled cyber threats

• Variety of malicious actions

• Attempts to penetrate USG from:

– Outside

– Inside

– Within our IT capabilities

• Potential theft of classified info

• Theft of intellectual property

• Threat to national security

OVERVIEW

AGENDA

• The Cybersecurity Threat in 2013

Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

[Figure: U.S. Government cybersecurity organization, shown by sector – National Security; Federal Civilian Networks; Critical Infrastructure; Commercial Non-Critical Infrastructure]

UNDERSTANDING THE THREAT

UNDERSTANDING THE THREAT

U.S. Critical Infrastructure

US-CERT MISSION

• Lead efforts to improve the Nation’s cybersecurity posture

• Coordinate cyber information sharing

• Proactively manage cyber risks to the Nation

• All while protecting the constitutional rights of Americans.

US-CERT MISSION

• Analyze, reduce impact of threats & vulnerabilities,

• Disseminate warning information,

• Coordinate to achieve shared situational awareness

• Provide response & recovery support for national assets

• Advise on national-level cybersecurity policy and guidance.

[Figure: US Computer Emergency Readiness Team organization – Operations; Operations Coordination & Integration; Future Operations; Incident Management]

RESPONSE AND ASSISTANCE

Dedicated teams provide technical assistance at the right level of subject matter expertise, including:

• Digital Media & Malware Analysis

• Defensive Analysis

• Mitigation Strategy Development

• Threat/Attack Vector Analysis

• Vendor Analysis Coordination

SHARED

SITUATIONAL AWARENESS

US-CERT develops information sharing products on a scheduled and as-needed basis. US-CERT also develops and distributes analytical information notices specific to its communities of interest.

NCAS: NATIONAL

CYBER AWARENESS SYSTEM

A cohesive national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats

• Current Activity

• Cyber Security Alerts

• Cyber Security Tips

• Cyber Security Bulletins

SHARED SITUATIONAL AWARENESS

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

EINSTEIN MONITORING

EINSTEIN Network Analysts monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.

KEY EINSTEIN CAPABILITIES

• EINSTEIN 1 (E1): Flow Collection – initial analytics and information sharing capabilities

• EINSTEIN 2 (E2): Intrusion Detection – improved sensors to identify malicious activity

• EINSTEIN 3A (E3A): Intrusion Prevention – to improve protection to prevent malicious activity

FAIR INFORMATION PRACTICE PRINCIPLES

EINSTEIN PRIVACY PROTECTIONS

• Minimization of data collection

• Limitation of uses to cyber threats

• Restrictions on info sharing and use

• Privacy cybersecurity webpage – transparency of cyber strategy & initiatives

• Compliance Review by DHS Privacy Office
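The capability tiers named two slides back (E1 flow collection, E2 indicator-based detection over flows) and the first three protections in this list (minimization, use limited to cyber threats, restricted sharing) can be shown together in one small program. The sketch below is an added illustration for this deck, not EINSTEIN's, DHS's or US-CERT's code, and it does not claim to reflect their actual design; every flow record, address, netblock and indicator id in it is constructed sample data. It collects flows, keeps only those that hit a threat indicator, and then builds a sharing product that carries what a partner needs to act (indicator id, destination, port, counts, time window) while dropping the internal source addresses that identify agency users.

```python
"""Added illustration for the EINSTEIN slides (not EINSTEIN's own code).

E1-style flow collection, E2-style indicator matching, and a minimized
sharing product. All records, addresses and indicator ids are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds (constructed)
    src: str       # internal (agency-side) address
    dst: str       # external address
    dport: int
    nbytes: int


# Constructed flow records, in the shape an E1-style collector would emit.
SAMPLE_FLOWS = [
    Flow(1360627200, "10.1.2.3", "198.51.100.7", 443, 1200),
    Flow(1360627230, "10.1.2.9", "198.51.100.7", 443, 900),
    Flow(1360627260, "10.1.2.3", "203.0.113.5", 80, 54000),
    Flow(1360627290, "10.1.4.4", "192.0.2.10", 25, 300),
    Flow(1360627320, "10.1.2.3", "198.51.100.7", 443, 1100),
]

# Constructed indicator set: one known-bad host and one suspicious netblock.
# Indicator ids are placeholders, not real identifiers.
INDICATORS = {"198.51.100.7": "IND-0001", "203.0.113.0/24": "IND-0002"}


def match_indicator(addr):
    """Return the indicator id that covers an address, or None."""
    ip = ip_address(addr)
    for ind, ind_id in INDICATORS.items():
        if "/" in ind:
            if ip in ip_network(ind):
                return ind_id
        elif ip == ip_address(ind):
            return ind_id
    return None


def detect(flows):
    """E2-style pass: keep only flows whose destination hits an indicator.

    Flows that match nothing are never carried forward, which is the
    'limitation of uses to cyber threats' applied at the first step.
    """
    hits = []
    for f in flows:
        ind_id = match_indicator(f.dst)
        if ind_id:
            hits.append((f, ind_id))
    return hits


def minimize(hits):
    """Aggregate hits into a sharing product with internal identities removed.

    The product is keyed by (indicator, destination, port). Internal source
    addresses are reduced to a distinct-host count, so no agency-side
    address leaves the collecting organization.
    """
    product = {}
    for f, ind_id in hits:
        key = (ind_id, f.dst, f.dport)
        e = product.setdefault(
            key, {"flows": 0, "bytes": 0, "first": f.ts, "last": f.ts, "hosts": set()}
        )
        e["flows"] += 1
        e["bytes"] += f.nbytes
        e["first"] = min(e["first"], f.ts)
        e["last"] = max(e["last"], f.ts)
        e["hosts"].add(f.src)
    return [
        {
            "indicator": k[0],
            "dst": k[1],
            "dport": k[2],
            "flows": e["flows"],
            "bytes": e["bytes"],
            "first_seen": e["first"],
            "last_seen": e["last"],
            "distinct_internal_hosts": len(e["hosts"]),  # count, not identities
        }
        for k, e in sorted(product.items())
    ]


def build_sharing_product(flows=SAMPLE_FLOWS):
    """Collection -> detection -> minimized product, end to end."""
    return minimize(detect(flows))


if __name__ == "__main__":
    for entry in build_sharing_product():
        print(entry)
```

The point to take from the sketch is the order of operations: the use limitation is enforced before anything is retained (non-matching flows are discarded in `detect`), and minimization is enforced before anything is shared (`minimize` never emits a source address). Reversing either order, retaining all flows and trimming at share time, or sharing raw hits and trusting the recipient to trim, would defeat the protections the slide lists.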

DHS ADMINISTRATIVE PRIVACY PROTECTIONS

• MOA with each participating Agency

• Notice to users:

– computer banners

– privacy policies

– published compliance documentation

• Standard Operating Procedures for PII

• Collaboration w/CPOs/CLOs, NSS, EOP

• Training and awareness workshops on cybersecurity and privacy – open to federal employees, contractors

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

Policy Responses

• Public-Private Partnerships

• Policy Challenges

MECHANISMS

• Executive Branch actions

• Legislation

• Public-private partnerships

ADMINISTRATION

CYBERSECURITY PROPOSAL

• Released in 2011

• Critical infrastructure focus

• DHS regulatory authority

• Liability limitations for information sharing

EXECUTIVE ORDER “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY”

• Signed on Feb. 12, 2013

• Main provisions:

– Cyber threat information sharing

– Framework for cybersecurity standards, methodologies, procedures, processes

– Program to coordinate sectors, provide incentives

PRIVACY SAFEGUARDS

• Agencies apply FIPPs to EO activities

• DHS to assess, report on, minimize or mitigate privacy risks in EO activities

LEGISLATION: EXPANDING INFORMATION SHARING

• Information sharing supported by liability limitations

• SECURE IT (S. 2151)

– No movement in Senate

• CISPA (H.R. 3523)

– Passed House; Administration threatened veto

– Reintroduced in 113th Congress

LEGISLATION:

CYBERSECURITY ACT OF 2012

• S. 2105 / S. 3414

• Information sharing through liability limitations

– Use limitations on USG-held data

• Best practices coordinated through National Cybersecurity Council

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

Public-Private Partnerships

• Policy Challenges

PUBLIC – PRIVATE PARTNERSHIPS

What is the Dept of Commerce doing to advance cybersecurity in the private sector?

• Voluntary consensus standards and practices

• Working through NIST

• Other bureau and agency involvement in consensus-based practices

PUBLIC – PRIVATE PARTNERSHIPS

• Cybersecurity education and centers of excellence

• Smart Grid Interoperability Panel

• National Strategy for Trusted Identities in Cyberspace

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

Policy Challenges

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

• Census and other statistical data

– Disclosures to respondent

– Administrative burden

• Possible strategies?

– Use of enclaves

– Designating “agents”

– Others

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

Subject matter confidentiality

• FERPA

• “Part 2” (substance abuse treatment)

• Welfare Reform

– Domestic violence

– Asylees & refugees

• Other specific confidentiality statutes?

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

• Possible solutions for subject-matter confidentiality statutes?

– Limitation on authority to obtain info

– Limitation on uses to cybersecurity

– Limitation on secondary disclosures

• Do these pose problems for security or law enforcement?

POLICY CHALLENGES:

LAW ENFORCEMENT NEEDS

• Grand Jury Secrecy

• Witness Protection information

• Prisoner Population

• Are similar solutions appropriate as for other confidential information?

POLICY CHALLENGES:

COMMERCIAL INFORMATION

• Trade Secrets Act

• Intellectual property protections

• Procurement Information

• Confidential commercial info under FOIA (b)(4) and EO 12666?

• Are similar solutions appropriate as for other confidential information?

POLICY CHALLENGES:

WHY DIDN’T WE MENTION…

• The Privacy Act of 1974?

• The HIPAA Privacy Rule?

• Are there other statutes in the same category?

POLICY CHALLENGES:

JURISDICTIONAL ISSUES

Multiple agencies have jurisdiction

• DHS

• Intelligence Community

• Cabinet agencies for their sectors

• White House/National Security Staff (coordination role)

KEY TAKE AWAYS

• The cyber threat is real and urgent

• U.S. Government is working hard, partnering to address challenges

• Complex technical, legal, policy, and organizational issues

• No easy fixes

RESOURCES

• White House

– Administration’s Privacy Blueprint: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

– Executive Order #________ “Improving Critical Infrastructure Cybersecurity” (Feb 12, 2013) http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

• Commerce

– NSTIC FIPPs: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

• 112th Congress

– S. 2151: http://thomas.loc.gov/home/gpoxmlc112/s2151_is.xml

– S. 3414: http://thomas.loc.gov/home/gpoxmlc112/s3414_pcs.xml

– H.R. 3523: http://thomas.loc.gov/home/gpoxmlc112/h3523_eh.xml

• 113th Congress: TBD

RESOURCES

• DHS

– DHS US-CERT: http://www.us-cert.gov/

– DHS Privacy Office: http://www.dhs.gov/topic/privacy

– DHS Cybersecurity: http://www.dhs.gov/cybersecurity

• HHS

– “Part 2” Substance Abuse Treatment Confidentiality, 42 USC § 290dd-2, regulations at 42 CFR Part 2 http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf

– HIPAA Privacy Rules 45 CFR, §§ 160 & 164 http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

– Child Support Information: Social Security Act § 453(j), codified at 42 USC 653(j) http://www.socialsecurity.gov/OP_Home/ssact/title04/0453.htm

RESOURCES

• FBI

– Economic Espionage Act http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage

• Education

– Family Education Rights & Privacy Act (FERPA) http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

• Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107–347, 44 USC § 101) http://www.eia.gov/oss/CIPSEA.pdf

• The Privacy Act of 1974 (Pub. L. 93-579, 5 USC 552a) http://www.justice.gov/opcl/privstat.htm
