Cybersecurity Challenge: Information Sharing between the Public-Private Sectors
Deloris Bryant
CRJ-475Z Senior Project
Dr. Shanna Van Slyke
May 12, 2015

[Diagram: Public / Private / Information]
Cybersecurity Challenge
- Information sharing between the Public and the Private Sector
- Importance of information sharing
- Private sector concerns
- Unite in the fight against cybercrimes
Importance of Information Sharing
[Diagram: Public Sector / Private Sector]
- Are we doing enough to protect ourselves against cybercrimes?
- Cybersecurity is a critical issue
- Need to navigate through the cyber process together
- 75% of the country’s computers have been exploited by criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th Congress, March 16, 2011)
- Estimated loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy and does not even include other types of cybercrimes (Nakashima & Peterson, 2014).
Importance of Information Sharing
- Survey conducted by the Ponemon Institute with Hewlett-Packard (Ponemon Institute LLC, 2014)
  - Cyberattacks increased 176% in the last 4 years
  - Average time to detect an attack: 170 days
  - Resolution time once detected: 45 days
- Financial losses incurred during this time could be in the millions.
Importance of Information Sharing
- Another survey conducted by the Ponemon Institute, sponsored by IBM (Ponemon Institute LLC, 2014)
  - The cost of data breaches incurred by organizations, on average, was $5.9 million
  - Cost incurred the previous year was $5.4 million
  - Loss-of-business cost went from $3.03 million to $3.2 million
  - This cost includes: reputation loss, loss of customers, and the cost of acquiring new customers
Importance of Information Sharing
- Different agendas for the public and private sectors
  - Private sector: profit earnings and the bottom line
  - Public sector: not divulging intelligence as it relates to national security
- Cost-effective: early detection, termination, prevention, financial savings and manpower
- “Real-time awareness” (Norton, 2014); “the backbone of security” (Rosenbush, 2014)
Private Sector Concerns
- Giving up control
  - Company process: in-house strategies to handle security issues
  - Fear that the public sector will mandate a change in security strategies
  - Risk of allowing other entities to explore privileged information, which can be discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.)
Private Sector Concerns
- Timing of information
  - Constraints and bureaucratic hoops: the time to quickly implement a solution could be lost
  - Not knowing what agency, department or appropriate individual to contact in a breach situation
  - National security obligations, which may involve clearance issues, restrict the release of some critical information
  - Proper public-private sector information sharing needs to happen more smoothly
Private Sector Concerns
- Negative exposure
  - Type of information disclosed
  - When it is disclosed
  - Company put in a bad light due to the breach
  - Company needs time to thoroughly investigate the issue
- Liability
  - Corporate executives held responsible for inadequate protection
  - Information not released in a timely manner to protect customers’ private information
  - How well the company responded and how quickly the issue is resolved
Private Sector Concerns
- Trust
  - Need assurance from the public sector that proprietary information will not be divulged
  - Need open communication
  - Provide quantifiable information
  - Coordination is needed for preemptive measures
- Risks
  - Misrepresentation about the severity of a cyber issue if information is not released in a timely manner
  - Triggering complaints of negligence and inadequate security protection
  - Absorbing the loss incurred rather than revealing a weakness
Private Sector Concerns
- Regulatory issues
  - Regulatory laws and requirements
  - Fear of public sector agencies: SEC, FTC, FCC, CFPB and others alike
- Federal Trade Commission (FTC)
  - Enforcing data security
  - Issued guidelines for organizations with regard to data security
  - Failure to follow proper data security procedures could result in litigation
Private Sector Concerns
- Securities and Exchange Commission (SEC)
  - Oversight for security measures that companies are expected to follow and maintain
  - Released guidance for publicly traded companies
  - Obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014)
Unite in the Fight Against Cybercrimes
- Collaboration is key to unite in the fight against cybercrimes
  - Promote awareness
  - Educate each other
  - Share timely information that is actionable
- Public sector contribution
  - Executive Order: addresses privacy concerns along with concerns regarding private sector liability
  - Cybersecurity Framework
Unite in the Fight Against Cybercrimes
- Comprehensive National Cybersecurity Initiative (CNCI)
  - Front line of defense against immediate threats
  - Defend against threats
  - Strengthen the future cybersecurity environment
- Protecting Cyber Networks Act (sponsor: Rep. Devin Nunes, R-CA-22) (Congress, 2015)
  - Passed the House and was received in the Senate
  - Aims to help the private sector share cyber threat information by removing some legal obstacles (Congress, 2015)
Unite in the Fight Against Cybercrimes
- Cyber Intelligence Sharing and Protection Act (CISPA) (Congress, 2015) was introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015)
- The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015)
  - This bill was approved by the Senate Select Committee on Intelligence.
  - This bill allows for the sharing of information between the government and the private sector with liability protection, so as to facilitate the sharing of data relating to cybersecurity threats.
Unite in the Fight Against Cybercrimes
- National Cybersecurity Protection Advancement Act of 2015
  - This bill has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information, in addition to clarifying privacy protection as it relates to cybersecurity risk (Congress, 2015).
- The key to any policy, strategy or initiative is “real-time” information sharing and “actionable intelligence” (U.S., 2014), which many of the above bills reiterate.
Public-Private Sectors Collaboration
- For public-private collaboration to work, the two sectors need to be on the same page and speak the same language when sharing information.
- Three tools that will aid the collection and distribution of cyber threat information between the two sectors:
  - Structured Threat Information eXpression (STIX): The MITRE Corp. and the Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts (Barnum, 2014)
Public-Private Sectors Collaboration
- Cyber Observables eXpression (CybOX): A tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (MITRE Corporation, 2015)
- Trusted Automated eXchange of Indicator Information (TAXII): the means by which both STIX and CybOX information is transported (Connolly, Davidson, Richard, & Skorupka, 2012)
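How the two formats fit together, as an added example that is not from the slides or from MITRE: a constructed STIX 1.1 package carrying one indicator (the "what it means" layer) whose observable is a CybOX address object (the "what was seen" layer), parsed with Python's standard library. The namespace URIs are those of STIX 1.1 and CybOX 2.1 as the author of this example understands them; the package content, the `example:` ids and the 192.0.2.44 address (documentation range) are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for STIX 1.1 / CybOX 2.1 (the versions the slides cite).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed sample: a STIX package with one indicator (the "what it means"
# layer) wrapping one CybOX observable (the "what was seen" layer).
# 192.0.2.44 is from the documentation address range, not a real indicator.
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <indicator:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed IP watchlist entry</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">192.0.2.44</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </indicator:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def extract_indicators(xml_text):
    """Return [(indicator_id, title, [address values])] for every indicator
    in a STIX package, walking down into its CybOX observables."""
    root = ET.fromstring(xml_text)
    results = []
    for ind in root.iterfind(".//indicator:Indicator", NS):
        title_el = ind.find("indicator:Title", NS)
        title = title_el.text if title_el is not None else ""
        addrs = [a.text for a in ind.iterfind(".//AddressObj:Address_Value", NS)]
        results.append((ind.get("id"), title, addrs))
    return results


if __name__ == "__main__":
    for ind_id, title, addrs in extract_indicators(SAMPLE_PACKAGE):
        print(ind_id, title, addrs)
```

A consumer that only speaks CybOX can ignore the indicator layer and still read the observable; a consumer that speaks STIX gets the context (title, indicator type) around it, which is the interoperability point the slides make.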
Private Sector Contribution
- Both individuals and companies are collaborating to produce methods to share data securely
- The United States Patent and Trademark Office (USPTO) is enthusiastic about examining cybersecurity patents. The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014)
Private Sector Contribution
- Large corporations are not the only organizations that are developing improved responses to cyber threats. Swan Island Networks, Inc.:
  - Launched the Trusted Information Exchange Service (TIES), described as helping to “protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015)
  - Filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115, which defines methods that allow trusted access to data between two parties (Jennings & Jones)
Private Sector Contribution
- Norse Corporation filed a patent application (patent application number: 61508493) in July 2012 that defines systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012).
Conclusion
- Cybersecurity poses a growing and real threat
- The private sector has communicated its concerns
- Improvements by the public sector include:
  - Introducing new legislation
  - Updating previous legislation to address current concerns
- President Obama’s presidential term is coming to an end; his cybersecurity initiative needs to be a top priority for the next administration.
References
Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
Congress. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
Congress. (2015, April 22). H.R.1560 - Protecting Cyber Networks Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D
Congress. (2015, April 23). H.R.1731 - National Cybersecurity Protection Advancement Act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The Trusted Automated eXchange of Indicator Information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf
MITRE Corporation. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
Hearing before the Committee on Armed Services, House of Representatives, 12th Congress (March 16, 2011). National Defense Authorization Act for Fiscal Year 2012 (H.A.S.C. No. 112-26) (statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf
Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-Authorized Trust Service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125
Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
Ponemon Institute LLC. (2014, October). 2014 global report on the cost of cyber crime. Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
Rosenbush, S. (2014, June 20). Former NSA chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
Swan Island Networks. (2015). About Swan Island Networks, Inc. Retrieved from swanisland.net/company
U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396
USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html
United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
United States Senate Committee. (2015, March 12). Sen. Carper statement on the Cybersecurity Information Sharing Act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa