information sharing and eu cybersecurity/media/files/insights... · *this webinar is offered for...
TRANSCRIPT
www.dlapiper.com 0
INFORMATION SHARING AND EU CYBERSECURITY
Senator Saxby Chambliss, DLA PiperMatt Shabat, Department of Homeland SecurityGiulio Coraggio, DLA Piper
If you cannot hear us speaking, please make sure you have called into the teleconferencenumber on your invite information. � US participants: 1 800 908 9284 � Outside the US: 212 231 2909 � The audio portion is available via conference call. It is not broadcast through your computer.*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
www.dlapiper.com 1
Speakers
Senator Saxby ChamblissPartner, AtlantaDLA [email protected]
Giulio CoraggioPartner, MilanDLA [email protected]+39 02 80 618 619
Matt ShabatDirector of Performance ManagementOffice of Cybersecurity & CommunicationsDepartment of Homeland [email protected]
www.dlapiper.com 2
� Who are the attackers?
– Nation states
– Russia
– China
– Iran
– North Korea to a lesser extent
– Common criminals
– Experimental hackers
Evolution of cyber-risk
www.dlapiper.com 3
� Financial information
� Classified/proprietary
� Personal information
� Ransomware
� 2014 – 2 prominent attacks
What are attackers seeking?
www.dlapiper.com 4
� USG (NSA, DHS) is very sophisticated in the world of cyber
� Commonality, i.e., data breach laws
� Only Congress can grant protections
Does the federal government have a role?
www.dlapiper.com 5
� Comprehensive vs. info sharing
� Voluntary vs. mandatory
CISA is the first step
www.dlapiper.com 6
� Only if privacy rules adhered to
� Private to private; private to USG
Liability protection and antitrust exemption
www.dlapiper.com 7
� Very important to find commonality
� Particularly important to work with our friends
Must coordinate with other countries
www.dlapiper.com 8
� Data breach
� Encryption
Next USG domestic step
www.dlapiper.com 9
� DHS guidelines
� CISA implementation
Methods of sharing
June 2016
Homeland SecurityOffice of Cybersecurity & Communications
Cybersecurity Information Sharing Act of 2015
www.dlapiper.com 11
� Title 1: Cybersecurity Information Sharing Act of 2015
– Establishes procedures, privacy protections, liability and other legal protections
� Title 2: National Cybersecurity Advancement
– Enhances NCCIC’s intrusion detection and prevention capabilities
– Further defines NCCIC’s information sharing authorities
� Other titles cover
– Federal cybersecurity workforce assessment
– DHS mobile device study
– HHS healthcare sector task force with NIST and DHS
– Statewide Interoperability Coordinator reporting cybersecurity matters to NCCIC; NCCIC provides analysis and support
Cybersecurity Act of 2015
www.dlapiper.com 12
� Authorizes companies to share cyber threat indicators and defensive measures with each other and with DHS, with liability protection
� Identifies permitted uses of cyber threat indicators and defensive measures
� Authorizes companies to monitor their own information systems and to operate defensive measures on their systems
� Establishes privacy protections required of the sharing entity and receiving government agency
Cybersecurity Information Sharing Act of 2015
www.dlapiper.com 13
� Four implementation documents:– Guidelines for sharing information by the federal
government
– Guidance to companies and non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
– Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
– Privacy and civil liberties guidelines
� Secretary of Homeland Security March 17 certification that automated capability authorized by Act is operational
CISA deliverables
www.dlapiper.com 14
Guidelines for sharing information by the federal government
– Summary: Describes the current mechanisms through which the appropriate Federal entities share information with non‐Federal entities.
– Due Date: Final at 60 days (February 16, 2016)
CISA deliverables
www.dlapiper.com 15
Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
– Summary: Establishes procedures relating to the receipt of certain cyber threat indicators and defensive measures by all Federal entities under CISA. Describes the processes for receiving, handling, and disseminating information that is shared pursuant to CISA, including through operation of the DHS Automated Indicator Sharing capability.
– Due Date: Interim at 60 days (February 16, 2016), Final at 180 days (June 15, 2016)
CISA deliverables
www.dlapiper.com 16
Guidance to companies and other non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
– Summary: Provides information to assist non-federal entities who voluntarily elect to share cyber threat indicators with the federal government to do so in accordance with CISA. Assists non-federal entities to identify defensive measures and explain how to share them with federal entities as provided by CISA. Describes the protections non-federal entities receive under CISA.
– Due Date: Final at 60 days (February 16, 2016); updated June 15, 2016.
CISA deliverables
www.dlapiper.com 17
Cyber threat indicators and defensive measures
www.dlapiper.com 18
� CISA extends liability protection to private entities for sharing of a cyber threat indicator or defensive measure through the federal government’s capability and process operated by DHS
– As long as the sharing is conducted in accordance with the Act.
� For more information please see:
– Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (available at www.us-cert.gov/ais) or
– Section 106 of CISA
Liability protection
www.dlapiper.com 19
� Law enforcement use
– SLTT government that receives a cyber threat indicator or defensive measure under CISAmay use it for specified purposes, such as a cybersecurity purpose, identifying a cybersecurity threat, identifying a security vulnerability, responding to or preventing/mitigating a specific threat of death, serious bodily harm serious threat to a minor or serious economic harm, or prosecuting offenses under 18 U.S.C. 1028-1030
� Exemption from disclosure
– A cyber threat indicator or defensive measure shared by or with an SLTT government, including a component of such government that is a private entity, under CISA is deemed voluntarily shared information and exempt from disclosure under state, tribal or local freedom of information, open government, open records, sunshine or similar laws
� Regulatory authority
– Cyber threat indicator or defensive measure cannot be used to regulate the lawful activity of a non-federal entity
– Exception: They may be used consistent with a regulatory authority specifically relating to the prevention of mitigation of cybersecurity threats to inform development or implementation of such regulation
SLTT-specific provisions
www.dlapiper.com 20
Privacy and civil liberties guidelines
– Summary: Establishes privacy and civil liberties guidelines for the receipt, retention, use, and dissemination of cyber threat indicators by a federal entity obtained in connection with the activities authorized by CISA, consistent with the need to protect information systems from cybersecurity threats, any other applicable provisions of law, and the Fair Information Practice Principles
– Due Date: Interim at 60 days (February 16, 2016); Final at 180 days (June 15, 2016) Requires review every 2 years
CISA deliverables
www.dlapiper.com 21
� CISA includes various privacy protections for the receipt, retention, use and dissemination of cyber threat indicators
� One main privacy protection requires federal and non-federal entities, prior to sharing to:
– Review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
– Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
Privacy protections in CISA
www.dlapiper.com 22
� Under AIS, DHS will receive cyber threat indicators and defensive measures through that portal in a standard, automated format and apply unanimously agreed upon controls as described in the Section 105(a)(1)-(3) procedures
� DHS will use automated processing for mitigation of remaining personal information risks through schema restrictions, controlled vocabulary, regular expressions (i.e., pattern matching), known good values, and auto-generated text
� Any fields that do not meet certain predetermined criteria defined through the AIS Profile and in the submission guidance will be referred for human review to ensure the field does not contain personal information of specific individuals or information that identifies specific individuals not directly related to the cybersecurity threat
� When a field within a cyber threat indicator or defensive measure is referred for human review, DHS will still transmit the fields that do not require human review to the appropriate Federal entities without delay
DHS AIS privacy scrub
www.dlapiper.com 23
� Automated real-time capability: Automated Indicator Sharing (AIS)
– Uses the Structured Threat Information eXpression (STIX) standard (xml format with a series of machine-readable fields) and Trusted Automated eXchange of Indication Information (TAXII) protocol
� Web form and email options
– www.us-cert.gov/ais
� Privacy scrub
CISA capabilities
www.dlapiper.com 24
Automated Indicator Sharing
www.dlapiper.com 25
1. Sign and return the appropriate participation agreement
– Terms of use (non-federal entities)
– Multilateral Information Sharing Agreement (for federal agencies)
2. Next, have something that can talk TAXII
– You can use the DHS TAXII client, an open source implementation or purchase a commercial solution
3. Sign an Interconnection Security Agreement to document the connection and capture relevant security information
4. Finally, we exchange certificates and you give us the IP you’re coming from so it can get whitelisted
How to sign up for AIS
www.dlapiper.com 26
� For more information:
– www.DHS.gov/AIS
– www.us-cert.gov/AIS
� Additional questions?
� Matt Shabat
Director of Performance Management
Office of Cybersecurity & Communications
703-235-5338
DHS Office of Cybersecurity & Communicationscontact information
www.dlapiper.com 27
What is the EU approach to cybersecurity?
Betterdefence
Contribution from private sector
Increased cyber security capabilities
Enhancingcooperation between
Member States
www.dlapiper.com 28
Upcoming adoption of Network and Information Security Directive
www.dlapiper.com 29
General Data Protection Regulation is a revolutionon privacy compliance…
Put May 25, 2018 on your calendar
www.dlapiper.com 30
It applies wherever you are located
both
www.dlapiper.com 31
Sets stringent security obligations
Data Protection
Officer
Security by
design
Adequatesecurity
measures
www.dlapiper.com 32
And in case of data breach…
www.dlapiper.com 33
The potential sanctions are massive
of the global turnover
New accountability principle…
www.dlapiper.com 34
Public-private partnership (cPPP)
Public Consultation
Technical Standards
www.dlapiper.com 35
Questions?
� Contact us to learn more
Senator Saxby ChamblissPartner, AtlantaDLA [email protected]
Giulio CoraggioPartner, MilanDLA [email protected]+39 02 80 618 619
Matt ShabatDirector of Performance ManagementOffice of Cybersecurity & CommunicationsDepartment of Homeland [email protected]