
Page 1: Issues and Responses - CGI UK · CISP and CERT • The Cyber Security Information Sharing Partnership • Pilot in 2011/12 • Collaboration between industry and HMG • Technical

Cyber Security Issues and Responses

Andrew Rogoyski

Head of Cyber Security Services

CGI UK

[email protected]

Page 2

CGI in cyber security

• We have over 35 years of experience working with government and commercial clients as a trusted advisor
• We work with clients using state-of-the-art facilities, including a world-class innovation lab, and are one of the only companies with three accredited security certification facilities: one in the US, one in the UK and one in Canada
• CGI is completing its 10th Security Operations Centre; the centres operate globally
• Our managed services support over 100 clients in 16 countries across all industries
• We defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure
• Business-focused approach to security

[Logo panels: Credentials, Clients]

Page 3

The changing shape of IT security issues

[Timeline graphic, 1984 to 2014. Era labels on the timeline: “IA”, the era of early connectedness; “Cyber”, the era of mass interdependence. Events in date order:]

• 1986: Lawrence Berkeley NL discovers attempt to copy US Government information on Arpanet
• 1988: First worm created at Cornell
• 1990: Arpanet becomes the Internet
• 1998: Google founded
• 2000: ILOVEYOU worm
• 2001: Budapest Convention on Cybercrime
• 2003: DHS creates National Cyber Security Division
• 2003: Slammer worm
• 2004: Facebook launched
• 2007: Cyber attack on Estonian Government
• 2007: iPhone 3 launched
• 2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
• 2009: The Aurora attacks hit Google and 33 companies
• 2010: US Cyber Command becomes operational
• 2010: Stuxnet
• 2010: US Intelligence on Wikileaks
• 2010: iPad launched
• 2011: RSA and Lockheed attacked
• 2011: Sony Playstation network hacked, costing $170m
• 2012: Aramco loses 30,000 PCs to attack
• 2013: South Korean media and banks attacked
• 2013: Edward Snowden reveals stolen NSA data

Drivers for Change:

1. Industrialised cyber espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the Internet
6. The rise of the devices
7. Privacy and Data Protection

Page 4

What are the emerging trends and responses?

It’s not all about technology…

• More: targeted attacks, social engineering, attacks against mobile, more sophistication
• More: government involvement – carrying the economic and security risk
• More: international government involvement and co-operation, with focus on CNI
• More: regulation, legislation, obligatory reporting around privacy and breaches
• More: competition for scarce skills and know-how
• Change: to cloud, mobile, interconnectedness, including managed security services

Page 5

The UK Cyber Security Strategy

HMG Vision

• Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

• Published in November 2011 with a £650m budget

• 1 of 33 national cyber strategies

Themes

• Cyber crime

• Resilience to cyber attack

• Shape an open, stable and vibrant internet

• Build knowledge, skills and capabilities to underpin all the objectives

Page 6

CISP and CERT

• The Cyber Security Information Sharing Partnership
  • Pilot in 2011/12
  • Collaboration between industry and HMG
  • Technical infrastructure for sharing technical and tactical cyber attack information
  • Building trust relationships
  • Establish a ‘fusion cell’
• The CERT-UK
  • Launched in April 2014
  • Subsumes CISP
  • National Cyber Security Incident Management
  • Support to Critical National Infrastructure companies to handle cyber security incidents
  • Promotes cyber security situational awareness across industry, academia, and the public sector
  • Provides the single international point of contact for co-ordination and collaboration between national CERTs

Page 7

Government Guidance for Cyber Security

[Cover images of two guidance documents, captioned Sep 2012 and April 2014]

Page 8

Cyber Education, Skills and Know-How

• Initiatives
  • Promote cyber security learning in schools
  • Competitions to attract people into the profession
  • Funding for graduate and postgraduate students in cyber studies
  • Accredited 11 universities as Academic Centres of Excellence in Cyber Security Research
  • Set up 3 new Research Institutes and funded 2 Centres for Doctoral Training in cyber
  • Strengthened the cyber security profession through the introduction of CESG’s Certified Professional Scheme

March 2014

Page 9

Cyber in Corporate Finance

• Threats
  • Individuals, nation states, hacktivists, employees & contractors, organised crime and competitors
• Targeting Transactions
  • The very act of putting information together may trigger interest; it may also create an attractive target
  • A complex mix of external advisors, short timescales and high stakes leads to vulnerabilities
• Issues
  • How secure is each contributor and stakeholder in this transaction?
  • Who needs to know?
  • Can you monitor access to information?
  • What is your strategy for breaches?
  • Do you have a security partner?

March 2014

Page 10

The National Cyber Security Programme

Page 11

New Priorities in the UK

• Additional £210m, plus one year
• Focus on Critical National Infrastructure (CNI)
• The February 2014 Summit with Government and regulators (ONR, BoE, FCA, PRA, Ofcom, Ofgem and Ofwat):
  • “Strong cyber security in the firms and markets we oversee is fundamental to meeting regulatory objectives…”
  • “there is a need to work with international partners to understand our risk and increase the level of network and information security, including at the EU level”
  • Work to embed cyber security in the firms and markets that they oversee;
  • Assess the state of cyber security across each sector;
  • Identify aggregated cyber security risks within and across sectors;
  • Working with industry, increase information flows on threat, vulnerabilities and mitigation strategies across each sector;
  • Support sectors to develop effective incident detection and management capabilities.

Page 12

Questions under consideration

• Regulation or guidance?
• Is UK Government advice to the energy sector sufficient? Should it broaden out (i.e. to extraction and (conventional) generation)?
• Should UK Government adopt US or European cyber frameworks/standards or develop UK versions (e.g. the NIST framework)?
• At what level should the standards be pitched? (Too low level and they don’t engage or are seen as prescriptive; too high level and no action is taken.)
• Should the UK focus on the detail that the US’ NIST frameworks are perceived to be missing?
• What impact could related regulation from Europe have (e.g. the General Data Protection Regulation (GDPR) or the Network and Information Security Directive (NISD))?

Page 13

NIST Cyber Framework

[Cover image: NIST, Feb 2014]

President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

Page 14

Summary

• The threat landscape is becoming more sophisticated, more targeted and more aggressive
• Security responses are becoming more complex – technically challenging and more all-encompassing
• Government intervention (in various forms) is on the rise
• The skills and experience to run solutions are becoming highly sought after – it is difficult to create and maintain a critical mass of expertise
• There will be a convergence with managed security services and IT outsourcing

Page 15

Questions/Discussion

• What are your views on Government intervention to improve the security of the UK’s critical infrastructure – what is the most effective way to intervene?

• Are UK frameworks better than international versions? Are overseas interventions influencing your UK businesses?

• What would help you make the investments – regulation, awareness or business case?

• What are you prepared to share, in terms of cyber attack experiences and information?

• Do you have the skills to meet these requirements or will you look for a trusted partner?

• Do you know the questions to ask of your own organisation and do you have confidence in the replies you receive?