TRANSCRIPT
THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY
2 The 411 on Cybersecurity
DISCLAIMER
Views expressed in this presentation are not necessarily those of our respective Departments
Any answers to questions are our own opinions and not those of our respective Departments
AGENDA
• The Cybersecurity Threat in 2013 (current section)
• Public v. Private Sector Threats
• EINSTEIN – a Public Sector Response
• Policy Responses
• Public-Private Partnerships
• Policy Challenges
OVERVIEW
• Increasingly skilled cyber threats
• Variety of malicious actions
• Attempts to penetrate USG from:
– Outside
– Inside
– Within our IT capabilities
• Potential theft of classified info
• Theft of intellectual property
• Threat to national security
AGENDA
• The Cybersecurity Threat in 2013
• Public v. Private Sector Threats (current section)
• EINSTEIN – a Public Sector Response
• Policy Responses
• Public-Private Partnerships
• Policy Challenges
UNDERSTANDING THE THREAT
[Diagram: U.S. Government cybersecurity organization: National Security; Federal Civilian Networks; Critical Infrastructure; Commercial / Non-Critical Infrastructure]
UNDERSTANDING THE THREAT
U.S. Critical Infrastructure
US-CERT MISSION
• Lead efforts to improve the Nation’s cybersecurity posture
• Coordinate cyber information sharing
• Proactively manage cyber risks to the Nation
• All while protecting the constitutional rights of Americans.
US-CERT MISSION
• Analyze and reduce the impact of threats & vulnerabilities
• Disseminate warning information
• Coordinate to achieve shared situational awareness
• Provide response & recovery support for national assets
• Advise on national-level cybersecurity policy and guidance
[Organization chart: US Computer Emergency Readiness Team: Operations; Operations Coordination & Integration; Future Operations; Incident Management]
RESPONSE AND ASSISTANCE
Dedicated teams provide technical assistance at the right level of subject matter expertise, including:
• Digital Media & Malware Analysis
• Defensive Analysis
• Mitigation Strategy Development
• Threat/Attack Vector Analysis
• Vendor Analysis Coordination
SHARED SITUATIONAL AWARENESS
US-CERT develops information sharing products on a scheduled and as-needed basis. US-CERT also develops and distributes analytical information notices specific to its communities of interest.
NCAS: NATIONAL CYBER AWARENESS SYSTEM
A cohesive national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats
• Current Activity
• Cyber Security Alerts
• Cyber Security Tips
• Cyber Security Bulletins
AGENDA
• The Cybersecurity Threat in 2013
• Public v. Private Sector Threats
• EINSTEIN – a Public Sector Response (current section)
• Policy Responses
• Public-Private Partnerships
• Policy Challenges
EINSTEIN MONITORING
EINSTEIN Network Analysts monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.
KEY EINSTEIN CAPABILITIES
• EINSTEIN 1 (E1): Flow Collection – initial analytics and information sharing capabilities
• EINSTEIN 2 (E2): Intrusion Detection – improved sensors to identify malicious activity
• EINSTEIN 3A (E3A): Intrusion Prevention – improved protection to prevent malicious activity
FAIR INFORMATION PRACTICE PRINCIPLES
EINSTEIN PRIVACY PROTECTIONS
• Minimization of data collection
• Limitation of uses to cyber threats
• Restrictions on info sharing and use
• Privacy cybersecurity webpage – transparency of cyber strategy & initiatives
• Compliance Review by DHS Privacy Office
DHS ADMINISTRATIVE PRIVACY PROTECTIONS
• MOA with each participating Agency
• Notice to users:
– Computer banners
– Privacy policies
– Published compliance documentation
• Standard Operating Procedures for PII
• Collaboration w/CPOs/CLOs, NSS, EOP
• Training and awareness workshops on cybersecurity and privacy – open to federal employees, contractors
AGENDA
• The Cybersecurity Threat in 2013
• Public v. Private Sector Threats
• EINSTEIN – a Public Sector Response
• Policy Responses (current section)
• Public-Private Partnerships
• Policy Challenges
MECHANISMS
• Executive Branch actions
• Legislation
• Public-private partnerships
ADMINISTRATION CYBERSECURITY PROPOSAL
• Released in 2011
• Critical infrastructure focus
• DHS regulatory authority
• Liability limitations for information sharing
EXECUTIVE ORDER “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY”
• Signed on Feb. 12, 2013
• Main provisions:
– Cyber threat information sharing
– Framework for cybersecurity standards, methodologies, procedures, processes
– Program to coordinate sectors, provide incentives
PRIVACY SAFEGUARDS
• Agencies apply FIPPs to EO activities
• DHS to assess, report on, minimize or mitigate privacy risks in EO activities
LEGISLATION: EXPANDING INFORMATION SHARING
• Information sharing supported by liability limitations
• SECURE IT (S. 2151)
– No movement in Senate
• CISPA (H.R. 3523)
– Passed House; Administration threatened veto
– Reintroduced in 113th Congress
LEGISLATION: CYBERSECURITY ACT OF 2012
• S. 2105 / S. 3414
• Information sharing through liability limitations
– Use limitations on USG-held data
• Best practices coordinated through National Cybersecurity Council
AGENDA
• The Cybersecurity Threat in 2013
• Public v. Private Sector Threats
• EINSTEIN – a Public Sector Response
• Policy Responses
• Public-Private Partnerships (current section)
• Policy Challenges
PUBLIC – PRIVATE PARTNERSHIPS
What is the Dept of Commerce doing to advance cybersecurity in the private sector?
• Voluntary consensus standards and practices
• Working through NIST
• Other bureau and agency involvement in consensus-based practices
PUBLIC – PRIVATE PARTNERSHIPS
• Cybersecurity education and centers of excellence
• Smart Grid Interoperability Panel
• National Strategy for Trusted Identities in Cyberspace
AGENDA
• The Cybersecurity Threat in 2013
• Public v. Private Sector Threats
• EINSTEIN – a Public Sector Response
• Policy Responses
• Public-Private Partnerships
• Policy Challenges (current section)
POLICY CHALLENGES: STATUTORY RESTRICTIONS
• Census and other statistical data
– Disclosures to respondent
– Administrative burden
• Possible strategies?
– Use of enclaves
– Designating “agents”
– Others
POLICY CHALLENGES: STATUTORY RESTRICTIONS (continued)
Subject matter confidentiality
• FERPA
• “Part 2” (substance abuse treatment)
• Welfare Reform
– Domestic violence
– Asylees & refugees
• Other specific confidentiality statutes?
POLICY CHALLENGES: STATUTORY RESTRICTIONS (continued)
• Possible solutions for subject-matter confidentiality statutes?
– Limitation on authority to obtain info
– Limitation on uses to cybersecurity
– Limitation on secondary disclosures
• Do these pose problems for security or law enforcement?
POLICY CHALLENGES: LAW ENFORCEMENT NEEDS
• Grand Jury Secrecy
• Witness Protection information
• Prisoner Population
• Are similar solutions appropriate as for other confidential information?
POLICY CHALLENGES: COMMERCIAL INFORMATION
• Trade Secrets Act
• Intellectual property protections
• Procurement Information
• Confidential commercial info under FOIA (b)(4) and EO 12666?
• Are similar solutions appropriate as for other confidential information?
POLICY CHALLENGES: WHY DIDN’T WE MENTION…
• The Privacy Act of 1974?
• The HIPAA Privacy Rule?
• Are there other statutes in the same category?
POLICY CHALLENGES: JURISDICTIONAL ISSUES
Multiple agencies have jurisdiction
• DHS
• Intelligence Community
• Cabinet agencies for their sectors
• White House/National Security Staff (coordination role)
KEY TAKEAWAYS
• The cyber threat is real and urgent
• U.S. Government is working hard, partnering to address challenges
• Complex technical, legal, policy, and organizational issues
• No easy fixes
RESOURCES
• White House
– Administration’s Privacy Blueprint: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
– Executive Order #________ “Improving Critical Infrastructure Cybersecurity” (Feb 12, 2013) http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
• Commerce
– NSTIC FIPPs: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
• 112th Congress
– S. 2151: http://thomas.loc.gov/home/gpoxmlc112/s2151_is.xml
– S. 3414: http://thomas.loc.gov/home/gpoxmlc112/s3414_pcs.xml
– H.R. 3523: http://thomas.loc.gov/home/gpoxmlc112/h3523_eh.xml
• 113th Congress: TBD
• DHS
– DHS US-CERT: http://www.us-cert.gov/
– DHS Privacy Office: http://www.dhs.gov/topic/privacy
– DHS Cybersecurity: http://www.dhs.gov/cybersecurity
• HHS
– “Part 2” Substance Abuse Treatment Confidentiality, 42 USC § 290dd-2, regulations at 42 CFR Part 2 http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf
– HIPAA Privacy Rules 45 CFR, §§ 160 & 164 http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
– Child Support Information: Social Security Act § 453(j), codified at 42 USC 653(j) http://www.socialsecurity.gov/OP_Home/ssact/title04/0453.htm
• FBI
– Economic Espionage Act http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage
• Education
– Family Educational Rights & Privacy Act (FERPA) http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107–347, 44 USC § 101) http://www.eia.gov/oss/CIPSEA.pdf
• The Privacy Act of 1974 (Pub. L. 93-579, 5 USC 552a) http://www.justice.gov/opcl/privstat.htm