Transcript of: Cybersecurity: Escalating Threats, Morphing Duties & Intensifying Oversight
Cybersecurity: Escalating Threats, Morphing Duties & Intensifying Oversight
David Z. Bodenheimer, Crowell & Moring LLP
American Bar Association, Public Contract Law Section, Cybersecurity Committee
January 11, 2010, Washington, DC
© 2010 Crowell & Moring LLP
Urgency for Cyber Defense
The Cyber Crisis is Now!! – Everyone Agrees
Congress: “time to combat cyber terror was yesterday” (Senators Rockefeller & Snowe, May 29, 2009)
White House: “This status quo is no longer acceptable” (President Obama, May 29, 2009)
Industry: “Quite frankly, the bad guys are winning” (Cyber Security Industry Alliance testimony, Mar. 12, 2008)
Cyber Report: “one of the most urgent national security problems” (CSIS Commission on Cybersecurity, Dec. 2008)
342 Million Records Breached
80 Million Records Breached in ½ Year
Records with sensitive personal information involved in security breaches in U.S. since Jan. 2005:
• 342,101,335 records (Jan. 6, 2010)
• 262,442,156 records (June 11, 2009)
[www.privacyrights.org]
“According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.”
Cyber-Crime > $100 Billion
Hacking is More Lucrative than Doping
INTERNET LAW – “Cyber-Crime Hits $100 Billion in 2007, Out-earning Illegal Drug Trade” (IBLS Internet Law, Oct. 15, 2007)
“$1 trillion globally in lost intellectual property and expenditures for repairing the damage” (House Homeland Security Committee Hearing, Mar. 31, 2009)
Omnipresent ID Theft
Identity Theft Stays Atop Complaint List
“According to recent studies, identity theft affected nearly 10 million Americans in 2008 alone, an increase of 22 percent from 2007. It is estimated that the average costs to consumers and businesses top $49 billion. Identity theft is now the No. 1 consumer complaint received by the [FTC].” [Rep. Clay]
“But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm – spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.”
President’s Data Breached
Hackers Hit the White House
“Source In Iran Sees Plans for President’s Chopper” (USA Today, Mar. 2, 2009)
“The U.S. Navy is investigating how an unauthorized user in Iran gained online access to blueprints and other information about a helicopter in President Obama’s fleet.”
Hacking Obama’s Website
“It’s no secret that my presidential campaign harnessed the Internet and technology to transform politics. What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.” (President Obama, May 29, 2009)
Security Breach Is Personal
No One Is Immune from Security Breach
“U.S. Supreme Court: Justice Breyer and Several Lawyers Were Victims of Data Breach” (ABA Law News, July 9, 2008)
“Navy CIO's PII Exposed for Sixth Time” [Robert Carey, Navy CIO]
“The personal identifiable information of the Navy chief information officer has been compromised, again. And, it isn't just the second or third or fourth or even fifth time Robert Carey's PII has been exposed, but the sixth instance.” [Chabrow, Gov Info Security, Jan. 4, 2010]
Everyone’s On-Board
Government & Industry Agree
“Cybersecurity . . . a top priority” (DHS Secretary nominee Janet Napolitano, Jan. 15, 2009)
“DHS Puts Cybersecurity Toward Top of 2008 To-Do List” (DHS Secretary Chertoff, Federal Computer Week, Dec. 13, 2007)
“Data Breach Likely to be Hot Topic at Porn Summit” (Technology Daily, Jan. 14, 2008)
Law Enforcement & XXX = !?
Federal Information
800-Pound Information Gorilla
“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007)
US IT Budgets
• $72.9 billion (FY 09)
• $75.8 billion (FY 10)
US Federal Information
Information Treasure Trove
• National Security
• Personal Data
• Infrastructure Data
• Technology
• Trade Secrets
Federal Security Breaches
Privacy Rights Clearinghouse ('09)
• 1/5/09 Library of Congress
• 1/26/09 U.S. Military
• 1/27/09 U.S. Consulate
• 2/9/09 Federal Aviation Administration
• 2/9/09 U.S. Postal Service
• 2/11/09 Los Alamos National Lab
• 3/6/09 Federal Emergency Management Agency
• 3/7/09 Idaho National Lab
• 3/12/09 U.S. Army
• 3/23/09 Federal District Court (Baltimore, MD)
• 4/27/09 Federal Reserve Bank (NY)
• 5/19/09 National Archives
• 5/21/09 Internal Revenue Service
• 8/3/09 National Finance Center
• 8/13/09 National Guard Bureau
• 9/2/09 Naval Hospital (Pensacola)
• 10/2/09 U.S. Military Veterans
• 10/5/09 U.S. Army Special Forces
• 11/6/09 National Archives & Records Admin.
Agency Security Breaches
“In a massive security breach, the Transportation Security Administration (TSA) inadvertently posted online its airport screening procedures manual, including some of the most closely guarded secrets regarding special rules for diplomats and CIA and law enforcement officers.”
“The document shows sample CIA, Congressional and law enforcement credentials which experts say would make it easy for terrorists to duplicate.” [ABCNews.com]
Federal Cyber Markets
Cyber Markets
“Contractors Vie for Plum Work, Hacking for U.S.”
“Nearly all of the largest military companies – including Northrop Grumman, General Dynamics, Lockheed Martin, and Raytheon – have major cyber contracts with the military and intelligence agencies.” (NYT, May 31, 2009)
Cyber Goldrush
• “IT Providers to Gain from Cyberpush,” Reuters Analysis (Feb. 13, 2009)
• “Ex-Officials Tell Entrepreneurs How to Pitch Cybersecurity to Feds,” Warren’s Washington Internet Daily (Oct. 21, 2009)
• “Big Government Buys: Some Small Companies Stand to Gain From Tougher Rules on Power Plant Pollution & Cybersecurity,” Forbes (July 13, 2009)
Information Security Law
The Law
• FISMA (44 USC §§ 3541-49)
– Information security for federal agencies
• Federal Acquisition Regulation (FAR)
– Flows security requirements to contractors
– Leaves details to agencies (NASA rules)
• OMB & NIST Rules
– Standards referenced in FAR
Information Security Law
Scope of FISMA
• Federal Information Security Mgmt. Act
– 44 USC §§ 3541-49
• Broad Scope
– Information collected/maintained for agency
– Information system used/operated by agency
– Information system of agency contractor
• Commensurate with Risk/Harm
Information Security Law
FISMA Requirements: Contractor Coverage
“information collected or maintained . . . on behalf of an agency”
“information collected or maintained . . . by a contractor of an agency”
“information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”
44 U.S.C. §§ 3544(a)(1), (b)
FAR Requirements: Contractor Coverage
“Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held accountable to the same security standards as Government employees when collecting or maintaining information or using or operating information systems on behalf of an agency.”
“The law requires that contractors and Federal employees be subjected to the same requirements in accessing Federal IT systems and data.”
(70 Fed. Reg. 57451 (Sept. 2005))
Information Security Law
OMB (whitehouse.gov/omb)
• OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (Nov. 28, 2000)
• OMB Memo M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (Jan. 18, 2008)
• OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
NIST (csrc.nist.gov)
• SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (July 2008)
• SP 800-53 Rev. 3 DRAFT, Recommended Security Controls for Federal Information Systems and Organizations (Feb. 5, 2009)
• SP 800-61 Rev. 1, Computer Security Incident Handling Guide (Mar. 2008)
• SP 800-83, Guide to Malware Incident Prevention and Handling (Nov. 2005)
• SP 800-100, Information Security Handbook: A Guide for Managers (Oct. 2006)
• SP 800-122 DRAFT, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Jan. 13, 2009)
Information Security Law
NIST Security Program
• Establishing Security Objectives
– Integrity
– Confidentiality
– Availability
• Identifying Security Needs
– Requirements identification
– Risk assessment
– Cost-effectiveness assessment
– Appropriate level of security
– Life-cycle security
NIST Security (cont.)
• Implementing the Security Program
– Policies & procedures
– Security controls
– Configuration controls
– Continuity of operations
• Ensuring Compliance
– Training
– Periodic testing & evaluation
– Accountability
– Security incident detection & reporting
– Remedial actions
Legal Risks for Breaches
Criminal & Civil Penalties
• Criminal Sanctions
• Civil Penalties
• State Actions
“Thompson, Langevin Demand Investigation into Department Cyber Attacks” (Sept. 24, 2007)
“criminal investigation”
“fraudulent statement”
Legal Risks for Breaches
Contractual Risks
• Contract Breach
• Nonresponsibility
• Debarment
• Past Performance
“Firm Fired by Ohio for Lax Privacy Protection Pursuing Outsourced IRS Tax Collection Work” (Wednesday, February 15, 2006)
Cybersecurity:
Presidential & Congressional
Priorities, Players & Oversight
Cyber Power Players
New Cyber Czar
“Obama Names Howard Schmidt as Cybersecurity Coordinator” (Washington Post, Dec. 22, 2009)
“Seven months after President Obama vowed to "personally select" an adviser to orchestrate the government's strategy for protecting computer systems, the White House will name a former Bush administration official to the job Tuesday. Howard A. Schmidt, who was a cyber-adviser in President George W. Bush's White House, will be Obama's new cybersecurity coordinator, an administration official said Monday night.”
Howard Schmidt’s Background
• President, Information Security Forum (non-profit consortium)
• Special Advisor, National Strategy to Secure Cyberspace (2001-03)
• Chief Security Officer, Microsoft
• Chief Information Security Officer, eBay
• Active-duty & Civilian, Air Force
• Head, FBI National Drug Intelligence Center
Cyber Power Players
• President Barack Obama
• Howard Schmidt (White House Cybersecurity Coordinator)
• Vivek Kundra (Federal Chief Information Officer)
• Gen. Keith Alexander (NSA Director & Cyber Commander Nominee)
• Robert Carey (Navy Chief Information Officer)
• John Streufert (State Dept. Deputy CIO for Security)
• Sen. Joseph Lieberman (Chairman, Comm. on Homeland Security & Gov. Affairs)
• Philip Reitinger (DHS Deputy Undersecretary & National Cybersecurity Center Director)
• Ron Ross (NIST Senior Computer Scientist & FISMA Implementation Project Leader)
• Rep. James Langevin (Congressional Cybersecurity Caucus Co-Chair & Commission for Cybersecurity Co-Chair)
Gov Info Security’s Top 10 Cyber Players for 2010
Presidential Priority
“My administration will pursue a new comprehensive approach to securing America’s digital infrastructure. This new approach starts at the top with this commitment from me: From now on, our digital infrastructure – the networks and computers we depend on every day – will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.” (President Obama, May 29, 2009)
Congress’ Cyber Scrutiny
Congressional Pressure (2008-2009 Actions)
• Congressional Scrutiny
– Over 30 Hearings & Actions
– 9 Different Committees
• GAO Reviews
– Congress’ Investigative Arm
– 22 Reports on Cyber Issues
• Legislative Actions
– Senate Bill (S. 773)
– House Bill (H.R. 2195)
New Cyber Legislation
Cybersecurity Act of 2009
• Commerce Dept. cyber duties for federal IT systems & networks
• NIST standards for federal agencies & contractors
• NIST responsibility for international cyber standards development
• National licensing & certification for cyber professionals
• NSF support for R&D & testbeds
• Cyber Clearinghouse for threats & vulnerabilities (including access)
• Secure Products & Services Acquisition Board (Approval Seal)
New Cyber Legislation
Personal Data Privacy & Security Act of 2009
• Consumer access & correction of personal information held by data brokers
• Data security & privacy program required for databases with over 10,000 records
• Mandatory notice requirements for data security breaches
• Enforcement with criminal penalties (e.g., concealing breach) and civil sanctions ($5,000 per day)
• Preemption of certain state security breach notification requirements
Cross-Border Attacks
International Attacks
“Did China Copy U.S. Commerce Secretary’s Laptop Computer?”
“Surreptitious copying is believed to have occurred when a laptop was left unattended during [Commerce Secretary Carlos] Gutierrez’s trip to Beijing for trade talks in December.” (ABA Law Journal News, May 29, 2008)
Cross-Border Transfers
“B.C. civil servant accused of sending personal data to U.S. border guard”
“A B.C. government employee under investigation for an alleged privacy breach is accused of e-mailing personal data about government clients to an American border guard in Washington state.” (BC News, Dec. 19, 2009)
Global Security Initiatives
“European Union: ePrivacy Directive Close to Enactment: Improvements on Security Breach, Cookies, and Enforcement”
“The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules.” (Internet Business Law Services, Dec. 22, 2009)
“In Shift, U.S. Talks to Russia on Internet Security”
“The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.” (NYT, Dec. 13, 2009)
Global Cyber Initiatives
Global Arms Race
“Cyber security the new ‘arms race’” – Van Loan
“I really look at [cybersecurity] almost as the new arms race. There isn’t a day that goes by without someone somewhere trying to breach the Government of Canada’s information systems.” (Public Safety Minister Van Loan, CTV News, May 27, 2009)
Privacy vs. Security
“Canadian Airlines Plead with Government to Solve U.S. Security Dilemma”
“Canada’s major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.” (The Canadian Press, Jan. 1, 2010)
GAO Report (2004) on Passenger Screening
“obtaining international cooperation for access to this [passenger screening] data remains a substantial challenge. The European Union has objected to its citizens’ data being used . . . [because it] violates the civil liberties and privacy rights of its citizens.”