
Cybersecurity: Escalating Threats, Morphing Duties & Intensifying Oversight

David Z. Bodenheimer, Crowell & Moring LLP
American Bar Association, Public Contract Law Section, Cybersecurity Committee
January 11, 2010, Washington, DC

© 2010 Crowell & Moring LLP

Urgency for Cyber Defense

The Cyber Crisis is Now!! – Everyone Agrees

Congress: “time to combat cyber terror was yesterday” (Senators Rockefeller & Snowe, May 29, 2009)

White House: “This status quo is no longer acceptable” (President Obama, May 29, 2009)

Industry: “Quite frankly, the bad guys are winning” (Cyber Security Industry Alliance testimony, Mar. 12, 2008)

Cyber Report: “one of the most urgent national security problems” (CSIS Commission on Cybersecurity, Dec. 2008)

Signs of the Cyber Apocalypse

342 Million Breaches

80 Million Records Breached in ½ Year

Records with sensitive personal information involved in security breaches in U.S. since Jan. 2005:

• 342,101,335 records (Jan. 6, 2010)

• 262,442,156 records (June 11, 2009)

[www.privacyrights.org]

“According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.”

Cyber-Crime > $100 Billion

Hacking is More Lucrative than Doping

INTERNET LAW – “Cyber-Crime Hits $100 Billion in 2007, Out-earning Illegal Drug Trade” (IBLS Internet Law, Oct. 15, 2007)

“$1 trillion globally in lost intellectual property and expenditures for repairing the damage” (House Homeland Security Committee Hearing, Mar. 31, 2009)

Omnipresent ID Theft

Identity Theft Stays Atop Complaint List

“According to recent studies, identity theft affected nearly 10 million Americans in 2008 alone, an increase of 22 percent from 2007. It is estimated that the average costs to consumers and businesses top $49 billion. Identity theft is now the No. 1 consumer complaint received by the [FTC].” [Rep. Clay]

“But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm – spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.”

President’s Data Breached

Hackers Hit the White House

“Source In Iran Sees Plans for President’s Chopper” (USA Today, Mar. 2, 2009)

“The U.S. Navy is investigating how an unauthorized user in Iran gained online access to blueprints and other information about a helicopter in President Obama’s fleet.”

Hacking Obama’s Website

“It’s no secret that my presidential campaign harnessed the Internet and technology to transform politics. What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.” (President Obama, May 29, 2009)

Security Breach Is Personal

No One Is Immune from Security Breach

“U.S. Supreme Court: Justice Breyer and Several Lawyers Were Victims of Data Breach” (ABA Law News, July 9, 2008)

“Navy CIO's PII Exposed for Sixth Time” [Robert Carey, Navy CIO]

“The personal identifiable information of the Navy chief information officer has been compromised, again. And, it isn't just the second or third or fourth or even fifth time Robert Carey's PII has been exposed, but the sixth instance.” [Chabrow, Gov Info Security, Jan. 4, 2010]

Everyone’s On-Board

Government & Industry Agree

“Cybersecurity . . . a top priority” (DHS Secretary nominee Janet Napolitano, Jan. 15, 2009)

“DHS Puts Cybersecurity Toward Top of 2008 To-Do List” (DHS Secretary Chertoff, Federal Computer Week, Dec. 13, 2007)

“Data Breach Likely to be Hot Topic at Porn Summit” (Technology Daily, Jan. 14, 2008)

Law Enforcement & XXX = !?

Cybersecurity: Federal Information Targets & Budgets

Federal Information

800-Pound Information Gorilla

“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007)

US IT Budgets

• $72.9 billion (FY 09)

• $75.8 billion (FY 10)

US Federal Information

Information Treasure Trove

• National Security

• Personal Data

• Infrastructure Data

• Technology

• Trade Secrets

Federal Security Breaches

Privacy Clearinghouse ('09)

1/5/09 Library of Congress
1/26/09 U.S. Military
1/27/09 U.S. Consulate
2/9/09 Federal Aviation Administration
2/9/09 U.S. Postal Service
2/11/09 Los Alamos National Lab
3/6/09 Federal Emergency Management Agency
3/7/09 Idaho National Lab
3/12/09 U.S. Army
3/23/09 Federal District Court (Baltimore, MD)
4/27/09 Federal Reserve Bank (NY)
5/19/09 National Archives
5/21/09 Internal Revenue Service
8/3/09 National Finance Center
8/13/09 National Guard Bureau
9/2/09 Naval Hospital (Pensacola)
10/2/09 U.S. Military Veterans
10/5/09 U.S. Army Special Forces
11/6/09 National Archives & Records Admin.

Agency Security Breaches

“In a massive security breach, the Transportation Security Administration (TSA) inadvertently posted online its airport screening procedures manual, including some of the most closely guarded secrets regarding special rules for diplomats and CIA and law enforcement officers.”

“The document shows sample CIA, Congressional and law enforcement credentials which experts say would make it easy for terrorists to duplicate.” [ABCNews.com]

Federal Cyber Markets

FedBizOpps

Federal Cyber Markets

Cyber Markets

“Contractors Vie for Plum Work, Hacking for U.S.”

“Nearly all of the largest military companies – including Northrop Grumman, General Dynamics, Lockheed Martin, and Raytheon – have major cyber contracts with the military and intelligence agencies.” (NYT, May 31, 2009)

Cyber Goldrush

• “IT Providers to Gain from Cyberpush,” Reuters Analysis (Feb. 13, 2009)

• “Ex-Officials Tell Entrepreneurs How to Pitch Cybersecurity to Feds,” Warren’s Washington Internet Daily (Oct. 21, 2009)

• “Big Government Buys: Some Small Companies Stand to Gain From Tougher Rules on Power Plant Pollution & Cybersecurity,” Forbes (July 13, 2009)

Cybersecurity: Existing Rules & Standards

Information Security Law

The Law

• FISMA (44 USC § 3541-49)

– Information security for federal agencies

• Federal Acquisition Regulation (FAR)

– Flows security requirements to contractors

– Leaves details to agencies (NASA rules)

• OMB & NIST Rules

– Standards referenced in FAR

Information Security Law

Scope of FISMA

• Federal Information Security Mgmt. Act

– 44 USC § 3541-49

• Broad Scope

– Information collected/maintained for agency

– Information system used/operated by agency

– Information system of agency contractor

• Commensurate with Risk/Harm

Information Security Law

FISMA Requirements: Contractor Coverage

“information collected or maintained . . . on behalf of an agency”

“information collected or maintained . . . by a contractor of an agency”

“information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”

44 U.S.C. §§ 3544(a)(1), (b)

FAR Requirements: Contractor Coverage

“Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held accountable to the same security standards as Government employees when collecting or maintaining information or using or operating information systems on behalf of an agency.”

“The law requires that contractors and Federal employees be subjected to the same requirements in accessing Federal IT systems and data.” (70 Fed. Reg. 57451 (Sept. 2005))

Information Security Law

OMB (whitehouse.gov/omb)

OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (Nov. 28, 2000)

OMB Memo M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (Jan. 18, 2008)

OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)

NIST (csrc.nist.gov)

SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (July 2008)

SP 800-53 Rev. 3 DRAFT, Recommended Security Controls for Federal Information Systems and Organizations (Feb. 5, 2009)

SP 800-61 Rev. 1, Computer Security Incident Handling Guide (Mar. 2008)

SP 800-83, Guide to Malware Incident Prevention and Handling (Nov. 2005)

SP 800-100, Information Security Handbook: A Guide for Managers (Oct. 2006)

SP 800-122 DRAFT, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Jan. 13, 2009)

Information Security Law

NIST Security Program

• Establishing Security Objectives

– Integrity

– Confidentiality

– Availability

• Identifying Security Needs

– Requirements identification

– Risk assessment

– Cost-effectiveness assessment

– Appropriate level of security

– Life-cycle security

NIST Security (cont.)

• Implementing the Security Program

– Policies & procedures

– Security controls

– Configuration controls

– Continuity of operations

• Ensuring Compliance

– Training

– Periodic testing & evaluation

– Accountability

– Security incident detection & reporting

– Remedial actions

Legal Risks for Breaches

Criminal & Civil Penalties

• Criminal Sanctions

• Civil Penalties

• State Actions

Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)

“criminal investigation”

“fraudulent statement”

Legal Risks for Breaches

Contractual Risks

• Contract Breach

• Nonresponsibility

• Debarment

• Past Performance

Wednesday, February 15, 2006

Firm Fired by Ohio for Lax Privacy Protection Pursuing Outsourced IRS Tax Collection Work

Cybersecurity: Presidential & Congressional Priorities, Players & Oversight

Cyber Power Players

New Cyber Czar

“Obama Names Howard Schmidt as Cybersecurity Coordinator” (Washington Post, Dec. 22, 2009)

“Seven months after President Obama vowed to "personally select" an adviser to orchestrate the government's strategy for protecting computer systems, the White House will name a former Bush administration official to the job Tuesday. Howard A. Schmidt, who was a cyber-adviser in President George W. Bush's White House, will be Obama's new cybersecurity coordinator, an administration official said Monday night.”

Howard Schmidt’s Background

• President, Information Security Forum (non-profit consortium)

• Special Advisor, National Strategy to Secure Cyberspace (2001-03)

• Chief Security Officer, Microsoft

• Chief Information Security Officer, eBay

• Active-duty & Civilian, Air Force

• Head, FBI National Drug Intelligence Center

Cyber Power Players

• President Barack Obama

• Howard Schmidt (White House Cybersecurity Coordinator)

• Vivek Kundra (Federal Chief Information Officer)

• Gen. Keith Alexander (NSA Director & Cyber Commander Nominee)

• Robert Carey (Navy Chief Information Officer)

• John Streufert (State Dept. Deputy CIO for Security)

• Sen. Joseph Lieberman (Chairman, Comm. on Homeland Security & Gov. Affairs)

• Philip Reitinger (DHS Deputy Undersecretary & National Cybersecurity Center Director)

• Ron Ross (NIST Senior Computer Scientist & FISMA Implementation Project Leader)

• Rep. James Langevin (Congressional Cybersecurity Caucus Co-Chair & Commission for Cybersecurity Co-Chair)

Gov Info Security’s Top 10 Cyber Players for 2010

Presidential Priority

“My administration will pursue a new comprehensive approach to securing America’s digital infrastructure. This new approach starts at the top with this commitment from me: From now on, our digital infrastructure – the networks and computers we depend on every day – will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.” (President Obama, May 29, 2009)

Congress’ Cyber Scrutiny

Congressional Pressure (2008-2009 Actions)

• Congressional Scrutiny

– Over 30 Hearings & Actions

– 9 Different Committees

• GAO Reviews

– Congress’ Investigative Arm

– 22 Reports on Cyber Issues

• Legislative Actions

– Senate Bill (S. 773)

– House Bill (H.R. 2195)

New Cyber Legislation

Cybersecurity Act of 2009

• Commerce Dept. cyber duties for federal IT systems & networks

• NIST standards for federal agencies & contractors

• NIST responsibility for international cyber standards development

• National licensing & certification for cyber professionals

• NSF support for R&D & testbeds

• Cyber Clearinghouse for threats & vulnerabilities (including access)

• Secure Products & Services Acquisition Board (Approval Seal)

New Cyber Legislation

Personal Data Privacy & Security Act of 2009

• Consumer access & correction of personal information held by data brokers

• Data security & privacy program required for databases with over 10,000 records

• Mandatory notice requirements for data security breaches

• Enforcement with criminal penalties (e.g., concealing breach) and civil sanctions ($5,000 per day)

• Preemption of certain state security breach notification requirements

Cyber Goes Global: International Risks & Issues

Cross-Border Attacks

International Attacks

“Did China Copy U.S. Commerce Secretary’s Laptop Computer?”

“Surreptitious copying is believed to have occurred when a laptop was left unattended during [Commerce Secretary Carlos] Gutierrez’s trip to Beijing for trade talks in December.” (ABA Law Journal News, May 29, 2008)

Cross-Border Transfers

“B.C. civil servant accused of sending personal data to U.S. border guard”

“A B.C. government employee under investigation for an alleged privacy breach is accused of e-mailing personal data about government clients to an American border guard in Washington state.” (BC News, Dec. 19, 2009)

Global Security Initiatives

“European Union: ePrivacy Directive Close to Enactment: Improvements on Security Breach, Cookies, and Enforcement”

“The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules.” (Internet Business Law Services, Dec. 22, 2009)

“In Shift, U.S. Talks to Russia on Internet Security”

“The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.” (NYT, Dec. 13, 2009)

Global Cyber Initiatives

Global Arms Race

“Cyber security the new ‘arms race’” – Van Loan

“I really look at [cybersecurity] almost as the new arms race. There isn’t a day that goes by without someone somewhere trying to breach the Government of Canada’s information systems.” (Public Safety Minister Van Loan, CTV News, May 27, 2009)

June 2009

Privacy vs. Security

“Canadian Airlines Plead with Government to Solve U.S. Security Dilemma”

“Canada’s major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.” (The Canadian Press, Jan. 1, 2010)

GAO Report (2004) on Passenger Screening

“obtaining international cooperation for access to this [passenger screening] data remains a substantial challenge. The European Union has objected to its citizens’ data being used . . . [because it] violates the civil liberties and privacy rights of its citizens.”

Questions?

David Z. Bodenheimer

Crowell & Moring LLP

[email protected]

(202) 624-2713
