Transcript of: INFORMATION SHARING AND EU CYBERSECURITY (DLA Piper webinar)
www.dlapiper.com

INFORMATION SHARING AND EU CYBERSECURITY
Senator Saxby Chambliss, DLA Piper
Matt Shabat, Department of Homeland Security
Giulio Coraggio, DLA Piper

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.
• US participants: 1 800 908 9284
• Outside the US: 212 231 2909
• The audio portion is available via conference call. It is not broadcast through your computer.
*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Speakers
Senator Saxby Chambliss, Partner, Atlanta, DLA Piper, [email protected]
Giulio Coraggio, Partner, Milan, DLA Piper, [email protected], +39 02 80 618 619
Matt Shabat, Director of Performance Management, Office of Cybersecurity & Communications, Department of Homeland Security, [email protected]

Evolution of cyber-risk
• Who are the attackers?
  – Nation states
    – Russia
    – China
    – Iran
    – North Korea, to a lesser extent
  – Common criminals
  – Experimental hackers

What are attackers seeking?
• Financial information
• Classified/proprietary information
• Personal information
• Ransomware
• 2014: 2 prominent attacks

Does the federal government have a role?
• USG (NSA, DHS) is very sophisticated in the world of cyber
• Commonality, i.e., data breach laws
• Only Congress can grant protections

CISA is the first step
• Comprehensive vs. info sharing
• Voluntary vs. mandatory

Liability protection and antitrust exemption
• Only if privacy rules are adhered to
• Private to private; private to USG

Must coordinate with other countries
• Very important to find commonality
• Particularly important to work with our friends

Next USG domestic step
• Data breach
• Encryption

Methods of sharing
• DHS guidelines
• CISA implementation

Cybersecurity Information Sharing Act of 2015
Homeland Security, Office of Cybersecurity & Communications
June 2016

Cybersecurity Act of 2015
• Title 1: Cybersecurity Information Sharing Act of 2015
  – Establishes procedures, privacy protections, liability and other legal protections
• Title 2: National Cybersecurity Advancement
  – Enhances NCCIC’s intrusion detection and prevention capabilities
  – Further defines NCCIC’s information sharing authorities
• Other titles cover
  – Federal cybersecurity workforce assessment
  – DHS mobile device study
  – HHS healthcare sector task force with NIST and DHS
  – Statewide Interoperability Coordinator reporting cybersecurity matters to NCCIC; NCCIC provides analysis and support

Cybersecurity Information Sharing Act of 2015
• Authorizes companies to share cyber threat indicators and defensive measures with each other and with DHS, with liability protection
• Identifies permitted uses of cyber threat indicators and defensive measures
• Authorizes companies to monitor their own information systems and to operate defensive measures on their systems
• Establishes privacy protections required of the sharing entity and the receiving government agency

CISA deliverables
• Four implementation documents:
  – Guidelines for sharing information by the federal government
  – Guidance to companies and non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
  – Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
  – Privacy and civil liberties guidelines
• Secretary of Homeland Security March 17 certification that the automated capability authorized by the Act is operational

CISA deliverables
Guidelines for sharing information by the federal government
  – Summary: Describes the current mechanisms through which the appropriate Federal entities share information with non-Federal entities.
  – Due Date: Final at 60 days (February 16, 2016)

CISA deliverables
Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
  – Summary: Establishes procedures relating to the receipt of certain cyber threat indicators and defensive measures by all Federal entities under CISA. Describes the processes for receiving, handling, and disseminating information that is shared pursuant to CISA, including through operation of the DHS Automated Indicator Sharing capability.
  – Due Date: Interim at 60 days (February 16, 2016); Final at 180 days (June 15, 2016)

CISA deliverables
Guidance to companies and other non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
  – Summary: Provides information to assist non-federal entities who voluntarily elect to share cyber threat indicators with the federal government to do so in accordance with CISA. Assists non-federal entities to identify defensive measures and explains how to share them with federal entities as provided by CISA. Describes the protections non-federal entities receive under CISA.
  – Due Date: Final at 60 days (February 16, 2016); updated June 15, 2016.

Cyber threat indicators and defensive measures

Liability protection
• CISA extends liability protection to private entities for sharing of a cyber threat indicator or defensive measure through the federal government’s capability and process operated by DHS
  – As long as the sharing is conducted in accordance with the Act.
• For more information please see:
  – Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (available at www.us-cert.gov/ais), or
  – Section 106 of CISA

SLTT-specific provisions
• Law enforcement use
  – An SLTT government that receives a cyber threat indicator or defensive measure under CISA may use it for specified purposes, such as a cybersecurity purpose, identifying a cybersecurity threat, identifying a security vulnerability, responding to or preventing/mitigating a specific threat of death, serious bodily harm, serious threat to a minor or serious economic harm, or prosecuting offenses under 18 U.S.C. 1028-1030
• Exemption from disclosure
  – A cyber threat indicator or defensive measure shared by or with an SLTT government, including a component of such government that is a private entity, under CISA is deemed voluntarily shared information and exempt from disclosure under state, tribal or local freedom of information, open government, open records, sunshine or similar laws
• Regulatory authority
  – A cyber threat indicator or defensive measure cannot be used to regulate the lawful activity of a non-federal entity
  – Exception: They may be used, consistent with a regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats, to inform the development or implementation of such regulation

CISA deliverables
Privacy and civil liberties guidelines
  – Summary: Establishes privacy and civil liberties guidelines for the receipt, retention, use, and dissemination of cyber threat indicators by a federal entity obtained in connection with the activities authorized by CISA, consistent with the need to protect information systems from cybersecurity threats, any other applicable provisions of law, and the Fair Information Practice Principles
  – Due Date: Interim at 60 days (February 16, 2016); Final at 180 days (June 15, 2016). Requires review every 2 years

Privacy protections in CISA
• CISA includes various privacy protections for the receipt, retention, use and dissemination of cyber threat indicators
• One main privacy protection requires federal and non-federal entities, prior to sharing, to:
  – Review such cyber threat indicator to assess whether it contains any information not directly related to a cybersecurity threat that such federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and remove such information; or
  – Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

DHS AIS privacy scrub
• Under AIS, DHS will receive cyber threat indicators and defensive measures through the portal in a standard, automated format and apply unanimously agreed upon controls as described in the Section 105(a)(1)-(3) procedures
• DHS will use automated processing for mitigation of remaining personal information risks through schema restrictions, controlled vocabulary, regular expressions (i.e., pattern matching), known good values, and auto-generated text
• Any fields that do not meet certain predetermined criteria defined through the AIS Profile and in the submission guidance will be referred for human review to ensure the field does not contain personal information of specific individuals or information that identifies specific individuals not directly related to the cybersecurity threat
• When a field within a cyber threat indicator or defensive measure is referred for human review, DHS will still transmit the fields that do not require human review to the appropriate Federal entities without delay
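The "technical capability configured to remove" personal information required by CISA, and the field-level scrub DHS describes for AIS (schema restrictions, controlled vocabulary, regular expressions, known-good values, auto-generated text, with everything else routed to a human while the remaining fields are forwarded without delay), can be illustrated with a small Python model. This is an added example written for this page, not DHS or AIS code: the field names, vocabularies, patterns and sample indicators are all constructed assumptions, and a real deployment would derive them from the AIS Profile and submission guidance rather than from this script.

```python
"""Field-level privacy scrub for inbound threat indicators.

Illustrative model of the AIS approach described above, not DHS code.
Every field of an indicator must pass a predetermined, automatable check;
fields that pass are forwarded immediately, fields that do not (free text,
unknown fields, malformed values) are held for human review. Free text is
where personal information of specific individuals tends to hide, so it is
only forwarded automatically when it matches known-good auto-generated text.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Controlled vocabularies (constructed for this example).
INDICATOR_TYPES = {"ipv4-addr", "domain-name", "file-hash-sha256"}
TLP_MARKINGS = {"WHITE", "GREEN", "AMBER", "RED"}

# Regular expressions (pattern matching) for structured value fields.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

# Known-good, auto-generated description strings. Anything else is free text.
KNOWN_GOOD_DESCRIPTIONS = {
    "Observed in phishing campaign",
    "Observed in malware command-and-control traffic",
}


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _value_ok(indicator_type, value: str) -> bool:
    # The value check depends on the declared type; an unknown type fails.
    if indicator_type == "ipv4-addr":
        return _is_ipv4(value)
    if indicator_type == "domain-name":
        return bool(DOMAIN_RE.match(value))
    if indicator_type == "file-hash-sha256":
        return bool(SHA256_RE.match(value))
    return False


# Schema restriction: the only fields an indicator may carry, each with the
# check it must pass to be forwarded without human review.
FIELD_CHECKS = {
    "type": lambda ind, v: v in INDICATOR_TYPES,
    "value": lambda ind, v: _value_ok(ind.get("type"), v),
    "tlp": lambda ind, v: v in TLP_MARKINGS,
    "observed_at": lambda ind, v: bool(TIMESTAMP_RE.match(v)),
    "description": lambda ind, v: v in KNOWN_GOOD_DESCRIPTIONS,
}


@dataclass
class ScrubResult:
    forwarded: dict = field(default_factory=dict)        # sent on without delay
    held_for_review: dict = field(default_factory=dict)  # referred to a human


def scrub(indicator: dict) -> ScrubResult:
    """Split one indicator into fields that may be forwarded and fields held."""
    result = ScrubResult()
    for name, value in indicator.items():
        check = FIELD_CHECKS.get(name)
        # Fields outside the schema, non-string values and values failing their
        # check are never forwarded automatically.
        if check is None or not isinstance(value, str) or not check(indicator, value):
            result.held_for_review[name] = value
        else:
            result.forwarded[name] = value
    return result


# Constructed sample submissions (not real indicators).
SAMPLE_CLEAN = {
    "type": "ipv4-addr",
    "value": "203.0.113.7",
    "tlp": "GREEN",
    "observed_at": "2016-06-01T12:00:00Z",
    "description": "Observed in phishing campaign",
}
SAMPLE_FREE_TEXT = {
    "type": "domain-name",
    "value": "malicious.example",
    "description": "Reported by jane.doe@example.com from her workstation",
    "analyst_notes": "call the on-site contact on 555-0100",
}

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_FREE_TEXT):
        r = scrub(sample)
        print("forwarded:", r.forwarded)
        print("held for review:", r.held_for_review)
```

Note that the second sample still has its `type` and `value` forwarded even though its description and an unknown `analyst_notes` field are held, which is the behaviour the slide describes: referral of one field for review does not delay the fields that pass.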

CISA capabilities
• Automated real-time capability: Automated Indicator Sharing (AIS)
  – Uses the Structured Threat Information eXpression (STIX) standard (XML format with a series of machine-readable fields) and the Trusted Automated eXchange of Indicator Information (TAXII) protocol
• Web form and email options
  – www.us-cert.gov/ais
• Privacy scrub

Automated Indicator Sharing

How to sign up for AIS
1. Sign and return the appropriate participation agreement
  – Terms of use (non-federal entities)
  – Multilateral Information Sharing Agreement (for federal agencies)
2. Next, have something that can talk TAXII
  – You can use the DHS TAXII client, an open source implementation, or purchase a commercial solution
3. Sign an Interconnection Security Agreement to document the connection and capture relevant security information
4. Finally, we exchange certificates and you give us the IP you’re coming from so it can get whitelisted

DHS Office of Cybersecurity & Communications contact information
• For more information:
  – www.DHS.gov/AIS
  – www.us-cert.gov/AIS
• Additional questions?
• Matt Shabat
  Director of Performance Management
  Office of Cybersecurity & Communications
  703-235-5338

What is the EU approach to cybersecurity?
• Better defence
• Contribution from the private sector
• Increased cyber security capabilities
• Enhancing cooperation between Member States

Upcoming adoption of the Network and Information Security Directive

General Data Protection Regulation is a revolution on privacy compliance…
Put May 25, 2018 on your calendar

It applies wherever you are located

Sets stringent security obligations
• Data Protection Officer
• Security by design
• Adequate security measures

And in case of data breach…

The potential sanctions are massive
of the global turnover
New accountability principle…

Public-private partnership (cPPP)
• Public Consultation
• Technical Standards

Questions?
• Contact us to learn more
Senator Saxby Chambliss, Partner, Atlanta, DLA Piper, [email protected]
Giulio Coraggio, Partner, Milan, DLA Piper, [email protected], +39 02 80 618 619
Matt Shabat, Director of Performance Management, Office of Cybersecurity & Communications, Department of Homeland Security, [email protected]