THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY


2 The 411 on Cybersecurity

DISCLAIMER

Views expressed in this presentation are not necessarily those of our respective Departments

Any answers to questions are our own opinions and not those of our respective Departments

3 The 411 on Cybersecurity

AGENDA

The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

4 The 411 on Cybersecurity

OVERVIEW

• Increasingly skilled cyber threats

• Variety of malicious actions

• Attempts to penetrate USG from:

– Outside

– Inside

– Within our IT capabilities

• Potential theft of classified info

• Theft of intellectual property

• Threat to national security

5 The 411 on Cybersecurity

OVERVIEW

6 The 411 on Cybersecurity

AGENDA

• The Cybersecurity Threat in 2013

Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

7 The 411 on Cybersecurity

[Figure: U.S. Government cybersecurity organization, shown as four domains: National Security; Federal Civilian Networks; Critical Infrastructure; Commercial / Non-Critical Infrastructure]

UNDERSTANDING THE THREAT

8 The 411 on Cybersecurity

UNDERSTANDING THE THREAT

U.S. Critical Infrastructure

9 The 411 on Cybersecurity

US-CERT MISSION

• Lead efforts to improve the Nation’s cybersecurity posture

• Coordinate cyber information sharing

• Proactively manage cyber risks to the Nation

• All while protecting the constitutional rights of Americans.

10 The 411 on Cybersecurity

US-CERT MISSION

• Analyze, reduce impact of threats & vulnerabilities,

• Disseminate warning information,

• Coordinate to achieve shared situational awareness

• Provide response & recovery support for national assets

• Advise on national-level cybersecurity policy and guidance.

[Figure: US Computer Emergency Readiness Team organization chart: Operations; Operations Coordination & Integration; Future Operations; Incident Management]

11 The 411 on Cybersecurity

RESPONSE AND ASSISTANCE

Dedicated teams provide technical assistance at the right level of subject matter expertise, including:

• Digital Media & Malware Analysis

• Defensive Analysis

• Mitigation Strategy Development

• Threat/Attack Vector Analysis

• Vendor Analysis Coordination

12 The 411 on Cybersecurity

SHARED

SITUATIONAL AWARENESS

US-CERT develops information sharing products on a scheduled and as-needed basis. US-CERT also develops and distributes analytical information notices specific to its communities of interest.

13 The 411 on Cybersecurity

NCAS: NATIONAL

CYBER AWARENESS SYSTEM

A cohesive national cybersecurity system for identifying, analyzing, and prioritizing emerging vulnerabilities and threats

• Current Activity

• Cyber Security Alerts

• Cyber Security Tips

• Cyber Security Bulletins

14 The 411 on Cybersecurity

SHARED SITUATIONAL AWARENESS

15 The 411 on Cybersecurity

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

EINSTEIN – a Public Sector Response

• Policy Responses

• Public-Private Partnerships

• Policy Challenges

16 The 411 on Cybersecurity

EINSTEIN MONITORING

EINSTEIN Network Analysts monitor sensor outputs to conduct network security analysis, which can lead to operational restoration and remediation.

17 The 411 on Cybersecurity

KEY EINSTEIN CAPABILITIES

• EINSTEIN 1 (E1): Flow Collection – initial analytics and information sharing capabilities

• EINSTEIN 2 (E2): Intrusion Detection – improved sensors to identify malicious activity

• EINSTEIN 3A (E3A): Intrusion Prevention – improved protection to prevent malicious activity

18 The 411 on Cybersecurity

FAIR INFORMATION PRACTICE PRINCIPLES

19 The 411 on Cybersecurity

EINSTEIN PRIVACY PROTECTIONS

• Minimization of data collection

• Limitation of uses to cyber threats

• Restrictions on info sharing and use

• Privacy cybersecurity webpage – transparency of cyber strategy & initiatives

• Compliance Review by DHS Privacy Office
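The three EINSTEIN tiers listed above (flow collection, intrusion detection, intrusion prevention) and the privacy protections on this slide (minimization of data collection, limitation of uses to cyber threats, restrictions on sharing) can be illustrated together in a small model. The following is an added example written for this transcript; it is not code from the presentation, from DHS or from the EINSTEIN program. The packet records, the indicator prefix (a documentation range), the agency address space, and every function name are constructed assumptions.

```python
"""Added example (not from the presentation): a toy model of flow collection (E1),
indicator-based detection (E2), a prevention decision (E3A), and data minimization
applied to the resulting sharing product. All names and data are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample packets: (src, dst, dst_port, proto, payload_len, payload).
# Payloads are included only to show that the flow collector never keeps them.
SAMPLE_PACKETS = [
    ("10.1.1.5", "203.0.113.9", 443, "tcp", 1200, b"GET /index.html ..."),
    ("10.1.1.5", "203.0.113.9", 443, "tcp", 900, b"..."),
    ("10.1.1.7", "198.51.100.77", 80, "tcp", 300, b"POST /upload name=jane.doe@example.gov"),
    ("10.1.1.7", "198.51.100.77", 80, "tcp", 300, b"..."),
    ("10.1.2.3", "192.0.2.44", 53, "udp", 80, b"dns query"),
]

# Constructed indicator list (hypothetical "known bad" destination prefix) and
# the constructed agency address space the sensor is deployed in front of.
THREAT_INDICATORS = [ip_network("198.51.100.0/24")]
AGENCY_NET = ip_network("10.0.0.0/8")

FlowKey = Tuple[str, str, int, str]  # (src, dst, dst_port, proto)


def collect_flows(packets) -> Dict[FlowKey, dict]:
    """E1-style flow collection: aggregate packets into per-flow records.
    Data minimization: only the flow key and counters are retained; the payload
    (which may contain PII) is discarded at the point of collection."""
    flows: Dict[FlowKey, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, dport, proto, nbytes, _payload in packets:
        key = (src, dst, dport, proto)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += nbytes
    return dict(flows)


def detect(flows) -> List[dict]:
    """E2-style intrusion detection: flag agency-originated flows whose
    destination falls inside an indicator-listed prefix."""
    alerts = []
    for (src, dst, dport, proto), stats in flows.items():
        if ip_address(src) in AGENCY_NET and any(ip_address(dst) in n for n in THREAT_INDICATORS):
            alerts.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                           "bytes": stats["bytes"]})
    return alerts


def prevention_decision(flows) -> Dict[FlowKey, str]:
    """E3A-style intrusion prevention: a per-flow 'block' / 'allow' decision,
    driven only by the cyber-threat match (limitation of use)."""
    flagged = {(a["src"], a["dst"], a["dport"], a["proto"]) for a in detect(flows)}
    return {key: ("block" if key in flagged else "allow") for key in flows}


def minimized_share(alerts) -> List[dict]:
    """Information-sharing product: restrict fields to what the cyber-threat purpose
    needs. The internal source address is dropped before anything leaves the agency."""
    return [{"dst": a["dst"], "dport": a["dport"], "proto": a["proto"]} for a in alerts]


if __name__ == "__main__":
    flows = collect_flows(SAMPLE_PACKETS)
    alerts = detect(flows)
    print("flows:", flows)
    print("alerts:", alerts)
    print("decisions:", prevention_decision(flows))
    print("shared:", minimized_share(alerts))
```

The ordering matters for the privacy point: payload is dropped in `collect_flows`, before detection runs, so no later stage can retain it, and `minimized_share` strips internal addressing before an alert becomes a sharing product.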

20 The 411 on Cybersecurity

DHS ADMINISTRATIVE PRIVACY PROTECTIONS

• MOA with each participating Agency

• Notice to users:

– computer banners

– privacy policies

– published compliance documentation

• Standard Operating Procedures for PII

• Collaboration w/CPOs/CLOs, NSS, EOP

• Training and awareness workshops on cybersecurity and privacy – open to federal employees, contractors

21 The 411 on Cybersecurity

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

Policy Responses

• Public-Private Partnerships

• Policy Challenges

22 The 411 on Cybersecurity

MECHANISMS

• Executive Branch actions

• Legislation

• Public-private partnerships

23 The 411 on Cybersecurity

ADMINISTRATION

CYBERSECURITY PROPOSAL

• Released in 2011

• Critical infrastructure focus

• DHS regulatory authority

• Liability limitations for information sharing

24 The 411 on Cybersecurity

EXECUTIVE ORDER “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY”

• Signed on Feb. 12, 2013

• Main provisions:

– Cyber threat information sharing

– Framework for cybersecurity standards, methodologies, procedures, processes

– Program to coordinate sectors, provide incentives

25 The 411 on Cybersecurity

PRIVACY SAFEGUARDS

• Agencies apply FIPPs to EO activities

• DHS to assess, report on, minimize or mitigate privacy risks in EO activities

26 The 411 on Cybersecurity

LEGISLATION: EXPANDING INFORMATION SHARING

• Information sharing supported by liability limitations

• SECURE IT (S. 2151)

– No movement in Senate

• CISPA (H.R. 3523)

– Passed House; Administration threatened veto

– Reintroduced in 113th Congress

27 The 411 on Cybersecurity

LEGISLATION:

CYBERSECURITY ACT OF 2012

• S. 2105 / S. 3414

• Information sharing through liability limitations

– Use limitations on USG-held data

• Best practices coordinated through National Cybersecurity Council

28 The 411 on Cybersecurity

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

Public-Private Partnerships

• Policy Challenges

29 The 411 on Cybersecurity

PUBLIC-PRIVATE PARTNERSHIPS

What is the Dept of Commerce doing to advance cybersecurity in the private sector?

• Voluntary consensus standards and practices

• Working through NIST

• Other bureau and agency involvement in consensus-based practices

30 The 411 on Cybersecurity

PUBLIC-PRIVATE PARTNERSHIPS

• Cybersecurity education and centers of excellence

• Smart Grid Interoperability Panel

• National Strategy for Trusted Identities in Cyberspace

31 The 411 on Cybersecurity

AGENDA

• The Cybersecurity Threat in 2013

• Public v. Private Sector Threats

• EINSTEIN – a Public Sector Response

• Policy Responses

Public-Private Partnerships

• Policy Challenges

32 The 411 on Cybersecurity

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

• Census and other statistical data

– Disclosures to respondent

– Administrative burden

• Possible strategies?

– Use of enclaves

– Designating “agents”

– Others

33 The 411 on Cybersecurity

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

Subject matter confidentiality

• FERPA

• “Part 2” (substance abuse treatment)

• Welfare Reform

– Domestic violence

– Asylees & refugees

• Other specific confidentiality statutes?

34 The 411 on Cybersecurity

POLICY CHALLENGES:

STATUTORY RESTRICTIONS

• Possible solutions for subject-matter confidentiality statutes?

– Limitation on authority to obtain info

– Limitation on uses to cybersecurity

– Limitation on secondary disclosures

• Do these pose problems for security or law enforcement?

35 The 411 on Cybersecurity

POLICY CHALLENGES:

LAW ENFORCEMENT NEEDS

• Grand Jury Secrecy

• Witness Protection information

• Prisoner Population

• Are similar solutions appropriate as for other confidential information?

36 The 411 on Cybersecurity

POLICY CHALLENGES:

COMMERCIAL INFORMATION

• Trade Secrets Act

• Intellectual property protections

• Procurement Information

• Confidential commercial info under FOIA (b)(4) and EO 12666?

• Are similar solutions appropriate as for other confidential information?

37 The 411 on Cybersecurity

POLICY CHALLENGES:

WHY DIDN’T WE MENTION…

• The Privacy Act of 1974?

• The HIPAA Privacy Rule?

• Are there other statutes in the same category?

38 The 411 on Cybersecurity

POLICY CHALLENGES:

JURISDICTIONAL ISSUES

Multiple agencies have jurisdiction

• DHS

• Intelligence Community

• Cabinet agencies for their sectors

• White House/National Security Staff (coordination role)

39 The 411 on Cybersecurity

KEY TAKEAWAYS

• The cyber threat is real and urgent

• U.S. Government is working hard, partnering to address challenges

• Complex technical, legal, policy, and organizational issues

• No easy fixes

40 The 411 on Cybersecurity

RESOURCES

• White House

– Administration’s Privacy Blueprint: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

– Executive Order #________ “Improving Critical Infrastructure Cybersecurity” (Feb 12, 2013) http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

• Commerce

– NSTIC FIPPs: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

• 112th Congress

– S. 2151: http://thomas.loc.gov/home/gpoxmlc112/s2151_is.xml

– S. 3414: http://thomas.loc.gov/home/gpoxmlc112/s3414_pcs.xml

– H.R. 3523: http://thomas.loc.gov/home/gpoxmlc112/h3523_eh.xml

• 113th Congress: TBD

41 The 411 on Cybersecurity

RESOURCES

• DHS

– DHS US-CERT: http://www.us-cert.gov/

– DHS Privacy Office: http://www.dhs.gov/topic/privacy

– DHS Cybersecurity: http://www.dhs.gov/cybersecurity

• HHS

– “Part 2” Substance Abuse Treatment Confidentiality, 42 USC § 290dd-2, regulations at 42 CFR Part 2: http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf

– HIPAA Privacy Rules, 45 CFR §§ 160 & 164: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

– Child Support Information: Social Security Act § 453(j), codified at 42 USC 653(j): http://www.socialsecurity.gov/OP_Home/ssact/title04/0453.htm

42 The 411 on Cybersecurity

RESOURCES

• FBI

– Economic Espionage Act: http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage

• Education

– Family Educational Rights & Privacy Act (FERPA): http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

• Confidential Information Protection and Statistical Efficiency Act (CIPSEA), Title V of the E-Government Act of 2002 (Pub. L. 107–347, 44 USC § 101): http://www.eia.gov/oss/CIPSEA.pdf

• The Privacy Act of 1974 (Pub. L. 93-579, 5 USC 552a): http://www.justice.gov/opcl/privstat.htm