Cybersecurity: What Does a Breach Mean to Your Job, Identity or Security?
(Slide deck transcript, posted 2012. 4. 9.)

Cyber Contrarians
Why Cyber Contrarians are Clueless
“The $100 billion Washington will spend on cybersecurity in the next decade may be less about guarding America from a real threat, and more about enriching revolving-door lobbyists and satisfying pork-hungry politicians.”
“‘The notion that our power grid, air traffic control system, and financial networks are rigged to blow at the press of a button would be terrifying if it were true,’ Brito and Watkins write. ‘But fear should not be a basis for public policymaking. The public has been given no substantive basis for such fears.’” [Carney, The Washington Examiner (Apr. 28, 2011)]
“The Chinese are relentless and don’t seem to care about getting caught. And we have seen Chinese network operations inside certain of our electricity grids. Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do.”
(Joel Brenner, head of U.S. Office of National Counterintelligence Executive, Apr. 21, 2009)
“Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
‘The Chinese have attempted to map our infrastructure, such as the electrical grid,’ a senior intelligence official. ‘So have the Russians.’”
• 40,000 Hackers: “There are forty thousand Chinese hackers who are collecting intelligence off U.S. information systems and those of our partners.” (Adm. McConnell, Jan. 2008)
China Cyber Dominance
“According to its ‘Cyber Warfare Doctrine,’ China’s military strategy is designed to achieve global ‘electronic dominance’ by 2050, to include the capability to disrupt financial markets, military and civilian communications capabilities, and the electric grid prior to the initiation of traditional military operations.”*
*Securing the Modern Electric Grid from Physical and Cyber Attacks: House Homeland Security Subcomm. (July 21, 2009)
• Daily Attacks. “A defence force source said yesterday that attacks initiated from China occurred almost on a daily basis” (Australian Defense Force, Apr. 2009)
• Classified Data Compromised. “a China-based cyber espionage network had accessed 1200 computers in 103 countries containing classified documents.” (Munk Centre for Int’l Studies, Apr. 2009)
Grid Attack > $700 Billion
FERC Warning: $700 Billion Threat
“greater than the August 2003 blackout”
“For a society that runs on power, the discontinuity of electricity to chemical plants, banks, refineries, hospitals, and water systems presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion.”
262 Million Breaches (2009)
Compromised Personal Records (’09)
“2008 Data Breach Total Soars: 47% Increase over 2007” Identity Theft News (Identity Theft Daily, Jan. 5, 2009)
Records with sensitive personal information involved in security breaches in the U.S. since January 2005: 262,442,156 records (Privacy Rights Clearinghouse, June 11, 2009)
“Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.” (President Obama, May 29, 2009)
514 Million Breaches (2011)
271 Million Records Exposed Since June 2009
Records with sensitive personal information involved in security breaches in United States since January 2005:
533,686,975 records (June 4, 2011)
262,424,592 records (June 4, 2009)
[www.privacyrights.org]
“According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.”
Cyber Risks – Shareholders
Security Problem
- Risking personal data
Impact
Shareholder or private suits
“Cyber risk management is a critical corporate responsibility. Federal securities law requires publicly traded companies to disclose ‘material’ risks and events, including cyber risks and network breaches. A review of past disclosures suggests that a significant number of companies are failing to meet these requirements.” [News Release, May 12, 2011]
$20 Million Suit. Countrywide’s lax
Sony Breach – 101 Million
“In addition to losing an estimated revenue stream of $10 million a week, Sony will probably have to reimburse customers who pay for its premium service, rebuild its computer systems and beef up security measures, said Michael Pachter, an analyst with Wedbush Securities who said the incident could cost the company $50 million.” [L.A. Times, Apr. 28, 2011]
Stock-Price Hit. “Sony fell 2.3 percent to 2,262 yen” after security breach of 101 million records. [Bloomberg News (May 6, 2011)]
$6.75 Million/Incident. “average cost per incident of a data breach” in U.S. [Sen. Comm. Hearings, Sept. 2010]
Cyber Risks – Lost IP
2x Library of Congress
“As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Sheldon Whitehouse (May 10, 2010)]
“Greatest Damage.” “The greatest damage to the American economy from cyber attacks is due to massive thefts of business information.” [Scott Borg (Dir., U.S. Cyber Consequences Unit)]
$400 Million Theft. “A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million.” [President Obama, 2009]
“PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”
Cyber Risks – Suspension
Security Problem
- Misuse of DoD data
Impact
Suspension
Loss of $5B Contract
L-3 Trips as Lockheed Snatches $5 Billion Contract
“A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL).
L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”
“But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.”
Cyber Risks – Acquisitions
Security Problem
- Security as selection factor
Impact
Lost Government work
Major legislation & agency actions to make cybersecurity a significant factor in federal acquisitions
Senate & House legislation
President’s proposals
Agency competitions
RFP Requirements
“The proposal will be evaluated for an effective plan and timeline to meet the DoD DIACAP documentation requirements within allowed timeframes.”
Cyber Risks – Protests
Security Problem
- Multiple security breaches
Impact
Protests
“However, the USAJOBS screenshot, memoranda from OPM and OMB discussing the Government’s policy on safeguarding social security numbers, and the three sets of internet articles discussing Monster’s past security breaches ensure the completeness of the administrative record and shall be admitted.”
Allied Tech. Group v. U.S. (Fed. Cl. 2010)
Monster Hackers Also Hit USAJobs.gov (Aug. 31, 2007)
“It now appears that Monster.com knew about a breach of its systems almost a month before Symantec told Monster of a massive phishing operation targeting Monster.com users. That long of a lag is ‘inexcusable,’ said W. David Stephenson, a homeland security and corporate crisis management consultant, ‘after the legacy of past problems.’”
Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)
False statement risk
Criminal exposure “criminal investigation”
“fraudulent statement”
Cyber Risks – State Actions
Florida AG vs. Certegy
• 5.9 million records stolen
• Florida Safeguards Rule
• Info Security Program
– Designate accountable staff
– Assess risks
– Implement safeguards
• $850,000 Fine to AG
• $125,000 to Seniors Group
• Annual Security Report
• 5-Year Scrutiny
Cyber Risks – State Actions
Conn. AG Action
• Stolen computer drive
• 1.5 million medical & financial records (500,000 Conn. residents)
• Added Information Security Safeguards
• $250,000 to Conn. AG
• $1 million of ID theft insurance
• 2-year credit monitoring
Another Conn. AG Action
Connecticut AG to Lead Coalition of States Investigating Google
WiFi Data Collection (Privacy Law Watch, June 24, 2010)
“The Connecticut Attorney General’s Office will lead a coalition of a ‘significant number of states’ in investigating Google Inc.’s collection of data from unsecured wireless internet connections, AG Richard Blumenthal (D) said in a June 21 statement.”