THERE’S A CRIPPLING CYBERSECURITY ATTACK COMING YOUR WAY! Is Our Coordinated Response Ready to Stop It? Brian Dickard, Director – Enterprise Risk Management, First Data
Aug 06, 2015
2
Introduction
The threat is real and sophisticated
The damage could be catastrophic
Our current ability to mount a coordinated response is limited
It doesn’t have to be this way!
3
Top Threats to the USA
1. Terrorism: we are still a huge target
2. Cyber attack: especially against critical infrastructure
3. Still-weak US economy: no buffer in monetary policy
4. Large nation states: will seek territorial expansion
5. Climate change
Source: 2014 RSA Archer GRC Summit, Gen. Wesley Clark keynote address
4
Is Anyone Else Concerned?
Worldwide survey of security professionals:
Do you expect a cyberattack to strike your organization in 2015? Yes = 48% (the ISACA "State of Cybersecurity" survey reported Very Likely and Likely at a combined 83%)
Do you think cyberattacks are among the three biggest threats facing organizations today? Yes = 83%
Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)
5
Is Anyone Else Concerned?
On a national level, what are you concerned about? 95% concerned about a cyberattack, physical attack or both
Is your organization prepared for a sophisticated cyberattack? Combined No and Unsure = 61%
Do you believe there is a shortage of skilled cybersecurity professionals? Yes = 86%
Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)
6
The Threat is Real
Nation-states (Russia, China, Iran) are more than willing to steal or destroy US digital property
Non-state actors (Hamas or Hezbollah) have demonstrated advanced cyberattack methods
US companies estimate $250 billion in IP losses alone each year
Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
7
Cyber Threat Tiers
Cyber crime: e.g. identity theft; tens of billions of dollars in losses each year
Cyber espionage: e.g. stealing military secrets; trillions of dollars' worth of IP of US national security interest stolen to date
Cyber warfare: impairing critical infrastructure as a stand-alone attack, or in connection with a kinetic attack
9
American Blackout
Day 1: Nationwide rolling blackout initiated by a coordinated cyberattack. Widespread traffic gridlock within hours in metro areas. Gas stations and ATMs no longer work.
Day 2: Grid engineers report widespread physical grid damage inflicted. US work force unable to work; billions in immediate negative economic impact. Citizens advised to shelter in place.
10
American Blackout
Day 3: No more running water or functioning toilets. US food distribution network shuts down. Remaining functional gas stations and grocery stores close as stock sells out. Sporadic food and water riots break out. National state of emergency declared (dusk to dawn curfew). All US banks and financial markets remain closed. Widespread criminal activity breaks out.
Day 4: Federal government takes over food, water and gas supply distribution. Riots more widespread. Veneer of civilized behavior starting to fray.
11
American Blackout
Day 5: Candles and generators cause widespread house fires (no water to contain them). Generators at emergency and communication facilities start to run out of fuel.
Day 6: Red Cross camps stay open but are limited and overwhelmed. Hospitals treating emergencies only. FEMA/military supervision of infrastructure increases. Gang violence widespread.
12
American Blackout
Day 8: President requests international aid. Death toll from civil unrest rising. Martial law imminent.
Day 9: US allies unleash massive aid delivery. Grid engineers close to limited power restoration.
Day 10: Widespread power restored; specific source of the attack still not identified; no claim of responsibility.
13
Fallout
Conservative projections: tens of thousands dead from civil unrest alone; hundreds of billions in economic impact; physical grid repair will take years
Real-life comparison: the 2003 two-day blackout in 8 northeastern US states; 50 million people impacted, 11 deaths, $10 billion in economic impact
Watch: https://www.youtube.com/watch?v=FYoXxVnTePA
14
Farfetched?
A USA Today study found that once every four days part of the US power grid is hit with a cyber or physical attack
Trend Micro survey of 575 companies or agencies maintaining critical infrastructure: 40% have faced malicious attacks seeking to shut down networks; 44% attacks seeking to delete files; 54% attempted control system takeovers
Source: Reuters
Some of this is advance reconnaissance and planting of malware for future use
15
State of Prevention and Response
Federal Legislation
Private Industry
The Attackers
Issues and Concerns
16
Federal Legislative History
Cyberspace Policy Review (2009): executive branch report that encouraged information sharing and coordinated incident response
Cybersecurity Legislative Proposal (2011): national breach reporting; lots of debate, little action
International Strategy for Cyberspace (2011): "let's all play nice"
17
Federal Legislative History
Cyber Intelligence Sharing and Protection Act of 2012: provide for sharing of cyber threat intelligence; passed House, stalled in Senate
Senate Cybersecurity Act of 2012: similar info sharing provisions plus protection of critical infrastructure; voted down by Senate Republicans
18
Federal Legislative History
2013 Executive Order: Improving Critical Infrastructure Cybersecurity; continued inaction in Congress
2015 Executive Order: Cybersecurity Legislative Proposal with info sharing and liability limits; Cyber Threat Intelligence Integration Center (CTIIC) created under the Office of the Director of National Intelligence
19
Recently Enacted Legislation
Cybersecurity Enhancement Act of 2014: voluntary public-private partnership to improve cybersecurity
National Cybersecurity Protection Act: established the National Cybersecurity and Communications Integration Center (NCCIC)
Cybersecurity Workforce Assessment Act: DHS directed to conduct an assessment every three years
Source: ISACA Cybersecurity Legislation Watch Center
20
Modernizing Law Enforcement
Update the Computer Fraud and Abuse Act: active prosecution for intentional attacks; revisit Patriot Act provisions
April 2015: national emergency declared to impose sanctions on entities that pose a cyber threat (freeze assets; block potential attacks); includes stealing IP and fraud
21
Private Industry - Any Better?
Critical infrastructure largely privately owned and operated
March 2015: joint letter to Congress urging new legislation, signed by Lockheed Martin, Microsoft, Morgan Stanley and Ford; did not sign: Apple, Google, Facebook
22
Private Industry - Any Better?
Facebook: “ThreatExchange”
Participants: Bitly, Dropbox, Facebook, Pinterest, Tumblr, Twitter, Yahoo
Share cyber threat information with strict controls on content sharing and data privacy
23
How About This One?
“Google Threatens to Air Microsoft and Apple’s Dirty Code” – Bloomberg Feb. 2015
"Project Zero" identified 39 critical vulnerabilities in Apple products, 20 in Microsoft products, 37 in Adobe products and 22 in the FreeType font library
Policy: publish software vulnerabilities unless they are patched within 90 days
24
Cybersecurity Insurance
Participate in NCCIC/CTIIC or purchase cybersecurity event insurance?
Insurance purchases increased 32% in 2014 (Source: Business Insurance)
Issue: Can’t find enough underwriters
25
Cybercriminal Element
Waiting for legislated information sharing?
Growing more bold and sophisticated
They don't care about your privacy or constitutional rights, or your financial or emotional well-being
26
Issues and Concerns
Should business wait or proceed on their own?
Is legislation the right approach given the threat?
Will info sharing expand government surveillance? NSA reforms needed; should Patriot Act provisions be extended?
27
Issues and Concerns
Data breach notification: What do you think of the US President's proposal to require companies to notify customers within 30 days of a data breach? 76% agree or strongly agree
What do you think the greatest challenge companies would face if they needed to notify consumers of a data breach? 55% = concern over corporate reputation
Source: ISACA 2015 Global Security Status Report
28
Issues and Concerns
Audits of critical infrastructure and industrial automation systems – mandatory with state or federal oversight?
Implications of “safe harbor” provisions – should meeting a specific level of preparedness exempt you from breach liability?
Should participation in information sharing forums give you liability protection?
29
Issues and Concerns
Can companies be sued for violating data privacy or anti-trust provisions if they share information for cybersecurity purposes?
Cyber self-defense (counterattacks): should the government limit the extent of countermeasures?
30
Key Components of Effective Legislation
Enabling information sharing instead of mandating it
Encouraging the development of a viable cybersecurity liability and insurance system
Creating a private-sector structure that fosters cyber-supply-chain security ratings
Defining limited cyber self-defense standards for industry
Source: The Heritage Foundation - A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
31
Key Components of Effective Legislation
Advocating for more private-sector efforts to promote general awareness, education, and training across America
Reforming science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce within industry and government
Leading responsible international cyber engagement
Source: The Heritage Foundation - A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
32
Bills Worth Watching
USA Freedom Act
Cyber Privacy Fortification Act (HR 104)
Cyber Intelligence Sharing and Protection Act (HR 234)
Federal Exchange Data Breach Notification Act (HR 555)
Data Accountability and Trust Act (HR 580)
Commercial Privacy Bill of Rights Act (HR 1053)
Protecting Cyber Networks Act (HR 1560): passed House on April 23
Source: ISACA Cybersecurity Legislation Watch Center
33
Bills Worth Watching
National Cybersecurity Protection Advancement Act (HR 1731)
Secure Data Act (S 135)
Data Security and Breach Notification Act (S 177)
Cyber Threat Sharing Act (S 456)
Commercial Privacy Bill of Rights Act (S 547)
Cybersecurity Information Sharing Act (S 754)
Source: ISACA Cybersecurity Legislation Watch Center
34
Call to Action
ISACA Cybersecurity Legislation Watch Center: http://www.isaca.org/cyber/Pages/cybersecuritylegislation.aspx
2015 Global Cybersecurity Status Report: http://www.isaca.org/pages/cybersecurity-global-status-report.aspx
State of Cybersecurity: Implications for 2015: http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf (presented in conjunction with the RSA Conference)
35
Call to Action
ISACA / ISSA sponsorship with member advocacy and involvement:
National Strategic Risk Policy
Global Cyber Governance Framework
NIST Cybersecurity Framework: is there enough active involvement from ISACA beyond supplying COBIT 5 as a reference model?
36
Call to Action
Get involved on a company, community, state and federal level
Encourage your company to participate in the private and government-sponsored cybersecurity information sharing forums
Lobby your congressional representatives for responsible legislation; enablers not absolutes