THERE’S A CRIPPLING CYBERSECURITY ATTACK COMING YOUR WAY! Is Our Coordinated Response Ready to Stop It? Brian Dickard, Director – Enterprise Risk Management, First Data

There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?

Aug 06, 2015

Page 1: There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?

THERE’S A CRIPPLING CYBERSECURITY ATTACK COMING YOUR WAY!

Is Our Coordinated Response Ready to Stop It?

Brian Dickard, Director – Enterprise Risk Management, First Data

Page 2

Introduction

The threat is real and sophisticated

The damage could be catastrophic

Our current ability to mount a coordinated response is limited

It doesn’t have to be this way!

Page 3

Top Threats to the USA

1. Terrorism: we are still a huge target

2. Cyber Attack: especially to critical infrastructure

3. Still Weak US Economy: no buffer in monetary policy

4. Large Nation States: will seek territorial expansion

5. Climate Change

Source: 2014 RSA Archer GRC Summit, Gen. Wesley Clark keynote address

Page 4

Is Anyone Else Concerned?

Worldwide Survey of Security Professionals:

Do you expect a cyberattack to strike your organization in 2015? Yes = 48%
(The ISACA “State of Cybersecurity Survey” reported Very Likely and Likely at a combined 83%)

Do you think cyberattacks are among the three biggest threats facing organizations today? Yes = 83%

Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)

Page 5

Is Anyone Else Concerned?

On a national level, what are you concerned about? 95% concerned about a cyberattack, physical attack or both

Is your organization prepared for a sophisticated cyberattack? Combined No and Unsure = 61%

Do you believe there is a shortage of skilled cybersecurity professionals? Yes = 86%

Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)

Page 6

The Threat is Real

Nation-states (Russia, China, Iran) are more than willing to steal or destroy US digital property

Non-state actors (Hamas or Hezbollah) have demonstrated advanced cyberattack methods

US companies estimate $250 billion in IP losses alone each year

Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace

Page 7

Cyber Threat Tiers

Cyber Crime: e.g. identity theft – tens of billions in losses each year

Cyber Espionage: e.g. stealing military secrets – trillions in US national security interest IP has been stolen to date

Cyber Warfare: impair critical infrastructure as a stand-alone attack, or in connection with a kinetic attack

Page 8

A Scary Scenario

Page 9

American Blackout

Day 1: Nationwide rolling blackout initiated by a coordinated cyberattack
Widespread traffic gridlock within hours in metro areas
Gas stations and ATMs no longer work

Day 2: Grid engineers report widespread physical grid damage inflicted
US work force unable to work; billions in immediate negative economic impact
Citizens advised to shelter in place

Page 10

American Blackout

Day 3: No more running water or functioning toilets
US food distribution network shuts down
Remaining functional gas stations and grocery stores close as stock sells out
Sporadic food and water riots break out
National state of emergency declared (dusk to dawn curfew)
All US banks and financial markets remain closed
Widespread criminal activity breaks out

Day 4: Federal government takes over food, water and gas supply distribution
Riots more widespread
Veneer of civilized behavior starting to fray

Page 11

American Blackout

Day 5: Candles and generators cause widespread house fires (no water to contain them)
Generators at emergency and communication facilities start to run out of fuel

Day 6: Red Cross camps stay open but are limited and overwhelmed
Hospitals treating emergencies only
FEMA/military supervision of infrastructure increases
Gang violence widespread

Page 12

American Blackout

Day 8: President requests international aid
Death toll from civil unrest rising
Martial law imminent

Day 9: US allies unleash massive aid delivery
Grid engineers close to limited power restoration

Day 10: Widespread power restored; specific source of the attack still not identified; no claim of responsibility

Page 13

Fallout

Conservative projections: tens of thousands dead from civil unrest alone; hundreds of billions in economic impact; physical grid repair will take years

Real life comparison: the 2003 two-day blackout in 8 NE US states: 50 million people impacted, 11 deaths, $10 billion in economic impact

Watch: https://www.youtube.com/watch?v=FYoXxVnTePA

Page 14

Farfetched?

A USA Today study found that once every four days part of the US power grid is hit with a cyber or physical attack

Trend Micro survey of 575 companies or agencies maintaining critical infrastructure: 40% have faced malicious attacks seeking to shut down networks; 44% attacks seeking to delete files; 54% attempted control system takeovers

Source: Reuters

Some of this is advance recon and planting malware for future use

Page 15

State of Prevention and Response

Federal Legislation

Private Industry

The Attackers

Issues and Concerns

Page 16

Federal Legislative History

Cyberspace Policy Review – 2009: Executive branch report encouraged info sharing and coordinated incident response

Cybersecurity Legislative Proposal – 2011: National breach reporting; lots of debate, little action

International Strategy for Cyberspace – 2011: Let’s all play nice

Page 17

Federal Legislative History

Cyber Intelligence Sharing and Protection Act of 2012: Provide for sharing cyber threat intelligence; passed House, stalled in Senate

Senate Cybersecurity Act of 2012: Similar info sharing provisions; protection of critical infrastructure; voted down by Senate Republicans

Page 18

Federal Legislative History

2013 Executive Order: Improve Critical Infrastructure Cybersecurity; continued inaction in Congress

2015 Executive Order: Cybersecurity Legislative Proposal; info sharing with liability limits; Cyber Threat Intelligence Integration Center created (Office of the Director of National Intelligence)

Page 19

Recently Enacted Legislation

Cybersecurity Enhancement Act of 2014: Voluntary public-private partnership to improve cybersecurity

National Cybersecurity Protection Act: Established the National Cybersecurity and Communications Integration Center (NCCIC)

Cybersecurity Workforce Assessment Act: DHS directed to conduct an assessment every three years

Source: ISACA Cybersecurity Legislation Watch Center

Page 20

Modernizing Law Enforcement

Update the Computer Fraud and Abuse Act: Active prosecution for intentional attacks; revisit Patriot Act provisions

April 2015: National Emergency declared: Impose sanctions on entities that pose a cyber threat (freeze assets; block potential attacks); includes stealing IP and fraud

Page 21

Private Industry - Any Better?

Critical infrastructure largely privately owned and operated

March 2015: Joint letter to Congress to urge new legislation, signed by Lockheed Martin, Microsoft, Morgan Stanley, Ford; did not sign: Apple, Google, Facebook

Page 22

Private Industry - Any Better?

Facebook: “ThreatExchange”

Participants: Bitly, Dropbox, Facebook, Pinterest, Tumblr, Twitter, Yahoo

Share cyber threat information with strict controls on content sharing and data privacy

Page 23

How About This One?

“Google Threatens to Air Microsoft and Apple’s Dirty Code” – Bloomberg Feb. 2015

“Project Zero” identified 39 critical vulnerabilities in Apple products, 20 in Microsoft products, 37 in Adobe products, and 22 in the FreeType font library

Publish software vulnerabilities unless they are patched within 90 days

Page 24

Cybersecurity Insurance

Participate in NCCIC/CTIIC or purchase cybersecurity event insurance?

Insurance purchases increased 32% in 2014 (Source: Business Insurance)

Issue: Can’t find enough underwriters

Page 25

Cybercriminal Element

Waiting for legislated information sharing?

Growing more bold and sophisticated

They don’t care about: your privacy or constitutional rights; your financial or emotional well-being

Page 26

Issues and Concerns

Should business wait or proceed on their own?

Is legislation the right approach given the threat?

Will info sharing expand government surveillance? NSA reforms needed – should Patriot Act provisions be extended?

Page 27

Issues and Concerns

Data Breach Notification: What do you think of the US President’s proposal to require companies to notify customers within 30 days of a data breach? 76% agree or strongly agree

What do you think the greatest challenge companies would face if they needed to notify consumers of a data breach? 55% = Concern over corporate reputation

Source: ISACA 2015 Global Security Status Report

Page 28

Issues and Concerns

Audits of critical infrastructure and industrial automation systems – mandatory with state or federal oversight?

Implications of “safe harbor” provisions – should meeting a specific level of preparedness exempt you from breach liability?

Should participation in information sharing forums give you liability protection?

Page 29

Issues and Concerns

Can companies be sued for violating data privacy or anti-trust provisions if they share information for cybersecurity purposes?

Cyber self-defense – counterattacks: Should the government limit the extent of countermeasures?

Page 30

Key Components of Effective Legislation

Enabling information sharing instead of mandating it

Encouraging the development of a viable cybersecurity liability and insurance system

Creating a private-sector structure that fosters cyber-supply-chain security ratings

Defining limited cyber self-defense standards for industry

Source: The Heritage Foundation - A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace

Page 31

Key Components of Effective Legislation

Advocating for more private-sector efforts to promote general awareness, education, and training across America

Reforming science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce within industry and government

Leading responsible international cyber engagement

Source: The Heritage Foundation - A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace

Page 32

Bills Worth Watching

USA Freedom Act

Cyber Privacy Fortification Act (HR 104)

Cyber Intelligence Sharing and Protection Act (HR 234)

Federal Exchange Data Breach Notification Act (HR 555)

Data Accountability and Trust Act (HR 580)

Commercial Privacy Bill of Rights Act (HR 1053)

Protecting Cyber Networks Act (HR 1560) – passed House on April 23

Source: ISACA Cybersecurity Legislation Watch Center

Page 33

Bills Worth Watching

National Cybersecurity Protection Advancement Act (HR 1731)

Secure Data Act (S 135)

Data Security and Breach Notification Act (S 177)

Cyber Threat Sharing Act (S 456)

Commercial Privacy Bill of Rights Act (S 547)

Cybersecurity Information Sharing Act (S 754)

Source: ISACA Cybersecurity Legislation Watch Center

Page 34

Call to Action

ISACA Cybersecurity Legislation Watch Center: http://www.isaca.org/cyber/Pages/cybersecuritylegislation.aspx

2015 Global Cybersecurity Status Report: http://www.isaca.org/pages/cybersecurity-global-status-report.aspx

State of Cybersecurity: Implications for 2015: http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf (presented in conjunction with the RSA Conference)

Page 35

Call to Action

ISACA / ISSA sponsorship with member advocacy and involvement:

National Strategic Risk Policy

Global Cyber Governance Framework

NIST Cybersecurity Framework: Is there enough active involvement from ISACA beyond supplying COBIT 5 as a reference model?

Page 36

Call to Action

Get involved on a company, community, state and federal level

Encourage your company to participate in the private and government-sponsored cybersecurity information sharing forums

Lobby your congressional representatives for responsible legislation; enablers not absolutes

Page 37

Thank You!

Questions?

[email protected]