Cybersecurity Challenge: Information Sharing between the Public-Private Sectors
Deloris Bryant
CRJ-475Z Senior Project
Dr. Shanna Van Slyke
May 12, 2015
Cybersecurity Challenge
 Information sharing between the Public and the Private Sector
 Importance of information sharing
 Private sector concerns
 Unite in the fight against cybercrimes
Importance of Information Sharing
 Are we doing enough to protect ourselves against cybercrimes?
 Cybersecurity is a critical issue
 Need to navigate through the cyber process together
 75% of the country’s computers have been exploited by criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th Congress, March 16, 2011)
 Estimated loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy, and this number does not even include other types of cybercrimes (Nakashima & Peterson, 2014).
Importance of Information Sharing
 Survey conducted by the Ponemon Institute with Hewlett-Packard (Ponemon Institute LLC, 2014)
   Cyberattacks increased 176% in the last 4 years
   Average time to detect attack – 170 days
   Resolution time once detected – 45 days
   Financial losses incurred during this time could be in the millions.
Importance of Information Sharing
 Another survey conducted by the Ponemon Institute, sponsored by IBM (Ponemon Institute LLC, 2014)
   The cost of data breaches incurred by organizations, on average, was $5.9 million
   Cost incurred the previous year was $5.4 million
   Lost business cost went from $3.03 million to $3.2 million
   Cost includes:
     Reputation loss
     Loss of customers
     Acquiring new customers
Importance of Information Sharing
 Different agendas for the public and private sectors
   Private sector - profit earnings and the bottom line
   Public sector - not divulging intelligence as it relates to national security
 Cost-effective
   Early detection
   Termination
   Prevention
   Financial savings and manpower
 “Real-time awareness” (Norton, 2014)
 “the backbone of security” (Rosenbush, 2014)
Private Sector Concerns
 Giving up control
   Company process
   In-house strategies to handle security issues
   Fear that the public sector will mandate a change in security strategies
   Risk of allowing other entities to explore privileged information, which can be discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.)
Private Sector Concerns
 Timing of information
   Constraints and bureaucratic hoops
   The time to quickly implement a solution could be lost
   Not knowing what agency, department or appropriate individual to contact in a breach situation
   National security obligations, which may involve clearance issues, restrict the release of some critical information
   Proper public-private sector information sharing needs to happen more smoothly
Private Sector Concerns
 Negative exposure
   Type of information disclosed
   When it is disclosed
   Company put in a bad light due to breach
   Company needs time to thoroughly investigate the issue
 Liability
   Corporate executives held responsible for inadequate protection
   Information not released in a timely manner to protect customers’ private information
   How well the company responded and how quickly the issue is resolved
Private Sector Concerns
 Trust
   Need assurance from the public sector
     Proprietary information will not be divulged
   Need open communication
     Provide quantifiable information
     Coordination is needed for preemptive measures
 Risks
   Misrepresentation about the severity of a cyber issue if information is not released in a timely manner
   Triggering complaints of negligence or inadequate security protection
   Absorbing the loss incurred rather than revealing a weakness
Private Sector Concerns
 Regulatory issues
   Regulatory laws and requirements
   Fear of public sector agencies
     SEC, FTC, FCC, CFPB and others alike
 Federal Trade Commission (FTC)
   Enforcing data security
   Issued guidelines for organizations with regard to data security
   Failure to follow proper data security procedures could result in litigation
Private Sector Concerns
 Securities and Exchange Commission (SEC)
   Oversight for security measures that companies are expected to follow and maintain
   Released guidance for publicly traded companies
   Obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014)
Unite in the Fight Against Cybercrimes
 Collaboration is key to unite in the fight against cybercrimes
   Promote awareness
   Educate each other
   Share timely information that is actionable
 Public sector contribution
   Executive Order
     Addresses privacy concerns along with concerns regarding private sector liability
   Cybersecurity Framework
Unite in the Fight Against Cybercrimes
 Comprehensive National Cybersecurity Initiative (CNCI)
   Front line of defense against immediate threats
   Defend against threats
   Strengthen future cybersecurity environment
 Protecting Cyber Networks Act (sponsor: Rep. Devin Nunes, R-CA-22) (Congress, 2015)
   Passed the House and was received in the Senate; aims to help the private sector share cyber threat information by removing some legal obstacles (Congress, 2015)
Unite in the Fight Against Cybercrimes
 Cyber Intelligence Sharing and Protection Act (CISPA) (Congress, 2015)
   Introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015)
 The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015)
   This bill was approved by the Senate Select Committee on Intelligence.
   This bill allows for the sharing of information between the government and the private sector with liability protection, so as to facilitate the sharing of data relating to cybersecurity threats.
Unite in the Fight Against Cybercrimes
 National Cybersecurity Protection Advancement Act of 2015
   This bill has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information in addition to clarifying privacy protection as it relates to cybersecurity risk (Congress, 2015).
 The key to any policy, strategy or initiative is “real-time” information sharing and “actionable intelligence” (U.S., 2014), which many of the above bills reiterate.
Public-Private Sectors Collaboration
 For public-private collaboration to work, the two sectors need to be on the same page and speak the same language when sharing information.
 Three tools that will aid the collection and distribution of cyber threat information between the two sectors
   Structured Threat Information eXpression (STIX)
     The MITRE Corp. and the Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts (Barnum, 2014)
Public-Private Sectors Collaboration
 Cyber Observables eXpression (CybOX)
   A tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (Corporation, 2015)
 Trusted Automated eXchange of Indicator Information (TAXII)
   TAXII is the means by which both STIX and CybOX information is transported (Connolly, Davidson, Richard, & Skorupka, 2012)
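Added example (not part of the slides, and not MITRE's own code): a minimal STIX 1.x indicator wrapping a CybOX IP-address observable, carried in a TAXII 1.1 inbox message and checked on receipt, to show how the three tools named above layer. The namespace URIs and the content-binding id are STIX 1.x / TAXII 1.1 values as recalled by the editor, not taken from the slides; the indicator, ids and IP address are constructed.

```python
"""Added example: how STIX, CybOX and TAXII layer (illustrative, not the slides' or MITRE's code)."""
import xml.etree.ElementTree as ET

# Namespace URIs for STIX 1.x, CybOX 2.x and TAXII 1.1 as recalled by the editor
# of this example; they are assumptions, not values taken from the slides.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
}
XSI = "http://www.w3.org/2001/XMLSchema-instance"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# TAXII content-binding id that labels a content block as STIX 1.1.1 XML (assumed value).
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_stix_package(package_id, indicator_id, title, ip_address):
    """Producer side: one STIX Indicator whose Observable is a CybOX Address object.

    STIX provides the indicator wrapper; CybOX provides the observable (here an IPv4 address).
    """
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": package_id})
    ind = ET.SubElement(ET.SubElement(pkg, q("stix", "Indicators")), q("stix", "Indicator"),
                        {"id": indicator_id, "{%s}type" % XSI: "indicator:IndicatorType"})
    ET.SubElement(ind, q("indicator", "Title")).text = title
    obj = ET.SubElement(ET.SubElement(ind, q("indicator", "Observable")), q("cybox", "Object"))
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {"{%s}type" % XSI: "AddressObj:AddressObjectType", "category": "ipv4-addr"})
    ET.SubElement(props, q("AddressObj", "Address_Value")).text = ip_address
    return ET.tostring(pkg, encoding="unicode")


def build_taxii_inbox_message(message_id, stix_xml, binding_id=STIX_BINDING):
    """Transport side: wrap the STIX document in a TAXII 1.1 Inbox_Message.

    The Content_Binding tells the receiver which format the Content block carries.
    """
    msg = ET.Element(q("taxii_11", "Inbox_Message"), {"message_id": message_id})
    block = ET.SubElement(msg, q("taxii_11", "Content_Block"))
    ET.SubElement(block, q("taxii_11", "Content_Binding"), {"binding_id": binding_id})
    ET.SubElement(block, q("taxii_11", "Content")).append(ET.fromstring(stix_xml))
    return ET.tostring(msg, encoding="unicode")


def accepted_bindings_ok(taxii_xml, accepted=(STIX_BINDING,)):
    """Receiver check: every Content_Block must declare a binding the receiver understands."""
    root = ET.fromstring(taxii_xml)
    if root.tag != q("taxii_11", "Inbox_Message"):
        return False
    blocks = root.findall(q("taxii_11", "Content_Block"))
    return bool(blocks) and all(
        (b.find(q("taxii_11", "Content_Binding")) is not None
         and b.find(q("taxii_11", "Content_Binding")).get("binding_id") in accepted)
        for b in blocks)


def receive_inbox_message(taxii_xml, accepted=(STIX_BINDING,)):
    """Receiver side: reject unknown bindings, then extract (indicator id, title, IP) triples."""
    if not accepted_bindings_ok(taxii_xml, accepted):
        raise ValueError("TAXII message rejected: missing or unsupported content binding")
    root = ET.fromstring(taxii_xml)
    results = []
    for ind in root.iter(q("stix", "Indicator")):
        results.append((ind.get("id"),
                        ind.findtext(q("indicator", "Title")),
                        ind.findtext(".//" + q("AddressObj", "Address_Value"))))
    return results


if __name__ == "__main__":
    # Constructed sample: the ids, title and address are made up for this example.
    stix = build_stix_package("example:package-1", "example:indicator-1",
                              "Constructed beaconing address", "198.51.100.23")
    taxii = build_taxii_inbox_message("1001", stix)
    print(taxii)
    print(receive_inbox_message(taxii))
```

Rejecting a content block whose binding the receiver does not understand is the first filter a sharing endpoint applies before it parses any indicator content.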
Private Sector Contribution
 Both individuals and companies are collaborating to produce methods to share data securely
 The United States Patent and Trademark Office (USPTO) is enthusiastic about examining cybersecurity patents.
   The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014)
Private Sector Contribution
 Large corporations are not the only organizations that are developing improved responses to cyber threats.
 Swan Island Networks, Inc.
   Launched the Trusted Information Exchange Service (TIES)
     “help protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015)
   Filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115
     Defines methods that allow trusted access to data between two parties (Jennings & Jones)
Private Sector Contribution
 Norse Corporation
   Filed a patent application (patent application number: 61508493) in July 2012
   Defines systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012).
Conclusion
 Cybersecurity poses a growing and real threat
 Private sector communicated concerns
 Improvements by public sector include:
   Introducing new legislation
   Updating previous ones to address current concerns
 President Obama’s presidential term is coming to an end
   His cybersecurity initiative needs to be a top priority for the next administration.
References
 Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
 Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
 Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
 Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D
 Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
 Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted automated eXchange of indicator information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf
 Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
 Hearing before the Committee on Armed Services, House of Representatives, 12th Congress (March 16, 2011). National defense authorization act for fiscal year 2012: (H.A.S.C. No. 112-26). (Statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf
 Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-authorized trust service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125
 Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
 Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
 Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
 Ponemon Institute LLC. (2014, October). 2014 Global report on the cost of cyber crime. Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
 Rosenbush, S. (2014, June 20). Former NSA Chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
 Swan Island Networks. (2015). About Swan Island Networks, Inc. Retrieved from swanisland.net/company
 U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396
 USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
 United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html
 United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
 United States Senate Committee. (2015, March 12). Sen. Carper statement on the cybersecurity information sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa

More Related Content

What's hot

DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
msdee3362
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation final
sunnyjoshi88
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochure
Lee Dalton
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
Jack Whitsitt
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016
Cameron Brown
 

What's hot (20)

DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Olaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative SecurityOlaf Kolkman - FIRST Keynote on Collaborative Security
Olaf Kolkman - FIRST Keynote on Collaborative Security
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation final
 
2020.10.11 international statement_end-to-end_encryption_and_public_safety_fo...
2020.10.11 international statement_end-to-end_encryption_and_public_safety_fo...2020.10.11 international statement_end-to-end_encryption_and_public_safety_fo...
2020.10.11 international statement_end-to-end_encryption_and_public_safety_fo...
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure Protection
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochure
 
Marriage of Cyber Security with Emergency Management
Marriage of Cyber Security with Emergency ManagementMarriage of Cyber Security with Emergency Management
Marriage of Cyber Security with Emergency Management
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
 
Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication Skills
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem Space
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking techno
 
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
 
Vincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent O. Mwando - Encryption
Vincent O. Mwando - Encryption
 
Improve Public Safety
Improve Public SafetyImprove Public Safety
Improve Public Safety
 
Framework for cybersecurity info sharing
Framework for cybersecurity info sharingFramework for cybersecurity info sharing
Framework for cybersecurity info sharing
 
Cyber risk challenge and the role of insurance
Cyber risk challenge and the role of insuranceCyber risk challenge and the role of insurance
Cyber risk challenge and the role of insurance
 

Similar to DBryant-Cybersecurity Challenge

Brian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docxBrian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docx
hartrobert670
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 
Cyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docxCyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docx
randyburney60861
 
1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe
cargillfilberto
 
Running Head INFORMATION SECURITY VULNERABILITY 2.docx
Running Head INFORMATION SECURITY VULNERABILITY     2.docxRunning Head INFORMATION SECURITY VULNERABILITY     2.docx
Running Head INFORMATION SECURITY VULNERABILITY 2.docx
charisellington63520
 
Cyber intelligence sharing and protect act research
Cyber intelligence sharing and protect act researchCyber intelligence sharing and protect act research
Cyber intelligence sharing and protect act research
LaVerne Kemp
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
Kashif Ali
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature Review
Enow Eyong
 

Similar to DBryant-Cybersecurity Challenge (18)

Brian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docxBrian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docx
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
 
Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation final
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
 
Cyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docxCyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docx
 
1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe1Annotated BibliographyTamika S. BouldinLibe
1Annotated BibliographyTamika S. BouldinLibe
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
Is Your Organization in Crisis?
Is Your Organization in Crisis?Is Your Organization in Crisis?
Is Your Organization in Crisis?
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Running Head INFORMATION SECURITY VULNERABILITY 2.docx
Running Head INFORMATION SECURITY VULNERABILITY     2.docxRunning Head INFORMATION SECURITY VULNERABILITY     2.docx
Running Head INFORMATION SECURITY VULNERABILITY 2.docx
 
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?There's a Crippling Cyber Attack Coming Your Way!  Are we prepared to stop it?
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
 
Cyber intelligence sharing and protect act research
Cyber intelligence sharing and protect act researchCyber intelligence sharing and protect act research
Cyber intelligence sharing and protect act research
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
Impact of big data analytics in business economics
Impact of big data analytics in business economicsImpact of big data analytics in business economics
Impact of big data analytics in business economics
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature Review
 

DBryant-Cybersecurity Challenge

  • 1. Cybersecurity Challenge: Information Sharing between the Public-Private Sectors Deloris Bryant CRJ-475Z Senior Project Dr. Shanna Van Slyke May 12, 2015 Public PrivateInformation
  • 2.  Information sharing between the Pubic and the Private Sector  Importance of information sharing  Private sector concerns  Unite in the fight against cybercrimes Cybersecurity Challenge Public Sector Private Sector
  • 3.  Are we doing enough to protect ourselves against cybercrimes?  Cybersecurity is a critical issue  Need to navigate through the cyber process together  75% of the country’s computers have been exploited by criminals (Hearing before the Committee on Armed Services, House of Representatives, 12th Congress, March 16, 2011)  Estimated loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy and this number does not even include other types of cybercrimes (Nakashima & Peterson, 2014). Importance of Information Sharing
  • 4.  Survey conducted by the Ponemon Institute with Hewlett-Packard (Ponemon Institute LLC, 2014)  Cyberattacks increased 176% in the last 4 years  Average time to detect attack – 170 days  Resolution time once detected – 45 days  Financial losses incurred during this time could be in the millions. Importance of Information Sharing
  • 5.  Another survey conducted by the Ponemon Institute sponsored by IBM (Ponemon Institute LLC, 2014)  The cost of data breaches incurred by organizations, on average, was $5.9 million  Cost incurred the previous year was $5.4 million  Loss of business cost went from $3.03 million to $3.2 million  Cost includes:  Reputation loss  Loss of customers  Acquire new customers Importance of Information Sharing
  • 6.  Different agenda for the public-private sectors  Private sector - profit earnings and the bottom line  Public sector - not divulging intelligence as it relates to national security  Cost-effective  Early detection  Termination  Prevention  Financial savings and manpower  “Real-time awareness” (Norton, 2014)  “the backbone of security” (Rosenbush, 2014) Importance of Information Sharing
  • 7.  Private Sector Concerns  Giving up control  Company process  In-house strategies to handle security issues  Fear that public sector will mandate a change in security strategies  Risk allowing other entities to explore privileged information which can be discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.) Private Sector Concerns
  • 8.  Timing of information  Constraints and bureaucratic hoops  The time to quickly implement a solution could be lost  Not knowing what agency, department or appropriate individual to contact in a breach situation  National security obligations which may involve clearance issues restrict the release of some critical information  Proper public-private sector information sharing needs to happen more smoothly Private Sector Concerns
  • 9.  Negative exposure  Type of information disclosed  When it is disclosed  Company put in a bad light due to breach  Company needs time to thoroughly investigate the issue  Liability  Corporate executives held responsible for inadequate protection  Information not release in a timely manner to protect customer’s private information  How well the company responded and how quickly the issue is resolved Private Sector Concerns
  • 10.  Trust  Need assurance from the public sector  Proprietary information will not be divulged  Need open communication  Provide quantifiable information  Coordination is needed for preemptive measures  Risks  Misrepresentation about the severity of cyber issue if information is not released in a timely manner  Trigger complaints of negligence, inadequate security protection  Absorb loss incurred rather than reveal weakness Private Sector Concerns
  • 11.  Regulatory issues  Regulatory laws and requirements  Fear of public sector agencies  SEC, FTC, FCC, CFPB and others alike  Federal Trade Commission (FTC)  Enforcing data security  Issued guidelines for organizations with regards to data security  Failure in the proper data security procedures could result in litigation Private Sector Concerns
  • 12.  Security and Exchange Commission (SEC)  Oversight for security measures that companies are expected to follow and maintain  Released guidance for public traded companies  Obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014) Private Sector Concerns
  • 13.  Collaboration is key to unite in the fight against cybercrimes  Promote awareness  Educate each other  Share timely information that is actionable  Public sector contribution  Executive Order  Addresses privacy concerns along with concerns regarding private sector liability  Cybersecurity Framework Unite in the Fight Against Cybercrimes
  • 14.  Comprehensive National Cybersecurity Initiative (CNCI)  Front line of defense against immediate threats  Defend against threats  Strengthen future cybersecurity environment  Protecting Cyber Networks Act (sponsor: Rep. Nunes, Devin (R-CA-22) (Congress, 2015)  Passed the house and was received in the senate aims to help the private sector share cyber threat information by removing some legal obstacles (Congress, 2015) Unite in the Fight Against Cybercrimes
  • 15.  Cyber Intelligence Sharing and Protection Act (CISPA) (Congress, 2015)  is introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015)  The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015)  This bill was approved by the Senate Select Committee on Intelligence.  This bill allows for the sharing of information between the government and the private sector with liability protection so as to facilitate the sharing of data relating to cybersecurity threats. Unite in the Fight Against Cybercrimes
  • 16.  National Cybersecurity Protection Advancement Act of 2015  This bill has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information in addition to clarifying privacy protection as it relates to cybersecurity risk (Congress, 2015).  The key to any policy, strategy or initiative is “real- time” information sharing and “actionable intelligence” (U.S., 2014) which many of the above bills reiterate. Unite in the Fight Against Cybercrimes
  • 17.  For public-private collaboration to work, they need to be on the same page and speak the same language when sharing information.  Three tools that will aid the collection and distribution of cyber threats between the two sectors  Structured Threat Information Expression (STIX)  The MITRE Corp. and The Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts (Barnum, 2014) Public-Private Sectors Collaboration
  • 18.  Cyber Observables eXpression (CybOX)  A tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (Corporation, 2015)  Trusted Automated eXchange of Indicator Information (TAXII)  (TAXII) is the means by which both STIX and CybOX information is transported. (Connolly, Davison, Richard, & Skorupka, 2012) Public-Private Sectors Collaboration
  • 19.  Both individuals and companies collaborating to produce methods to share data securely  The United States Patent and Trademark Office (USPTO) is enthusiastic about examining cybersecurity patents.  The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014) Private Sector Contribution
Private Sector Contribution
 Large corporations are not the only organizations developing improved responses to cyber threats.
 Swan Island Networks, Inc. launched the Trusted Information Exchange Service (TIES), said to “help protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015).
 The company filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115, which defines methods that allow trusted access to data between two parties (Jennings & Jones, 2013).
Private Sector Contribution
 Norse Corporation
 Filed a patent application (patent application number 61508493) in July 2012.
 It defines systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012).
Conclusion
 Cybersecurity poses a growing and real threat.
 The private sector has communicated its concerns.
 Improvements by the public sector include:
 Introducing new legislation
 Updating previous legislation to address current concerns
 President Obama’s presidential term is coming to an end.
 His cybersecurity initiative needs to be a top priority for the next administration.
References
 Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
 Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
 Congress. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
 Congress. (2015, April 22). H.R.1560 - Protecting Cyber Networks Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D
 Congress. (2015, April 23). H.R.1731 - National Cybersecurity Protection Advancement Act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
 Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The Trusted Automated eXchange of Indicator Information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf
 Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
 Hearing before the Committee on Armed Services, House of Representatives, 112th Congress (March 16, 2011). National Defense Authorization Act for fiscal year 2012 (H.A.S.C. No. 112-26) (statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf
 Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-authorized trust service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125
 Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
 Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
 Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
 Ponemon Institute LLC. (2014, October). 2014 global report on the cost of cyber crime. Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
 Rosenbush, S. (2014, June 20). Former NSA chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
 Swan Island Networks. (2015). About Swan Island Networks, Inc. Retrieved from http://swanisland.net/company
 U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396
 USPTO. (2012, July 16). Norse Corporation patent appl. no. 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
 United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html
 United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
 United States Senate Committee. (2015, March 12). Sen. Carper statement on the Cybersecurity Information Sharing Act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa