How many of you think that the US power grid can be taken out for an extended time period by a cyberattack? The threat is real and sophisticated, and our ability to mount a coordinated response at both the government and private industry level is limited. This presentation explores the critical issues involved in making meaningful progress to detect and defend against this threat.
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it?
1. THERE’S A CRIPPLING CYBERSECURITY ATTACK COMING YOUR WAY!
Is Our Coordinated Response Ready to Stop It?
Brian Dickard, Director – Enterprise Risk Management, First Data
2. Introduction
The threat is real and sophisticated
The damage could be catastrophic
Our current ability to mount a coordinated response is limited
It doesn’t have to be this way!
3. Top Threats to the USA
1. Terrorism
We are still a huge target
2. Cyber Attack
Especially to critical infrastructure
3. Still Weak US Economy
No buffer in monetary policy
4. (Large Nation States)
Will seek territorial expansion
5. Climate Change
Source: 2014 RSA Archer GRC Summit, Gen. Wesley Clark keynote address
4. Is Anyone Else Concerned?
Worldwide Survey of Security Professionals:
Do you expect a cyberattack to strike your organization in 2015?
Yes = 48%
ISACA “State of Cybersecurity Survey” reported Very Likely and Likely at a combined 83%
Do you think cyberattacks are among the three biggest threats facing organizations today?
Yes = 83%
Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)
5. Is Anyone Else Concerned?
On a national level, what are you concerned about?
95% concerned about a cyberattack, physical attack or both
Is your organization prepared for a sophisticated cyberattack?
Combined No and Unsure = 61%
Do you believe there is a shortage of skilled cybersecurity professionals?
Yes = 86%
Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity: Implications for 2015 (ISACA/RSA)
6. The Threat is Real
Nation-states (Russia, China, Iran) are more than willing to steal or destroy US digital property
Non-state actors (Hamas or Hezbollah) have demonstrated advanced cyberattack methods
US companies estimate $250 billion in IP losses alone each year
Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
7. Cyber Threat Tiers
Cyber Crime
Ex. Identity theft – tens of billions in losses each year
Cyber Espionage
Ex. Stealing military secrets – trillions of dollars’ worth of US national-security IP stolen to date
Cyber Warfare
Impair critical infrastructure as a stand-alone attack, or in connection with a kinetic attack
9. American Blackout
Day 1:
Nationwide rolling blackout initiated by a coordinated cyberattack
Widespread traffic gridlock within hours in metro areas
Gas stations and ATMs no longer work
Day 2:
Grid engineers report widespread physical damage to the grid
US work force unable to work; billions in immediate negative economic impact
Citizens advised to shelter in place
10. American Blackout
Day 3:
No more running water or functioning toilets
US food distribution network shuts down
Remaining functional gas stations and grocery stores close as stock sells out
Sporadic food and water riots break out
National state of emergency declared (dusk-to-dawn curfew)
All US banks and financial markets remain closed
Widespread criminal activity breaks out
Day 4:
Federal government takes over food, water and gas supply distribution
Riots more widespread
Veneer of civilized behavior starting to fray
11. American Blackout
Day 5:
Candles and generators cause widespread house fires (no water to contain them)
Generators at emergency and communication facilities start to run out of fuel
Day 6:
Red Cross camps stay open but are limited and overwhelmed
Hospitals treating emergencies only
FEMA/military supervision of infrastructure increases
Gang violence widespread
12. American Blackout
Day 8:
President requests international aid
Death toll from civil unrest rising
Martial law imminent
Day 9:
US allies unleash massive aid delivery
Grid engineers close to restoring limited power
Day 10:
Widespread power restored; specific source of the attack still not identified; no claim of responsibility
13. Fallout
Conservative projections:
Tens of thousands dead from civil unrest alone
Hundreds of billions in economic impact
Physical grid repair will take years
Real Life Comparison:
2003 two-day blackout across eight northeastern US states
50 million people impacted, 11 deaths, $10 billion in economic impact
Watch:
https://www.youtube.com/watch?v=FYoXxVnTePA
14. Farfetched?
A USA Today study found that once every four days part of the US power grid is hit with a cyber or physical attack
Trend Micro Survey:
575 companies or agencies maintaining critical infrastructure
40% have faced malicious attacks seeking to shut down networks; 44% seeking to delete files; 54% attempted control system takeovers
Source: Reuters
Some of this is advance recon and planting malware for future use
15. State of Prevention and Response
Federal Legislation
Private Industry
The Attackers
Issues and Concerns
16. Federal Legislative History
Cyberspace Policy Review – 2009
Exec branch report encouraged info sharing and coordinated incident response
Cybersecurity Legislative Proposal – 2011
National breach reporting
Lots of debate, little action
International Strategy for Cyberspace – 2011
Let’s all play nice
17. Federal Legislative History
Cyber Intelligence Sharing and Protection Act of 2012
Provide for sharing cyber threat intelligence
Passed House; stalled in Senate
Senate Cybersecurity Act of 2012
Similar info sharing provisions
Protection of critical infrastructure
Voted down by Senate Republicans
18. Federal Legislative History
2013 Executive Order: Improve Critical Infrastructure Cybersecurity
Continued inaction in Congress
2015 Executive Order: Cybersecurity Legislative Proposal
Info sharing with liability limits
Cyber Threat Intelligence Integration Center created (Office of Dir. National Intelligence)
19. Recently Enacted Legislation
Cybersecurity Enhancement Act of 2014
Voluntary public-private partnership to improve cybersecurity
National Cybersecurity Protection Act
Established National Cybersecurity and Communications Integration Center (NCCIC)
Cybersecurity Workforce Assessment Act
DHS directed to conduct every three years
Source: ISACA Cybersecurity Legislation Watch Center
20. Modernizing Law Enforcement
Update Computer Fraud and Abuse Act
Active prosecution for intentional attacks; revisit Patriot Act provisions
April 2015: National Emergency declared
Impose sanctions on entities that pose a cyber threat (freeze assets; block potential attacks)
Includes stealing IP and fraud
21. Private Industry - Any Better?
Critical infrastructure largely privately owned and operated
March 2015: Joint letter to Congress to urge new legislation
Lockheed Martin, Microsoft, Morgan Stanley, Ford
Did not sign: Apple, Google, Facebook
22. Private Industry - Any Better?
Facebook: “ThreatExchange”
Participants: Bitly, Dropbox, Facebook, Pinterest, Tumblr, Twitter, Yahoo
Share cyber threat information with strict controls on content sharing and data privacy
23. How About This One?
“Google Threatens to Air Microsoft and Apple’s Dirty Code” – Bloomberg Feb. 2015
“Project Zero” identified 39 critical vulnerabilities in Apple products, 20 Microsoft, 37 Adobe, 22 FreeType font library
Publish software vulnerabilities unless they are patched within 90 days
24. Cybersecurity Insurance
Participate in NCCIC/CTIIC or purchase cybersecurity event insurance?
Insurance purchases increased 32% in 2014 (Source: Business Insurance)
Issue: Can’t find enough underwriters
25. Cybercriminal Element
Waiting for legislated information sharing?
Growing more bold and sophisticated
They don’t care about:
Your privacy or constitutional rights
Your financial or emotional well-being
26. Issues and Concerns
Should business wait or proceed on their own?
Is legislation the right approach given the threat?
Will info sharing expand government surveillance?
NSA reforms needed – should Patriot Act provisions be extended?
27. Issues and Concerns
Data Breach Notification
What do you think of the US President’s proposal to require companies to notify customers within 30 days of a data breach?
76% agree or strongly agree
What do you think the greatest challenge companies would face if they needed to notify consumers of a data breach?
55% = Concern over corporate reputation
Source: 2015 ISACA Global Cybersecurity Status Report
28. Issues and Concerns
Audits of critical infrastructure and industrial automation systems – mandatory with state or federal oversight?
Implications of “safe harbor” provisions – should meeting a specific level of preparedness exempt you from breach liability?
Should participation in information sharing forums give you liability protection?
29. Issues and Concerns
Can companies be sued for violating data privacy or anti-trust provisions if they share information for cybersecurity purposes?
Cyber self-defense – counterattacks
Should the government limit the extent of countermeasures?
30. Key Components of Effective Legislation
Enabling information sharing instead of mandating it
Encouraging the development of a viable cybersecurity liability and insurance system
Creating a private-sector structure that fosters cyber-supply-chain security ratings
Defining limited cyber self-defense standards for industry
Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
31. Key Components of Effective Legislation
Advocating for more private-sector efforts to promote general awareness, education, and training across America
Reforming science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce within industry and government
Leading responsible international cyber engagement
Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security, Prosperity and Freedom in Cyberspace
32. Bills Worth Watching
USA Freedom Act
Cyber Privacy Fortification Act (HR 104)
Cyber Intelligence Sharing and Protection Act (HR 234)
Federal Exchange Data Breach Notification Act (HR 555)
Data Accountability and Trust Act (HR 580)
Commercial Privacy Bill of Rights Act (HR 1053)
Protecting Cyber Networks Act (HR 1560)
Passed House on April 23
Source: ISACA Cybersecurity Legislation Watch Center
33. Bills Worth Watching
National Cybersecurity Protection Advancement Act (HR 1731)
Secure Data Act (S 135)
Data Security and Breach Notification Act (S 177)
Cyber Threat Sharing Act (S 456)
Commercial Privacy Bill of Rights Act (S 547)
Cybersecurity Information Sharing Act (S 754)
Source: ISACA Cybersecurity Legislation Watch Center
34. Call to Action
ISACA Cybersecurity Legislation Watch Center
http://www.isaca.org/cyber/Pages/cybersecuritylegislation.aspx
2015 Global Cybersecurity Status Report
http://www.isaca.org/pages/cybersecurity-global-status-report.aspx
State of Cybersecurity: Implications for 2015
http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
Presented in conjunction with the RSA Conference
35. Call to Action
ISACA / ISSA sponsorship with member advocacy and involvement:
National Strategic Risk Policy
Global Cyber Governance Framework
NIST Cybersecurity Framework
Is there enough active involvement from ISACA beyond supplying COBIT 5 as a reference model?
36. Call to Action
Get involved on a company, community, state and federal level
Encourage your company to participate in the private and government-sponsored cybersecurity information sharing forums
Lobby your congressional representatives for responsible legislation; enablers not absolutes