How many of you think that the US power grid can be taken out for an extended time period by a cyberattack? The threat is real and sophisticated, and our ability to mount a coordinated response at both the government and private industry level is limited. This presentation explores the critical issues involved in making meaningful progress to detect and defend against this threat.

1. THERE’S A CRIPPLING
CYBERSECURITY ATTACK COMING
YOUR WAY!
Is Our Coordinated Response Ready to Stop It?
Brian Dickard, Director – Enterprise Risk Management, First Data

2. Introduction
 The threat is real and sophisticated
 The damage could be catastrophic
 Our current ability to mount a
coordinated response is limited
 It doesn’t have to be this way!
2

3. Top Threats to the USA
1. Terrorism
 We are still a huge target
2. Cyber Attack
 Especially to critical infrastructure
3. Still Weak US Economy
 No buffer in monetary policy
4. (Large Nation States)
 Will seek territorial expansion
5. Climate Change
 Source: 2014 RSA Archer GRC Summit, Gen. Wesley Clark keynote address
3

4. Is Anyone Else Concerned?
Worldwide Survey of Security Professionals:
 Do you expect a cyberattack to strike your
organization in 2015?
 Yes = 48%
 ISACA “State of Cybersecurity Survey” reported Very Likely and Likely at a
combined 83%
 Do you think cyberattacks are among the three
biggest threats facing organizations today?
 Yes = 83%
 Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity:
Implications for 2015 (ISACA/RSA)
4

5. Is Anyone Else Concerned?
 On a national level, what are you concerned
about?
 95% concerned about a cyberattack, physical attack or both
 Is your organization prepared for a sophisticated
cyberattack?
 Combined No and Unsure = 61%
 Do you believe there is a shortage of skilled
cybersecurity professionals?
 Yes = 86%
 Source: 2015 ISACA Global Cybersecurity Status Report; State of Cybersecurity:
Implications for 2015 (ISACA/RSA)
5

6. The Threat is Real
 Nation-states (Russia, China, Iran) are more
than willing to steal or destroy US digital property
 Non-state actors (Hamas or Hezbollah) have
demonstrated advanced cyberattack methods
 US companies estimate $250 billion in IP losses
alone each year
 Source: The Heritage Foundation – A Congressional Guide: Seven Steps to US Security,
Prosperity and Freedom in Cyberspace
6

7. Cyber Threat Tiers
 Cyber Crime
 Ex. Identify Theft – 10’s of billions in losses each year
 Cyber Espionage
 Ex. Stealing military secrets – trillions in US national
security interest IP has been stolen to date
 Cyber Warfare
 Impair critical infrastructure as a stand-alone attack, or
in connection with a kinetic attack
7

8. A Scary Scenario
8

9. American Blackout
 Day 1:
 Nationwide rolling blackout initiated by a
coordinated cyberattack
 Widespread traffic gridlock within hours in metro
areas
 Gas stations and ATMs no longer work
 Day 2:
 Grid engineers report widespread physical grid
damage inflicted
 US work force unable to work; billions in
immediate negative economic impact
 Citizens advised to shelter in place
9

10. American Blackout
 Day 3:
 No more running water or functioning toilets
 US food distribution network shuts down
 Remaining functional gas stations and grocery stores close
as stock sells out
 Sporadic food and water riots break out
 National state of emergency declared (dusk to dawn curfew)
 All US banks and financial markets remain closed
 Widespread criminal activity breaks out
 Day 4:
 Fed government takes over food, water and gas supply
distribution
 Riots more widespread
 Veneer of civilized behavior starting to fray
10

11. American Blackout
 Day 5:
 Candles and generators cause widespread house
fires (no water to contain them)
 Generators at emergency and communication
facilities start to run out of fuel
 Day 6:
 Red Cross camps stay open but are limited and
overwhelmed
 Hospitals treating emergencies only
 FEMA/military supervision of infrastructure
increases
 Gang violence widespread
11

12. American Blackout
 Day 8:
 President requests international aid
 Death toll from civil unrest rising
 Martial Law imminent
 Day 9:
 US Allies unleash massive aid delivery
 Grid engineers close to limited power restore
 Day 10:
 Widespread power restored; specific source of the
attack still not identified; no claim of responsibility
12

13. Fallout
 Conservative projections:
 10’s of thousands dead from civil unrest alone
 100’s of billions in economic impact
 Physical grid repair will take years
 Real Life Comparison:
 2003 two day blackout in 8 NE US states
 50 million people impacted, 11 deaths, $10 billion in
economic impact
 Watch:
https://www.youtube.com/watch?v=FYoXxVnTePA
13

14. Farfetched?
 A USA Today study found that once every four days
part of the US power grid is hit with a cyber or physical
attack
 Trend Micro Survey:
 575 companies or agencies maintaining critical infrastructure
 40% have faced malicious attacks seeking to shutdown
networks; 44% seeking to delete files; 54% attempted
control system takeovers
 Source: Reuters
 Some of this is advance recon and planting malware
for future use
14

15. State of Prevention and Response
 Federal Legislation
 Private Industry
 The Attackers
 Issues and Concerns
15

16. Federal Legislative History
 Cyberspace Policy Review – 2009
 Exec branch report encouraged info sharing and
coordinated incident response
 Cybersecurity Legislative Proposal - 2011
 National breach reporting
 Lots of debate, little action
 International Strategy for Cyberspace – 2011
 Let’s all play nice
16

17. Federal Legislative History
 Cyber Intelligence Sharing and Protection
Act of 2012
 Provide for sharing cyber threat intelligence
 Passed House; stalled in Senate
 Senate Cybersecurity Act of 2012
 Similar info sharing provisions
 Protection of critical infrastructure
 Voted down by Senate Republicans
17

18. Federal Legislative History
 2013 Executive Order: Improve Critical
Infrastructure Cybersecurity
 Continued inaction in Congress
 2015 Executive Order: Cybersecurity
Legislative Proposal
 Info sharing with liability limits
 Cyber Threat Intelligence Integration Center
created (Office of Dir. National Intelligence)
18

19. Recently Enacted Legislation
 Cybersecurity Enhancement Act of 2014
 Voluntary public-private partnership to improve
cybersecurity
 National Cybersecurity Protection Act
 Established National Cybersecurity and
Communications Integration Center (NCCIC)
 Cybersecurity Workforce Assessment Act
 DoHS directed to conduct every three years
 Source: ISACA Cybersecurity Legislation Watch Center
19

20. Modernizing Law Enforcement
 Update Computer Fraud and Abuse Act
 Active prosecution for intentional attacks;
revisit Patriot Act provisions
 April 2015: National Emergency declared
 Impose sanctions on entities that pose a
cyber threat (freeze assets; block potential
attacks)
 Includes stealing IP and fraud
20

21. Private Industry - Any Better?
 Critical infrastructure largely privately
owned and operated
 March 2015: Joint letter to Congress to
urge new legislation
 Lockheed Martin, Microsoft, Morgan
Stanley, Ford
 Did not sign: Apple, Google, Facebook
21

22. Private Industry - Any Better?
 Facebook: “ThreatExchange”
 Participants: Bitly, Dropbox, Facebook,
Pinterest, Tumblr, Twitter, Yahoo
 Share cyber threat information with strict
controls on content sharing and data privacy
22

23. How About This One?
 “Google Threatens to Air Microsoft and
Apple’s Dirty Code” – Bloomberg Feb. 2015
 “Project Zero” identified 39 critical vulns
in Apple products, 20 Microsoft, 37
Adobe, 22 Freetype font library
 Publish software vulnerabilities unless
they are patched within 90 days
23

24. Cybersecurity Insurance
 Participate in NCCIC/CTIIC or purchase
cybersecurity event insurance?
 Insurance purchases increased 32% in
2014 (Source: Business Insurance)
 Issue: Can’t find enough underwriters
24

25. Cybercriminal Element
 Waiting for legislated information sharing?
 Growing more bold and sophisticated
 They don’t care about:
 Your privacy or constitutional rights
 Your financial or emotional well being
25

26. Issues and Concerns
 Should business wait or proceed on their
own?
 Is legislation the right approach given the
threat?
 Will info sharing expand government
surveillance?
 NSA reforms needed – should Patriot Act
provisions be extended?
26

27. Issues and Concerns
 Data Breach Notification
 What do you think of the US President’s
proposal to require companies to notify
customers within 30 days of a data breach?
 76% agree or strongly agree
 What do you think the greatest challenge
companies would face if they needed to notify
consumers of a data breach?
 55% = Concern over corporate reputation
 Source: ISACA 2015 Global Security Status Report
27

28. Issues and Concerns
 Audits of critical infrastructure and industrial
automation systems – mandatory with state
or federal oversight?
 Implications of “safe harbor” provisions – should
meeting a specific level of preparedness exempt
you from breach liability?
 Should participation in information sharing
forums give you liability protection?
28

29. Issues and Concerns
 Can companies be sued for violating data
privacy or anti-trust provisions if they share
information for cybersecurity purposes?
 Cyber self-defense – counterattacks
 Should the government limit the extent of
countermeasures?
29

30. Key Components of Effective
Legislation
 Enabling information sharing instead of
mandating it
 Encouraging the development of a viable
cybersecurity liability and insurance system
 Creating a private-sector structure that
fosters cyber-supply-chain security ratings
 Defining limited cyber self-defense standards
for industry
 Source: The Heritage Foundation - A Congressional Guide: Seven Steps to
US Security, Prosperity and Freedom in Cyberspace
30

31. Key Components of Effective
Legislation
 Advocating for more private-sector efforts to
promote general awareness, education, and
training across America
 Reforming science, technology, engineering,
and mathematics (STEM) education to create
a strong cyber workforce within industry and
government
 Leading responsible international cyber
engagement
 Source: The Heritage Foundation - A Congressional Guide: Seven Steps to
US Security, Prosperity and Freedom in Cyberspace
31

32. Bills Worth Watching
 USA Freedom Act
 Cyber Privacy Fortification Act (HR 104)
 Cyber Intelligence Sharing and Protection Act
(HR 234)
 Federal Exchange Data Breach Notification
Act (HR 555)
 Data Accountability and Trust Act (HR 580)
 Commercial Privacy Bill of Rights Act (HR 1053)
 Protecting Cyber Networks Act (HR 1560)
 Passed House on April 23
 Source: ISACA Cybersecurity Legislation Watch Center
32

33. Bills Worth Watching
 National Cybersecurity Protection
Advancement Act (HR 1731)
 Secure Data Act (S 135)
 Data Security and Breach Notification Act (S
177)
 Cyber Threat Sharing Act (S 456)
 Commercial Privacy Bill of Rights Act (S 547)
 Cybersecurity Information Sharing Act (S 754)
 Source: ISACA Cybersecurity Legislation Watch Center
33

34. Call to Action
 ISACA Cybersecurity Legislation Watch Center
 http://www.isaca.org/cyber/Pages/cybersecuritylegislation.as
px
 2015 Global Cybersecurity Status Report
 http://www.isaca.org/pages/cybersecurity-global-status-
report.aspx
 State of Cybersecurity: Implications for 2015
 http://www.isaca.org/cyber/Documents/State-of-
Cybersecurity_Res_Eng_0415.pdf
 Presented in conjunction with the RSA Conference
34

35. Call to Action
 ISACA / ISSA sponsorship with member
advocacy and involvement:
 National Strategic Risk Policy
 Global Cyber Governance Framework
 NIST Cybersecurity Framework
 Is there enough active involvement from ISACA
beyond supplying COBIT 5 as a reference model?
35

36. Call to Action
 Get involved on a company, community,
state and federal level
 Encourage your company to participate in the
private and government-sponsored
cybersecurity information sharing forums
 Lobby your congressional representatives for
responsible legislation; enablers not absolutes
36

37. Thank You!
Questions?
bdickard@yahoo.com
37