Executive Briefing Series (Volume 6, Number 3) May 2013

Cybersecurity 2013: What Every CIO Should Know

An Executive Summary of the April 19, 2013 Workshop
Written by Melanie Teplinsky and Tom Kellermann
Edited by Dr. Gwanhoo Lee and Ms. Marianne Du

Contents

1. Introduction
   Professor William DeLone, Executive Director, Kogod Center for Information Technology and the Global Economy
   Eric Wenger, Policy Counsel, Microsoft
2. Panel 1: Policy Developments
   David Bodenheimer, Partner, Crowell & Moring LLP
   Eric Wenger, Policy Counsel, Microsoft
   Moderator: Melanie Teplinsky, Adjunct Professor, American University, Washington College of Law
3. Panel 2: Private Sector Challenges and Opportunities
   Robert A. Parisi, Jr., Managing Director and National Practice Leader for Technology, Network Risk & Telecommunications, Marsh
   Jeffrey Portis, Cyber Specialist/Assistant Vice President, Financial Institutions, Chubb Group of Insurance Companies
   Moderator: Tom Kellermann, Vice President of Cyber Security, Trend Micro
4. Group Discussion
   Facilitator: Eric Wenger, Microsoft Policy Counsel

1. Introduction and Overview

CITGE’s April 19, 2013 program focused on cybersecurity. Cyber threats have surpassed terrorism as the number one global threat facing the United States, and cybersecurity poses a major, ongoing challenge for today’s CIOs. William DeLone, Executive Director of Kogod’s Center for Information Technology and the Global Economy (CITGE), and Eric Wenger, Microsoft Policy Counsel, opened the CITGE program with brief welcoming remarks. DeLone noted that the program would address the core question of how to protect information technology assets from various types of cyberthreats, and he extended special thanks to the program’s organizers, sponsors, and host.
Wenger acknowledged the expertise in the audience, encouraged audience participation, and took a moment to note that we are changing the way we interact with technology, as evidenced by the various technologies on display in Microsoft’s offices, where the program took place.

2. Panel 1: Policy Developments

The first panel engaged in a lively discussion of recent cybersecurity law and policy developments. Specifically, the panel addressed: (1) the current cyberthreat landscape; (2) the business case for cybersecurity; (3) basic cyberhygiene and the cybersecurity executive order; (4) regulatory compliance obligations; (5) SEC guidance and cyberrisk; and (6) recommended actions for CIOs.

Current Cyberthreat Landscape

Wenger distinguished two different types of cybersecurity problems: protecting infrastructure and protecting information. First, Wenger discussed the problem of securing critical infrastructure so as to prevent the disruption or destruction of IT-reliant systems essential to our public safety, economic stability, and/or national security. Wenger identified the Saudi Aramco incident, in which a cyberattack destroyed an estimated 30-40,000 computers at the Saudi national petroleum company, as the most recent example of a destructive attack on critical infrastructure. Second, Wenger discussed the problem of protecting trade secrets and intellectual property (“IP”) from theft, whether by cybercriminals or by state actors seeking to advantage corporate actors in their own countries. While Wenger emphasized the importance of separating the problem of protecting infrastructure from the problem of protecting information, he noted that while a cyberattack is occurring, it may be difficult to see the origin of, and motivation for, the attack. Wenger also emphasized that cyberrisk must be managed, as it cannot be completely eliminated.
Instead of thinking of networks as having an impenetrable border around them, he encouraged the audience to think about resiliency in the face of a successful penetration. For example, he encouraged consideration of ways to: (1) compartmentalize systems so that if a bad actor does penetrate a network, we can keep the bad actor from getting elsewhere; (2) rehabilitate the system; (3) get back online; etc.

Business Case for Cybersecurity

Before making the business case for cybersecurity at the corporate level, David Bodenheimer underscored the costs of cybertheft of IP to the U.S. economy as a whole. Specifically, Bodenheimer noted that: (1) General Alexander (who is dual-hatted as Director of the National Security Agency and Commander of U.S. Cyber Command) has referred to the loss of IP and trade secrets from cyberespionage as the “greatest transfer of wealth in human history”; (2) in 2009 remarks, President Obama referenced an estimate placing cybercrime losses at as much as $1 trillion in one year; and (3) there have been reports of $250 billion in R&D, IP and trade secrets lost by U.S. businesses annually. Bodenheimer exhorted that while one cannot control the entire economy, one can control one’s own organization, and he argued that there is a business case for cybersecurity at the organizational level. Bodenheimer offered several striking examples of individual corporate losses resulting from cybersecurity breaches, including: (1) a company that lost 38 terabytes of data, twice the data in the U.S. Library of Congress; (2) the U.S. metals company that lost $1 billion of research and development to a cyberattack; (3) Global Payments Systems’ 9% stock price dive after its security breach; and (4) deals that fell apart after cyberbreaches (including, for example, the $2.4 billion Coca-Cola deal).
According to Bodenheimer, the significant losses from cybercrime indicate that there is a business case for corporate cybersecurity, and he urged CIOs to take this business case back to their CFOs, CEOs, and General Counsel.

David Bodenheimer noted that everybody is a target. To determine whether or not a company is a target, Bodenheimer suggested three tests. First, the Mueller test (named for FBI Director Mueller) provides that there are only two classes of companies: those that have been breached and those that will be. Second, the “Bodenheimer test” provides that organizations with anything of value are targets. Under the third test, which is empirical, a company is a target if it provides one of the following technologies being targeted for cyberespionage (as discussed in the report of the National Counter Intelligence Executive, the Mandiant Report, or the DSS Report): IT, communications, military, aerospace, dual-use, clean technologies, healthcare, pharma, or agricultural. Bodenheimer noted that while financial institutions are not on this list, they also are targets, as the recent prolonged attacks on U.S. financial institutions demonstrated.

Wenger expanded on Bodenheimer’s comments, explaining that different types of targeting may require different responses. One type of targeting is general targeting, where threat actors are looking for a specific type of target, but not a specific target. Wenger likened such cases to a thief going down the street testing doorknobs, and said that, in such cases, you want to make sure your door is locked so that when the thief gets to your door, he keeps going. The concept is that basic hygiene that eliminates common points of entry may be effective in addressing opportunistic threat actors.
According to Wenger, organizations also need to consider how to deal with the more difficult problem of specific targeting, in which there is a specific threat to a specific organization; he noted that there have been cases where specific officials at a company have been the target of spear-phishing attacks.

Basic Cyber Hygiene & the Cybersecurity Executive Order

Wenger explained that basic cyber hygiene is part of what the [February 2013] Executive Order (“EO”) on cybersecurity is attempting to accomplish. Specifically, the EO tasked NIST with developing a cybersecurity framework to identify what kinds of standards may be useful (not only for protecting critical infrastructure, but also for protecting operations that are below the critical threshold). The EO seeks eventually to incentivize voluntary adoption of these standards. Wenger explained that it is very early in the NIST process, but that it is an accelerated process, with NIST trying to put a draft of the framework together within an eight-month period. Wenger noted that after some iterations of this process, we will have a better sense of what the final product will look like.

Regulatory Compliance Obligations

Bodenheimer pointed out that multiple compliance obligations may come into play as a result of a cybersecurity breach. As an example of this problem, Bodenheimer discussed the Department of Defense’s TRICARE breach,[1] in which 4.9 million veterans’ and veteran families’ information was lost when backup computer tapes were stolen from a DoD contractor handling the tapes.
Bodenheimer explained that, in the case of TRICARE, one incident involved millions of records and potentially brought multiple standards into play, including those set forth in: (1) state data breach notification laws; (2) the Health Insurance Portability and Accountability Act (“HIPAA”) breach notification and information security rules designed to safeguard personal health information; and (3) the Privacy Act of 1974, pursuant to which plaintiffs sued DoD seeking $1,000 for each person affected by the TRICARE breach, for a total of $4.9 billion in damages that DoD presumably tried to shift onto the contractor. Bodenheimer explained that, as the TRICARE breach suggests, one breach may bring multiple standards into play since there are different standards for different types of data. As a result of this “multiplicity” of standards, Bodenheimer explained, organizations “don’t even know how clean they need to be,” making it difficult for them even to achieve basic levels of cyber hygiene. While Bodenheimer explained that organizations cannot protect all of their information, he suggested that, as a first step, organizations should begin by identifying the information they are trying to protect and the most important secrets they must secure.

Wenger agreed with Bodenheimer’s assessment and urged organizations to ask themselves: “What are the keys to the kingdom?” “What is the lifeblood of the organization?” Wenger went on to emphasize the importance of mapping out the different types of data held by an organization as well as the obligations associated with that data. He explained that taking such steps will help the organization to see where there is overlap and where there are differences in the compliance requirements it faces.
Once an organization understands the regulatory obligations associated with its data, Wenger explained, it is important to understand who is responsible for managing those compliance obligations. The need to identify compliance boundaries becomes particularly salient as organizations increasingly move data to the cloud. As an example, Wenger described two different approaches to HIPAA compliance that cloud providers currently take. Microsoft offers a business associate agreement in which Microsoft takes on the obligation for ensuring that the cloud service is operating in a HIPAA-compliant manner. Other cloud service providers offer so-called “HIPAA capable” service, in which the customer is responsible for making sure that the service is operated in a HIPAA-compliant manner. Regardless of which cloud provider is chosen, it is important that organizations understand who is responsible for managing the various compliance obligations.

[1] TRICARE is the military health program.

SEC Guidance & Cyberrisk

Bodenheimer explained that pursuant to SEC staff-level cybersecurity guidance issued in 2011, publicly traded companies may (1) be required to disclose a material cybersecurity breach or “incident”; (2) need to disclose material cyber risks; and (3) be at risk for shareholder suits in the event that they fail to implement safeguards. While the guidance applies to publicly traded companies, Bodenheimer expects that it will be a major driver of cybersecurity for all companies, and that for companies losing substantial IP/trade secrets to cyberintruders, it will be a “gamechanger.”

Wenger discussed Senator Rockefeller’s (D-W.V.) role in the SEC guidance. Wenger noted that it was Senator Rockefeller’s correspondence with the SEC that led to issuance of the SEC’s staff-level guidance in 2011, and he explained that Senator Rockefeller is now pressing the Commission to issue a formal SEC rule.
He noted that Senator Rockefeller recently sent letters to the CEOs of every Fortune 500 company in the United States asking them a series of questions about their cybersecurity practices. According to Wenger, about 200 companies did not respond, but a congressional report summarizes the types of responses received from those companies that did respond, including Microsoft. While speaking about the Rockefeller letter, Wenger noted that companies in the technology space have been thinking about cyber risks for some time, have been thinking about what is “material,” and have been making sure that they are reporting material risks. (Wenger also indicated that Microsoft, which supports risk-based reporting, has some notional concerns with increasing the complexity of SEC filings. According to Wenger, the larger the filings become and the more information is packed into them, the less useful the filings become for shareholders.) However, Wenger noted that for some of the Fortune 500 companies not in the technology space, it may have been an interesting exercise for CEOs receiving Rockefeller’s letter to determine whom to talk to, what their company is doing on cybersecurity, and what cyber risks the company faces.

Wenger concluded with a reminder that the operation of an entity’s IT infrastructure is no longer something separate and apart from operation of the entity. He cautioned that CEOs must work with CIOs/CISOs because IT is an important part of operating a corporation, and must be considered in investment and risk management decisions.

Recommendations for CIOs

The panelists were then asked what advice they would give to a CIO or CISO who must deal with multifaceted threats on a daily basis. What could CIOs/CISOs do in the next six to twelve months to improve security?

Wenger began with the notion that there are some things that you can control and some that you cannot.
If a well-resourced state actor specifically targets your operations, there is probably not a lot that you can do to stop that from happening, but there are things you can control. First, with respect to compliance obligations, organizations can get a better sense of the compliance obligations they face, where those obligations overlap and where they do not, and who is responsible for managing those obligations. Second, organizations can separate out the basic hygiene problem and can consider implementing baseline cybersecurity controls (e.g., the SANS twenty critical controls). Basic cyber hygiene may enable organizations to clean things up in a way that allows them to identify threats that otherwise might have been hidden. As Wenger explained, if you can quiet down the “noise in the system,” other threats may be easier to ferret out.

Bodenheimer began with the observation that, at last count, there were approximately 800 controls in the NIST 800-53 draft (i.e., the Security and Privacy Controls for Federal Information Systems), and Alan Paller identifies twenty critical security controls in the SANS Institute’s framework for information security. Bodenheimer then offered the following six core questions/observations for CIO consideration:

(1) Do you have a cyberlawyer who can serve as a thought leader on cybersecurity issues?
(2) Are you engaging in discussions with your board of directors, CEO, and general counsel to ensure that they have a full understanding of cyber risks?
(3) Do you know your organization’s data? You need to know what you have to protect and the potential consequences of a breach. Knowing what kind of data you have also will help you determine the cyberstandards you have to meet.
(4) What cyberstandards do you have to meet? It is important to identify the rules applicable to your organization and any compliance requirements. If you are a federal agency, FISMA and NIST are the starting points.
If you are a health care company, HIPAA is your starting point. If you are a government contractor, the Privacy Act, FISMA, NIST, etc. are your starting points.
(5) Coordinate your defenses. Coordination is necessary to ensure that there are no gaps in the defenses used to protect your organization’s important information and infrastructures, including personal data, trade secrets, and the IT network.
(6) Do you have support from top management for cybersecurity efforts? Such support often comes after a major cybersecurity breach, but spending a small percentage up front may prevent serious losses down the line.

Audience questions

Question: What’s a reasonable amount of time to fully implement SANS?

Bodenheimer said that the answer depends on the threat level. For an organization that already has had several major incidents, the time to fully implement SANS was yesterday. He said that there is no defined industry standard or government standard, noting that it took years for DoD to get its information system from a grade D to a higher grade. Bodenheimer emphasized that cybersecurity involves a layered defense and is a never-ending process, but that organizations need to secure their most important data now. CIOs must identify their most important data and tell the CEO that the company needs to take care of these now.

Wenger reiterated that cybersecurity is a process, stating: “it’s a journey, not a destination.” He said that the goal is to close gaps, but given the dynamic threat environment in which we are operating, as soon as we finish our work, we have to start again. Wenger noted that cybersecurity is a “cycle” and that as long as we rely upon IT, the problem will not go away.

Question: Under my cursory “root cause” analysis, if we allow people to make revenues off of intellectual property by selling products with known and latent defects with no liability, then we are going to have to live with the cybersecurity problem.
I’m not sure imposing liability would solve the problem, but has the freedom from liability outlived its usefulness? Can we reach a better balance between reliability and IP revenues?

Analogizing to the real world, Wenger argued that if a house was locked and a would-be intruder figured out a new way to attack that lock, it would be odd to think that we would hold the manufacturer of the lock responsible for the consequences of the intrusion. Wenger also noted that software is often used in unintended and unexpected ways. He said that part of the problem is that we are operating in an environment where technologies themselves are constantly being exposed to new services. Some software now being exposed to new services was written before those services existed. Wenger argued that we want to allow for continued innovation and creation of these technologies and that imposing liability in the manner suggested might hinder those goals.

Bodenheimer reiterated that no one has perfect security and that the threat is so great and moving so fast that there will always be gaps in defense. Second, Bodenheimer emphasized the importance of maintaining incentives to innovate and said that companies will not sell and support solutions if the potential liability is too great. In support of this argument, Bodenheimer offered an example from the Homeland Security context. He noted that the SAFETY Act was passed to encourage companies to develop anti-terrorism technology by protecting those companies from enterprise-threatening liability in the event that the technology fails. (Wenger noted later in the discussion that the House Homeland Security Committee is developing a legislative proposal that would apply the SAFETY Act model, in which government agrees to absorb some of the risk of failed technology, to cybersecurity with the idea of incentivizing cybersecurity offerings.)
Third, Bodenheimer argued that carrots might yield more cybersecurity than sticks alone. Finally, Bodenheimer noted that there already is liability, although ad hoc. Returning to the example of DoD’s TRICARE, Bodenheimer assumed liability in the amount of $500 per compromised record and multiplied that by the 4.9 billion TRICARE participants who lost their data. He then asked, “Can any company take a $2.5 billion hit?” He argued that $2.5 billion is enough to get the attention of even the biggest companies, and that, in some cases, the ramifications of security breaches are severe, bordering on draconian. Bodenheimer also suggested that we need a standard within the public sector that addresses liability, and that we have to be careful how certain risks are shifted.

Bodenheimer suggested that allocation of risk is going to be one of the most interesting issues we face in the next ten years. How will risk be shifted? For example, if a $40 billion deal is scuttled after a security breach that comes through a law firm, who will be responsible? Can any law firm take a $40 billion risk? He suggested that we will face similar risk-shifting issues with cloud technologies. Finally, Bodenheimer discussed cyberinsurance, suggesting that cyberinsurance markets may drive cybersecurity. He noted that if an organization does not have adequate cybersecurity, it may not be able to afford insurance or may not be eligible for coverage.

Question: How can CIOs operationalize the legal/policy developments discussed in today’s program?

Teplinsky noted that we are witnessing a shift in mindset. She argued that where we once were focused only on perimeter defense (i.e., keeping bad guys out of our networks), we now are coming to accept the idea that adversaries are in our networks and are beginning to develop strategies to address that reality. She suggested that CIOs need to bring this new mindset to the C-Suite.
The other panelists noted that this question would be addressed more fully in the second panel.

3. Panel 2: Private Sector Challenges and Opportunities

The second panel began with a threat landscape overview by Tom Kellermann, Vice President of Cybersecurity at Trend Micro Inc. It was noted that 96% of capital is in digital form and that organized crime has indeed migrated its operations online. Attacks have become targeted in nature, and thus criminals can bypass perimeter defenses such as virus scanners and firewalls. These realities are exacerbated by the adoption of virtualization and mobility by enterprises. In his presentation, Kellermann depicted a shadow economy that has become a service-based economy of scale (e.g., hacking services for hire). The noteworthy hacking trends of 2013 are: mobile attacks; virtualization attacks; cross-platform attacks; watering hole attacks (e.g., attacks which infect trusted web portals and mobile applications); and, finally, attacks on Mac users.

Kellermann concluded by highlighting an 11-step risk assessment methodology for enterprises:

1. Has the cyber security posture of all third parties been audited?
2. Is access to all sensitive systems and computers governed by two-factor authentication?
3. Does a log inspection program exist? How frequently are the logs reviewed?
4. Does file integrity monitoring exist?
5. Can vulnerabilities be virtually patched?
6. Is MDM and Mobile Application Reputation software utilized?
7. Do you utilize a DLP?
8. Can you migrate your layered security into the cloud?
9. Do you maintain multi-level rule-based event correlation? Is there custom sandbox analysis?
10. Do you have access to global threat intelligence?
11. Can you transfer your risk, e.g., are you cyber insured?
The panel then proceeded along two significant discussion tracks. First, Bob Parisi, Managing Director for Marsh, and Jeff Portis, Vice President for Chubb and Sons Insurance, were asked which cyber-attack trends were most worrisome. Both panelists concurred that distributed denial of service (DDoS) attacks and “island hopping attacks,” which transit through trusted third parties, were the most problematic for their constituencies. Bob Parisi stressed that DDoS attacks impact the reputational risk (“headline risk”) of enterprises as well as inhibit their ability to function, much as a fire would impact a facility in the real world.

The subsequent panel discussion revolved around cyber insurance and how organizations might best transfer risk. Bob Parisi described exactly what losses are covered under cybersecurity insurance. These were typically third-party costs associated with notification expenses due to the 42 state data breach laws, legal expenses, and the expenses associated with incident response and recovery. He stressed that the insurance industry does not cover direct losses, e.g., financial losses. Bob Parisi noted that the market for cybersecurity cover now exceeds $1B and is experiencing the highest growth of all insurance products. Jeff Portis stressed that Chubb does not insure everyone and that the underwriting process is not only rigorous but is updated on an annual basis. The financial sector represented the largest insured industry, with education and healthcare in second and third respectively. Jeff stated that the top four red flags for underwriting were:

1. Size of organization and industry
2. The existence of an updated Information Security Policy and Program
3. The existence of an Incident Response Plan
4. The existence of awareness training for employees

(See: http://www.chubb.com/businesses/csi/chubb822.html)

The panel conversation then coalesced into a conversation regarding best practices for awareness training and management of third-party risk. On the former, the panel highlighted the need for ongoing education and training of employees to prevent spear-phishing attacks. This thread focused on behavior-based systems wherein users are tested for their susceptibility to social engineering via email. Tom Kellermann stressed that these tests should be tied to HR policy and promotion. In addition, it was noted that IT professionals within enterprises should attend cyber security conferences so as to stay “current”.

Managing third-party risk was the final conversational topic. According to ISACA, 81% of organizations that suffered a breach due to the lack of security in a trusted partner’s system still had not updated their Service Level Agreement in 2012. At issue here is that SLAs are outdated and overly focused on the “uptime/resiliency” of your data, not its security. The panel noted that the lack of proper contracts and security audits of third parties contributed to systemic risk, and that it is fundamental that General Counsels learn to modernize SLAs so as to manage this cyber exposure. Bob Parisi noted that at a minimum these agreements should define security to the same standard as your organization. He stressed the viability of the PCI standard. (See: https://www.pcisecuritystandards.org/). Tom Kellermann noted that if an organization cares to develop robust security, it should refer to the twenty critical controls as defined by the SANS Institute and mandate that these controls be active within managed service provider networks.
(See: http://www.sans.org/critical-security-controls/). In conclusion, the panel stressed the importance of risk assessments and risk transfer via cybersecurity insurance.

Presenter Bios

David Z. Bodenheimer
Partner
Crowell & Moring LLP

David Z. Bodenheimer is a partner in the law firm of Crowell & Moring LLP, where he heads the Homeland Security Practice and specializes in Government Contracts, Cybersecurity, and Privacy. Resident in the DC office, he joined the firm in 1988 after six years with the U.S. Navy Department and many years as a University of North Carolina Tarheel (JD, MBA, BA, 1974-82). Representing all sizes of technology clients for 30 years, Mr. Bodenheimer litigates, counsels and resolves the full range of issues confronting clients in selling to the Government. See, e.g., Wynne v. UTC, 463 F.3d 1261 (Fed. Cir. 2006) (defeated $299 million defective pricing claim after 33-day trial and Federal Circuit appeal); Health Net Federal Services, 2009 CPD 220 (successful protest of $16 billion award after 5-day hearing). He authored the Defective Pricing Handbook (Thomson West, 2012-13 ed.) and regularly lectures on Government contracting, pricing, and fraud matters. As the head of C&M’s Homeland Security practice, Mr. Bodenheimer focuses upon acquisition, technology, and cyber risks confronting government contractors, including information security, privacy, data breach, and federal regulatory issues. He has testified before Congress regarding military cybersecurity, as well as at other hearings on antiterrorism technology and homeland security acquisition practices. As Division Chair (Security, Privacy & Information Law) and Committee Co-Chair (Cybersecurity & Homeland Security), he has led ABA initiatives and panels on emerging issues and risks in the cybersecurity, privacy, and homeland security arenas.
To cope with the rapidly changing risks driving information technology, he advises, trains, and supports clients on information security (FISMA, FIPS, NIST, DIACAP, and security breach), privacy requirements, and electronic surveillance issues.

Tom Kellermann
Vice President of Cyber Security
Trend Micro

Tom Kellermann served as a Commissioner on The Commission on Cyber Security for the 44th Presidency and serves on the board of the National Cyber Security Alliance, The International Cyber Security Protection Alliance (ICSPA), and the National Board of Information Security Examiners Panel for Penetration Testing. Tom is a Professor at American University's School of International Service and is a Certified Information Security Manager (CISM). Formerly holding the position of Chief Technology Officer at AirPatrol Corporation, Tom Kellermann spent five years as Vice President of Security Awareness for Core Security. Previously, Tom was the Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for internal cyber-intelligence and policy and for advising central banks around the world about their cyber-risk posture and layered security architectures. He co-authored the book "E-safety and Soundness: Securing Finance in a New Age." Tom Kellermann frequently speaks on topics including cyber security, policy creation, risk management, and advanced persistent response.

Melanie J. Teplinsky
Adjunct Professor
American University, Washington College of Law

A graduate of Princeton University (A.B., cum laude, '96) and Harvard Law School (J.D., cum laude, '99), Ms. Teplinsky has written and spoken extensively on cyberlaw issues and currently serves on the Advisory Board for CrowdStrike, Inc., an innovative cybersecurity technology company. Prior to joining American University Washington College of Law as an adjunct professor, Ms. Teplinsky practiced cyberlaw at Steptoe & Johnson LLP, where she counseled leading financial services, telecommunications, and other multinational clients on a wide array of issues including cybersecurity, data protection, and electronic surveillance. Ms. Teplinsky has worked on information technology policy issues in the Executive Office of the President (dividing her time between OMB's Office of Information and Regulatory Affairs, Information Technology Branch, and the Office of Science and Technology Policy). At EOP, Ms. Teplinsky reviewed proposed federal information technology legislation, and worked on digital intellectual property initiatives, authentication, encryption, PKI and privacy issues. Ms. Teplinsky also has worked at NIST's Computer Security Laboratory and SAIC's Center for Information Strategy and Policy. Ms. Teplinsky began her career in 1991 as an analyst at the National Security Agency (NSA) and continued her technical work at the Institute for Defense Analyses' Center for Communications Research, a federally funded research and development center supporting NSA's mission. Ms. Teplinsky is a Harry Truman National Scholarship recipient (1995) and served as a law clerk to the Honorable Judge Rya W. Zobel in the U.S. District Court, District of Massachusetts (1999-2000 Term). Ms. Teplinsky lives in Bethesda, MD with her husband and 6-year-old daughter and enjoys playing the violin.

Eric Wenger
Policy Counsel
Microsoft

Eric Wenger serves as Policy Counsel for Microsoft’s U.S. Government Affairs team, where he leads the company’s efforts to shape and pass federal cyber security and cyber crime legislation. Eric joined Microsoft in May 2009 from the Criminal Division of the U.S. Department of Justice, where he served as a trial attorney in the Computer Crime and Intellectual Property Section and as a Special Assistant United States Attorney in the District of Columbia.
In this capacity, Eric prosecuted computer crimes, including phishing, hacking, and credit card theft. He advised and trained federal prosecutors and law enforcement agencies on the federal laws that limit government access to electronic communications. He also helped draft the federal government’s strategic plan to address identity theft crimes. Prior to DOJ, Eric served as an attorney at the Federal Trade Commission’s Bureau of Consumer Protection, where he prosecuted complex Internet fraud cases, including the first FTC phishing cases. In his final year at the FTC, Eric was an Attorney Advisor to Commissioner Thomas B. Leary. Before the FTC, Eric worked in the Office of the New York State Attorney General and became Deputy Chief of the Internet Bureau. He prosecuted consumer protection litigation aimed at deceptive online practices, including the misrepresentation of privacy policies, and chaired a staff-level Internet Privacy Subcommittee for the National Association of Attorneys General. Eric did his undergraduate work at Cornell University and received his J.D. with honors from the George Washington University Law School. He lives in Bethesda with his wife and two children. In his spare time, Eric raises funds and awareness to fight brain cancer in memory of his late daughter, Kayla. - 15 - Executive Briefing Volume 6 / Number 3 May 2013 Robert A. Parisi, Jr. Managing Director & National Practice Leader for Technology, Network Risk & Telecommunications Marsh Robert Parisi is a Managing Director and National Practice Leader for Technology, Network Risk & Telecommunications specialist in Marsh’s New York City headquarters. His current responsibilities include advising clients on issues related to intellectual property, technology, privacy, and cyber related risks as well as negotiating with the carriers on terms and conditions. Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO) of eBusiness Risk Solutions at AIG. 
Robert joined AIG in 1998 as legal counsel for its Professional Liability group and held several executive and legal positions, including CUO for Professional Liability and Technology. While at AIG, Robert oversaw the creation and drafting of underwriting guidelines and policies for all lines of Professional Liability. Robert was also instrumental in the development of specialty reinsurance to address aggregation of risk issues inherent in cyber, privacy and technology insurance. In addition to working with AIG, Robert has also been in private practice, principally as legal counsel to various Lloyds of London syndicates. While at Marsh, Robert has worked extensively with Marsh clients in all industries, assisting them in analysis of their risk as well as in the placement of coverage for cyber and privacy risks. Jeffrey Portis Cyber Specialist / Assistant Vice President, Financial Institutions Chubb Group of Insurance Companies Mr. Portis is based out of Atlanta, Georgia. He is an assistant vice president and part of the DFI Large Account Team working on bank and insurance business. Mr. Portis focuses on accounts out of the southeast. Mr. Portis has been active as a Subject Matter Expert for Cyber for four years and was involved in managing a cyber book in the Southeast for financial institutions and commercial accounts. Mr. Portis was appointed as a cyber specialist in August 2010 for the Eastern Territory. He is very active in setting strategy for the Chubb CyberSecurity Product and serves as a referral point for deals throughout the Eastern Territory. In addition, he conducts training on an internal basis as well as an external basis to help increase the awareness with the exposures and how to address them with CyberSecurity. 
Confirmed Attendees (ordered by affiliation)

Name | Organization | Title
Kamalika Sandell | American University | Associate CIO
Gwanhoo Lee | American University | Associate Professor and Director
Alberto Espinosa | American University | Professor
Mike Carleton | American University | Research Fellow
William DeLone | American University | Professor and Executive Director
Melanie Teplinsky | American University | Adjunct Professor of Law, Washington College of Law
Stephanie DaCosta | American University | Student
David Silberman | American University | Student
Sarah Ryan | American University | Student
Jade Bernad | American University | Student
Urjita Sudula | American University | Student
Fang Zou | American University | Student
Margaret Weber | American University | Student
Suzanne McGann | American University | Student
Sarah Ryan | American University | Student
Molly Kerrigan | American University | Student
Keyvan Gheissari | American University | Student
Caitlin Dunn | American University | Student
Maddy Gregory | American University | Student
Will Maner | American University | Student
John Hoysgaard | American University | Student
Frank Armour | American University | Research Fellow
Stephanie Toussaint | American University | Student
Andrew E. Olson | American University | Student
Mary Culnan | American University & Bentley University | Senior Research Fellow and Professor Emeritus
Rich Schroth | American University & Executive Insights | Executive-in-Residence & CEO
Claudia D. Cuccia | American University, Washington College of Law | Student
Peter Frechette | American University, Washington College of Law | Student
Pasha Sternberg | American University, Washington College of Law | Student
Alex Zerden | American University, Washington College of Law | Student
Riad Muwakki | Aruba Networks | National Account Manager
Jennifer Nedeau | Bully Pulpit Interactive | Director
Jeffrey Portis | Chubb Group of Insurance Companies | Cyber Specialist / Assistant Vice President, Financial Institutions
Larry Fitzpatrick | Computech, Inc. | President
Chris Bursenos | Computech, Inc. | Cybersecurity Assessment & Compliance Manager
David Z. Bodenheimer | Crowell & Moring LLP | Partner
Joseph Kraus | Holocaust Memorial Museum | CIO
Mohamoud Jibrell | Howard Hughes Medical Institute | Vice President for Information Technology
Steve Kaisler | i_SW Corporation | Senior Scientist
Toni McDermott | Marriott | IT Planning and Enterprise PMO
Robert A. Parisi, Jr. | Marsh | Managing Director & National Practice Leader for Technology, Network Risk & Telecommunications
Sharon Solomon | Medimmune | CIO
Greg Lankler | Mercury/Clark & Weinstock | Managing Director
Eric Wenger | Microsoft | Policy Counsel
Curtis Generous | Navy Federal Credit Union | CTO
Jimmie Owens | Navy Federal Credit Union | Manager, Information Security Architecture & Vulnerability Management
Steve Cooper | The Strativest Group | Partner
Tom Kellerman | Trend Micro | Vice President of Cyber Security
Jungsu Song | WorldBank | Senior ICT Policy Specialist

CITGE Executive Team
Dr. William H. DeLone, Executive Director, CITGE; Professor, Kogod School of Business, American University
Dr. Gwanhoo Lee, Director, CITGE; Associate Professor, Kogod School of Business, American University
Dr. Richard J. Schroth, Executive-in-Residence, Kogod School of Business, American University; CEO, Executive Insights, Ltd.
Michael Carleton, Senior Research Fellow; Former CIO, U.S. Department of Health and Human Services
Dr. Frank Armour, Research Fellow

CITGE Advisory Council
Steve Cooper, CIO, Air Traffic Organization, Federal Aviation Administration
Bill DeLeo, Director of Release Engineering Architecture, SAS
Mohamoud Jibrell, CIO, Howard Hughes Medical Institute
Joe Kraus, CIO, U.S. Holocaust Memorial Museum
Ed Trainor, former CIO, AMTRAK
Susan Zankman, SVP of Information Resources Finance and Management Services, Marriott International

Associated Faculty and Research Fellows
Dr. Erran Carmel, Professor, Kogod School of Business, American University
Dr. J. Alberto Espinosa, Associate Professor, Kogod School of Business, American University
Dr. Peter Keen, Distinguished Research Fellow; Chairman, Keen Innovation
Dr. Mary Culnan, Senior Research Fellow; Slade Professor of Management and Information Technology, Bentley College