Cybersecurity Primer
August 15, 2014
National Journal Presentation Credits
Producer: David Stauffer
Director: Jessica Guzik

Cybersecurity: Key Terms

Cybersecurity: Information security applied to computers and networks.
Cyber incident: A violation of an organization’s security policy as a means to access networks or spread malicious code.
Cyber attack: An attack targeting an enterprise’s use of cyberspace to disrupt, disable, destroy, or control a computing infrastructure and its data; types of attacks include, but are not limited to, denial-of-service attacks, viruses, malware, and phishing schemes.
Cyber threat intelligence: Information about a vulnerability of, or a threat to, a government or private sector entity’s network; includes information about a network’s protection from attackers.
National Security System: Any information system that involves intelligence activities, cryptologic activities related to national security, command and control of military forces, or direct fulfillment of military or intelligence missions.
Critical infrastructure: Physical or virtual assets and systems vital to society; destruction of or damage to such assets could debilitate national security, the economy, public health or safety, or the environment.
Source: Government Accountability Office, 2013; U.S. Department of Commerce, 2003; Center for Strategic and International Studies, 2013; NIST, 2013.

Number of Cyber Incidents Reported Among Federal Agencies Has Increased Nearly Ninefold Since 2006
[Chart: Number of Incidents Reported to U.S. Computer Emergency Readiness Team (US-CERT), FY 2006-2012]
Analysis
• The number of reported cyber incidents has led to growing concern about cybersecurity and the destructive impact cyber attacks could have on the government, military, private sector, and even personal operations
• The number of reported cyber incidents has prompted many to urge the U.S. government to provide a greater level of protection from such attacks
• The rise in reported incidents may also be partially attributed to better reporting; a growing awareness of cyber attacks has led agencies and companies that are part of critical infrastructure to be more forthcoming about threats and incidents
Source: Government Accountability Office, 2013; Ellen Nakashima and Danielle Douglas, “More Companies Reporting Cybersecurity Incidents,” The Washington Post, March 1, 2013.

Federal Agencies Are Vulnerable to a Variety of Cyber Incidents
[Chart: Types of Incidents Reported to US-CERT, FY 2006-2012; categories: scans, probes, and attempted access; unauthorized access; unknown or under investigation; malicious code; improper usage]
Analysis
• Spreading malicious code, unauthorized access, and improper usage are the most common types of cyber incidents, accounting for 55% of total incidents reported
• According to the Government Accountability Office, many of these incidents resulted in data loss, data theft, computer intrusions, privacy breaches, and economic loss
Source: Government Accountability Office, 2013.

Threats to Cybersecurity Are Decentralized and Diverse
Actors Threatening Private and Public Cybersecurity
Spyware or malware authors: Individuals or organizations producing and distributing malware/spyware
Spammers: Individuals or organizations distributing unsolicited e-mails with hidden or false information
Business competitors: Companies obtaining sensitive information from rival or target companies to improve their competitive edge
Insiders: Organization insiders gaining network access to damage or steal system data (e.g., NSA’s Edward Snowden)
Hackers: Individuals or groups gaining unauthorized access to networks for various reasons
Bot-net operators: Networks of remotely controlled systems coordinating cyber attacks
Nations: Foreign governments seeking information to develop information warfare doctrine, programs, and capabilities
Criminal groups: Groups attacking systems for monetary gain
Phishers: Individuals or groups stealing identities or information for monetary gain
International corporate spies: Spies conducting economic and industrial espionage
Terrorists: Individuals or groups seeking to destroy, incapacitate, or exploit critical infrastructure
Analysis
• Cyber threats are caused by individuals and organizations motivated by financial gain, political advantage, and ideological causes
• Many cyber attacks fall under multiple categories; e.g., a terrorist and a phisher can be one and the same
Source: Government Accountability Office, 2013; Congressional Research Service, 2013.

Government Agencies and Organizations Protect Federal and Private Organizations Against Cyber Threats
Agencies Tasked with Protecting the Nation’s Cybersecurity
Department of Homeland Security
• Responds quickly to cyber vulnerabilities
• Partners with owners and operators of critical infrastructure to release actionable cyber alerts
• Investigates and arrests criminals
• Educates the public on cyber safety
• Within DHS, the United States Computer Emergency Readiness Team (US-CERT) provides cyber threat warning information and coordinates responses
Office of Management and Budget
• Develops and oversees implementation of policies, principles, standards, and guidelines on information security in federal agencies
• Annually reviews and approves agency information security programs
Department of Commerce
• Oversees the Internet Policy Task Force
• Researches and reviews cybersecurity standards in the commercial sector
• Within the Department of Commerce, the National Institute of Standards and Technology (NIST) develops minimum security standards for agencies and guidelines for identifying information systems critical to national security
Source: Government Accountability Office, 2013; Department of Homeland Security, 2013; Department of Commerce, 2013.

Cybersecurity Became a Legislative Priority in the Past Decade
Timeline of Enacted Cybersecurity Legislation
2002: Federal Information Security Management Act (FISMA). Establishes a comprehensive, risk-based framework to ensure information security controls over information resources supporting federal operations and assets
2006: National Infrastructure Protection Plan. Provides a framework integrating a range of efforts and partnerships designed to make the nation’s critical infrastructure safer
2008: Comprehensive National Cybersecurity Plan. Establishes a frontline of defense against network intrusion, enhances U.S. counterintelligence capabilities, and expands cyber education
2013: Executive Order “Improving Critical Infrastructure Cybersecurity”; failure of CISPA. The EO requires the government to share cybersecurity threats with the private sector and directs NIST to create best practices for cybersecurity in the private sector; the House passes, but the Senate does not take action on, the major cybersecurity bill CISPA
Source: National Journal Research; White House, 2000; Government Accountability Office, 2013; Department of Homeland Security, 2009; Central Intelligence Agency, 2008; Gerry Smith, “Senate Won’t Vote on CISPA, Deals Blow to Controversial Cyber Bill,” HuffPost Tech, April 25, 2013.

In Executive Order, Private Sector Cooperation Encouraged But Voluntary
Cybersecurity Executive Order (EO) Flow of Information
[Diagram: recommendations and detected threats flow between the U.S. Executive Branch and the Private Sector]
Mandated course of action (U.S. Executive Branch)
• Ordered the National Institute of Standards and Technology (NIST) to create a “cybersecurity framework” to identify threats and establish guidelines for protection; a first draft was released in February of 2014
• Ordered NIST to assess its own performance on privacy
• Directs all government agencies to provide alerts to the private sector in the event of a threat
Voluntary course of action (Private Sector)
• May help NIST develop the framework
• May volunteer to comply with the cybersecurity framework
• May help to protect critical infrastructure, e.g., electrical grids, banking systems, and water treatment plants
Analysis
• Obama’s 2013 executive order aimed to enhance cybersecurity by establishing a synergetic framework between the private sector and government agencies
• Government agencies must share information about alerts, threats, and vulnerabilities with the private sector
• In return, private sector entities are advised, though not required, to help NIST develop a stronger cybersecurity framework
Source: Brian Fung, “Why Some Privacy Advocates Are Grinning Over Obama’s Cybersecurity Order,” National Journal, Feb. 13, 2013; Michael S. Schmidt and Nicole Perlroth, “Obama Order Gives Firms Cyberthreat Information,” New York Times, Feb. 12, 2013; Chenxi Wang, “Obama’s Cybersecurity Executive Order: Heart in the Right Place But There Is Little Teeth,” Forbes, Feb. 14, 2013; National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0,” Feb. 12, 2014.

Executive Order Struggles with Implementation
Process of Implementing the Cybersecurity Information Sharing EO
[Diagram: DHS certifies communications service providers to provide sharing services and utilities to critical infrastructure sectors; each sector is marked as participating or not participating. Sectors: Defense, Telecomm, Energy, Chemical, Critical Manufacturing, Dams, Emergency Services, Food and Agriculture, Financial Services, Health Care, Nuclear, Water, IT, Transportation, Government Facilities, Commercial Facilities]
Analysis
• The information sharing program outlined in the 2013 EO has only reached three of 16 critical infrastructure industries
• DHS does not directly advertise or maintain the program, instead relying on private service providers for those functions; government information provided through the program is free, but companies must purchase the data sharing services and utilities from private providers
• Currently, only two service providers, CenturyLink and AT&T, have applied and been approved for the program
Source: Aliya Sternstein, “Who Receives Hacker Threat Info From DHS?” NextGov, August 11, 2014; Department of Homeland Security, “Critical Infrastructure Sectors.”

Program Has a Chicken-and-Egg Problem of Low Participation
Barriers to Participation in Information Sharing Program
[Diagram, circular: limited number of communications service providers participating… …because critical infrastructure sectors aren’t participating, because…]
Analysis
• The executive order currently has a chicken-and-egg problem; the program needs more service providers to expand the service to all 16 critical infrastructure sectors, but because so few sectors are currently involved, few service providers are interested in expanding into the program
• Moreover, there are barriers for service providers: the current accreditation process for service providers takes eight months, and the investment that companies need to make to get clearance for employees to view the information and to build secure communications networks to protect the information is formidable
Source: Aliya Sternstein, “Who Receives Hacker Threat Info From DHS?,” NextGov, August 11, 2014; Department of Homeland Security, “Critical Infrastructure Sectors.”

In 2014, Congress Advanced Legislation to Increase Cybersecurity Sharing Participation
Timeline of Recent Legislative Action on Cybersecurity
June 2014: The Cyber Information Sharing Act (CISA) is introduced in the Senate, removing legal barriers for companies to share information about cybersecurity threats and providing liability protection for companies that share such information
July 8, 2014: The Senate Select Committee on Intelligence approves CISA and sends it to the Senate floor for debate
Note: Liability protection would allow protection from civil action, regardless of prior contracts that may prevent sharing information without a customer’s consent
July 28, 2014: The House passes three bills: the National Cybersecurity and Critical Infrastructure Protection Act, which creates a civilian agency under DHS to handle cyber information sharing between the government and private industries and organizations for security purposes; the Critical Infrastructure Research and Development Advancement Act, which directs DHS to develop a strategic plan for cybersecurity protection; and the Homeland Security Boots-On-The-Ground Act, which requires DHS to develop occupation classifications for individuals performing cybersecurity functions
July 31, 2014: The Cyber Information Sharing Tax Credit Act is introduced in the Senate, providing tax credits to private companies that share information regarding cybersecurity threats with security research organizations
Sources: Gregory S. McNeal, “Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee,” Forbes, July 9, 2014; Steve Augustino, Jameson Dempsy and Dawn Damschen, “Could 2014 Be The Year for Cybersecurity Sharing Legislation?” Above The Law, July 14, 2014; Mary-Louise Hoffman, “Sen. Kirsten Gillibrand Proposes Tax Incentives To Spur Cyber Intel Sharing,” ExecutiveGov, August 4, 2014; Eric Chabrow, “How House Passed 3 Cybersecurity Bills,” Bank Info Security, July 29, 2014.

NIST Framework’s Tiers Rate Organizational Preparedness Against Cyber Threats
NIST Tiers (each tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation)
Tier I – Partial
• Risk Management Process: No formalized process; ad hoc and reactive to threats, not informed by organizational needs or current trends
• Integrated Risk Management Program: Limited awareness of cybersecurity risk and no organization-wide approach to risk management
• External Participation: No processes in place to participate in coordination with other entities on cybersecurity
Tier II – Risk Informed
• Risk Management Process: Risk management practices are approved by management but may not be organization-wide policy; risk management may be informed by organizational needs or current trends
• Integrated Risk Management Program: Awareness of cybersecurity risk at the organizational level, but no organizational approach
• External Participation: The organization understands it is part of a larger ecosystem but has no formal system for external interaction
Tier III – Repeatable
• Risk Management Process: The organization’s risk management practices are formally approved and expressed as policy, and the organization changes those practices based on updated organizational needs and current trends
• Integrated Risk Management Program: A consistent organization-wide approach to risk management
• External Participation: The organization understands its partners and dependencies and receives information from those entities that allows for collaboration and informed responses to threats
Tier IV – Adaptive
• Risk Management Process: A formalized and continuously updating system of cybersecurity practices based on information from previous and current cybersecurity activities
• Integrated Risk Management Program: An organization-wide approach to managing cybersecurity risk using risk-informed policies and procedures, with cybersecurity risk management as a part of organizational culture
• External Participation: Actively shares information with partners to ensure systemic security and defense against a cybersecurity breach
Source: National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0,” Feb. 12, 2014.

Cyber Attacks Cost Private Sector Millions
[Chart: Average Annual Cost of Cyber Attack Damages per Sector in FY 2012, in millions of dollars]
Analysis
• Cyber attacks were most costly to the defense, utilities and energy, and financial services sectors in FY 2012; these sectors spent an average of $19.4 million on cyber attack damages, while all other sectors shown spent an average of $5.7 million
• Cyber attacks are most likely to target the defense, utilities, and financial services sectors because they contribute to the nation’s critical infrastructure
• The consumer products, hospitality, and retail sectors spend the least on cyber attack damages because they rarely possess information pertinent to the nation’s critical infrastructure
* Data are based on a survey of 56 companies; cost refers to the cost of addressing cyber attack damages
Source: “2012 Cost of Cyber Crime Study: United States,” Ponemon Institute, October 2012.

Cyber Attacks Prompt Private Sector to Take Precautions
[Charts: Proactive vs. Reactive Corporate Spending Against Cyber Threats, 2010; Annual Gross Written Premiums for Cybersecurity Private Liability Insurance, in millions of dollars]
Analysis
• Companies spent more on proactive measures (labor, capital, or services that assist in avoiding cyber incidents and data breaches) in 2010 than on reactive measures (expenditures made in response to cyber incidents and data breaches)
• Aligning with this trend is the growth of the cyberinsurance market, which commanded $1 billion in annual premiums in 2012, a 40% increase compared to 2010
Source: Adam Mazmanian, “The Cyber Premium,” National Journal, June 15, 2012; NIST, 2013.