The Impact of US Cybersecurity Policies on Submarine Cable Systems

Transcription

1 The Impact of US Cybersecurity Policies on Submarine Cable Systems International Cable Protection Committee 2013 Plenary Meeting May 21-23, 2013 Eric Fishman, Esq., Partner, Phillips Nizer LLP 666 Fifth Avenue New York NY Phone Fax Resourceful Representation 600 Old Country Road Garden City NY Phone Fax 34 Pantigo Road East Hampton NY Phone Fax Court Plaza North 25 Main Street Hackensack NJ Phone Fax

2 Cyberattacks in the US In 2012, cyberattacks triple over 2011 according to Akamai Ponemon Institute study of 56 entities in 2012 reports increased average annual cost of $8.9M Oct. 2012: DOD Secretary Panetta wars US facing possibility of cyber-pearl Harbor (NYT) 2013 PWC Survey of US CEOs: 68% predict major cyberattack May 20, 2013: China resumes hacking of US targets (NYT)

3 Executive Order and Presidential Policy Directive - February 12, 2013 The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. Mandates creation of a voluntary Cybersecurity Framework for Critical Infrastructure ( CI ) entities. Promotes information sharing between government agencies and targeted entities that may face a cybersecurity threat. CI defined as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters. PPD specifies 16 CI sectors, including communications, and information technology.

4 Presidential Executive Order (cont.) Executive Order promotes government information sharing with private entities: Instructs Attorney General and DHS Secretary to establish process to rapidly disseminate unclassified reports of cyber threats to non-ci targeted entities Instructs AG and DHS Secretary to establish a process to disseminate classified reports of threats to CI entities, and expedite security clearances for CI personnel Directs National Institute of Standards and Technology ( NIST ) to create a voluntary Cybersecurity Framework within one year. Framework to include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to cyber risks and incorporate voluntary consensus standards and best practices to the fullest extent possible and be consistent with voluntary international standards.

5 Presidential Executive Order (cont.) Framework will be developed through an open review and comment process, along with consultation with DHS, NSA, Sector-Specific Agencies, CI owners and operators, and other stakeholders Instructs agencies to determine whether their cybersecurity regulations are adequate in light of Framework, and whether the agency has authority to establish new requirements based on Framework. If current regulations are insufficient, agency must propose prioritized, risk-based, efficient and coordinated actions to mitigate cyber risk.

6 Presidential Executive Order (cont.) FCC Role Independent agencies, like FCC, encouraged to engage in a consultative process with DHS, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for CI consistent with their authorities Presidential Policy Directive specifies that communications systems [are] uniquely critical to the enabling functions they provide across all critical infrastructure sectors. PPD tasks FCC with (1) identifying and prioritizing communications infrastructure; (2) identifying communications sector vulnerabilities and working with industry and other stakeholders to address those vulnerabilities; (3) working with stakeholders, including industry, and engaging foreign governments and international organizations to increase the security and resilience of CI within the communications sector; and (4) facilitating the development and implementation of best practices promoting the security and resilience of critical communications infrastructure.

7 Presidential Executive Order (cont.) Directs Department of Commerce to recommend incentives to promote participation in the CI Cybersecurity Program. These incentives may include technical and public policy measures that improve cybersecurity without creating barriers to innovation, economic growth and the free flow of information. Google exception

8 NIST Request for Information ( RFI ) On February 26, 2013, NIST issues a Request for Information seeking comments on the development of standards, guidelines and best practices that will comprise the Cybersecurity Framework. Deadline for Comments: April 8, 2013 NIST solicits information in three categories: Current Risk Management Practices Use of Frameworks, Standards, Guidelines and Best Practices Specific Industry Practices Current Risk Management Practices NIST seeks information on how organizations assess risk; how cybersecurity factors into that risk assessment; current usage of existing cybersecurity frameworks, standards and guidelines; and other management practices related to cybersecurity.

9 NIST Request for Information ( RFI ) (cont.) Use of Frameworks, Standards, Guidelines and Best Practices NIST seeks comments on applicability of existing publications to address cybersecurity needs, including, but not limited to documents developed by international standards organizations; US Government Agencies and organizations; State regulations or PUCs; industry and industry associations; other Governments; and non-profits and other non-governmental organizations.

10 NIST Request for Information ( RFI ) (cont.) Specific Industry Standards. NIST seeks comment on the adoption of the following practices as they pertain to critical infrastructure components Separation of business from operational systems Use of encryption and key management Identification and authorization of users accessing systems Asset identification and management Monitoring and incident detection tools and capabilities Incident handling policies and procedures Mission/system resiliency practices Security engineering practices Privacy and civil liberties protection

11 How Will the Framework be Developed?

12 NIST Notice of Inquiry ( NOI ) On March 28, 2013, NIST issued a Notice of Inquiry seeking comment on incentives designed to promote participation in a voluntary program to be established by DHS to support the adoption by owners and operators of critical infrastructure of the Cybersecurity Framework. Deadline for Comments: 2013

13 NIST Notice of Inquiry ( NOI ) (cont.) Seeks comment on: Are existing incentives adequate to address the current risk environment for your sector/company? Do particular business sectors or company types lack sufficient incentives to make cybersecurity investments more than others? If so, why? How do businesses/your business assess the costs and benefits of enhancing their cybersecurity? What are the best ways to encourage businesses to make investments in cybersecurity that are appropriate for the risks that they face? How do businesses measure success and the cost-effectiveness of their current cybersecurity programs? Are there public policies or private sector initiatives in the US or other countries that have successfully increased incentives to make security investments or other investments that can be applied to security?

14 NIST Notice of Inquiry ( NOI ) (cont.) Are there disincentives or barriers that inhibit cybersecurity investments by firms? Are there specific investment challenges encountered by small business and/or multinational companies, respectively? For business that are already subject to cybersecurity requirements, what is the cost of compliance and is it burdensome relative to other costs of doing business? What are the merits of providing legal safe harbors? By contrast, what would be the merits or implications of incentives that hold entities accountable for failure to exercise reasonable care that results in loss due to inadequate security measures? How can liability structures and insurance, respectively, be used as incentives? What other market tools are available to encourage cybersecurity best practices? What are the benefits and challenges associated with voluntary governance mechanisms?

15 Comments on RFI Filed by over 240 parties, including IBM, DOD, Microsoft, CISCO, VeriSign, Intel, Citibank, Internet Security Alliance, Honeywell, VISA, Lockheed Martin, Financial Services Sector Coordinating Council In the telecom sector, comments from Verizon, AT&T, Level 3, NARUC, Siemens, NCTA, US Telecom, FCC, CTIA, Alcatel-Lucent, ATIS, NCTA

16 Initial Analysis of RFI Comments Basis for additional discussion at upcoming Framework Workshop RFI Responses reviewed and categorized by topics: Regulation/legal Conformity/standards Metrics Privacy/civil liberties Future Practice Other

17 Initial Analysis of RFI Comments (cont.) Framework Principles: 35.8% of respondents urge flexibility, no one size fits all 64.6% discuss interrelationship between Framework and international standards 81.1% - Framework should encourage use of risk-based approaches rather than compliance-based approaches 33.3% - Framework should leverage existing risk management approaches

18 Initial Analysis of RFI Comments (cont.) Common Points: 67.0% discuss senior management engagement in and accountability for cybersecurity 20.9% discuss need for baseline security 75.3% urge improved understanding, information sharing of threat landscape 68.7% urge risk management process that addresses cyber risk in conjunction with other types of risk at organizational level 60.0%: Separation of business systems and operational systems 61.7%: Need for skilled cybersecurity workforce

19 Initial Analysis of RFI Comments (cont.) Initial Gaps 59.2%: Metrics (performance-related data to monitor and measure goals) 52.2%: Privacy and civil liberties (ability to avoid harmful consequences) 55.9%: Use of tools to facilitate implementation 57.2%: Dependencies (critical functions rely on other organizations in order to perform) 65.4%: Industry best practices 46.5: Resiliency (ability to sustain an attack)

20 Telecom Comments FCC Through Communications Security, Reliability and Interoperability Council, composed of 50 leaders from private sector and government, pursues a multistakeholder approach to develop and recommend cybersecurity best practices. Reporting requirements of system outages Level 3 Supports advanced research on cyber threat mitigation Supports incentives to motivate vendors to adopt industry standard security models Existing frameworks should be collapsed to reduce certification impact Framework should focus on the supply chain of technology solutions Need for adaptability, flexibility

21 Telecom Comments (cont.) Verizon Framework should build on existing standards, be voluntary, flexible, and costeffective NIST should not include any type of government reporting obligations in Framework NIST should not adopt any practices that will shift costs to CI owners Need Federal legislation to address issues beyond reach of EO: existing legal barriers to information sharing; liability protection for deployment of countermeasures to cyber threats and sharing information; investing in education and training of cybersecurity professionals

22 Telecom Comments (cont.) AT&T Framework should embrace principles of efficiency, prioritization of standards, inclusiveness, and innovation over regulation Framework should build on existing relationships Framework should be developed through consultative process, harmonize with international standards Framework should be flexible, taking into account varying capabilities of CI owners, as well as practicality and cost effectiveness

23 Telecom Comments (cont.) Alcatel-Lucent Recommends industry-led, standards-based approach to cybersecurity Advocates a common lexicon across critical infrastructure Framework should harmonize sector specific security standards, guidelines and regulations to standard security lexicon Defense-in-depth multiple defense mechanisms to defend against attack Framework should incorporate international standards that can be applied across borders

24 Telecom Comments (cont.) National Cable & Telecommunications Association ( NCTA ) Framework must be flexible, agile and adaptable, recognizing that diversity is preferable to uniformity Framework should take into account differences in design, size and complexities of architectures and business models, and provide flexibility Need for liability protections to minimize litigation risk, legal uncertainties Framework should include all relevant industry sectors, including IT Framework should draw on existing resources and solutions

25 Telecom Comments (cont.) United States Telecom Association Framework should treat protection and security of CI as a shared responsibility across all participants in internet ecosystem Framework should be flexible and non-prescriptive Framework should foster increased information sharing and liability protection for private stakeholders Need for Incentives to Promote Adoption of Best Practices tax, direct funding; streamlined regulation

26 Comments on Incentives FCC Focuses on existing incentives: Public-private partnerships Consumer complaints Outage reporting NCTA Liability Protection to eliminate legal uncertainties Policy framework that encourages robust information sharing Preemption of conflicting state and local laws Financial incentives financial support; tax credits and deductions Regulatory restraint

27 Comments on Incentives (cont.) Telecommunications Industry Association ( TIA ) Leveraging public-private partnerships is critical Government should ensure flexibility and ability to innovate Enhanced information sharing Increased Federal cybersecurity R + D Tax Based incentives Cybersecurity insurance Recognized necessity of international approaches Oppose regulation Industry led, voluntary, consensus based standards should serve as safe harbors, not requirements USTA Safe harbors Increased information sharing Tax incentives Targeted subsidies

28 NIST Workshops April 3, 2013 May 29-31, 2013

29 Source Materials Executive Order: Presidential Policy Directive: NIST RFI: NIST NOI: NIST RFI Comments: NIST NOI Comments:

30 Questions?

31 The Impact of US Cybersecurity Policies on Submarine Cable Systems International Cable Protection Committee 2013 Plenary Meeting May 21-23, 2013 Eric Fishman, Esq., Partner, Phillips Nizer LLP Direct Fifth Avenue New York NY Phone Fax Resourceful Representation 600 Old Country Road Garden City NY Phone Fax 34 Pantigo Road East Hampton NY Phone Fax Court Plaza North 25 Main Street Hackensack NJ Phone Fax