Discussion DO NOT COPY, DISTRIBUTE, OR DISSEMINATE.

Transcription

1 Cybersecurity Time for Action February 26, 2015 BLUF Government information and the nation s infrastructure remain at serious risk to cyberattacks, and recent legislation in Congress does little to address the problems. Despite over $12 billion in annual federal funding for cybersecurity, the prevalence and magnitude of cyberattacks have increased significantly in recent years. The Administration and Congress have failed to keep pace with the persistent threat as few cyber-related bills have been passed since At the same time, the absence of a comprehensive national cybersecurity strategy has left the national cybersecurity apparatus rudderless. These issues combined with poor understanding of cybersecurity, failing private-public partnerships, and poor incentives to combat the threat, have left the nation vulnerable. Although momentum to address cybersecurity issues has increased, Congress and the Administration s actions so far have not been promising. Issues The major issues that have left the nation vulnerable to cybersecurity attacks include: Ineffective Strategy: Cybersecurity is a complex and evolving issue, requiring coordinated leadership and persistent attention. Currently, no single agency is in charge of coordinating the government s cyberrelated initiatives. The lack of a lead executive agent, combined with the lack of a national cybersecurity strategy has created a large, often redundant bureaucracy that still has gaps. Piecemeal Policies: The Administration and Congress take a piecemeal approach to cybersecurity, producing legislation and policies that only address near-term cyber issues. This shortsightedness underlines a lack of a holistic understanding of cyberthreats and the role they must play in cybersecurity. Failing Public-Private Partnerships: The private sector s distrust of the government over legal and liability concerns has impeded information sharing efforts aimed at strengthening cybersecurity. Reported Federal Cyber Incidents and FISMA spending 80,000 $16 70,000 $14 60,000 $12 50,000 $10 40,000 $8 30,000 $6 20,000 $4 10,000 $2 0 FY06 FY07 FY08 FY09 FY10 FY11 FY12 FY13 FY14 FY15* FISMA Spending (Right Axis) Incidents Reported to US-CERT by Federal Agencies (Left Axis) * FY15 and FY16 funding based on presidential budget requests Source: GAO Analysis of US-CERT, CRS Report on Cybersecurity Issues and Challenges FY16* $0 Billions of Dollars Number of Incidents Over the past 8 years the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team increased by 1,121 percent. At the same time, funding for the Federal Information Security Management Act (FISMA) more than doubled in the past eight years before experiencing cuts from the FY13 sequester.

2 2 Discussion Ineffective Strategy: Cybersecurity is the act of protecting information and communications technology (ICT) and their contents. However, protection has been lacking recently with major breeches of both public and private ICT systems, including the Veteran Affair s data network, Anthem Blue Cross accounts database, and DOD s Central Command s Twitter account to name just a few. The viability of information security is being questioned and Congress and the Administration have renewed their focus on cyber issues. The current FY16 proposed budget increases cybersecurity spending once again by $1 billion but despite the large spending, the federal government is handicapped by its lack of direction and strategy. Currently, the U.S. government does not have a comprehensive cybersecurity strategy despite numerous strategy documents published over the last decade. Additionally, there is no single document that synthesizes applicable laws or policies in order to provide a comprehensive description of priorities, responsibilities, and milestones. Moreover, there is a lack of continuity in current policies. For example, the 2003 National Strategy to Secure Cyberspace does not refer to the 2000 National Plan for Information Systems although they address similar issues. Evolution of Cybersecurity Strategy and Policy There is no single document that comprehensively defines U.S. cybersecurity strategy. Various documents contributing to the national strategy have either revised priorities or delegated new responsibilities to organizations. On the legislative side, there was a 12-year gap between the 2002 Federal Information Security Management Act and the four bills passed by the 113 th Congress in late The existing strategy documents lack key elements including; milestones and performance measures, cost justifications and resource allocations, roles and responsibilities, and linkage to other key documents, such as the National Security Strategy (NSS). The Government Accountability Office (GAO) argues that the absence of accountability and oversight mechanisms within the strategy documents has contributed to the shortcomings of agency cybersecurity risk management processes. The federal cybersecurity apparatus, as a result, has also become more complex over the last decade with no clear delineation of roles and responsibilities that have emerged over the years. For example, much of the criticism towards the White House s establishing the National Cyberthreat Intelligence Integration Center (CTIIC) is that its threat information-sharing role is already being filled by a number of existing organizations, including the National Cybersecurity and Communications Integration Center (NCCIC). At the same time, the 113 th Congress passed a bill that instructed the NCCIC to share potential threats with private companies, which overlaps with the new CTIIC s responsibilities.

3 3 Simplified Illustration of Federal Agency Cybersecurity Roles The illustration provides an extremely simplified illustration of broad roles and responsibilities of agencies involved in cybersecurity. However, numerous overlaps in roles and responsibilities exist that are not represented. Source: CRS, Cybersecurity Issues and Challenges Piecemeal Policies: Since the 111 th Congress, many cyber bills have been introduced but they all have experienced logjams with controversies over roles and responsibilities between agencies, the federal government, and state governments. As a result, policy has lagged behind the very threats it is meant to address. Until December 2014, the last cybersecurity bill to be enacted was the Federal Information Security Management Act (FISMA) in To pass bills, Congress has adopted a step-by-step approach rather than tackle a comprehensive and more controversial cybersecurity bill. The result is that the four bills passed late last year addressed only near-term cyber issues (preventing disasters and espionage, reducing impact of attacks, improving inter and intra-sector collaboration, and clarifying roles and responsibilities), and they fail to address the long-term challenges of cyberthreats. New legislation needs to be flexible and forward looking, recognizing that technology outpaces the legislative processes. As they stand today, the proposed cyber-related bills in the 114 th Congress do not address long-term challenges. In order to address the long-term challenges, policy must address (1) cybersecurity Research and Development (R&D) to affect the design of ICT, (2) cybercrime penalties that can influence the structure of

4 4 incentives, (3) a framework that may improve consensus about cybersecurity, and (4) federal initiatives in cloud computing and other components of cyberspace that may help shape the evolution of cybersecurity. Current Legislation Federal Information Security Management Act (FISMA) 2002 FISMA Modernization Act 2014 Cybersecurity Workforce Assessment Act 2014 National Cybersecurity Protection Act 2014 Cybersecurity Enhancement Act Description Defines a comprehensive framework to protect government information, operations, and assets against cyber threats. Requires the National Institute of Standards and Technology to develop minimum information security standards and guidelines and for each agency to develop procedures to detecting, reporting, and responding to security incidents. Revises FISMA 2002 and clarifies roles and responsibilities for overseeing and implementing agencies information security program. Requires DHS to assess its cybersecurity workforce and develop a strategy for addressing workforce gaps. Codifies DHS National Cybersecurity and Communications Integration Center (NCCIC) as the nexus of cyber and communications integration for federal government, intelligence community, and law enforcement. Authorizes the Department of Commerce, through the National Institute for Standards and Technology, to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure. Proposed Legislation Terrorism Prevention and Critical Infrastructure Protection Act Cyber Defense National Guard Act Safe and Secure Federal Websites Act Cybersecurity Education and Federal Workforce Enhancement Act Cyber Privacy Fortification Act Cyber Threat Sharing Act Cyber Intelligence Sharing and Protection Act of 2015 Description Codifies Presidential Policy Directive 21 to improve critical infrastructure security and resilience. Requires the Director of National Intelligence to conduct a study on the feasibility of establishing a Cyber Defense National Guard. Prohibits a federal agency from deploying a personally identifiable information website until a certification is submitted to Congress that demonstrates that the website is fully functional and secure. Establish an Office of Cybersecurity Education and Awareness Branch within the DHS to strengthen the agency s capacity to attract and retrain highly trained computer and information security professionals. Amends federal criminal code to provide criminal penalties for intentional failures to provide required notices of security breach involving sensitive personally identifiable information. Codifies mechanisms for enabling cybersecurity threat indicator sharing between private and government entities. Provides for the sharing of certain cyber threat intelligence and cyberthreat information between intelligence community and cybersecurity entities. Public-Private Partnerships: Public-private partnerships have been emphasized in cybersecurity strategy documents as far back as the Clinton administration. Greater information sharing can increase the size and quality of cybersecurity products and make cyberspace more secure, reduce redundant efforts, and make dollars spent on cybersecurity more effective. However, efforts have been continuously stymied by private sector unwillingness, weak government incentives, lack of enforcement regimes, and imprecise guidelines. Part of the challenges to public/private collaboration is the perceived legal and economic barriers to information sharing. After a cyber incident, firms may be reluctant to release information, as the admission would benefit their competitors. Firms and industry groups are wary of violating privacy or anti-trusts laws that may harm their brand with consumers. At the same time, public-private partnerships have been mostly onesided to date. The Department of Homeland Security s (DHS) NCCIC, responsible for such collaboration, has been primarily the recipient rather than the facilitator of information. A number of failed bills proposed by the

5 5 113 th Congress dealt with these obstacles to information sharing. The Cybersecurity Intelligence Sharing and Protection Act (CISPA) of 2014, the Cybersecurity Information Sharing Act (CISA), and the Cybersecurity Information Sharing Tax Credit Act aim to increase information sharing through legal protection and economic incentives. However, all three proposals failed due to continued concerns with privacy and debate over mandatory information sharing. Characteristics of Public Sector Reactive to media and current events Stove-piped ICT systems Cannot communicate well across agencies Level of expertise varies across agencies Heavily regulated information Characteristics of Private Sector Requires financial motivations to act Agile in developing and testing technology Structural advantage dealing with cyberattacks Level of expertise varies across sectors Heavily guarded information The lack of information sharing legislation has spurred the administration to act. In 2013, the administration signed Executive Order and Presidential Policy Directive 21 to address cybersecurity of critical infrastructure through voluntary public/private collaboration and the use of existing regulatory authorities. This month, the White House also announced another executive order that protects private companies from voluntary public disclosure. The administration will also establish the Cyber Threat Intelligence Integration Center (CTIIC) that will coordinate intelligence across various agencies and determine whether it can be shared with the private sector. However, these efforts have been met with some criticism. Google, Yahoo, and Facebook, which had received public backlash for provided the government with data, continue to boycott government sponsored security-sharing forums, believing liability protections are inadequate. At the same time, the CTIIC has come under fire for being redundant and that efforts should focus on improving the existing framework for reporting and sharing information. The private sector is likely to continue their efforts independent of federal government, such as Facebook s new Threat Exchange service. Whether the government is able to convince top tech firms (e.g. Apple, Cisco, FireEye, Google, Intel, Palo Alto Networks) to collaborate with the NCCIC and participate in new cybersecurity initiatives will be indicative of progress in addressing the liability and incentive problems associated with information sharing. At the same time, improvements in hardware security by Cisco, Intel, and Furthermore, cyber hygiene or simple practices that diminish risks of unauthorized access needs to proliferate in addition to advances in end point collection capabilities, improvements in database storage and retrieval, and advances in automated countermeasures. While these improvements are not panacea to cyber threats, they are low hanging fruits that can provide defense in depth against cyber attacks. However, although the White House is likely to remain at the forefront of new federal cyber initiatives, without a national cybersecurity strategy and complementary legislative actions, these initiatives will have limited impact and the nation will remain vulnerable to the evolving threat. Glossary of terms used CISA Cybersecurity Information Sharing Act CISPA Cybersecurity Information Sharing and Protection Act CTIIC Cyber Threat intelligence Integration Center DHS Department of Homeland Security DNI Director of National Intelligence FISMA Federal Information Security Management Act ICT Information and Communications Technology NCCIC National Cybersecurity and Communications Integration Center NIST National Institute of Standards and Technology

6 6 NEPTUNE ADVISORY Scott Ellison Kevin Jiang Patrick McCarthy, CFA David Schopler th Street SE Washington, DC scott@neptuneasc.com kevin@neptuneasc.com patrick@neptuneasc.com schop@neptuneasc.com This report is proprietary to Neptune Advisory and is intended for the exclusive use of the recipient and its employees and should not be copied or further distributed, circulated, disseminated, or discussed. Neptune Advisory does not provide advice, reports, or analyses regarding securities and this report should not be understood as performing any analysis or making any judgment or giving any opinion, judgment or other information pertaining to the nature, value, potential or suitability of any particular investment. This report is based upon information believed to be reliable at the time it was prepared. However, Neptune Advisory cannot guarantee the accuracy or correctness of any judgment, opinion or other information contained in this report. Neptune Advisory, its partners, employees or agents have no obligation to correct, update, or revise this report or advise or inform recipient should Neptune Advisory or any of its partners, employees or agents determine that any judgment, opinion, or other information contained in this report is inaccurate or incorrect or should Neptune Advisory or any of its partners, employees or agents change their view as to any judgment, opinion or other information expressed herein. Neptune Advisory, its partners, employees and agents shall have no liability to you or any third party claiming through you with respect to your use of this report or for any errors of transmission. Partners and employees of Neptune Advisory or their family members may own securities or other financial interest of, or have other relationships or financial ties to, of one or more of the issuers discussed herein.

7 7 BlackArch Partners Third Party Independent Research Disclaimer: This constitutes a research report prepared by an independent third party research provider. BlackArch has not reviewed the accuracy of this report. Any opinions expressed herein are statements of judgment on the date of the report and are subject to future change without notice. Neither this information nor any opinions expressed herein are a solicitation to purchase or sell any securities, and nothing contained in this report is or should be construed as investment advice. This information contains forward looking predictions that are subject to certain risks and uncertainties which could cause actual results to differ materially from those currently anticipated or projected. BlackArch provides this information to its clients in an effort to provide comprehensive information of a broad range of possible opportunities. Any questions regarding this report or its contents must be addressed to your BlackArch Representative.