Protecting Critical Information Infrastructure in times of increasing cyber conflict

Transcription

1 Protecting Critical Information Infrastructure in times of increasing cyber conflict Jan Neutze Director of Cybersecurity Policy (Europe/Middle East/Africa) Microsoft

2 Critical Infrastructures are under (cyber) attack

3 18% of the data that was exfiltrated through cyber attacks in Europe in 2016 related to companies industrial control systems. In 2016, hackers most often targeted financial, manufacturing, telecom industries and governments. At global level, across industries, healthcare accounted for 27% of data breaches in 2016, followed by Government (14%). In addition politically-motivated hacking is on the rise. This is particularly concerning in view of elections in France (May) and Germany (Autumn). Terrorist are also now invading this space. On 13 February, the UN Security Council called on Member States to address the danger of terrorist attacks against critical infrastructure.

4 243 Average days attackers are present on a victim network before detection Security Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth is a CEO $ 3.5M Average cost of a data breach to a company 15 % increase YoY level issue Job security Customer loyalty Implications Brand reputation Intellectual property Civil liability

5 Emerging policy frameworks for critical infrastructure protection

6

7 Cybersecurity: a Priority for EU Member States Tech-policy becomes central element of EU policymaking Targeted cyberattacks increasing Dependence on IT systems increasing Cybersecurity = Industrial Policy in Europe? Communication on Building a European Cybersecurity Industry Privacy Shield Czech Cybersecurity Law German IT-Security Law Latvian Cybersecurity Law eidas Regulation E-Privacy Regulation Dutch Hacking Back Law EU Cybersecurity Strategy 2.0 Polish Cybersecurity Law NIS Directive Lithuanian Cybersecurity Law Danish Cybersecurity Law Austrian Cybersecurity Law General Data Protection Regulation Estonian Cybersecurity Law ANSSI Cloud Security Strategy

8 Objectives REGULATORY OVERSIGHT Establish Member State cyber capabilities (CERTs & National Strategies) Create coordination mechanisms to share policy and technical information DOCUMENTED SECURITY POLICY INCIDENT REPORTING Increase security baselines for critical infrastructures & digital service providers Increase visibility into significant incidents AUDITS BASELINE SECURITY

9 EU NIS Directive Industry's Perspective Different Approaches for CIP vs. Digital Services Building National Capabilities (CERT, Strategy, etc) Harmonization across EU challenging Incident-Reporting vs. Information-Sharing

10 A US Executive Order on Improving Critical Infrastructure Cybersecurity (EO), adopted in February 2013, called on the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework providing a baseline of standards and best practices for critical infrastructure organizations to manage cyber risks. The NIST Framework was developed by the NIST in close collaboration with the private sector and academia. It was codified by the Cybersecurity Enhancement Act of The Framework is referenced in several documents recently published by the European Network and Information Security Agency (ENISA) in the context of the transposition of the NIS Directive.

11 What is the NIST Cybersecurity Framework? NIST CSF emerging as a global best practice in managing cyber risk. The CSF provides a common taxonomy and mechanism for organizations to: 1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk. five continuous and concurrent functions Framework Core consists of : IDENTIFY -> PROTECT -> DETECT -> RESPOND -> RECOVER These Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. They are composed of 22 categories and 97 sub-categories.

12 Objectives Promote alignment of governments cybersecurity legislation, guidelines and standards Foster cooperation between public and private sectors and across boundaries, within and between organisations Ensure that cybersecurity management is risk-based Help organisation to focus on desired security objectives Maintain room for continued security innovations How? Build on best practices established by the NIST Framework Engage with relevant stakeholders through consultations or open workshops Use an iterative process to ensure that requirements/guidelines are developed and refined with constant feedback Establish common language and reference points to be used by security practitioners

13 Beyond regulation: the need for global cybersecurity norms

14 Major (alleged) nation-state cyberattacks since 2007 DDOS AGAINST ESTONIA OPERATION AURORA CAST LEAD AND PILLAR OF DEFENSE (ISRAEL/PALESTINE) STUXNET JASMINE REVOLUTION SAUDI ARAMCO AND RASGAS NORTH KOREA SOUTH KOREA OPM US PRESIDENTIAL ELECTIONS USA - ISIS NORWAY RUSSO- GEORGIAN WAR GHOSTNET INDIA PAKISTAN CYBER CONFLICT SONY YAHOO! HEARTBLEED SECURITY BUG SONY NORTH KOREA JAPAN PENSION SERVICE SWIFT MONTENEGRO CZECH MFA UKRAINE RUSSIAN BANKS POWER GRID

15 PRESERVING THE UTILITY OF A GLOBAL CONNECTED SOCIETY DEFINING ACCEPTABLE AND UNACCEPTABLE STATE BEHAVIORS OFFENSIVE AND DEFENSIVE CYBERSECURITY NORMS PROMOTE TRANSPARENCY, COOPERATION AND STABILITY IN CYBERSPACE REDUCING RISKS LIMITING POTENTIAL CONFLICT IN CYBERSPACE FOSTERING GREATER PREDICTABILITY Voluntary, non-binding norms, rules or principles of responsible behavior of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment. UN Group of Governmental Experts (UNGGE), July 2015

16 Multilateral fora for intergovernmental dialogue Group of Twenty (G20) North Atlantic Treaty Organization (NATO) Organization for Security and Cooperation in Europe (OSCE) Shanghai Cooperation Organization (SCO) United Nations (UN) Multi-stakeholder fora East West Institute (EWI) London Process Munich Security Conference (MSC) World Economic Forum (WEF) Global Commission for Stability of Cyberspace

17 Microsoft s vision: DIGITAL GENEVA CONVENTION TECH ACCORD ATTRIBUTION COUNCIL GOVERNMENTS INDUSTRY PUBLIC-PRIVATE PARTNERSHIP

18 @JanNeutze

19 Nation-states Global ICT industry Maintain trust No targeting of tech companies, private sector or critical infrastructure No assistance in offensive actions Support response efforts Assist private sector to detect, contain, respond to and recover from events Collaborative remediation after attacks Coordinated approach to vulnerability handling Report vulnerabilities to vendors rather than to stockpile, sell or exploit them Coordinated disclosure practices for vulnerabilities Mitigate the impact of nation-state attacks Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise and not reusable Collaborative and proactive defense Stop proliferation of vulnerabilities Commit to non-proliferation activities to cyber weapons Support for intergovernmental defensive efforts Prevent mass events Limit offensive operation to avoid a mass event No corresponding norm for the global ICT industry. Patch customers globally No corresponding norm for nation-states. Software patches available to all