Critical Information Infrastructure Protection Law


Critical Information Infrastructure Protection Law
CCD COE Training, 8 September 2009, Tallinn, Estonia
Maeve Dion
Center for Infrastructure Protection, George Mason University School of Law
Arlington, Virginia, U.S.A.

CIIP Law
  Definitions & Lexicon (CIIP as part of CIP)
  Sample* Areas of Law
  Policy Considerations for CIIP

Defining CI (2007 Survey): Netherlands, France, New Zealand, Germany
  "[A] sector was deemed critical if its breakdown or serious disruption could lead to damage on a national scale."
  "All infrastructures that are vital to the maintenance of primary social and economic processes are considered critical sectors."
  "... infrastructure necessary to provide critical services. Critical services are those whose interruption would have a serious adverse effect on New Zealand as a whole or on a large proportion of the population, and which would require immediate reinstatement."
  "Critical infrastructures (CI) are organisations and facilities of major importance to the community whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order or other dramatic consequences."

Defining CIP (2007 Survey): Australia, Canada, U.K.
  Australia: "... those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia's ability to conduct national defence and ensure national security."
  Canada: "... those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada."
  U.K.: "... those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: cause large scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; be of immediate concern to the national government."

Defining CIP (2007 Survey): Belgium, Finland
  Belgium: "... identifies three types of critical infrastructure:
    vital points, i.e. facilities that require protection because of their socio-economic importance, e.g. nuclear plants, bridges, ports, etc.;
    sensitive points, i.e. facilities that require protection because of their importance for the national or allied defence potential;
    critical points, i.e. persons, public authorities, communities, buildings, facilities, places and goods which face a real or potential threat of political or criminal nature."
  Finland: Critical Infrastructure to Be Secured:
    Technological infrastructure of society
    Transportation, logistics and distribution systems
    Food supply
    Energy supply
    Social and health care arrangements
    Industry and systems related to national defence


Sample* Areas of Law
  Security Regulations by Industry / Sector
  Information Sharing (Open Government, Privacy)
  Antitrust / Competition
  Criminal Law
  Tort Law
  Private Ordering (Contracts)
  National Security & Defense Law
  International Agreements / Law

Security Regulations by Industry
  Industry / Sector Specific
  Limited?
  Interconnections?
  Operations vs. safety vs. security
  Comprehensive?
  Culture / Policy
  Accountability

Information Sharing
  Required vs. Voluntary
  Public vs. Private
  Vulnerabilities AND Threats
  Third Party Access to Information
  Proprietary Info / Market Strength
  Increased Regulation
  Private lawsuits
  Privacy / Open Government Laws
  Within / Between Governments

Antitrust / Competition Law
  Private Sector Collaboration & Cooperation
  Information Sharing
  Relationship with Regulators
  Structures for Exemptions / Approvals
  Timely? Costly?

Criminal Law
  Wrongful Activity:
    Alteration / Deletion of Content
    Degradation / Damage to System
    Unauthorized Access
    Traditional Crimes (theft, insider trading, etc.)
  Intent (act vs. consequential harm)
  Damage Requirements
  Aggregation
  Timing
  Corporate Accountability
  Investigation & Enforcement (international)

Tort Law
  ISPs = Publisher or Distributor
  Slander / Defamation (waiver / immunity)
  Contributory Infringement (copyright)
  Negligence vs. Negligent Enablement
  E.g., Breach Notifications (legislative)
  Consequential Harm
  Evolution of Foreseeable (reasonableness)
  Likelihood of Bad Activity
  Likelihood of Harm (> intervening criminal act)
  Least Cost Avoider
  Contractual Relationship (definition of legal duty)

Private Ordering (Contracts)
  Private Re-distribution of Risk
  Waivers / Immunities (e.g., software)
  User's Negligence Trumps (e.g., U.K. banking)
  Risk Assessment based on Knowledge
  Unequal Knowledge of Risks?
  Private Risk = Based on Business Practice
  Risk to Business Profitability
  Risk of Damage to Assets
  Risks when Government = Customer
  Awareness of Threat Levels
  Costs for Mitigation of Risks (e.g., Estonia vs. U.S.)

National Security & Defense
  Balance of Government Interests
  Security / Defense
  Intelligence
  Law Enforcement
  Emergency Powers
  Resource Allocation
  Control of Systems
  Prioritization of Restoration
  War Powers
  Use of the Military to Support Civil Authorities
  State Secrets
  Foreign Ownership (access & control)

International Agreements / Law
  Humanitarian Law
  NATO
  Mutual Cooperation Agreements (law enforcement)


Policy Considerations for CIIP: Protecting CII
  Access & Availability
    Identification, authentication, access controls, and auditing.
    Intrusion detection, firewalls, antivirus software.
    Network resilience, redundancy.
    Data storage, integrity, encryption.
  Human Factors
    Training / certification for technological capabilities.
    Organizational security programs, training, and oversight.
    End user education.
  Organizational Responsiveness
    To law enforcement and intelligence: technical requirements, information demands, etc.
    To regulators: informational auditing, security plans, licensing requirements, etc.
  Proactive Abilities
    Awareness and monitoring of interdependencies.
    Threat identification and prediction.

Policy Considerations for CIIP: Threats
Threats to CII, and threats via CII (disruption & weaponization)
  WHO?
    Natural disaster.
    Insider.
    Associate (contractor / vendor).
    External (competitor / enemy).
  HOW?
    Human error (development or operations).
    Failure of awareness (human error at policy & management level).
    Deliberate act.
    Accident.
  WHY?
    To hurt the infrastructure operator.
    To hurt an entity reliant upon the infrastructure.
    Theft / Extortion.
    To hurt an economy.

Policy Considerations for CIIP: CIIP Needs
  Credible monitoring of activity in the Internet and the network backbone.
  Early warning system.
  Incident tracking.
  Response protocols to escalation of incidents.
  Clearly defined frameworks for response and reconstitution.
  Trusted processes that enable intelligence transfer between public and private sectors.
  Alignment of physical CIP and cyber CIP.
  Establishment of common definitions, taxonomy, and standards.
  Dedication to the next generation (education & training).
  Decisive leadership & vision.

CIIP Law
  Definitions & Lexicon (CIIP as part of CIP)
  Sample* Areas of Law
  Policy Considerations for CIIP
QUESTIONS?