Cyber Security and the Vulnerability of Networks: Why we Need to Rethink our Cyber Defenses Now

Similar documents
79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

The NIST Cybersecurity Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

GOVERNMENT IT: FOCUSING ON 5 TECHNOLOGY PRIORITIES

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Section One of the Order: The Cybersecurity of Federal Networks.

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Cybersecurity for the Electric Grid

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

DFARS Cyber Rule Considerations For Contractors In 2018

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Akin Gump Client Update Alert

SAC PA Security Frameworks - FISMA and NIST

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

NIST RISK ASSESSMENT TEMPLATE

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Mapping to the National Broadband Plan

Cybersecurity & Privacy Enhancements

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cybersecurity and Data Privacy

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Federal Mobility: A Year in Review

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Internet Governance in April April 2016

Annual Report for the Utility Savings Initiative

Laws and Regulations & Data Governance

Written Statement of. Timothy J. Scott Chief Security Officer The Dow Chemical Company

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Smart Grid Update. Christopher J. Eisenbrey. Director, Business Information Edison Electric Institute (EEI)

GAO CYBERSPACE POLICY. Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed

NIST Smart Grid Activities

IT Modernization In Brief

Financial Adviser Standards and Ethics Authority Ltd

Inapplicability to Non-Federal Sales and Use

GLOBAL INDICATORS OF REGULATORY GOVERNANCE. Scoring Methodology

Mastering Data Privacy, Social Media, & Cyber Law

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

The Center of Innovation: Creating an Innovation

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

DFARS Defense Industrial Base Compliance Information

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 18 May 2018

Cybersecurity: Federalism as Defense-in-Depth

DHS Cybersecurity: Services for State and Local Officials. February 2017

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

The value of visibility. Cybersecurity risk management examination

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

National CIRT - Montenegro. Ministry for Information Society and Telecommunications

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Procuring New Infrastructure for Canada s Municipalities

INFORMATION ASSURANCE DIRECTORATE

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

Hitachi Announces the Conclusion of Absorption-Type Company Split Agreement Relating to Reorganization of the Healthcare Business

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Framework for Improving Critical Infrastructure Cybersecurity

WHAT SECTION 215A OF THE FEDERAL POWER ACT MEANS FOR ELECTRIC UTILITIES. Stephen M. Spina J. Daniel Skees Arjun P. Ramadevanahalli December 17, 2015

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

HIPAA Compliance is not a Cybersecurity Strategy

National Policy and Guiding Principles

Presidential Documents

NCSF Foundation Certification

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Deception: Deceiving the Attackers Step by Step

PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM

Verizon closes 2017 with strong wireless customer growth and retention, well-positioned in new markets

Why is the CUI Program necessary?

IT-CNP, Inc. Capability Statement

Energy Assurance Energy Assurance and Interdependency Workshop Fairmont Hotel, Washington D.C. December 2 3, 2013

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

CONE 2019 Project Proposal on Cybersecurity

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

The Impact of US Cybersecurity Policies on Submarine Cable Systems

The trouble with referees is that they know the rules, but they do not know the game.

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Sage Data Security Services Directory

Promoting Global Cybersecurity

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

ASSEMBLY, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED FEBRUARY 4, 2016

136 FERC 61,039 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. [Docket No. RM ] Smart Grid Interoperability Standards

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cyber Risks, Coverage, and the Board of Directors.

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

INVL TECHNOLOGY results for 12 months of March 2018

Transcription:

F E A T U R E A R T I C L E : Cyber Security and the Vulnerability of Networks: Why we Need to Rethink our Cyber Defenses Now " " # $ & &'(# Gesmer Updegrove LLP, 40 Broad Street, Boston, MA 02109 www.gesmer.com

" #$ & #$ ' (' ( +, ' + &,- #-./.$ 0 1 ' ( # $ 2 The increasing popularity of the cloud computing IT hosting model will result in more and more data and software being hosted in fewer and fewer locations & &

-/ -./2 -.// 3-.. + 4 5 6 + 7 " 4 7 8+ 7 ' ( ' ( + " 8 '( 0-.-. 9 :7 7 +, 3

8 '( ; 6 '( : ' ( -./- < 7 0, &= 7 >?@ < A@ " AB//B./ 7 6 C < : 7 & : 7 /?.. = 1 4

9 D = ' ( 0 # $ # E $ :, : C 1 F# $ < +<FC 4 < #$ < D + # $ ; D + /- #$ ' ( + " " 9 G 5

G G & ' ( & < = 0 H 7 I 0 # $ 1 ; # $ 7 " " 6

0 9 # < <$ ; ' ( + E+# +$H 11/. E+ 3>? 1 7

#$ 7 5 " 0 9 < # $ 0 H "5 : C : /A-..J88 " 8

//,H +H -.// / 8 1//8 " ' ( 8< 7 D = # $ 1 D 8 D 9 G K-C 'L( G G G D, # $ ; HH 1 1 Van Camp, Jeffrey, E-Reader Sales to Jump 68 Percent in 2011, Says Gartner, DigitalTrends.com (December 9, 2011, at: http://www.digitaltrends.com/mobile/e-reader-sales-to-jump-68-percent-in-2011- says-gartner/ All Web pages cited in this article were last accessed on May 22, 2011. 9

H, +" :#,+:7$,,+:7 ' ( " HH 1 # $ 0 0 ; # $ ' ( 1" 6 " " 4 '5:, M(# :::8& 1 5 $ 5:,M E 1 ' ( 10

- '( 4 < 1 & 9 " 3---? -./? 2 48 &4 >-.//&EC4 ' 4( 9 4 4 & 1 0 3-. -?@4< ' ( N 2 A wide variety of business models, not all of which involve remote hosting, have collectively been referred to as cloud services, or cloud computing. As used in this article, cloud services applies only to those services that involve the remote hosting of a customer s data and/or software. For an overview of the range of services that the broad definition has been applied to, see Badger, Lee et al., Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Technology [draft], NIST Special Publication 800-146 (May 2011, at: http://csrc.nist.gov/publications/drafts/800-146/draft-nist-sp800-146.pdf The NIST draft offers the following definition: ' 3 Cloud Computing: a Global Market Report, Global Industry Analysts, Inc. (April 2010, summarized at: http://cloudcomputing-vision.com/1000/report-suggests-cloud-computing-services-market-reach-us2225- billion-2015/ 4 Federal Cloud Computing Strategy, pp. 1-2, at: http://www.cio.gov/documents/federal-cloud-computing- Strategy.pdf Security issues are addressed at pp. 26 28, and relevant government security resource documents are listed on pp. 37 38. 11

#17$ 4 < 4 /AAJ 01 N2-/- & C >..4 -./?? 0 H,+:7 4 '( "# & -/-.// <., 5 US CIO Unveils Government Shift to Cloud Computing, Cybersecurity News (February 14, 2011, at: http://cybersecuritynews.org/2011/02/14/us-cio-unveils-government-shift-to-cloud-computing/ 12

" 7 + 1 6 H 6 #$ " 6 1 N. 2. H J. >. ' (-? H -? O 6 In The Dark: Crucial Industries Confront Cyber Attacks, McAfee and the Centre for Strategic and International Studies (2011, at: http://www.mcafee.com/us/resources/reports/rp-critical-infrastructureprotection.pdf 13

" 8 & 8 #7;,$ < 9 $ 9& 9 AB// " 4?.. # $ 5: 14

1 0 +", 0 8 C # $ 7 '( 4 : 8 E >/.:+ ' ( 9 G G '( & 4 5 5 #$ #&$ 1 & J ' ( & 8 > 9 7 For an overview of existing cyber security standards, see: Updegrove, Andrew, Security Standards and the Internet: Keeping the Cyberbarbarians from the Gate, Standards Today, Vol. VIII, No. 4 (June July, 2009, at: http://www.consortiuminfo.org/bulletins/jun09.php#feature For an ongoing news feed regarding cloud computing standards, bookmark: http://www.consortiuminfo.org/news/archive.php?page=1&category=2&subcat=cloud20computing 8 For an overview of the SmartGrid effort, see Standards and the Smart Grid: the U.S. Experience, and the other articles to be found in the April May 2009 issue (Vol. VIII No. 3 of Standards Today, at: http://www.consortiuminfo.org/bulletins/apr09.php 15

9 4 # $ # $, A & # $ # $ 7 $ '&(& ( 9 It should be noted that some believe that no degree of security effort can make the Internet as we know it sufficiently secure, due to its inherent design. If they are right, then the better course, however expensive, would be to replace it. See, for example, Markoff, John, Do We Need a New Internet? The New York Times (February 14, 2009, at: http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html 16

8 5 #5$ 4, + # $ + /. 0 8 5 /A2. 8, ' ( 5 4 D " ' & # $ # $ # $ 7 7 10 The Council s Web site is here: https://www.pcisecuritystandards.org/ Links to its many standards and guidance documents can be found here: https://www.pcisecuritystandards.org/security_standards/documents.php 17

+ 5 5 8 ( # $ 0 1 4 $ : +( : # $ 18

8 0, + (0 4 '+ ;( ';( + ; + ; + ;, B 0 B 4 7 5 19

# $9 =/9 0 G G G =-9 ; G =29 + 54 Application Examples of CyberSecure Data and Internet Sustainability Framework Category Level 1 Examples Finance Trading platforms, Interactions with the Federal Reserve and Banks Airlines Operating systems and applications software; maintenance records Government Social Security and IRS records; Key Agency and military systems and data Large Shareholder records, Businesses Operating and (> $1 Billion applications software; certain industry-specific data Level 2 Examples Compliance and customer asset data Flight plans, customer account data Other public records, compliance data, statistical data Tax records, compliance data Level 3 Examples Marketing, billing, compliance Personnel records Personnel records Contracts, service agreements Mid-size Businesses ($100 MM - $1 Billion SMEs (> $100 MM Shareholder records; certain industry-specific data n/a Tax records, compliance data Tax records, compliance data Contracts, Service agreements Contracts, Service agreements '&(& 5 5 4 8 20

=8 8 7& +& ; 4 8 + = 87;, 54 7;, #$ 7;, 54 # $ 5 4 : 4 8 -& +( 5?. : & &1/--.//+ 1"=;,, &#,&$ NJ 1 ' ( P +P 9 21

:< 1 ; & //,4 #'4($ /- ;-..- /2 '5 ; -.//( #' ($ ; & & /N 0 ' ( & ' (9 Q #$G 11 Fact Sheet: Cybersecurity Legislative Proposal, The White House, Office of the Press Secretary (May 12, 2011, at: http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal 12 Available at: http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cybersecurity-regulatory- Framework-for-Covered-Critical-Infrastructure-Act.pdf 13 Homeland Security Act of 202 (6 U.S.C,. 121 35 seq. The proposed amendments, which would add new Sections 241-249 to Title II of the Act, may be accessed at: ttp://www.whitehouse.gov/sites/default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf 14 The Fact Sheet referred to above includes this explanatory note: Data Centers. The Federal Government has embraced cloud computing, where computer services and applications are run remotely over the Internet. Cloud computing can reduce costs, increase security, and help the government take advantage of the latest private-sector innovations. This new industry should not be crippled by protectionist measures, so the proposal prevents states from requiring companies to build their data centers in that state, except where expressly authorized by federal law. 22

#0$ G #$ ' (9 RS R S ' (9 T 9 G G /? #-N2$ 5 ;#5;$9 T H P ( G G 15 If enacted, the definitions would appear as subsections (5, (7 and (17, respectively, of Subtitle E, Section 242, Title II. 23

-N2#$ G G H' G( 4'( # 5 $ G ' G( ' G( G ' (9 5: G B 5; -NN 5; ' T ( " -N>#$-N?-NO 5;-NJ -N> '+ = G&G + 1( ' ( 4 5; + -9 24

#/$ GT #2$ G #N$ G #?$ ;-..-#O/-/$GT & 2 A 4 5; ' ( " 4 : ' (' ( 24 ' ( 9 T 9 #/$ G #-$ G #2$ G #N$ & ' "? J.-( 25

N5; #7;,$8 54 9 T /O 5 4 5; " 5:' ( 4 '4 P 4 9 5 4 G :G :5 4 8 + 4 " # + $? 4 5; < 16 That the private sector would be asked to play the lead in cyber security standards development is a matter not just of recent convention, but also of law, dictated by the passage of the National Technology Transfer and Advancement Act of 1995 (15 U.S.C Section 3701, which formalized the U.S. bottom up process of standards development. For an overview of the interaction of the public and private sectors in standards development, see: Updegrove, Andrew, A Work in Process: Government Support for Standard Setting in the United States: 1980 2004, Standards Today, Vol. IV No. 1 (January 2005, at: http://www.consortiuminfo.org/bulletins/jan05.php#feature 26

# >$ ' ( 9 #/$T G G #-$ # $> 9 4 4 9 4, /2.-N/ 4, " 54 G G G A4, AB// 8 & 27

H H AB// 75# $ 8 & " + 9 + " & 5; & ; & : 54 : 4 G G 0& 28

0 -.// 9BBB B- DU/ 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback