Cyber Security Issues and Responses
Andrew Rogoyski
Head of Cyber Security Services, CGI UK
andrew.rogoyski@cgi.com
CGI in cyber security

Credentials
- We have over 35 years of experience working with government and commercial clients as a trusted advisor.
- We work with clients using state-of-the-art facilities, including a world-class innovation lab, and we are one of the only companies with three accredited security certification facilities: one in the US, one in the UK and one in Canada.
- CGI is completing its 10th Security Operations Centre; these centres operate globally.

Clients
- Our managed services support over 100 clients in 16 countries across all industries.
- We defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure.

Business-focused approach to security
The changing shape of IT security issues

Two eras (timeline from 1984 to 2014):
- IA: the era of early connectedness (from 1984)
- Cyber: the era of mass interdependence (from 2000)

Timeline:
- 1986: Lawrence Berkeley NL discovers an attempt to copy US Government information on Arpanet
- 1988: First worm created at Cornell
- 1990: Arpanet becomes the Internet
- 1998: Google founded
- 2000: ILOVEYOU worm
- 2001: Budapest Convention on Cybercrime
- 2003: DHS creates National Cyber Security Division
- 2003: Slammer worm
- 2004: Facebook launched
- 2007: Cyber attack on Estonian Government
- 2007: iPhone 3 launched
- 2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
- 2009: The Aurora attacks hit Google and 33 companies
- 2010: US Intelligence on Wikileaks
- 2010: Stuxnet
- 2010: US Cyber Command becomes operational
- 2010: iPad launched
- 2011: RSA and Lockheed attacked
- 2011: Sony PlayStation Network hacked, costing $170m
- 2012: Aramco loses 30,000 PCs to attack
- 2013: Edward Snowden reveals stolen NSA data
- 2013: South Korean media and banks attacked

Drivers for change:
1. Industrialised cyber espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the Internet
6. The rise of the devices
7. Privacy and data protection
What are the emerging trends and responses?

It's not all about technology.
- More: targeted attacks, social engineering, attacks against mobile, more sophistication
- More: government involvement, carrying the economic and security risk
- More: international government involvement and co-operation, with focus on CNI
- More: regulation, legislation, obligatory reporting around privacy and breaches
- More: competition for scarce skills and know-how
- Change: to cloud, mobile, interconnectedness, including managed security services
The UK Cyber Security Strategy

HMG Vision: "Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society."

Published in November 2011 with a £650m budget; 1 of 33 national cyber strategies.

Themes
- Cyber crime
- Resilience to cyber attack
- Shape an open, stable and vibrant internet
- Build knowledge, skills and capabilities to underpin all the objectives
CISP and CERT

The Cyber Security Information Sharing Partnership (CISP)
- Pilot in 2011/12
- Collaboration between industry and HMG
- Technical infrastructure for sharing technical and tactical cyber attack information
- Building trust relationships
- Establish a fusion cell

CERT-UK
- Launched in April 2014; subsumes CISP
- National cyber security incident management
- Support to Critical National Infrastructure companies to handle cyber security incidents
- Promotes cyber security situational awareness across industry, academia and the public sector
- Provides the single international point of contact for co-ordination and collaboration between national CERTs
Government Guidance for Cyber Security (guidance documents shown: Sep 2012 and April 2014)
Cyber Education, Skills and Know-How

Initiatives
- Promote cyber security learning in schools
- Competitions to attract people into the profession
- Funding for graduate and postgraduate students in cyber studies
- Accredited 11 universities as Academic Centres of Excellence in Cyber Security Research
- Set up 3 new Research Institutes and funded 2 Centres for Doctoral Training in cyber
- Strengthened the cyber security profession through the introduction of CESG's Certified Professional Scheme

March 2014
Cyber in Corporate Finance

Threats
- Individuals, nation states, hacktivists, employees and contractors, organised crime and competitors

Targeting transactions
- The very act of putting information together may trigger interest; it may also create an attractive target
- A complex mix of external advisors, short timescales and high stakes leads to vulnerabilities

Issues
- How secure is each contributor and stakeholder in this transaction?
- Who needs to know?
- Can you monitor access to information?
- What is your strategy for breaches?
- Do you have a security partner?

March 2014
The National Cyber Security Programme
New Priorities in the UK

Additional £210m, plus one year. Focus on Critical National Infrastructure (CNI).

The February 2014 Summit with Government and regulators (ONR, BoE, FCA, PRA, Ofcom, Ofgem and Ofwat): "Strong cyber security in the firms and markets we oversee is fundamental to meeting regulatory objectives ... there is a need to work with international partners to understand our risk and increase the level of network and information security, including at the EU level."

- Work to embed cyber security in the firms and markets that they oversee;
- Assess the state of cyber security across each sector;
- Identify aggregated cyber security risks within and across sectors;
- Working with industry, increase information flows on threat, vulnerabilities and mitigation strategies across each sector;
- Support sectors to develop effective incident detection and management capabilities.
Questions under consideration

- Regulation or guidance?
- Is UK Government advice to the energy sector sufficient? Should it broaden out (i.e. to extraction and (conventional) generation)?
- Should UK Government adopt US or European cyber frameworks/standards or develop UK versions? (e.g. the NIST framework)
- At what level should the standards be pitched? (Too low level and they don't engage or are seen as prescriptive; too high level and no action is taken.)
- Should the UK focus on the detail that the US NIST frameworks are perceived to be missing?
- What impact could related regulation from Europe have? (e.g. the General Data Protection Regulation (GDPR) or the Network and Information Security Directive (NISD))
NIST Cyber Framework

The President issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", on February 12, 2013, which established that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties".

NIST, Feb 2014
Summary

- The threat landscape is becoming more sophisticated, more targeted and more aggressive
- Security responses are becoming more complex, more technically challenging and more all-encompassing
- Government intervention (in various forms) is on the rise
- The skills and experience to run solutions are becoming highly sought after; it is difficult to create and maintain a critical mass of expertise
- There will be a convergence of managed security services and IT outsourcing
Questions/Discussion

- What are your views on Government intervention to improve the security of the UK's critical infrastructure? What is the most effective way to intervene?
- Are UK frameworks better than international versions?
- Are overseas interventions influencing your UK businesses?
- What would help you make the investments: regulation, awareness or business case?
- What are you prepared to share, in terms of cyber attack experiences and information?
- Do you have the skills to meet these requirements, or will you look for a trusted partner?
- Do you know the questions to ask of your own organisation, and do you have confidence in the replies you receive?