Cyber Security Issues and Responses. Andrew Rogoyski Head of Cyber Security Services CGI UK


Andrew Rogoyski, Head of Cyber Security Services, CGI UK
andrew.rogoyski@cgi.com

CGI in cyber security: credentials and clients
- We have over 35 years of experience working with government and commercial clients as a trusted advisor
- We work with clients using state-of-the-art facilities, including a world-class innovation lab, and we are one of the only companies with three accredited security certification facilities: one in the US, one in the UK and one in Canada
- CGI is completing its 10th Security Operations Centre; our SOCs operate globally
- Our managed services support over 100 clients in 16 countries across all industries
- We defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure
- Business-focused approach to security

The changing shape of IT security issues

IA: the era of early connectedness (1984 to 2000)
1986: Lawrence Berkeley NL discovers attempt to copy US Government information on Arpanet
1988: First worm created at Cornell
1990: Arpanet becomes the Internet
1998: Google founded

Cyber: the era of mass interdependence (2000 to 2014)
2000: ILOVEYOU worm
2001: Budapest Convention on Cybercrime
2003: DHS creates National Cyber Security Division
2003: Slammer worm
2004: Facebook launched
2007: Cyber attack on Estonian Government
2007: iPhone 3 launched
2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
2009: The Aurora attacks hit Google and 33 companies
2010: US intelligence on Wikileaks
2010: Stuxnet
2010: US Cyber Command becomes operational
2010: iPad launched
2011: RSA and Lockheed attacked
2011: Sony PlayStation Network hacked, costing $170m
2012: Aramco loses 30,000 PCs to attack
2013: Edward Snowden reveals stolen NSA data
2013: South Korean media and banks attacked

Drivers for change:
1. Industrialised cyber espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the Internet
6. The rise of the devices
7. Privacy and data protection

What are the emerging trends and responses?
It's not all about technology.
- More: targeted attacks, social engineering, attacks against mobile, more sophistication
- More: government involvement, carrying the economic and security risk
- More: international government involvement and co-operation, with a focus on CNI
- More: regulation, legislation and obligatory reporting around privacy and breaches
- More: competition for scarce skills and know-how
- Change: to cloud, mobile and interconnectedness, including managed security services

The UK Cyber Security Strategy
HMG vision: "Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society."
Published in November 2011 with a £650m budget; 1 of 33 national cyber strategies.
Themes:
- Cyber crime
- Resilience to cyber attack
- Shape an open, stable and vibrant internet
- Build knowledge, skills and capabilities to underpin all the objectives

CISP and CERT-UK
The Cyber Security Information Sharing Partnership (CISP):
- Pilot in 2011/12
- Collaboration between industry and HMG
- Technical infrastructure for sharing technical and tactical cyber attack information
- Building trust relationships
- Establishing a fusion cell
CERT-UK:
- Launched in April 2014; subsumes CISP
- National cyber security incident management
- Support to Critical National Infrastructure companies to handle cyber security incidents
- Promotes cyber security situational awareness across industry, academia and the public sector
- Provides the single international point of contact for co-ordination and collaboration between national CERTs

Government guidance for cyber security: Sep 2012 and April 2014

Cyber education, skills and know-how initiatives
- Promote cyber security learning in schools
- Competitions to attract people into the profession
- Funding for graduate and postgraduate students in cyber studies
- Accredited 11 universities as Academic Centres of Excellence in Cyber Security Research
- Set up 3 new Research Institutes and funded 2 Centres for Doctoral Training in cyber
- Strengthened the cyber security profession through the introduction of CESG's Certified Professional Scheme
March 2014

Cyber in corporate finance
Threats: individuals, nation states, hacktivists, employees and contractors, organised crime and competitors
Targeting transactions:
- The very act of putting information together may trigger interest; it may also create an attractive target
- A complex mix of external advisors, short timescales and high stakes leads to vulnerabilities
Issues:
- How secure is each contributor and stakeholder in this transaction?
- Who needs to know?
- Can you monitor access to information?
- What is your strategy for breaches?
- Do you have a security partner?
March 2014

The National Cyber Security Programme

New priorities in the UK
- Additional £210m, plus one year
- Focus on Critical National Infrastructure (CNI)
The February 2014 summit with Government and regulators (ONR, BoE, FCA, PRA, Ofcom, Ofgem and Ofwat): "Strong cyber security in the firms and markets we oversee is fundamental to meeting regulatory objectives ... there is a need to work with international partners to understand our risk and increase the level of network and information security, including at the EU level."
- Work to embed cyber security in the firms and markets that they oversee
- Assess the state of cyber security across each sector
- Identify aggregated cyber security risks within and across sectors
- Working with industry, increase information flows on threats, vulnerabilities and mitigation strategies across each sector
- Support sectors to develop effective incident detection and management capabilities

Questions under consideration
- Regulation or guidance?
- Is UK Government advice to the energy sector sufficient? Should it broaden out (i.e. to extraction and (conventional) generation)?
- Should UK Government adopt US or European cyber frameworks/standards (e.g. the NIST framework) or develop UK versions?
- At what level should the standards be pitched? (Too low level and they don't engage or are seen as prescriptive; too high level and no action is taken.)
- Should UK focus on the detail that the US NIST frameworks are perceived to be missing?
- What impact could related regulation from Europe have? (e.g. the General Data Protection Regulation (GDPR) or the Network and Information Security Directive (NISD))

NIST Cyber Framework
The President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, on February 12, 2013, which established that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties".
NIST, Feb 2014

Summary
- The threat landscape is becoming more sophisticated, more targeted and more aggressive
- Security responses are becoming more complex, more technically challenging and more all-encompassing
- Government intervention (in various forms) is on the rise
- The skills and experience to run solutions are becoming highly sought after; it is difficult to create and maintain a critical mass of expertise
- There will be a convergence with managed security services and IT outsourcing

Questions/discussion
- What are your views on Government intervention to improve the security of the UK's critical infrastructure? What is the most effective way to intervene?
- Are UK frameworks better than international versions?
- Are overseas interventions influencing your UK businesses?
- What would help you make the investments: regulation, awareness or a business case?
- What are you prepared to share, in terms of cyber attack experiences and information?
- Do you have the skills to meet these requirements, or will you look for a trusted partner?
- Do you know the questions to ask of your own organisation, and do you have confidence in the replies you receive?