Cybersecurity Policy Roadmap - NY
Transcript of Cybersecurity Policy Roadmap - NY
Cybersecurity Policy Roadmap
16th Annual New York State Cyber Security Conference
June 5, 2013
Presented by: Robert Mayer
USTelecom, Vice-President Industry &
State Affairs
Chairman, Communications Sector Coordinating Council (CSCC)
Cybersecurity Committee
Content
2
The 2010 Cyber Policy Review
Public-Private Partnership Framework, Venues and Accomplishments
2013 Cybersecurity Executive Order
2013 Presidential Policy Directive 21
Key Congressional Initiatives
Discussion/Q&A
National Institute of Standards and Technology (NIST) Role in Cyber Framework
Cybersecurity Policy Ecosystem
Official Ecosystem Perspective
SOURCE: WHITE HOUSE WEBSITE
3
Illustrative Cyber Landscape
CONGRESS
INTERNATIONAL
PARTNERSHIPS
MS_ISAC
US CERT
IT-SCC
CSCC FS-ISAC
ESF-#2 IT-ISAC
NCCIC
DOJ
NIST
FBI
DOD
LAW ENFORCEMENT DHS
NSA
Treasury
NCC
DOC
EOP
NTIA STANDARDS
ORGS
Cyber UCG NCIRP
DOS
WCIT2012 NATO
DHS-CS&C
IS-IRC
NTOC
NOCs
USSS
InfraGard
CERTs
CNCI
Int’l. Cyber Strategy COMMS-ISAC DC3
DIB
DNI
CSRIC
ATIS
IBG
DHS-IP
JTF-GNO NITRD
OSTP
NCIJTF
GOP-CTF
House-CSTF
WG7:BOTNETs
CISPA
SOPA
WG2A:CyberBPs
NERC ITU
IEEE
THE WHITE HOUSE
ICS-CERT
INTELLIGENCE
24+ GOVERNMENT AGENCIES
DEFENSE
PRIVATE SECTOR
The landscape evolves in response to the growing threat environment and associated political, economic, and social interests
4
2010 Cyber Policy Review
5
“Public-private partnerships have fostered information sharing and served as a foundation for U.S. critical infrastructure protection and cybersecurity policy for over a decade. During that time, the Federal government and the private sector have engaged in a number of forums on cybersecurity and information and communications infrastructure issues.”
The White House Cyberspace Policy Review March, 2010
Public-Private Partnership Entities
6
The Public-Private Partnership Operates on Multiple Levels
STRATEGY
PLANNING
OPERATIONS InfraGuard Led by FBI
Public/Private Partnership
16 Sector Coordinating Councils Critical Infrastructure Partnership Advisory Council (CIPAC) (PCIS)
USCERT US Computer Emergency
Readiness Team
Cyber Unified Coordination Group (UCG)
National Cyber Incident Response Plan
National Cybersecurity Framework National Institute of Standards and
Technology (NIST)
Cyberspace Policy Review White House 60-Day Cyber Policy Review
National Infrastructure Protection Plan
Executive Order Rewrite (NIPP)
NCICC National Cybersecurity and Communications Integrations
Center
Cyberspace Policy Review
National Strategy for Trusted Identities in
Cyberspace (NSTIC)
7
The Industry Contributes Substantial Resources in Support of the Public-Private Partnership
The Comprehensive National Cyber Security
Initiative Project 12
The National Cyber Incident Response Plan
The 2012 National Sector Risk Assessment
The White House Department of Homeland Security
The Industry Botnet Group
The Supply Chain Task Force
The Blueprint for a Secure Cyber Future
National Cybersecurity Integration Command
Center (NCICC)
2012 National Level Exercise (NLE)
National Coordinating Center (Comms –ISAC)
National Cybersecurity Awareness Month
Cyber Storm Exercises
National Response Framework (NRF)
National Infrastructure Protection Plan (NIPP)
The Sector-Specific Plan/ Sector Annual Report
Recent Partnership Examples
Support of the Public-Private Partnership (Con’t)
The Joint Coordinating
Center Pilot
Department of Homeland Security (Continued)
The DIB Pilot
The National Security Telecommunications Advisory Committee
(NSTAC)
The Cross-Sector Cyber Security Working Group
(CSCWG)
The National Security Information Exchange
The Telecom Energy Alliance
8
Recent Partnership Examples
Department of Commerce
The Internet Task Force
National Cyber Security Center for Excellence
The National Vulnerability Database
Smart Grid Cyber Security Working Group
Cyber Security Innovations and the Internet Economy
Support of the Public-Private Partnership (Con’t)
The Industry Botnet Group Information Security and Privacy Advisory Board
InfraGuard
Department of Justice
Internet Crime Complaint Center (IC3)
Business Alliance Initiative
Domestic Security Alliance Council
Computer and Telecommunications
Coordinator (CTC) Program
9
Recent Partnership Examples
10
Communications Security, Reliability, and
Interoperability Council I
Federal Communications Commission (FCC)
Communications Security, Reliability, and
Interoperability Council III
Support of the Public-Private Partnership (Con’t)
Network Reliability and Interoperability Council
(NRIC)
Communications Security, Reliability, and
Interoperability Council II
Network Security Network Best Practices
DNSSEC Implementation
Secure BGP
U.S Anti Botnet Code of Conduct
Recent Partnership Examples
CSRIC IV in Planning Stage
11
Support of the Public-Private Partnership (Con’t)
U.S. National Policy Statement
It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.
White House Executive Order 13636 February 12, 2013
12
Support of the Public-Private Partnership (Con’t)
Executive Order (Continued)
The Executive Order’s impact has already been significant. It’s affect on the public-private partnership will be a function of how the Order is implemented.
New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies
The development of a Cybersecurity Framework
Establishment of a voluntary program to promote the adoption of the Framework
The review of existing cybersecurity regulation
Strong privacy and civil liberties protections based on the Fair Information Practice Principles
13
Support of the Public-Private Partnership (Con’t)
Presidential Policy Directive 21
The Administration issued Presidential Policy Directive 21 (PPD-21) which updated the Homeland Security Presidential Directive 7 (HSPD 7 issued in 2003).
Identify the functional relationships across the government related to critical infrastructure
Work to improve the effectiveness of the existing public-private partnership with owners and operators and state, local, tribal and territorial partners in both the physical and cyber space
Develop an efficient situational awareness capability that addresses both the physical and cyber implications of an incident
Ensure further integration and awareness throughout the government and enables responsible info sharing of with stakeholders
Produce a comprehensive research and development plan for critical infrastructure to guide the government’s effort to enhance and encourage market-based innovation
14
Support of the Public-Private Partnership (Con’t)
NIST Cybersecurity Framework
NIST has 240 days to develop a voluntary cybersecurity framework.
Identify security standards and guidelines applicable across sectors of critical infrastructure,
while identifying areas that should be addressed through future collaboration with particular sectors and standards-developing organizations
Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach
Help owners and operators of critical infrastructure identify, assess, and manage cyber risk
Provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
Include guidance for measuring the performance of implementing the Cybersecurity Framework
Include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties
15
Support of the Public-Private Partnership (Con’t)
Key Congressional Initiatives
Congress continues to search for ways to build support for cybersecurity legislation
Cybersecurity Act of 2012– S.2105 – Sponsored by former Senators Joe Lieberman (I-Conn) and Susan Collins (R-Maine). Senate failed in August 2012 to move bill past cloture.
Cyber Intelligence Sharing and Protection Act – H.R.624 (CISPA)
– Sponsored by House Intel Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger and reintroduced and passed in the 113th Congress as H.R. 624. Bill now moves to the Senate. Sen. Jay Rockefeller, Senate Commerce Committee Chairperson, said the Senate would not approve CISPA but would instead draft an alternative bill
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, & Technology Act – S.2151 (SECURE IT) – Introduced by Senator John McCain on March 1, 2012. Representative Marsha Blackburn reintroduced the SECURE IT Act of 2013 on April 10, 2013.
16
Support of the Public-Private Partnership (Con’t)
Discussion/Q&A