Bonnie Harrington
Executive Counsel EHS and Product Safety & Cybersecurity
GE Energy Management
Cybersecurity Legal Landscape
SCCE SE Regional Conference
November 7, 2014
What are you trying to secure against Cyber Attack?
“75% of Compliance Officers aren’t involved in managing cyber security risk”*
• Personally Identifiable Information (PII)
• Personal Card Information (PCI)
• Personal Health Information (PHI)
• Intellectual Property
• Critical Infrastructure
• Customer Data
• Employee Data
• Big Data (IoT)
• Gov’t Restricted Data
A few points on Privacy and Data Protection
• United States
  • Federal: No central regulator or overarching law; sector specific (e.g., Surveillance, Financial Services, Healthcare)
  • State: Most states and territories have PII breach notification laws … some require regulator notification
• Europe
  • EU Data Protection Regulation (PII): adopted by Parliament March 2014 to replace member state national laws based on the 1995 directive … expected to be adopted in 2015 … 2017 effective date
  • Consent, right to be forgotten/erasure, fines, data breach reporting/notification
Context: Existing Federal “Cyber” Law
• The Counterfeit Access Device and Computer Fraud & Abuse Act of 1984
  • Prohibits various attacks on federal computer systems and on those used by banks and in interstate and foreign commerce
• The Electronic Communications Privacy Act of 1987
  • Prohibits unauthorized electronic eavesdropping
• The Computer Security Act of 1987
  • Gave National Institute of Science & Technology (NIST) responsibility for developing security standards for USG computer systems
    » Except national security systems used for defense/intelligence (CNSS)
  • Gave responsibility to Secretary of Commerce for promulgating electronic security standards
• The Paperwork Reduction Act of 1995
  • Gave OMB responsibility for developing federal agency cybersecurity policies
• The Clinger-Cohen Act of 1996
  • Agency heads responsible for ensuring adequacy of agency information security policies/procedures; established CIO positions in agencies
Context: Existing Federal “Cyber” Law, continued
• The Homeland Security Act of 2002
  • Gave DHS cybersecurity responsibilities, along with general responsibility for homeland security and critical infrastructure
• The Cyber Security Research and Development Act of 2002
  • Established cybersecurity research responsibilities in NIST
• The E-Government Act of 2002
  • Guide to federal IT management and initiatives to make services available online; includes cybersecurity requirements
• The Federal Information Security Management Act of 2002 (FISMA)
  • Strengthened NIST and agency cybersecurity responsibilities, established a federal incident center, made OMB responsible for promulgating federal cybersecurity standards
No comprehensive Cyber Security Law
Energy Policy Act of 2005
Title XII, Section 1211 (Electric Reliability Standards)
• Amends Federal Power Act to grant FERC authority to regulate bulk power system reliability
• Directs FERC to designate an Electric Reliability Organization (ERO)
• Authorizes ERO to develop and enforce reliability standards, to include cyber security protection
• Limits FERC standards-setting authority… approve, reject, remand for changes, or direct development of new standards
NERC cyber security toolkit
CIP standards (mandatory, enforceable)
• CIP-002: Critical asset designation
• CIP-003: Cyber security management controls
• CIP-004: Personnel security standards
• CIP-005: Electronic security perimeter (ESP) definition
• CIP-006: Physical security for ESP
• CIP-007: Electronic ESP security
• CIP-008: Incident reporting and response planning
• CIP-009: Recovery planning for cyber assets
Alert system (accountable, but not enforceable)
• Industry Advisory
  • Informational… highlights an issue or problem
  • No response required
• Recommendation to Industry
  • Recommends specific action
  • Response required
• Essential Action
  • Essential to grid reliability
  • Requires NERC Board approval
  • Response required
Focused on Critical Infrastructure
NIST Cybersecurity Framework
• Developed by NIST with industry
• Version 1.0 released in Feb 2014
• 5 core functions: identify, protect, detect, respond and recover
• Voluntary and evolving
Critical Infrastructure Cyber Community (C3) Voluntary Program
• Identifies and notifies owners/operators of critical infrastructure
• Offers information sharing, technical support, training, assessments
Cybersecurity Information Sharing
• Rapid dissemination of unclassified cyber threat reports to targets and expedited personnel clearances
• Victim notifications by the FBI
16 Critical Infrastructure Sectors: Chemical; Commercial Facilities; Communications; Energy; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Financial Services; Food & Agriculture; Government Facilities; Water & Wastewater Systems; Nuclear Reactors, Materials & Waste; Healthcare & Public Health; Information Technology; Transportation Systems
Agency Guidance on Cybersecurity
• 2011 SEC Guidance
  • Regulated companies should disclose information about cybersecurity risks and cyber incidents in SEC filings consistent with general disclosure requirements
  • Recent breaches have led to speculation of mandatory requirements in the future
• June 2014 SEC Chair Aguilar on Cyber Risks and the Boardroom
  • Adopt the NIST framework for managing cyber security risk
  • Assign oversight of cyber risk to a specific board committee, preferably a separate risk committee
  • Assign in-house corporate expertise to manage cybersecurity risks on a daily basis and report to the board regularly
  • Preparedness: response plans that include how to determine extent of damage and how to disclose internally/externally
• 2014 DOJ/FTC Policy Statement
  • Antitrust should not be a barrier to legitimate cybersecurity information sharing if proper safeguards are in place
  • Information appropriate for sharing: cybersecurity threats, incident reports, indicators, threat signatures, alerts
  • Cannot share competitive information such as pricing, output or business plans
Cyber security policy landscape
5 key issues
1. Information sharing
2. Clarification of Federal authority
3. Critical infrastructure
4. Liability protections
Cyber legislation in the 113th Congress
By the numbers…
                                       House   Senate
Introduced and referred to committee     14       10
Reported by committee                     7        4
Passed by Chamber                         7        1
Signed into law                           0        0
• Lots of activity, but little movement beyond non-controversial measures
• Progress hamstrung by competing approaches
  • House leadership… piecemeal legislation
  • Senate leadership… comprehensive legislation
• White House focused on NIST Framework and Agency actions
Post-election outlook
Lame Duck session
• Remote chance of seeing cyber provisions in Continuing Resolution
• Pre-conference discussions suggest support for the following measures:
  • FISMA Reform
  • Info-sharing (CISPA/CISA)
  • Cyber R&D
  • SAFETY Act amendment (NCCIP)
114th Congress
• Senate Dems likely to follow White House retreat from focus on comprehensive legislation
• Republican victory in mid-terms could break cyber logjam in Congress
White House
• Continued focus on NIST Cyber Framework… further adoption, Version 2.0
EU: Cybersecurity Strategy
• Strategy for “open, safe and secure cyberspace” in response to risks, incidents and cybercrime issued February 7, 2013
• Network & Information Security Directive (NIS Directive) adopted by Parliament in March 2014:
  • Common requirements for NIS strategy, cooperation plan, competent authority, computer emergency response team (CERT)
  • Common NIS standards for authorities and critical infrastructure providers (energy, transport, banking, stock exchange, health)
  • Cooperation among Member States … early warnings, response, drills
  • Notification of significant impact events
  • Audit power, referral of criminal and data protection breaches
What to do now…
• Don’t be the 75%!
• Identify what you are trying to protect
• Are your policies in place and up to date?
• Are you testing your policies and procedures through drills?
• For Products: are you doing product testing and vulnerability assessments?
• Apply the NIST Framework … how do you stand up in IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER for your cyber risk areas?
• Are you ready for potential mandatory cyber risk and incident reporting?
• Is cybersecurity risk being managed by your board?
“Every compliance officer needs to decide whether it’s time for them to be Captain Kirk and boldly go into cyber...”*
* Alan Brill, Sr. Managing Director, Kroll, 2014 Anti-Bribery and Corruption Benchmarking Report (Kroll and Compliance Week Survey)
Web Links
2011 SEC Guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
June 2014 SEC Chair Aguilar on Cyber Risks and the Boardroom:
http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VD27iU0tCM8
2014 DOJ/FTC Policy Statement: http://www.justice.gov/atr/public/guidelines/305027.pdf
Executive Order 13636, Improving Critical Infrastructure: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Critical Infrastructure Cyber Community (C3) Voluntary Program:
http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program
2014 Anti-Bribery and Corruption Benchmarking Report: Untangling the Web of Risk and Compliance, A collaboration between Kroll and Compliance Week:
http://www.kroll.com/resources/reports/compliance-week-kroll-anti-corruption-bribery-report/