The daily news stories about user information and intellectual property stolen from both private and public organizations make cyber security top of mind for most senior leaders.
There is little distinction between the public and private sectors when it comes to cyber security; compromised data affects any organization’s ability to perform its mission and serve its customers. It can also destroy an organization’s long-term sustainability.
A recent Executive Order included a number of initiatives targeting US Federal Departments and Agencies:
Placing the responsibility for cyber security risk on the heads of federal agencies
Calling for a report on cyber security concerns facing critical infrastructure to be drafted within six months
Mandating that government agencies, especially those in the civilian sector, consider opportunities to share cyber technology when feasible (a shared-services approach to cyber security)
Additionally, in June 2015 the National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information (CUI), or “sensitive but unclassified” information, in Nonfederal Information Systems and Organizations.
The goal of 800-171 is to provide direction to federal agencies to ensure that sensitive federal data and information are protected when processed, stored, and used outside of the federal government in non-federal information systems. More broadly, the controls specified in 800-171 will need to be addressed in any IT system that stores CUI or sensitive but unclassified information provided by the federal government.
Private corporations that hold such information are expected to implement the controls in 800-171 by the end of 2017.
The Forum’s action for cyber security
Coupled with the fact that those who perpetrate cyber-attacks are constantly adjusting their tactics and using ever more sophisticated approaches, the above creates a great deal of urgency in both the public and private sectors to act in timely, reasonable, and prudent ways to protect both public and private information systems.
For companies not directly affected by 800-171, there is no less urgency, given the reputation risks associated with information security breaches or the theft of their proprietary designs, algorithms, product plans, etc. (Example: the recent Equifax breach.)
Given the above, the NFPPC felt that cyber security and resilience are both a timely and a necessary focus for our first public-private collaboration. We will focus the collaboration on determining what this means to an organization of any size, so that they understand what they need to do to improve their cyber resilience.
Cyber-attacks continue to increase in frequency and sophistication, presenting significant challenges for organizations that must defend their data and systems from capable threat actors. These actors range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state. Threat actors can be persistent, motivated, and agile, and they use a variety of tactics, techniques, and procedures (TTPs) to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. Given the risks these threats present, it is increasingly important that organizations share cyber-threat information, and use the community’s experience to improve their security posture.
Cyber-threat information is any information that can help an organization to identify, assess, monitor, and respond to cyber-threats. Examples of cyber-threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber-threat information that are available to share internally as part of their information technology and security operations efforts.
FISMA 2016 Executive Summary
The State of Federal Cybersecurity
In 2016, cybersecurity continued to become a household term among the American public, as millions of citizens had their personal data and devices exposed to ever-expanding cyber threats. During the year, malicious actors compromised several social media and email services, leading to the exposure of personal data for a large portion of their user bases. In October 2016, a distributed denial of service attack used seemingly innocuous internet-connected devices to cripple servers that connect the public to many popular websites. The exploits that led to these cyber incidents were not new, and demonstrate that we must redouble our efforts to inform Americans and companies across the country of methods that they can employ to protect their data from malicious actors.
Office of Management and Budget
The Office of Management and Budget (OMB) worked with agencies to develop policies aimed at strengthening cybersecurity across the government, including a revision to OMB Circular A-130, Managing Information as a Strategic Resource, which sets the overarching framework for managing Federal IT resources. OMB also collaborated with the Office of Personnel Management (OPM) to publish the first-ever Federal Cybersecurity Workforce Strategy to help agencies recruit and retain top cyber talent. OMB and its interagency partners look to build on these policies and continue driving cybersecurity performance in the coming years.
Federal Agencies Were Not Immune
Federal agencies were not immune to these exploits in 2016, with over 30,899 cyber incidents that led to the compromise of information or system functionality. Sixteen of these incidents met the threshold for a major incident, a designation that triggers a series of mandatory steps for agencies, including reporting certain information to Congress.
During the year, Federal agencies made considerable progress in strengthening their defenses and enhancing their workforces to combat cyber threats. In particular, agencies worked to enforce the use of multi-factor Personal Identity Verification (PIV) cards, with 81% of government users now using this credential to access Federal networks. Additionally, over 70% of Federal agencies have employed strong anti-phishing and malware capabilities to help safeguard their networks from malicious activity. Agencies have also made significant progress toward safeguarding their high value information technology (IT) assets and employing capabilities to identify, detect, and protect hardware and software assets on their networks.
Agency FISMA Progress
This annual report provides Congress with information on agencies’ progress towards meeting cybersecurity performance goals in Fiscal Year (FY) 2016 and the results of the independent Inspectors General (IG) assessments that identify areas in need of improvement. This report also provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and agencies’ progress in implementing cybersecurity policies and programs to protect their systems, networks, and data.
Acting FTC Chair Maureen Ohlhausen addressed a meeting of the National Cyber Security Alliance on Monday at the NASDAQ in New York City.
Charlie Tupitza asked a question about the importance of public-private collaboration, especially in how it helps small businesses understand reasonable approaches. She gave a very positive response.
Maureen Ohlhausen echoed the Forum’s opinion about the value of helping small businesses. It is critical to consider the needs and abilities of small businesses while we collaborate on a more holistic view of the business value of cyber resilience. Since small and mid-size businesses play such an important role in our supply chain, we must do everything we can to help them with reasonable approaches to protect themselves, their partners and their customers.
Here is her quote from the event.
We see a number of organizations struggling to map to the CSF and deal with reasonableness. We wonder what value you see in public and private collaboration to help determine reasonableness and address the difference between large and small organizations.
I think there can be enormous value in having public and private collaboration and discussion on these issues of the NIST Cyber Security Framework and reasonableness.
Reasonableness is the FTC’s touchstone and it is based on the size of the organization. We do understand that small organizations don’t have the resources of large organizations, but that doesn’t mean that they can’t take basic steps.
So the kinds of areas where we have brought enforcement actions have been areas like: don’t have the password be the name of your company. Have a firewall. See what data you have, why, and who has access to it. Don’t give access to everybody to the most secure, sensitive types of data if they don’t need access. These are some basic low-cost steps, and I think that business can be very useful as part of the dialogue, to be a resource to say what is a cost-effective step. What is reasonable for a small company to take to secure data to the best of their ability, understanding that a small company’s ability wouldn’t necessarily be the same as a Fortune 500 company’s ability.
Efforts are being considered to map this to our Foundation for Public-Private Collaboration.
This document, developed by the Australian Signals Directorate (ASD), replaces ASD’s publication Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details and directly complements ASD’s publication Strategies to Mitigate Cyber Security Incidents.
Additional information is provided in this document to help organizations mitigate cyber security incidents caused by:
targeted cyber intrusions (e.g. executed by advanced persistent threats such as foreign intelligence services) and other external adversaries who steal data
ransomware denying access to data for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
malicious insiders who steal data such as customer details or intellectual property
malicious insiders who destroy data and prevent computers/networks from functioning
“business email compromise”
threats to industrial control systems.
Implementation guidance is provided for each of the associated mitigation strategies, including references to controls in ASD’s Australian Government Information Security Manual (ISM).
Readers are strongly encouraged to visit ASD’s website for the latest version of this document and additional information about implementing the mitigation strategies.
ASD’s website also has separate and specific guidance for mitigating denial-of-service attacks, and for securely using cloud computing and enterprise mobility, including personally owned computing devices such as tablets, smartphones and laptops.
We do not provide links that are not HTTPS, so you will have to search for these.
The Global Forum for Advanced Cyber Resilience released the first draft today of the Foundation for Public-Private Collaboration, based on the Department of Defense Enterprise Service Management Framework (DESMF), which DoD CIO Terry Halvorsen directed all activities to conform to on December 24, 2015.
The Forum recognized the business value of the DESMF in providing a much-needed foundation and basic lexicon for collaboration, including the recognition of business value for cyber resilience considerations during the strategy phase of the development of products and services.
The DESMF was written to appeal to a broader audience than just the DoD. The Forum made only minor modifications to terms, so it is easy for the DoD to continue to collaborate with the Forum as they have for over a year. Example: the Forum changed the terms ‘DoD’ to ‘organization’ and ‘warfighter’ to ‘customer’ in the document. The Forum takes advantage of this as a foundation for private/public collaboration, adding cyber-resilience and business-value underpinnings at a common level for all participants. The Framework does not give guidance on how to do things; it provides a simple framework for what is needed in the development of services. The Forum believes it has application for products as well.
The Foundation for Public and Private Collaboration serves two purposes: first, as a reference document to enable and facilitate meaningful collaboration; second, as a framework for operationalizing service management within and between organizations. It is up to your organization to see direct value in operationalizing it. We believe it provides valuable guidance which you can take advantage of at the pace your organization is capable of.
To date the Forum has helped facilitate high-level collaboration between participants from the DoD; several civilian agencies; the telecommunications, energy, healthcare, transportation, hospitality, entertainment, finance and manufacturing sectors; state governments; not-for-profit organizations; higher education, including colleges and universities that are part of the NSA/DHS Centers of Academic Excellence program; and others.