Cybersecurity: What Does a Breach Mean to Your Job, Identity or Security?
David Z. Bodenheimer, Crowell & Moring LLP
American Bar Association, Public Contract Law Section
Toronto, Canada, August 7, 2011
© 2011 Crowell & Moring LLP
Cyber Contrarians
Why Cyber Contrarians are Clueless
“pork-hungry politicians”
“no substantive basis” for cybersecurity threats
“ulterior motives and conflicts of interest”
“The $100 billion Washington will spend on cybersecurity in the next decade may be less about guarding America from a real threat, and more about enriching revolving-door lobbyists and satisfying pork-hungry politicians.”
“‘The notion that our power grid, air traffic control system, and financial networks are rigged to blow at the press of a button would be terrifying if it were true,’ Brito and Watkins write. ‘But fear should not be a basis for public policymaking.’ The public has been given no substantive basis for such fears.” [Carney, The Washington Examiner (Apr. 28, 2011)]
Signs of the Cyber Apocalypse
74% Expect Foreign Attack
Cyber 9/11 on Banks
S. 773
Foreign Cyber Threats
Foreign Penetration of Grid
“The Chinese are relentless and don’t seem to care about getting caught. And we have seen Chinese network operations inside certain of our electricity grids. Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do.”
(Joel Brenner, head of U.S. Office of National Counterintelligence Executive, Apr. 21, 2009)
“Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
‘The Chinese have attempted to map our infrastructure, such as the electrical grid,’ a senior intelligence official. ‘So have the Russians.’”
Chinese Cyber Threats
• 40,000 Hackers: “There are forty thousand Chinese hackers who are collecting intelligence off U.S. information systems and those of our partners.” (Adm. McConnell, Jan. 2008)
• Daily Attacks. “A defence force source said yesterday that attacks initiated from China occurred almost on a daily basis” (Australian Defense Force, Apr. 2009)
• Classified Data Compromised. “a China-based cyber espionage network had accessed 1200 computers in 103 countries containing classified documents.” (Munk Centre for Int’l Studies, Apr. 2009)
China Cyber Dominance
“According to its ‘Cyber Warfare Doctrine,’ China’s military strategy is designed to achieve global ‘electronic dominance’ by 2050, to include the capability to disrupt financial markets, military and civilian communications capabilities, and the electric grid prior to the initiation of traditional military operations.” *Securing the Modern Electric Grid from Physical and Cyber Attacks: House Homeland Security Subcomm. (July 21, 2009)
Grid Attack > $700 Billion
FERC Warning: $700 Billion Threat
“greater than the August 2003 blackout”
“For a society that runs on power, the discontinuity of electricity to chemical plants, banks, refineries, hospitals, and water systems presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion.”
262 Million Breaches (2009)
Compromised Personal Records (’09)
“2008 Data Breach Total Soars: 47% Increase over 2007” Identity Theft News (Identity Theft Daily, Jan. 5, 2009)
Records with sensitive personal information involved in security breaches in the U.S. since January 2005: 262,442,156 records (Privacy Rights Clearinghouse, June 11, 2009)
“Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.” (President Obama, May 29, 2009)
514 Million Breaches (2011)
271 Million Records Exposed Since June 2009
Records with sensitive personal information involved in security breaches in United States since January 2005:
533,686,975 records (June 4, 2011)
262,424,592 records (June 4, 2009)
[www.privacyrights.org]
“According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.”
Cybersecurity: Why General Counsels & CFOs Need to Worry – Now!
Secrets Gone?
Cyber Risks – SEC Scrutiny
Security Problem
- Not disclosing material risks
Impact
SEC scrutiny or actions
“Cyber risk management is a critical corporate responsibility. Federal securities law requires publicly traded companies to disclose ‘material’ risks and events, including cyber risks and network breaches. A review of past disclosures suggests that a significant number of companies are failing to meet these requirements.” [News Release, May 12, 2011]
Cyber Risks – Shareholders
Security Problem
- Risking personal data
Impact
Shareholder or private suits
$20 Million Suit. Countrywide’s lax “internal procedures” & security breach [Courthouse News, Apr. 5, 2010]
Stock-Price Hit. “Sony fell 2.3 percent to 2,262 yen” after security breach of 101 million records. [Bloomberg News (May 6, 2011)]
$6.75 Million/Incident. “average cost per incident of a data breach” in U.S. [Sen. Comm. Hearings, Sept. 2010]
Sony Breach – 101 Million
“In addition to losing an estimated revenue stream of $10 million a week, Sony will probably have to reimburse customers who pay for its premium service, rebuild its computer systems and beef up security measures, said Michael Pachter, an analyst with Wedbush Securities who said the incident could cost the company $50 million.” [L.A. Times, Apr. 28, 2011]
Cyber Risks – Lost IP
2x Library of Congress
“As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Sheldon Whitehouse (May 10, 2010)]
Bet-the-Company
$1 Trillion Losses. “Cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” [President Obama, 2009]
“Greatest Damage” “The greatest damage to the American economy from cyber attacks is due to massive thefts of business information.” [Scott Borg (Dir., U.S. Cyber Consequences Unit)]
$400 Million Theft. “A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million.” [President Obama, 2009]
Cyber Risks – FCA Actions
Security Problem
- Improper disposal of data
Impact
False Claims Act suit
“PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”
Cyber Risks – Suspension
Security Problem
- Misuse of DoD data
Impact
Suspension
Loss of $5B Contract
L-3 Trips as Lockheed Snatches $5 Billion Contract
“A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL).
L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”
“But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.”
Cyber Risks – Acquisitions
Security Problem
- Security as selection factor
Impact
Lost Government work
Major legislation & agency actions to make cybersecurity a significant factor in federal acquisitions
Senate & House legislation
President’s proposals
Agency competitions
RFP Requirements
“The proposal will be evaluated for an effective plan and timeline to meet the DoD DIACAP documentation requirements within allowed timeframes.”
Cyber Risks – Protests
Security Problem
- Multiple security breaches
Impact
Protests
“However, the USAJOBS screenshot, memoranda from OPM and OMB discussing the Government’s policy on safeguarding social security numbers, and the three sets of internet articles discussing Monster’s past security breaches ensure the completeness of the administrative record and shall be admitted.”
Allied Tech. Group v. U.S. (Fed. Cl. 2010)
Monster Hackers Also Hit USAJobs.gov (Aug. 31, 2007)
“It now appears that Monster.com knew about a breach of its systems almost a month before Symantec told Monster of a massive phishing operation targeting Monster.com users. That long of a lag is ‘inexcusable,’ said W. David Stephenson, a homeland security and corporate crisis management consultant, ‘after the legacy of past problems.’”
Cyber Risks – Congressional, DOJ & IG Investigations
Security Problem
- Failure to install safeguards
Impact
IG investigation
False statement risk
Criminal exposure: “criminal investigation”; “fraudulent statement”
Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)
Cyber Risks – State Actions
Florida AG vs. Certegy
• 5.9 million records stolen
• Florida Safeguards Rule
• Info Security Program
– Designate accountable staff
– Assess risks
– Implement safeguards
• $850,000 Fine to AG
• $125,000 to Seniors Group
• Annual Security Report
• 5-Year Scrutiny
Cyber Risks – State Actions
Conn. AG Action
• Stolen computer drive
• 1.5 million medical & financial records (500,000 Conn. residents)
• Added Information Security Safeguards
• $250,000 to Conn. AG
• $1 million of ID theft insurance
• 2-year credit monitoring
Another Conn. AG Action
Connecticut AG to Lead Coalition of States Investigating Google WiFi Data Collection (Privacy Law Watch, June 24, 2010)
“The Connecticut Attorney General’s Office will lead a coalition of a ‘significant number of states’ in investigating Google Inc.’s collection of data from unsecured wireless internet connections, AG Richard Blumenthal (D) said in a June 21 statement.”
Cyber Risks – Liability
Security Problem
- IT security technology fails
Impact
Insurance coverage?
Contractor liability?
What Happens When You Sell IT Security that Fails?
• Gov. Contractor Defense – Commercial specifications
• SAFETY Act Coverage – No terrorist attack
• 85-804 Indemnification – Limited agency authority
• Legislative Proposals – Political limitations
Boyle vs. UTC, 487 US 500 (1988)
Cyber Risks – Warfare Risks
Security Problem
- Supporting cyber war
Impact
Unknown risks & liability
International Law
- Authority to attack?
US Law
- Electronic surveillance & wiretapping laws
- Covert operations (Title 10 vs. 50)
- Posse Comitatus (DoD & CONUS)
- 5th Amendment takings
$50 Billion Lawsuit
“One lawsuit alone, filed May 12 by a purported national class of Verizon customers, seeks $50 billion in damages.” [“Court Will Decide State Secrets Issues First in NSA Phone Surveillance Class Action Suit,” Privacy Law Watch, June 9, 2006]
Cyber’s Toughest Topics
Cyber Issues
• Managing Risk
• Sharing Information
• Partnering (Pub/Private)
• Waging Cyber War
• Addressing Liability
Cyber Challenges
SEC/shareholder scrutiny
Authority & WikiLeaks
Working Models
Private Rights of Action
Public/Private Risk Allocation
Questions?
David Z. Bodenheimer
Crowell & Moring LLP
dbodenheimer@crowell.com
(202) 624-2713