Cyber Security Issues and Responses
Andrew Rogoyski
Head of Cyber Security Services
CGI UK
CGI in cyber security
• We have over 35 years of experience working
with government and commercial as a trusted
advisor
• We work with clients using state of the art
facilities, including a world-class innovation lab
and one of the only companies with three
accredited security certification facilities, one
in the US, one in the UK and one in Canada
• CGI is completing its 10th Security Operations
Centre; the centres operate globally
• Our managed services support over 100 clients
in 16 countries across all industries
• We defend against 43 million cyber attack
incidents each day on military and intelligence
networks and infrastructure
• Business-focused approach to security
The changing shape of IT security issues
“IA”: the era of early connectedness (1984 to 2000)
• 1986: Lawrence Berkeley National Laboratory discovers an attempt to copy US Government information over Arpanet
• 1988: First worm, created at Cornell
• 1990: Arpanet becomes the Internet
• 1998: Google founded
“Cyber”: the era of mass interdependence (2000 to 2014)
• 2000: ILOVEYOU worm
• 2001: Budapest Convention on Cybercrime
• 2003: Slammer worm
• 2003: DHS creates National Cyber Security Division
• 2004: Facebook launched
• 2007: iPhone launched
• 2007: Cyber attack on Estonian Government
• 2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
• 2009: The Aurora attacks hit Google and 33 other companies
• 2010: US Cyber Command becomes operational
• 2010: Stuxnet
• 2010: iPad launched
• 2010: US intelligence material published on WikiLeaks
• 2011: RSA and Lockheed attacked
• 2011: Sony PlayStation Network hacked, costing $170m
• 2012: Aramco loses 30,000 PCs to attack
• 2013: South Korean media and banks attacked
• 2013: Edward Snowden reveals stolen NSA data
Drivers for Change:
1. Industrialised Cyber
espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the
Internet
6. The rise of the devices
7. Privacy and Data Protection
What are the emerging trends and responses?
It's not all about technology…
• More: targeted attacks, social engineering,
attacks against mobile, more sophistication
• More: government involvement – carrying
the economic and security risk
• More: international government involvement
and co-operation, with focus on CNI
• More: regulation, legislation, obligatory
reporting around privacy and breaches
• More: Competition for scarce skills and
know-how
• Change: to cloud, mobile,
interconnectedness, including managed
security services
The UK Cyber Security Strategy
HMG Vision
• Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.
• Published in November 2011 with a £650m budget
• 1 of 33 national cyber strategies
Themes
• Cyber crime
• Resilience to cyber attack
• Shape an open, stable and vibrant internet
• Build knowledge, skills and capabilities to underpin all the objectives
CISP and CERT
• The Cyber Security Information Sharing Partnership
• Pilot in 2011/12
• Collaboration between industry and HMG
• Technical infrastructure for sharing technical and tactical cyber attack information
• Building trust relationships
• Establish a ‘fusion cell’
• The CERT-UK
• Launched in April 2014
• Subsumes CISP
• National Cyber Security Incident Management.
• Support to Critical National Infrastructure companies to handle cyber security incidents.
• Promotes cyber security situational awareness across industry, academia, and the public sector.
• Provides the single international point of contact for co-ordination and collaboration between national CERTs.
Government Guidance for Cyber Security
[Figure: covers of two government guidance publications, dated Sep 2012 and April 2014]
Cyber Education, Skills and Know-How
• Initiatives
• Promote cyber security learning in
schools
• Competitions to attract people into the
profession
• Funding for graduate and post
graduate students in cyber studies
• Accredited 11 universities as
Academic Centres of Excellence in
Cyber Security Research
• Set up 3 new Research Institutes and
funded 2 Centres for Doctoral
Training in cyber
• Strengthened the cyber security
profession through the introduction of
CESG's Certified Professional
Scheme
[Figure dated March 2014]
Cyber in Corporate Finance
• Threats
• Individuals, nation states, hacktivists,
employees & contractors, organised
crime and competitors
• Targeting Transactions
• The very act of putting information
together may trigger interest, it may also
create an attractive target
• A complex mix of external advisors,
short timescales and high stakes leads
to vulnerabilities
• Issues
• How secure is each contributor and
stakeholder in this transaction?
• Who needs to know?
• Can you monitor access to information?
• What is your strategy for breaches?
• Do you have a security partner?
[Figure dated March 2014]
The National Cyber Security Programme
New Priorities in the UK
• Additional £210m, plus one year
• Focus on Critical National Infrastructure (CNI)
• The February 2014 Summit with Government and regulators (ONR, BoE, FCA, PRA, Ofcom, Ofgem and Ofwat):
• “Strong cyber security in the firms and markets we oversee is fundamental to meeting regulatory objectives…”
• “there is a need to work with international partners to understand our risk and increase the level of network and information security, including at the EU level”
• Work to embed cyber security in the firms and markets that they oversee;
• Assess the state of cyber security across each sector;
• Identify aggregated cyber security risks within and across sectors;
• Working with industry, increase information flows on threat, vulnerabilities and mitigation strategies across each sector;
• Support sectors to develop effective incident detection and management capabilities.
Questions under consideration
• Regulation or guidance?
• Is UK Government advice to the energy sector sufficient, and should it be broadened (i.e. to extraction and conventional generation)?
• Should UK Government adopt US or European cyber frameworks/standards or develop UK versions (e.g. the NIST framework)?
• At what level should the standards be pitched? (Too low level and they don't engage or are seen as prescriptive; too high level and no action is taken.)
• Should the UK focus on the detail that the US NIST framework is perceived to be missing?
• What impact could related regulation from Europe have (e.g. the General Data Protection Regulation (GDPR) or the Network and Information Security Directive (NISD))?
NIST Cyber Framework
NIST Cybersecurity Framework, February 2014
The President issued Executive Order 13636, “Improving Critical Infrastructure
Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy
of the United States to enhance the security and resilience of the Nation's
critical infrastructure and to maintain a cyber environment that encourages
efficiency, innovation, and economic prosperity while promoting safety, security,
business confidentiality, privacy, and civil liberties.”
Summary
• The threat landscape is becoming more
sophisticated, more targeted and more
aggressive
• Security responses are becoming more
complex – technically challenging and more all
encompassing
• Government intervention (in various forms) is
on the rise
• The skills and experience to run solutions are
becoming highly sought after – it is difficult to
create and maintain critical mass of expertise
• There will be a convergence with managed
security services and IT outsourcing
Questions/Discussion
• What are your views on Government intervention to improve the security of the UK’s critical infrastructure – what is the most effective way to intervene?
• Are UK frameworks better than international versions? Are overseas interventions influencing your UK businesses?
• What would help you make the investments – regulation, awareness or business case?
• What are you prepared to share, in terms of cyber attack experiences and information?
• Do you have the skills to meet these requirements or will you look for a trusted partner?
• Do you know the questions to ask of your own organisation and do you have confidence in the replies you receive?