UNCLASSIFIED
Cybersecurity Interaction Between DoD and Private Sector
June 6, 2019
Vicki Michetti, Office of the DCIO-Cybersecurity, Director, Policy, Strategy, International, and Defense Industrial Base
Cybersecurity Environment
• 53% of attacks result in damages of $500,000 or more (Cisco Annual Cybersecurity Report 2018)
• Cybercrime will cost businesses over $2 trillion by 2019 (Juniper Research)
• The U.S. was the most targeted country in the past three years, accounting for 27% of all targeted attack activity (Internet Security Threat Report, Symantec 2018)
• 49% of customers with at least one significant attack were successfully attacked again within one year (M-Trends 2018, FireEye)
• 53,308 security incidents, 2,216 data breaches, 65 countries, 67 contributors; 68% of breaches took months or longer to discover (2018 Data Breach Investigations Report, Verizon)
Cyber threats targeting unclassified information have dramatically increased
Cyber Threat
• U.S. is engaged in a continuous competition against strategic adversaries, rogue states, terrorist organizations, and criminal networks
• Russia, China, Iran, and North Korea all use cyberspace to challenge the U.S.
  • Use tools in cyberspace to undermine our economy and democracy
  • Steal our intellectual property
  • Sow discord in our democratic processes
• Our adversaries are continually developing new and more effective cyber weapons
• Risk is growing that these countries will conduct cyber-attacks against the United States during a crisis short of war
National Cyber Strategy: Four Pillars
I. Defend the homeland by protecting networks, systems, functions and data
II. Promote American prosperity by nurturing a thriving digital economy and fostering strong domestic innovation
III. Preserve peace and security by strengthening the ability of the United States, in concert with allies and partners, to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
IV. Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure internet
Defense Cyber Strategy
• Strategic competitors are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity
• The Department must defend its own networks from malicious activity and be prepared to defend, when directed, those operated by entities of the nation’s critical infrastructure
• DoD will also collaborate with our various partners to strengthen the cybersecurity and resilience of both the DoD and the DIB
• The Department will also seek to preempt, defeat, or deter malicious activity targeting U.S. critical infrastructure entities that could cause a significant cyber event
The Cyber Landscape
What DoD Is Doing
• DoD has a range of activities, including both regulatory and voluntary programs, to improve the cybersecurity of the DIB and protect DoD programs and information
• Secure DoD’s information systems and networks
• Codify cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy
• Implement contractual requirements through the Defense Federal Acquisition Regulation Supplement (DFARS)
• Leverage security standards such as National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (Revision 1 published Dec 2016)
• Engage industry through DoD’s voluntary Defense Industrial Base Cybersecurity Program for cyber threat information sharing
Voluntary DIB Cybersecurity Program
The DIB CS Program is a public-private cybersecurity partnership that:
• Provides a collaborative environment for sharing unclassified and classified cyber threat information
• Offers analyst-to-analyst exchanges, mitigation and remediation strategies
• Provides companies analytic support and forensic malware analysis
• Increases U.S. Government and industry understanding of cyber threat
• Enables companies to better protect unclassified defense information on company networks or information systems
• Protects confidentiality of shared information
Mission: Enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems
DIB CS Construct (diagram): Framework Agreement; Information Sharing; Reporting and Response (dibnet.dod.mil); Damage Assessment
DoD Cyber Crime Center
A DoD technical center for digital & multimedia forensics, cyber training, technical solutions development, & cyber analytics supporting DoD & National requirements
DC3 components (org chart):
• DC3 Cyber Forensics Laboratory (CFL)
• DC3 Cyber Training Academy (CTA)
• DC3 Technical Solutions Development (TSD)
• DC3 Analytical Group (AG)
• DC3 Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)
• DC3 Vulnerability Disclosure Program (VDP)
Most Successful DIB Attack Vectors
Attack Vector and Mitigation
Phishing emails:
• Disable web links inside e-mails
• Strip attachments from external e-mails for separate scanning
Harvested/Stolen Credentials:
• Enable two-factor authentication
Commonly Available Web Exploits:
• Aggressive system patching
• Secure application development
Watering Hole Attacks:
• Host based intrusion detection
• Deploy secure browser configurations
Social Media:
• Restrict sensitive information posted in public profiles
• Scrutinize requests and attachments from unknown or questionable sources
Source: DoD Cyber Crime Center
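The two phishing mitigations in the table (disable web links inside e-mails; strip attachments from external e-mails for separate scanning) can be implemented as a small mail-hygiene filter in front of a mailbox. The following is an added example written for this page, not code from the briefing or from DC3. It assumes a constructed set of internal sender domains (INTERNAL_DOMAINS), a constructed sample message, and demo-grade regular expressions for link handling; a production filter would use a real HTML parser.

```python
"""Mail-hygiene filter for two of the phishing mitigations in the table above:
disable web links inside e-mail bodies and strip attachments from external
e-mails so they can be scanned separately.

Added example, not code from the briefing or from DC3. Assumptions (constructed
for this demo): INTERNAL_DOMAINS is the set of sender domains treated as
internal; the sample message is made up; link handling uses simple regexes
rather than a full HTML parser.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: mail from these sender domains is treated as internal.
INTERNAL_DOMAINS = {"corp.example"}

# http(s) URLs in plain-text bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# href attributes in HTML bodies (demo-grade; a production filter should use
# an HTML parser so it also catches obfuscated or unquoted attributes).
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def defang(url: str) -> str:
    """Make a URL non-clickable while keeping it readable for the recipient."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def is_external(msg: EmailMessage) -> bool:
    """External unless the sender's domain is on the internal list."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def sanitize(raw: bytes) -> dict:
    """Parse one RFC 5322 message and apply the two mitigations.

    Returns a dict with the defanged text/html bodies, the attachments
    detached from external mail as (filename, bytes) pairs for separate
    scanning, and the filenames left in place on internal mail.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    external = is_external(msg)
    result = {"external": external, "text": None, "html": None,
              "detached": [], "kept": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            name = part.get_filename() or "unnamed"
            if external:
                result["detached"].append((name, part.get_payload(decode=True)))
            else:
                result["kept"].append(name)
        elif part.get_content_type() == "text/plain":
            result["text"] = URL_RE.sub(lambda m: defang(m.group(0)),
                                        part.get_content())
        elif part.get_content_type() == "text/html":
            # Replace the live target with an inert anchor; keep the defanged
            # original in a data attribute so analysts can still see it.
            result["html"] = HREF_RE.sub(
                lambda m: 'href="#" data-original="%s"' % defang(m.group(1)),
                part.get_content())
    return result


def build_sample(sender: str = "Payroll <payroll@mail-example.test>") -> bytes:
    """Constructed sample: a phishing-style mail with a link and an attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@corp.example"
    m["Subject"] = "Action required: update your direct deposit"
    m.set_content("Please verify at http://payroll-update.example.test/login "
                  "within 24 hours.")
    m.add_alternative('<p>Click <a href="http://payroll-update.example.test/'
                      'login">here</a> to verify.</p>', subtype="html")
    m.add_attachment(b"%PDF-1.4 fake", maintype="application",
                     subtype="pdf", filename="DirectDeposit.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    r = sanitize(build_sample())
    print("external:", r["external"])
    print("text:", r["text"].strip())
    print("detached for scanning:", [name for name, _ in r["detached"]])
```

Links are defanged on every message, matching the table's unqualified "disable web links" advice, while attachment stripping is keyed on the sender domain so internal mail flow is not disrupted; in practice the detached payloads would be handed to a sandbox or AV pipeline and the recipient told how to retrieve a cleared copy.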
Basic Safeguarding of Contractor Information Systems
FAR Clause 52.204-21, “Basic Safeguarding of Contractor Information Systems,” Final Rule, effective June 2016
• Used in solicitations and contracts when the contractor or subcontractor may have Federal contract information residing in or transiting through its information system
• Requires the contractor/subcontractor to safeguard Federal contract information on the Contractor's Internal Information System by implementing 17 of the 110 requirements in NIST SP 800-171
Federal Contract Information — “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments.”
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 requires contractors/subcontractors to:
1. Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network
2. Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support
3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
4. If requested, submit media and additional information to support damage assessment
5. Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Developed for use on contractor and other nonfederal information systems to protect CUI at confidentiality impact level "moderate", in accordance with FIPS 199 (32 CFR 2002.12)
• Requirements are performance-based, significantly reducing unnecessary specificity
  - Enables contractors to comply using systems and practices likely already in place
  - More easily applied to existing systems
• Provides a standardized/uniform set of requirements for all CUI security needs
  - Allows nonfederal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers)
  - Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements
Implementing NIST SP 800-171 Requirements
Resources
• NIST Manufacturing Extension Partnership (MEP): public-private partnership with Centers in all 50 states and Puerto Rico dedicated to serving small and medium-sized manufacturers. NIST Handbook 162, "NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements" (free publication downloaded over 29,000 times; provides a step-by-step guide to assessing a small manufacturer's information systems against the security requirements in NIST SP 800-171)
https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
• Procurement Technical Assistance Program (PTAP) and Procurement Technical Assistance Centers (PTACs): nationwide network of centers/counselors experienced in government contracting, many of which are affiliated with Small Business Development Centers and other small business programs
http://www.dla.mil/HQ/SmallBusiness/PTAP.aspx
• Cybersecurity Evaluation Tool (CSET): no-cost application, developed by DHS, that provides a step-by-step process to evaluate information technology network security practices
https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
Resources
• Cybersecurity in DoD Acquisition Regulations (http://dodprocurementtoolbox.com/) for Related Regulations, Policy, Frequently Asked Questions, and Resources, June 26, 2017
• DoD Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions (http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html) and (https://www.acq.osd.mil/dpap/pdi/cyber/guidance_for_assessing_compliance_and_enhancing_protections.html)
• NIST SP 800-171 Revision 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf)
• NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf)
• DoDI 5230.24, Distribution Statements on Technical Documents (www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf)
• DoD's Defense Industrial Base Cybersecurity program (DIB CS Program) (https://dibnet.dod.mil)
Summary
• Strategic competitors are conducting cyber-enabled campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity.
• Magnitude of the cyber threat continues to grow
• National Cyber Strategy and Defense Cyber Strategy highlight steps the U.S. Government and DoD are taking to enhance our national cybersecurity
• Interaction between DoD and the private sector is critical to countering the threat
• To better secure DoD information, DoD is engaging the DIB with both mandatory and voluntary activities
• DoD collaboration with the DIB strengthens their cybersecurity and resilience from malicious activity
Contact Information: DIB CS Program
E-mail: [email protected]
Phone: 703-604-3167
Toll Free Number: 1-855-363-4227
FAX: 571-372-5434
https://dibnet.dod.mil