Presents U.S. Federal Cybersecurity Programs, the Cybersecurity Act (CSA) of 2015, NIST Framework for Improving Critical Infrastructure Cybersecurity, and Private Sector Best Practices in Cybersecurity Governance
1. The U.S. Approach to Cybersecurity Governance
Gwanhoo, Ph.D.
Professor of IT Management
Director, Kogod Cybersecurity Governance Center
Kogod School of Business
American University, Washington D.C.
@gwanhoolee
2. Data Breach in the U.S. IRS (Internal Revenue Service)
100,000 tax accounts were breached. Stolen data included Social Security information, date of birth, and street address (February 2015).
3. Largest Data Breach in U.S. Government
Hackers stole personnel data, including Social Security numbers, for over 21 million U.S. federal employees from the Office of Personnel Management’s databases (June 2015).
8. The White House Initiatives
• The Comprehensive National Cybersecurity Initiative (CNCI), 2008
• The National Initiative for Cybersecurity Education (NICE), 2008
• Presidential Policy Directive 21: Critical Infrastructure Security and Resilience, 2013
• Executive Order 13636: Improving Critical Infrastructure Cybersecurity, 2013
• Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing, 2015
12. THE CYBERSECURITY ACT (CSA) OF 2015
• Signed into law on December 18, 2015
• Calls on public and private entities to share information relevant to cybersecurity
• Four subsections:
– Cybersecurity Information Sharing
– Federal Cybersecurity Enhancement
– Federal Cybersecurity Workforce Assessment
– Other Cybersecurity Matters
13. THE CYBERSECURITY ACT (CSA) OF 2015
• Businesses have the option of participation
• DHS is designated as the consolidator of cyber threat information
– cyber threat indicators & cyber defensive measures
• Information shared must be sanitized of customer and company employee personally identifiable information
14. THE CYBERSECURITY ACT (CSA) OF 2015
• The government can share a company’s cyber threat indicators (if volunteered) with federal agencies and non-federal entities
• Companies are granted immunity if they are compliant with data sharing policies
– Protections from liability, non-waiver of privilege, protections from FOIA disclosure
15. CSA 2015: Corporate Governance Implications
• The legislation: Participation is optional
– Intent: To encourage the private sector to participate without mandates from the government.
– Governance implications: Need to understand the pros and cons of voluntary participation. Need to discover what this means for their company in terms of whether to report, when to report, and whether to report anonymously.
• The legislation: Authorizes companies to monitor cyber threat information
– Intent: Permission to create a more “active” monitoring environment inside companies.
– Governance implications: Need guidance as to the level of monitoring outside of their own firewalls. Need to set parameters for concepts like “pro-active defense.”
16. CSA 2015: Corporate Governance Implications
• The legislation: The government can share a company’s cyber threat indicators with federal agencies and non-federal entities
– Intent: To increase the ability of the government (DHS) to share anonymous information with other agencies.
– Governance implications: Need to understand the risks and benefits of becoming a cooperative partner with the federal government. Boards will have to collaborate with the cyber management team.
• The legislation: Authorizes knowledge distribution to federal agencies
– Intent: To get a big-picture view of how bad actors are organizing and behaving.
– Governance implications: Need to understand the trends related to the larger cyber picture for their company.
17. CSA 2015: Corporate Governance Implications
• The legislation: Immunity is granted if compliant in the private entities’ data sharing
– Intent: The private sector can be released from liability when reporting compromises systematically.
– Governance implications: Need to understand that the process of information sharing under the CSA of 2015 is still in its infancy. The intent still rests on fragile interpretations.
• The legislation: The government will be required to create a portal for information sharing with limited purposes
– Intent: The government wants to make it easy for a company to share its information, ultimately in automated exchanges.
– Governance implications: Need to understand the pros and cons of directly interacting with federal agencies in this fashion, as it has potential risks.
18. NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity
• Released on February 12, 2014
• In response to the U.S. President’s Executive Order 13636 (February 12, 2013)
• Assembles standards, guidelines, and best practices in industry today
• References global standards such as ISO/IEC 27001, ISA 62443, COBIT 5
19. NIST Cybersecurity Framework
• Provides a common taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
26. Cyber-Risk Oversight Principles for Corporate Boards (National Association of Corporate Board)
• Cybersecurity is an enterprise-wide risk management issue
• Understand the legal implications of cyber risks
• Access to cybersecurity expertise (CIO & CISO)
• Enterprise-wide cyber-risk management program with adequate staffing & budget, using the NIST framework
• Identify risks to avoid, accept, mitigate, and transfer via insurance