Comments on DOD-GSA Cyber Resilience Rules Needed!

On Wednesday, March 12, 2014, the Department of Defense (DOD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) requested public comments on its draft implementation plan (draft plan) for federal cybersecurity acquisition. See 79 Fed. Reg. 14042 (Mar. 12, 2014). The draft plan is the first of several steps toward implementing the recommendations outlined in the Working Group’s recently finalized report on Improving Cybersecurity and Resilience Through Acquisition (see our previous blog post for a summary).

As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.

The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention.

The Working Group seeks comments in many areas, including whether:

(a) the approach is workable;

(b) the process will obtain sufficient stakeholder input;

(c) any additional assumptions, clarifications, or constraints should be expressed;

(d) the approach will satisfy the goals of Recommendation IV of the final report, i.e., whether it creates a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions;

(e) the major tasks and sub-tasks are appropriate and, if implemented, will achieve the identified outputs/completion criteria;

(f) the taxonomy and category definitions can be used to develop overlays (a fully specified set of security requirements and supplemental guidance that allow for the specific tailoring of security requirements);

(g) factors can be developed to assess each measure of cybersecurity risk (i.e., threat, vulnerability and impact);

(h) other aspects (e.g., annual spending) should be considered in category prioritization; and

(i) in addition to information security controls derived from the cybersecurity framework and other relevant NIST guidance and international standards, other procedural or technical safeguards that address business cyber risk should be included (e.g., source selection and pricing methodology, source selection evaluation criteria minimum weighting and evaluation methodology, etc.).

Submit comments here or contact GTSC to provide input to the Coalition’s response.


Brian Finch

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies.  Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition.   You can reach Brian at [email protected] (202)420-4823. 

Justin Chiarodo

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements. 


A Perspective on the DoD-GSA Recommendations to Improve Cyber Security and Resilience through Acquisition

The views expressed in this article are solely those of the author and do not reflect the opinion of the General Services Administration or the Department of Defense.

I always start out any discussion of cybersecurity by emphasizing the context of the problem.  In our increasingly hyper-connected world, cyber risks affect us all – governments, private sector organizations, and individuals.  Cybersecurity events have become commonplace, almost daily occurrences, and with the advent of the “internet of things,” they are only going to increase in frequency and magnitude.  It is a shared problem.  And it demands a shared solution.  We have an obligation to take actions in our personal and professional lives to help provide for our personal, national and economic security.  Changing how the federal government buys things using our tax dollars is an important part of the solution.

Last week DoD and GSA released a report that provides six strategic acquisition reforms to improve cybersecurity.  I’m pleased that the recommendations have been well received by the federal acquisition community.   In my opinion, the report has been well received because it is a community product.  The recommendations reflect the views and expertise of a diverse set of stakeholders from sole proprietors and individual citizens to multinational corporations and government agencies.  The report does a decent job of articulating what needs to be done; now the hard work of figuring out how it gets done is in front of us.

As a threshold matter, it’s important to know that the order of the recommendations in the report is not indicative of their relative importance or the sequence of implementation.  The most important recommendation is actually number four.  Why is number four most important?  Because the other recommendations can’t be fully implemented until number four is.  For example, recommendation number one suggests including new “cybersecurity hygiene” requirements for appropriate contracts.  However, we won’t know which contracts are appropriate until the risk management strategy of number four is at least partially developed.  I’ll explain below.

Recommendation number four is titled:  “Institute a Federal Acquisition Cyber Risk Management Strategy.”

The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in federal acquisitions based on (1) the risk inherent to the product or service being purchased, and (2) the risk tolerance of the end user.

The first step is to develop a consistent method to measure cyber risk in the things the government buys.  Once we specifically identify which types of acquisitions present cyber risk, we can decide which types are “appropriate.”  From National Security Systems to paper clips – a primary question here is, which types of buying do or don’t present cyber risk?

Because we can’t possibly address all the types of acquisition at once, the next step is to prioritize the types of federal acquisition by risk so we can identify the right starting point.  The prioritization should probably consider cyber risk, mission-criticality of the function supported by the type of acquisition, and the amount of money spent on the type of acquisition annually, among other things.  Which other things should this prioritization consider?

After the prioritization is complete, starting with the highest risk type of buying, develop acquisition-cybersecurity “overlays” applicable to all buys of that type.  The overlays will include both procurement and information security practices – two very different and arcane disciplines.  Which security controls from NIST SP 800-53 revision 4 should apply to a type of acquisition?  Which acquisition practices should apply?  When should the government not use lowest-price-technically-acceptable source selection?

The DoD-GSA report gives us a good strategy, and it provides a solid frame of reference, but as the old saying goes – the devil is in the details.  Nothing could be truer about the next steps here.

The government has committed to continuing the collaborative process used to develop the recommendations as it develops the implementation plan.  In the next few weeks, the agencies will publish a request for comment on a draft plan for implementing the recommendations.  The draft plan will propose specific actions to accomplish the recommendations, starting with the cyber risk management strategy.

So, stay engaged.  And when the request for comment is published, do your part to help solve one of the most pressing issues of our time by submitting your suggestions.

By Contributing Author:  Emile Monette

Emile Monette is a recognized authority in the legal and operational aspects of public procurement, cybersecurity supply chain risk, and supply chain sustainability.  His background includes domestic, international, and U.S. military experience investigating, negotiating, and managing multimillion-dollar contracts.  Emile is a fifteen-year veteran of procurement law and policy development, and he has served in various positions in the legislative and executive branches of the federal government.

DOD & GSA Issue Final Report on Improving Cybersecurity & Resilience through Acquisition

On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development. 

The final report is perhaps most notable as another step toward an era where almost every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.

Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.

Background

On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.

Working Group Recommendations

The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:

(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;

(2) address cybersecurity in relevant training;

(3) develop common cybersecurity definitions for federal acquisitions;

(4) institute a federal acquisition cyber risk management strategy;

(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and

(6) increase government accountability for cyber risk management.

For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which, if adopted, would dramatically reduce anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.

Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.

Takeaways

First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.

Other critical points for government contractors to consider as the final report’s recommendations are implemented include:

  • What cybersecurity terms will be defined, and what will those definitions look like? Considering that the definitions will be used government-wide, it is imperative that contractors provide feedback lest a definition be issued that is contrary to their interests, much less defies common sense;
  • What topics will be covered in the cyber education program for the procurement work force? If procurement officials are not properly educated on a variety of threats, then they may fail to incorporate standards and requirements that are necessary for information protection;
  • How will the federal risk management strategy be developed, and will it be flexible enough to account for the rapidly evolving threat environment?
  • Are contractors prepared to fight back against cybersecurity requirements in federal acquisition programs that are being used to exclude otherwise acceptable vendors and technologies? and
  • How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited just to public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?

The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.

By Contributing Authors: Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro


DHS Releases Privacy Office’s Annual Report to Congress: Any Progress?

In November, the Department of Homeland Security’s Privacy Office issued its annual report to Congress.  The report, which covers the period from July 2012 through June 2013, was a few months late.  The incoming Chief Privacy Officer (CPO), Karen Neuman, announced the release of the report.

Neuman came to the Department from a boutique privacy law firm, having replaced Mary Ellen Callahan, who left DHS to return to private practice in August 2012.  In the interim, the Deputy Chief Privacy Officer for DHS, Jonathan Cantor, served as acting CPO.  The 2013 Annual Report is 89 pages long and covers the Privacy Office’s efforts in five key areas, or goals.  From the report, they are:

  • Goal 1 (Privacy and Disclosure Policy): Foster a culture of privacy and transparency, and demonstrate leadership through policy and partnerships;
  • Goal 2 (Advocacy): Provide outreach, education, training, and reports in order to promote privacy and openness in homeland security;
  • Goal 3 (Compliance): Ensure that DHS complies with federal privacy and disclosure laws and policies and adheres to the DHS FIPPs;
  • Goal 4 (Oversight): Conduct robust oversight on embedded privacy protections and disclosures in all DHS activities; and
  • Goal 5 (Workforce Excellence): Develop and maintain the best privacy and disclosure professionals in the Federal Government.

These goals align, mostly, with the six key functions of a public sector privacy office: policy; compliance; oversight; incidents and breaches; education and training; and engagement and outreach.  Workforce excellence, while important at any organization, seems to be a curious goal for the Privacy Office, with barely a page of discussion on the goal in the main body of the report.

Importantly, the annual report makes clear that privacy at DHS is much broader than what is found in Privacy Act offices at most other Federal agencies.  The DHS Privacy Office has been at the forefront on privacy and privacy policy within the Federal Government, often out in front of the Office of Management and Budget, the entity charged with responsibility for the Privacy Act of 1974, the main privacy law applicable to the Federal government.

During the period of the 2013 annual report, the Privacy Office worked on, and issued, Department-wide policy in a number of areas, including: information sharing with the Intelligence Community; research projects at the Department; and the conduct of Privacy Office investigations under expanded authority from the 9/11 Commission Act.  Under “advocacy” – encompassing the key functions of “education and training” and “engagement and outreach” – the Privacy Office set up a working group to consider unmanned aircraft systems (UAS) and worked together with the Civil Rights and Civil Liberties Office to inform civil society of the Department’s efforts with respect to Presidential directives on critical infrastructure.  The office also had substantial contact with data protection authorities, members of parliament, and officials from justice and interior ministries from around the globe.

Compliance, the heart of any agency privacy program, showed significant improvements.  During the reporting period, the Privacy Office approved 87 Privacy Impact Assessments (PIA), under Section 208 of the E-Government Act of 2002, and 24 System of Records Notices (SORN), under the Privacy Act of 1974.  Among the PIAs was the first ever for a Federal agency on the use of UAS.  The Office also reviewed over 200 intelligence products and over 500 intelligence information reports, to assure that the minimum necessary amount of PII is disseminated in these intelligence documents.

On oversight, the Privacy Office conducted a comprehensive review of the Department’s compliance with the Automated Targeting System (ATS) PIA and SORN, and with the joint US/EU Passenger Name Record Agreement prior to the European Commission’s 2013 Joint Review of PNR.  The Office also completed several Privacy Compliance Review reports on various Departmental programs, including the use of social media for situational awareness, the E-Verify Self Check Program’s use of a third-party identity proofing service, and information sharing.

It is worth noting that the DHS Privacy Office Annual Report, a statutory requirement under the Homeland Security Act, is critical to the office’s oversight responsibilities.  The report also has been the source of friction between Congress and the Executive Branch in the ten years of the Department’s existence.  In the first few years, the Privacy Office had difficulty in getting out the annual report in a timely manner, with the second report covering a two-year period.  Congress, viewing the annual report as an independent means of receiving objective information from the Privacy Office on Departmental matters affecting the personal privacy of Americans, was concerned with delays in issuance of the annual report and, accordingly, mandated in annual appropriations bills that no appropriated funds be used by anyone outside of the Privacy Office to alter, direct that changes be made to, delay, or prohibit the annual report’s transmission to Congress.

Congress followed up on the appropriations language with an even clearer and stricter limitation on perceived interference with the annual report in the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act).  Section 802(e)(1) of the Act states that the CPO shall “submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section [the Chief Privacy Officer], without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget. . . . ”  The 9/11 Commission Act also gave the Privacy Officer greater independence, akin to an agency inspector general, stating that the Privacy Officer reports to, and is under the “general supervision of,” the DHS Secretary.

The 2007 annual report’s issuance was stayed pending an opinion from DOJ’s Office of Legal Counsel on the language of section 802(e)(1).  The Office of Legal Counsel eventually published an opinion stating that section 802 would not preclude DHS or OMB review of the report prior to its release.  Since 2007, there have been no further disputes between Congress and the Executive Branch over the CPO’s independence, and the annual report has been released to Congress and the public in September of each year.

Contributing Author:  Hugo Teufel

Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security.  An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.

Dec. 12: The National Security Supply Chain: Reducing the Vulnerabilities

Join the Government Technology & Services Coalition (GTSC) for a program featuring an overview of acquisition, technology and innovation in the intelligence community, to assure both that we have the most advanced protections in place to mitigate our vulnerabilities and that we have the most recent tools and information on how to protect intellectual property, prevent insider threats and understand supply chain considerations in the government contracting environment.  Frank Montoya, Jr., National Counterintelligence Executive, Office of the Director of National Intelligence, will deliver the keynote with a preview of the 2013 Economic Espionage Report (EER).

AGENDA AT A GLANCE

12:00 PM Welcome & Introductions
  • Kristina Tanasichuk, CEO, GTSC
  • Elena Kim-Mitchell, Director, Private Sector Outreach, ODNI

12:10 PM ODNI Movie

12:30 PM – 1:30 PM Keynote Luncheon: Preview of the 2013 Economic Espionage Report
Frank Montoya, Jr., Counterintelligence Executive, ONCIX

1:30 PM – 2:00 PM CERT & Insider Threat
Randy Trzeciak, Senior Member of the Technical Staff, Software Engineering Institute’s (SEI) CERT Program, Carnegie Mellon University

2:00 PM – 3:00 PM Best Practices on Insider Threats & Supply Chain Security
  • Joan McCarroll, Director, Systems Engineering and Integration (SE&I) Center of Excellence
  • Kathy Mills, Corporate Security Officer/Security Director, CENTRA Technology, Inc.

3:00 PM – 3:30 PM Cyber Threats & Vulnerabilities to Small & Mid-Sized Companies

3:30 PM – 4:15 PM Acquisition, Technology & Innovation
Dr. David A. Honey, Ph.D., Director for Science & Technology, Assistant Deputy Director of National Intelligence for Science & Technology, ODNI

4:15 PM – 5:00 PM What Can Business Do?
  • DHS Business Continuity tool
  • FBI Resources

Keynote: Dr. David A. Honey, Director for Science & Technology, Assistant Deputy Director of National Intelligence for Science & Technology, ODNI

Dr. David Honey serves as the Director for Science & Technology and Assistant Deputy Director for National Intelligence for Science & Technology for the Office of the Director of National Intelligence. Dr. David A. Honey joined the DoD’s Office of the Director, Defense Research and Engineering as the Director for Research on 31 August 2009. Dr. Honey was responsible for policy and oversight of DoD Science and Technology programs from Basic Research through Advanced Technology Development. He was also responsible for oversight of DoD laboratories, ensuring the long-term strategic direction of the Department’s S&T programs, and for developing those technologies needed for continued technological superiority of US forces. Before assuming this position Dr. Honey was the General Manager and Senior Vice President of the Defense Sector for Information Systems Laboratories (ISL), a small business pursuing science and engineering innovations in the fields of advanced sensors, communications, UAVs, adaptive signal processing, and undersea warfare technology. Dr. Honey also served on the Air Force Scientific Advisory Board. Dr. Honey was the Director of the Defense Advanced Research Projects Agency (DARPA) Strategic Technology Office (STO), Director of the Advanced Technology Office (ATO), and Deputy Director and Program Manager of the Microsystems Technology Office (MTO). While at DARPA he led efforts in optoelectronics, networks, communications, information assurance, network-centric-warfare applications, sensor systems, space and near-space sensors and structures, maritime technology, underground facility detection and characterization, alternative energy, and chemical-biological defense.

Keynote: Frank Montoya, Jr., Counterintelligence Executive, Office of the National Counterintelligence Executive (ONCIX)

Frank Montoya, Jr. began his career as an FBI special agent in May 1991 and reported to the San Antonio Field Office, where he worked violent crime and fugitive investigations. He established and led activities of the division’s fugitive task force. Montoya also worked temporarily in the Oklahoma City Field Office to assist in the Alfred P. Murrah Federal Building bombing investigation. In April 2000, Montoya was promoted and worked at FBI Headquarters. He oversaw national security investigations and operations. During this time, he assisted in the Robert Hanssen investigation. Montoya transferred to the Milwaukee Field Office in November 2002. He served as supervisor and oversaw the counterintelligence squad and several national security investigations. Montoya returned to FBI Headquarters in December 2005, was promoted to unit chief in the Counterintelligence Division, and participated in the establishment of the National Cyber Investigations Joint Task Force. He moved to the West Coast in July 2007 and worked in the San Francisco Field Office as assistant special agent in charge in the counterintelligence branch.

Joan McCarroll, Director, Systems Engineering and Integration (SE&I) Center of Excellence

In her role as SE&I COE Director, Joan is responsible for establishing and promoting TASC’s best practices and processes in SE&I, program protection and cybersecurity, including insider threat analysis.  In her current role, Joan identifies leading practices in SE and deploys them across the company, resulting in innovative solutions for our customers. In the area of program protection, Joan has expertise in both external and internal threat assessment and protection. Since joining TASC in 1990, Joan has performed and led end-to-end technical efforts in support of operationally deployed systems, systems under development, and future system architecture studies. She has held senior program management positions supporting the intelligence community in secure communications and SIGINT. Joan received her BSEE from Drexel University and her MS in Systems Analysis and Management from George Washington University. She has also attended executive education courses at Darden and Strategic Marketing at the University of Chicago.

Kathy Mills, Corporate Security Officer/Security Director, CENTRA Technology, Inc.

Kathy joined CENTRA Technology in November 2008 as the Corporate Security Officer/Security Director. She is responsible for all aspects of CENTRA’s security operations, including personnel security, program security, physical security, and information security, at both CENTRA’s Arlington and Burlington locations. Kathy has over twenty years’ experience in security, including management of day-to-day operational security, personnel management, administration, and maintaining all aspects of a security program under the National Industrial Security Program.

Randy Trzeciak, Senior Member of the Technical Staff, Software Engineering Institute (SEI), CERT, Carnegie Mellon University

Randy Trzeciak is currently a Senior Member of the technical staff for the Software Engineering Institute’s (SEI) CERT Program. Mr. Trzeciak is a member of a team in CERT focusing on insider threat research. The studies analyze the physical and online behavior of malicious insiders prior to and during network compromises. Other insider threat research uses system dynamics modeling for risk analysis of the impacts of policy decisions, technical security measures, psychological issues, and organizational culture on insider threat. Mr. Trzeciak also is an adjunct professor in Carnegie Mellon’s H. John Heinz School of Public Policy and Management. Prior to his current role in the CERT Program, Mr. Trzeciak managed the Management Information Systems (MIS) team in the Information Technology Department at the SEI. Under his direction, the MIS team developed and supported numerous mission-critical, large-scale, relational database management systems.


Cyber Security Survey

Last fall, the InfraGard National Capital Region Members Alliance (INCRMA), FBI-Washington Field Office, and the Government Technology & Services Coalition (GTSC) co-hosted a cyber security program at which we announced our intention to develop a survey for companies to share their experience with cyber security “incidents,” hacking, viruses, spear phishing, malware, and other suspicious activity, in addition to asking about what kinds of tools and resources could be most valuable to help industry be more prepared.

The survey collects data on the type and frequency of computer security incidents in which a computer was used as the means of committing a crime against the company or as a conduit through which other intrusion and/or criminal activity was perpetrated. It also collects data about the type and size of the company, cyber security practices, and computer infrastructure.

The results will provide the basis for enhancing or initiating efforts to strengthen information sharing and awareness, inform our public-private partnerships, and create meaningful programming and tools to combat the cyber threat.

Initial results will be reviewed at our Cyber Security Awareness Month program on October 23 with Dr. Phyllis Schneck, the new Deputy Under Secretary of Cyber Security at DHS. The full results will be released this fall. The questions have been developed by GTSC from a previously issued DOJ survey, in combination with input from FBI-WFO’s Cyber Branch and the INCRMA’s Cyber Special Interest Group. Please feel free to share the link with others who you believe would be appropriate respondents.

Cyber Security Insurance: Does Your Company Need It?

“Cybersecurity – A Special Report”…with newspaper headlines like this in The Washington Post, cyber security is THE hot topic. If your company uses a computer, credit card, or checking account, files a tax return, employs smart phones, or uses iPads, your business is a target for losing intellectual property or becoming the vehicle for a cyber attack — with a huge financial loss as the result.

For individuals, the theft or misuse of private information occurs daily. Credentials captured while using public internet connections, misplaced cell phones, phishing attacks on home computers, and theft of personal computers happen throughout our society and result in long-term financial crises.

Small business owners face even greater obstacles from cyber attacks. A recent National Small Business Association survey reported that 44% of its 800 surveyed members had fallen victim to a digital break-in. What are the steps we can take to help thwart these information criminals? Solutions for both companies and individual citizens are very similar.

All business firms using the internet must have a strong risk management plan established and adhere to its rules in order to lessen the impact of cyber theft. With the growth of cloud computing, use of smart phones and tablets, employees telecommuting, and digital information flowing outside the office, cyber attackers have many more access points. The Federal Communications Commission (FCC) lays out guidelines to prevent cyber attacks. Among their suggestions are:

  • Train employees in security principles. Use strong passwords with expiration dates.
  • Protect information, computers and networks from cyber attacks. Install firewall security, the latest security software and web browsers.
  • Create a mobile device action plan. Password-protect devices, encrypt data, install security apps, and establish a procedure for reporting lost or stolen equipment.
  • Make copies of all important data. Store them offsite or in the cloud.
  • Passwords and authentication. Require unique passwords and change them every three months.

Many businesses have the additional exposure of outsourcing data. Many businesses share customer information with third parties who provide billing, payroll, and employee benefits. Additionally, web hosting, HR services, and information technology services are frequently outsourced. Despite this outsourcing exposure, many businesses do not require third parties to cover costs associated with a data breach in their contracts. When using outside partners, what is the risk-management strategy they use to protect you against financial loss and reputational harm?

Because of the explosion in internet usage, many companies are seeking contractual risk transfer and indemnification through insurance. Starting in the early 1990s, insurance has changed to provide protection for cyber growth. Today numerous insurance companies either provide stand-alone policies or add the protection to other coverages, such as Directors & Officers policies (D&O), Errors & Omissions policies (E&O), and Fiduciary Liability policies. An E&O policy is a type of professional liability coverage typically issued to companies setting standards for themselves or other clients. D&O liability coverage is designed to protect companies against claims arising from their management decisions and covers directors, officers, staff and the organization itself.

Cyber Liability Policies should provide protection for both First Party and Third Party Claims.

First Party coverage includes:

  • Network and Information Security Liability
  • Communication and Media Liability
  • Regulatory Defense Exposure

Third Party coverage includes:

  • Crisis Management Event Exposures
  • Security Breach Remediation and Notification Expenses
  • Computer Program and Electronic Data Restoration Expenses
  • Computer Fraud
  • Funds Transfer Fraud
  • E-Commerce Extortion
  • Business Interruption and Additional Expenses

Cyber insurance helps before a loss occurs by going through a thorough underwriting process that highlights the potential risk exposures to be addressed. Should a loss occur, these policies help in managing the data leak, the PR crisis, the IT crisis, and the financial crisis.

The recommendation to combat today’s cyber threat involves risk management planning, assistance from third party partners, and insurance coverage to assist should a loss occur. For more cyber security tips, visit www.US-CERT.com. Learn about the FCC’s Small Business Cyber Planner here.

Mary Jordan, “CYBERSECURITY – A Special Report,” The Washington Post, Thursday, October 10, 2013

P. Allen Haney, President, P. Allen Haney Company

Mr. P. Allen Haney is a Strategic Advisor to the Government Technology & Services Coalition. He is also a trusted advisor to business owners and nonprofit executives, and he is best known for solving problems. His counsel on employee benefits, executive compensation, and retirement planning routinely vitalizes the health and sustainability of closely held businesses and associations.

He is most appreciated for his all-inclusive, uncompromising commitment to expand client capacity by uncovering risks and opportunities hidden in blind spots. Read more about Mr. Haney here.

Oct. 23: Cyber Security: Focus on Public Private Sector Collaboration

Join GTSC and the InfraGard National Capital Region Members Alliance for a cyber program focused on the threats to the public and private sector. Since Executive Order 13636 and PPD-21 were issued in February 2013, there has been a renewed focus on the challenges of securing the nation’s digital infrastructure. Most admit and understand that our cyber security relies on a strong and vital collaboration between industry and government — whether that be the industry protecting our critical infrastructure or the industry that provides the underpinning of our economy. Legislators on Capitol Hill are trying to determine how to streamline authorities and responsibilities, and law enforcement and other agencies in the Federal government are grappling with preventing and mitigating the impacts of this threat. This session will discuss DHS’ role in cyber security, how the private sector and Federal partners are communicating, what threats are at the forefront from cyber hackers, hostile nation states, etc., and how we see future collaboration improving to fight these threats and protect our economy and infrastructure.

AGENDA AT A GLANCE
8:00 AM Registration & Breakfast
8:30 AM Conference Introduction
8:45 AM Keynote: The Challenges of Cyber Security
9:30 AM How do we share information more effectively?
10:30 AM What are the latest threats?
11:30 AM Lunch on your own in the National Geographic Society Cafeteria
12:30 PM Keynote: Cyber Security Priorities from the DHS Perspective
1:15 PM Where is the Government Targeting their Resources?
2:00 PM What Can the Private Sector Do?
2:45 PM Closing Remarks

Confirmed Speakers:

Keynote: Dr. Phyllis Schneck, Deputy Under Secretary for Cyber Security, NPPD, DHS

Dr. Phyllis Schneck, McAfee’s former CTO and vice president of the global public sector, has been named deputy under secretary of cyber security for the National Protection and Programs Directorate at DHS. Join us to hear her priorities for cyber at NPPD!

Denise Anderson, National Council of Information Sharing and Analysis Centers (ISACs); Vice President, Financial Services-ISAC

Noel Due, Supervisory Special Agent, FBI – HQ, Cyber Division, Operation Clean Slate

Brian Finch, Partner, Global Security, Dickstein Shapiro LLP

John Harmon, Partner, Tactical Network Solutions

John Lainhart, CGEIT, CISA, CISM, CRISC, CIPP/G, CIPP/US Partner, Cybersecurity & Privacy, US Public Sector, IBM Global Business Services

James Mulvenon, Vice President, Defense Group Inc., Center for Intelligence Research and Analysis

Vipul Sharma, Vice President & CTO, Civil Government & Healthcare IT solutions, L-3 STRATIS

Trent Teyema, Assistant Special Agent in Charge, FBI WFO, Criminal Division – Cyber Branch

Glenn Wood, Vice President, Technology, InfraGard Board & Co-Chair, Cyber SIG


About the InfraGard National Capital Region Members Alliance

The InfraGard National Capital Region Members Alliance (INCRMA) consists of a growing membership of professionals who are creating a more resilient critical infrastructure in the Washington, DC metro area. These include defense industrial base, information technology, water supply systems, electrical energy, emergency services, law enforcement, health systems, transportation, banking, and telecommunications. Our membership is voluntary yet exclusive and is comprised of individuals from both the public and private sector. The main goal of INCRMA is to promote ongoing communication, education, and community outreach between the public and private sectors and the FBI. In doing so, information is shared, relationships are strengthened, and vital assets are protected.  To learn more, visit us at www.infragard.org.


Spear Phishing: Getting Caught is a Drag

I’m a Spear Phisherman. I want to catch the big one and reel it in! But I’m not talking about tuna; I’m talking about landing your personal information. Here’s my secret: I impersonate your friends, your bank and the people you trust to gain access to your computer and your network.

I’m pretty good. I know that you can’t always tell the difference between the real messages and the fake ones that I dangle in front of you. It doesn’t take long for me to gather lots of personal information about you — what you like, who you follow, what you purchase online and which websites you visit.

I use the information I find through open sources and develop personalized messages designed to trick you into believing they are from trusted entities. Spear phishermen like me can design emails, tweets, phone texts and even Facebook updates that access your private information after just one click.

Once you open the message, I trick you into giving me your user names, passwords or other office information, which allow me to access your network undetected. Little did you know that you just gave me the ability to take all the company information I would like.

It’s easy to avoid my targeted attacks and protect yourself against “Spear Phishing”:

  • Be stingy with your user name and password. Don’t share personal information with anyone. At all!
  • Don’t surf the Web chasing popular stories, blog posts, videos, etc. I love to hide in these sites, learn about your likes and dislikes and then target you.
  • Think before you click links from social media sites, emails or text messages. That’s the easiest way for me to catch your information.
  • Verify any caller before providing names and email addresses of your coworkers. Be the first line of defense.
  • Delete suspicious emails without opening them or responding to them. If it looks suspicious and you don’t know the sender, it could just be bait. Use caution!

It’s easy to protect your information against my traps and keep your personal and company information safe.

Protect — don’t neglect — your information against Spear Phishermen like Mal Ware. For more information, check out www.us-cert.gov.

Lisa Martin
CEO
LeapFrog Solutions, Inc.

LeapFrog Solutions (LFS) is a certified woman-owned small business based in Fairfax, Virginia. Founded in 1996, we are a trusted source for commercial businesses and federal agencies seeking full-spectrum creative solutions and exceptional program management. This blog post is brought to you by GTSC in partnership with LeapFrog Solutions. For more information on cyber awareness campaigns, contact Anjali Dighe at 703.539.6127 or [email protected].