cybersecurity implications: a legal...


Post on 10-Jul-2020


Page 1: Cybersecurity implications: A Legal Perspectived24wuq6o951i2g.cloudfront.net/img/events/3024527/assets/... · 2018-06-30 · A Legal Perspective. Presented by: Robert S. Metzger

Robert S. Metzger
875 15th Street, NW, Ste 725
Washington, D.C. 20005
202.777.8951 (o)
213.880.4224 (m)
[email protected]
rjo.com

Robert S. Metzger © 2018 All Rights Reserved

Cybersecurity implications: A Legal Perspective

Presented by: Robert S. Metzger

Work-in-Process
Subject to Revision

Personal Views of Author

Deloitte CYBER COMPLIANCE FORUM

June 21, 2018


Changed Conditions: Is “Compliance” Sufficient?


HEADLINES

• Washington Post: “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare” (June 8, 2018)

• Fortune: “Hackers Stole Restricted F-35 Data From an Australian Contractor” (October 14, 2017)

• Bloomberg: “Kaspersky Lab Has Been Working With Russian Intelligence” (July 11, 2017)

• Krebs on Security: “Target Hackers Broke in Via HVAC Company” (February 5, 2014)

• New York Times: “Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says” (March 15, 2018)


On the Subject of “Compliance” …

• Lawyers and consultants sometimes advise on compliance outcomes to do “just enough,” at the least necessary cost, to satisfy law, regulation and contract requirements.

• Some in Government describe such “compliance” as a “check-the-box” exercise often producing only illusory security results.

• Relying on legacy approaches, some respond to adverse security events hoping that incidental, incremental or iterative measures are enough.

• Compliance is a necessary element of prudent contractor response. But is it enough to achieve and sustain the security DoD needs?


Adversaries use “blended operations” to find and exploit cyber and supply chain weakness.


Limits of the Present Approach

• Voluntary measures may not be adopted.
• Trust-based “compliance” is undependable.
• Present procurement measures are insufficient.
• Software SC attacks are multi-sectoral (KSL).
• Supply Chain risk is throughout life-cycle.
• Connected systems (IoT) add complications.
• Adversaries will exploit new systems (additive manufacturing) and new standards (5G).

There is an emerging consensus among Government leadership (Executive Branch and Congress) that present security measures are insufficient and that new strategies, policies and methods are necessary.

Measures focused on network security and perimeter-protection of information systems do not address the threat range or vulnerability span.

Threats to the supply chain expose operational systems and require new measures.


A Risk-Based Security Assessment Model


Threat-informed, Vulnerability-Aware, Consequence-Averse

Source: Defense Science Board, “Resilient Military Systems and the Advanced Cyber Threat,” January 2013

DoD Leadership is moving from a compliance-driven approach to risk-based assessment (RBA).

This has important and enduring implications for contractors.

DoD is leading these efforts but security risks extend across the Whole of Government (WoG) – and Whole of Industry (WoI).


Cybersecurity: the DFARS and SP 800-171


① NIST’s SP 800-171, establishing 110 cyber safeguards expected of commercial companies who host, use or transmit CUI.

② NARA’s CUI Rule, establishing 23 categories and 84 categories of CUI, including Controlled Technical Information (CTI), responsibilities for designation, dissemination controls and required cyber security measures (NIST SP 800-171 for CUI on non-federal information systems).

③ Acquisition Measures, namely DFARS 252.204-7012, a contract clause which obligates all DoD suppliers (except COTS) to provide “adequate security,” using SP 800-171 safeguards, to protect “Covered Defense Information” (CDI), which includes CTI, and promptly to report incidents to DoD for damage analysis.

DPAP 9/21/17: A System Security Plan (SSP) & POAM Initially Sufficient

Aug. 14, 2016

Rev. 1

Rev 1 issued


Three “Legs” of DoD’s Present Cyber Requirements


Protection of Information and Information Systems


Categorization of Information and Information Systems

This publication establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Security Objectives

The FISMA defines three security objectives for information and information systems:

• CONFIDENTIALITY: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.

• INTEGRITY: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.

• AVAILABILITY: “Ensuring timely and reliable access to and use of information…” [44 U.S.C., SEC. 3542] A loss of availability is the disruption of access to or use of information or an information system.

Federal Information Processing Standards Publication (FIPS)
FIPS-199 | Standards for Security Categorization of Federal Information and Information Systems

Threats are not limited to information and information systems.

The Defense Industrial Base (DIB) includes contractor assets independent of information that merit protection against cyber and supply chain threats.


Impact: FIPS 199


• FIPS-199 recognizes three levels of impact of unauthorized disclosure of information on Confidentiality, Integrity and Availability.

• The -7012 DFARS is limited to Confidentiality and SP 800-171 treats all as “Moderate” impact.

• Security impact of breach of contractor systems may exceed “Moderate” impact.


Limitations of the -7012 DFARS

• The focus of -7012 DFARS is protection of the confidentiality of “CDI”. Threats to defense assets extend also to integrity and availability.

• The -7012 DFARS is largely trust-based, relying upon “self-attestation.” Effective security of high-value assets may require assurance measures.

• The DFARS does not clearly define “CDI” and fails to prioritize CTI. The focus on “Information” and “Information Systems” excludes OT, ICS.

• Present measures do not distinguish high-value assets or high impact data.

• Treating the impact of all CDI as “Moderate” is an expedient convention, but not representative of real world circumstances.

• Incident reporting requirements leave some room for evasion.


Issues with SP 800-171

• The 110 safeguards are each expressed in a single sentence. This flexibility makes -171 susceptible to a range of outcomes, but frustrates certainty of sufficiency.

• -171 focuses on improvements in on-premises security; achievement is problematic at vulnerable lower levels of the supply chain, encouraging promises but not security.

• For its own purposes, DoD now recognizes the superior security and functionality of cloud services – but -171 and the DFARS deal with cloud “awkwardly”.

• Safeguards against perimeter threats achieve little versus Advanced Persistent Threats.

• Little in -171 addresses software security or operational technology (OT).

• After-incident “impact assessment” largely measures the damage done – but DoD does indicate an intent to share what it learns with the defense supply chain.

• For smaller businesses, SP 800-171 is hard to understand, difficult and costly to meet.

• Advanced methods (Cloud Enclaves, DRM, Encryption) may do more, cost less.


New Developments

• Revised FAQs (April 2, 2018)
  • DCMA may review SSP and POAM – but not a “technical assessment” (but see Guidance)

• Draft DoD Guidance for Reviewing SSPs & for Assessment in a Procurement Action (April 24, 2018)
  • Communicates DoD intent to assess security (SSPs, POAM) both pre- and post-award

• NIST SP 800-171 Rev. 1 Update (June 7)

• NIST SP 800-171A (final) (June 12, 2018)

DSS Now Responsible for CUI in DIB


Issues of Administration & Implementation

• PRESENT RESPONSIBILITIES
  • DOD CIO | DOD ACQ (DPAP) | DOD R&E | REQUIRING ACTIVITIES | DCMA | COs | CTRs | NARA | NIST

• CHANGING ROLES?
  • USD(I) | DSS … “Federal Security Counterintelligence Agency” (?)

• NECESSARY RESOURCES … PRESENTLY UNKNOWN
  • Draft Guidance: “validate implementation … with an independent government assessment”

• IMPLEMENTATION ISSUES
  • What is “Covered Defense Information” – Who Decides?
  • System Security Plans (SSPs) and Plans of Action & Milestones (POAMs) – Significance? Value?
  • International Suppliers, Commercial Sources; Does Flow-Down Break Down?
  • Paper-Driven Compliance or Risk-Based Action?
  • Is “Adequate Security” Determined by Program, By Contract or By Enterprise?
  • Who Acts for the Government Following a Breach and Incident Report?

“I designate … DSS as the Department’s lead for implementing procedures for oversight of CUI for the DIB.” USD(I) Mem. May 17, 2018


Supply Chain Risks


The Changed Nature of Threats

• Cyber and supply chain threats are actual, not conjectural.
  • Kaspersky Labs shows software-induced risks.

• Adversaries mount cross-domain attacks: cyber (network-delivered), physical (counterfeit or tampered parts) and cyber/physical attacks.

• “Asymmetric” warfare avoids areas of U.S. “kinetic” advantage:
  • to slow the progress and realization of strategic technologies;
  • to compromise the operation and reliability of systems and platforms;
  • to replicate what has been accomplished by the U.S. technology base; and
  • to defeat expected military advantages from emerging technologies.

Nation state adversaries see cost/benefit in such “blended” attacks.


Rogers Joseph O’Donnell © 2018 All Rights Reserved

Supply Chain Threats

• Who?
  • Nation states and state-sponsored
  • Commercial Rivals
  • Criminal organizations
  • Hackers
  • Disloyal and Disgruntled Employees
  • Poorly Trained Workers

• Why?
  • Political motives
  • Denial of technical advantage
  • Extraction of commercial technology
  • Impair/disrupt operations
  • Inflict financial injury
  • Extortion, intimidation
  • Damage mission confidence, effectiveness

• Interests threatened?
  • Confidentiality via unauthorized exfiltration of technical information and other protected data +
  • Integrity should an attack corrupt data or system integrity +
  • Availability of information or information systems may be denied or disrupted &
  • Functionality of devices & industrial control systems (infrastructure, manufacturing, logistics) +
  • Safety: the IoT connects systems originally designed to act autonomously

FISMA


Supply Chain Vulnerability: Attack Vectors

• Poor systems/connection hygiene + mobile
• “Authorized individuals” (insider threat)
• Technical information disclosure/exchange
• Collaborative technical mechanisms (PLM)
• Purchased hardware and physical systems
• Purchased software and firmware
• Web access and internet connections
• SCADA and Industrial Control Systems
• MRO and sustainment infrastructure
• Connected development & supply teams
• Dependency on critical supplier availability
• Interconnected sensors – the “IoT” (and Network of Things (“NoT”))

Virtually every electronic and many non-electronic (e.g., human) interfaces, at each level of the supply chain, can be vulnerable “attack surfaces”.

Supply Chain vulnerabilities extend to raw and processed materials and assurance of sources.


Supply Chain Response


Base Propositions

• Failure to secure against supply chain threats risks “forfeiture” of U.S. Government and industry investment, misappropriation of IP, loss of unduplicated advantage and exposure to infrastructure failure.

• A “whole of Government” approach is needed.

• Expect multiple, cross-Government initiatives:
  • Law
  • Regulation
  • Policy
  • Funding
  • Acquisition Practices
  • Oversight & Administration
  • Liability

DoD intends to demand more from its suppliers (at all levels) and to make security a source of profit, not a “cost center.” How this tension will be reconciled is TBD. An approach that is punitive and prescriptive will fail – but a permissive regime has failed.


“4th Pillar” – Equal Priority to Security

• Historically, “cost, schedule and performance” have been key ACQ drivers.
• Security should be elevated to receive equal priority from all participants.
• Dispersed, agile and evolving threats require continuous commitment from both government and industry.
  • Industry is the source of the new technologies to protect and can provide innovative means, operational and technical, to defend those technologies;
  • Industry is likely to respond more quickly and with more advanced, difficult-to-defeat technical measures than Government; and
  • Retention of participants in the defense industrial base is essential.

DoD must enhance the “business case” for improved security


Issues with the Acquisition System

• Breakthrough technologies, without rapid exploitation, can be “wasting,” unproductive and vulnerable assets.

• Is the balance correct between “full and fair competition” (CICA) and rapid, secure accomplishment of national security objectives?

• “Acquisition reform” (e.g., Section 809 Commission) must avoid increasing vulnerability to untrusted and unverified sources.

• “Transparency” and “open government” contribute to the knowledge base of adversaries without counterpart exposure to the U.S.

• DoD needs to further revise DODI 5000.02 to elevate all-aspect security.


The acquisition system is the “funnel” through which policy and security objectives reach the industrial base.


Potential Contracting Measures: Industry Reaction?

1. Require achievement of minimum security for companies (at any level) to participate in the defense supply chain for certain acquisitions;

2. Beyond “adequate security” as required by DFARS -7012, establish methods to review and assess actual accomplishment of security;

3. Establish metrics for accreditation using expert third parties; create “Security Integrity Scores” (SIS) to motivate industry;

4. Condition eligibility for new awards upon rated adequacy of security measures, leverage SIS to qualify for multiple buyers;

5. In competitive selection, treat security as an evaluation factor and a positive discriminator;


6. In appropriate contracts, require software Bill of Material (BOM), minimum maintenance, continuous monitoring, and reporting;

7. With industry participation, establish methods and practices to define “standards of due care” expected of contractors;

8. Use “safe harbor” provisions to encourage positive security measures and to remove barriers to prompt event reporting;

9. Once standards are in place, require contractors to have cyber and supply chain commercial insurance; and

10. Improve oversight and support by clarifying assigned roles and responsibilities.


Possible Measures to “Deliver Uncompromised”


POTENTIAL COURSES OF ACTION (COAs)

• Elevate security as a primary acquisition metric: The “4th Pillar” – revise DoDI 5000.02; use acquisition process both to require and to reward improved security

• Form a Whole of Government “National Supply Chain Intelligence Center” (NSIC): Integrate diverse sources of threat information and improve distribution of actionable intelligence

• Ensure Supplier Readiness and Use Contract Terms: Treat security as a positive discriminator in source selection; increase oversight and support to verify

• Extend Laws to “Never Contract With the Enemy”: DoD must have statutory means with sufficient process to avoid contracting with high risk sources

• Litigation Reform and Liability Protection: “Safe Harbors” for security investment and reporting; extend SAFETY Act to cyber, impose potential legal liability for security below the “standard of care”

• Tax Incentives and Private Insurance: Advocate for tax credits for security investment; make security a profit center; promote supply chain insurance


Resilience as a Critical Component of Security

• The NIST Cybersecurity Framework (CSF) gives equal attention to Identify, Protect, Detect, Respond and Recover.

• The -7012 DFARS and SP 800-171 give primary attention to ID, PR and DE.

• Given that suppliers have been or will be attacked, “adequate security” demands greater emphasis on RE and RC.

• DoD may require plans for fail-over and preparation for degraded operation.

Exercises can assist to isolate injury, limit cascading effects and contain the consequences of attack.


About the Presenter: Bob Metzger


This presentation reflects Mr. Metzger’s personal views and should not be attributed to the Department of Defense, the Defense Science Board or to any client of his firm or other organization with which he is involved or affiliated.

Robert S. Metzger
Rogers Joseph O’Donnell | Tel: [email protected]

Bob heads the Washington, D.C. office of Rogers Joseph O’Donnell, P.C., a boutique law firm that has specialized in public contract matters for more than 35 years. He attended Georgetown University Law Center, where he was an Editor of the Georgetown Law Journal. Subsequently, he was a Research Fellow, Center for Science & International Affairs, Harvard Kennedy School (now, “Belfer Center”). As a Special Government Employee of the Department of Defense, Bob was a member of the Defense Science Board task force that produced the Cyber Supply Chain Report in February 2017.

Named a 2016 “Federal 100” awardee, Federal Computer Week cited Bob for his “ability to integrate policy, regulation and technology” and said of him: “In 2015, he was at the forefront of the convergence of the supply chain and cybersecurity, and his work continues to influence the strategies of federal entities and companies alike.” Chambers USA (2018) ranks Bob among top government contracts lawyers and said that “[h]e is particularly noted for his expertise in cyber and supply-chain security with clients regarding him as the ‘preeminent expert in cybersecurity regulations and how they affect government contractors.’” The Legal 500 in 2016 cited Mr. Metzger as an “expert” in cyber and supply chain security. Bob is among 49 U.S. lawyers rated as “Expert” in government contracts by Who’s Who Legal (2016, 2017) and was featured in the “Government Contracts 2017 Discussion” of Who’s Who Legal.

For RSA Conference 2018, Bob served on a panel on “First Recourse or Last Resort? The National Interest in Regulating the IoT” and moderated a second panel on “IOT and Critical Infrastructures: A Collision Of Fundamentals?.” A member of the International Institute for Strategic Studies (ISS), Bob’s articles on national security topics have appeared in International Security and the Journal of Strategic Studies, among other publications.


About Rogers Joseph O’Donnell


• Specialized in government contracts for 35 years

• 12 partners, 9 associates

• Co-chairs: Mark Linderman and Jeff Chiow

• 7 full-time in D.C. office

• Gov Con Practice ranked – Band 2 (Chambers USA 2018), Tier 2 (The Legal 500 2018)

• Chambers ranks Neil O’Donnell in Band 1, Bob Metzger in Band 3, Patricia Meagher and Aaron Silberman in Band 4

“Boutique firm Rogers Joseph O’Donnell is ‘excellent’ in the government contracts-related litigation space. Recent highlights include the ‘responsive’ team representing T.Y. Lin International in litigation regarding the Bay Area Rapid Transit Silicon Valley Extension project, concerning issues of alleged liability and damages during the design and build process. Bid protests remain prominent in the group’s caseload; representative clients include CGI, CBE, Siemens Government Technologies, McKesson and Northrop Grumman. FCA issues are another area of strength. Head of the Washington DC office Robert Metzger has ‘an uncanny ability to have his next several devastating arguments lined up in advance’; Brian Miller, also based in Washington DC, is ‘very knowledgeable’ and ‘knows the industry inside out’. Firm head Neil O’Donnell, Patricia Meagher, Lauren Kramer and Mark Linderman operate from the firm’s San Francisco office. Linderman co-chairs the practice group with Washington DC-based Jeffery Chiow.”
The Legal 500 (2018)