1. CYBERSECURITY
UPDATE
October 9, 2013
Southern Risk Council

2. The Cybersecurity Activity in Washington
• Cybersecurity Framework
• DHS Integrated Task Force
• Regulators (e.g. FCC CSRIC)
• Possible Legislation

3. DHS Critical Infrastructure Sectors
Communications Sub-sectors:
• Cable
• Wireless
• Wireline
• Satellite
• Broadcast

4. Executive Order on Cybersecurity
• President signed an Executive Order and Presidential Policy Directive on
February 12, 2013 to Improve Critical Infrastructure Cybersecurity
• “Critical Infrastructure” is defined as “systems and assets, whether
physical or virtual, so vital to the US” that their incapacity or destruction
would have debilitating impact on:
• Security,
• National economic security,
• Public health or safety
• Key Parts
• Cybersecurity Information Sharing (AG, DHS, and DNI, section 4)
• Privacy and Civil Liberties Protections (DHS, section 5)
• Develop Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
(NIST, section 7)
• Voluntary program to support adoption (DHS, section 8)
• “Procurement requirements related to cybersecurity”
• Identification of Critical Infrastructure at Greatest Risk (DHS, section 9)
• Agency review and report on existing regulatory requirements and authority to
establish new framework-based requirements (section 10)

5. How the Framework has been Developed
5th Framework Workshop – November 14-15
EO 13,636 and PPD-21 – February 12, 2013

6. The Cybersecurity Framework
Cybersecurity
Risk
Management
Identify
Protect
DetectRespond
Recover
Prioritized Flexible Repeatable Performance
based
Cost
Effective
Basic Cyber Hygiene

7. DHS Voluntary Cybersecurity Program
Voluntary
Adoption
ProgramIncentives
Implementation
Guidance
Promote
Participation
Adopters

8. White House on Cybersecurity Incentives
The departments of Homeland Security, Commerce and Treasury identified
8 incentives the federal government could use to encourage the nation's critical
infrastructure owners to adopt voluntarily the cybersecurity framework being
developed under the auspices of the National Institute of Standards and Technology.
The eight incentives are:
1. Cybersecurity insurance,
2. Grants,
3. Process preferences,
4. Liability limitation,
5. Streamlined regulations,
6. Public recognition,
7. Rate recovery for price-regulated industries and
8. Cybersecurity research.
Incentives would help nation's critical infrastructure operators adopt voluntary
framework.

9. Cybersecurity Timeline
Publication
of
Preliminary
Framework
5th NIST
Workshop
End of 45 Day
Comment
Period on
Preliminary
Framework
Publication of
Final
Framework
FCC CSRIC IV
Commences
Regulatory
Requirements
Sufficiency
Analysis
Framework
Effectiveness
Assessment

10. Thanks
Phil Agcaoili
Chief Information Security Officer, Cox Communications, Inc.
Co-Chair, Communications Sector Coordinating Council (CSCC),
Cybersecurity Committee – Technical Sub-Committee
Member, Communications Information Sharing and Analysis Center (ISAC)
Co-Chair, FCC CSRIC IV, WG 4 (Cybersecurity Best Practices)
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack,
Security, Trust and Assurance Registry (STAR), and
CSA Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA

11. CYBER INSURANCE
Section 2