Introduction to the National Cybersecurity & Communications Integration Center (NCCIC) “A Partnership for Strength” 1

NCCIC Overview and Mission NCCIC Overview - -Operates at the intersection of the network defense, private sector, civilian, law enforcement, intelligence, and defense communities - cybersecurity and communications domains NCCIC Mission – -Apply unique analytic perspectives -Ensure shared situational awareness -Orchestrate synchronized response efforts -Protect the Constitutional and privacy rights of Americans

We NEED to Think Differently - A New Paradigm for Security Security breaches are inevitable Leadership must OWN the problem Manage Risk – build into security – threat centric Situational Awareness - vital Resilience is ESSENTIAL - operate through compromise Compliance is NOT security Partnership between government and industry is critical Culture Shift – Reactive to PROACTIVE!!! Leadership MUST OWN – this is a CEO/Board responsibility to get ahead of threats, manage risk set up to be resilient – CAN’T be “clean up on aisle 9” - Don’t cede the field to cyber ninjas – understand coast and consequences – manage risk All Threats are NOT Equal - Attacks which are targeted & persistent - greatest challenge, greatest risk The Biggies Economic Espionage – Targeted & Persistent…gain economic advantage Organized Crime - Targeted & Persistent…financial gain Hacktivists – Targeted…defamation and media interest Nuisances – DDoS efforts…prove it can be done, potential launch points 3

Traditional Cyber Security SOC, CSIRC, C&A, Policy Dynamic cyber defense User Behavior Traditional Cyber Security SOC, CSIRC, C&A, Policy Intelligence Information Sharing IT/Network Security Leadership Mission Deep Net Awareness Dynamic Cyber Defense – be aggressive in defending – be open to new sources of intel – be open to new places to get and grow talent Leadership MUST own the problem set! - who are the players – Board, CEO, COO, CSO, CIO etc - what is their responsibility - understand the threat - plan & program for it – decide how to manage risk - exercise - work thru it – resilient – keep business/mission going What is intel? What it is NOT! Information vs Intelligence Information- -Raw, unfiltered feed -Unevaluated when delivered -Aggregated from virtually every source -May be true, false, misleading, incomplete, relevant or irrelevant. Intelligence -Processed, sorted information -Evaluation and interpreted by trained intelligence analysts -Aggregated from reliable sources and cross correlated for accuracy -Accurate, timely, complete (as possible), assessed for relevancy -Actionable Resilience 4

Protection of Information Traffic-Light Protocol (TLP): Originator-controlled classification system developed to encourage greater sharing of sensitive (but unclassified) information with external entities. When should it be used? TLP Color How may it be shared? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused. RED Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting or conversation in which it is originally disclosed. Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved. AMBER Recipients may only share TLP: AMBER information with members of their own organization, and only as widely as necessary to act on that information. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. GREEN Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Sources may use TLP: WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release. WHITE TLP: WHITE information may be distributed without restriction, subject to copyright controls.

Protection of Information (cont.) Protected Critical Infrastructure Information (PCII) Information-protection program enhances voluntary information sharing between infrastructure owners and operators and the government PCII protections Guarantee shared information will not lead to the exposure of sensitive or proprietary data

-Understand Threat Landscape -Leadership OWNS a New Paradigm! So What? -Understand Threat Landscape -Leadership OWNS a New Paradigm! -Consider Cybersecurity Framework -Implement 20 Critical Security Controls -Change – Reactive to Proactive – Intelligence & Information Sharing 7

8

BACK UP SLIDES

National Cybersecurity Team Each Department has distinct, yet complementary roles: DHS: responsible for coordinating the domestic all-hazards preparedness efforts of executive departments and agencies DOJ: responsible for responding to domestic counterterrorism, intelligence, and law enforcement activities DOD: responsible for national defense, foreign cyber intelligence, protection of national security systems

NCCIC Pillars and Capabilities NCCIC Operational Pillars Information Sharing Incident Handling / Crisis Management Analysis NCCIC In-House and Virtual Capabilities 24/7/365 Operations Center Critical Infrastructure / Key Resources (CI/KR) Sectors Information Sharing & Analysis Centers (ISAC) Fed/State/Local/Tribal Government International Partners NCCIC Branches United States Computer Emergency Readiness Team (US-CERT) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) National Coordinating Center for Telecommunications (NCC) Operations & Integration (O&I)

Future NCCIC Focus Areas Enhance the integration and coordination of national response to significant cyber events Create shared situational awareness among public sector, private sector, and international partners by coordinating the joint development and dissemination of timely and actionable cybersecurity and communications information Expand the Common Operating Picture (COP) Expand domestic and international relationships Increase provision of Enhanced Cybersecurity Services (ECS) Improve machine-readable exchange of information Improve on-site/remote assistance capabilities to rapidly respond to routine and significant cybersecurity and communications incidents in order to mitigate harmful activity, manage crisis situations, and support recovery

Liaison Officers (LNO) at NCCIC Department of Justice DOJ FBI National Cyber Investigative Joint Task Force (NCI-JTF) Department of Defense NSA/Central Security Service (CSS) Threat Operations Center (NTOC) DOD CYBERCOM DOD Cyber Crime Center (DC3) DOD NORTHCOM Department of Homeland Security DHS Cybersecurity Legal Staff DHS Cybersecurity Public Affairs DHS National Operations Center (NOC) DHS Security Operations Center (SOC) Immigration and Customs Enforcement National Infrastructure Coordination Center (NICC) United States Coast Guard United States Secret Service Department of State Information Sharing and Analysis Centers Communications ISAC Energy Sector ISAC Financial Services ISAC Information Technology ISAC Multi-State ISAC Other private sector entities 13

NCCIC Liaison Officers Located at External Organizations Department of Defense (DOD) Cyber Command (CYBERCOM) DOD Northern Command (NORTHCOM) DOD Defense Cyber Crime Center (DC3) DOJ FBI National Cyber Investigative Joint Task Force (NCI-JTF) NSA/Central Security Service (CSS) National Threat Operations Center (NTOC) DHS National Operations Center (NOC) 14