2009 08 13 Larry Clinton AIA Public Policy Webinar


  • 7/31/2019 2009 08 13 Larry Clinton AIA Public Policy Webinar

    1/48

    Larry Clinton

    President

    Internet Security Alliance

    703-907-7028 (O) 202-236-0001 (C)

  • 3/48

    ISA Board of Directors

    Ty Sagalow, Esq., Chair, President Innovation Division, Zurich
    Tim McKnight, Second Vice Chair, CSO, Northrop Grumman
    Ken Silva, Immediate Past Chair, CSO, VeriSign
    Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
    Jeff Brown, CISO/Director IT Infrastructure, Raytheon
    Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
    Lawrence Dobranski, Chief Strategic Security, Nortel
    Pradeep Khosla, Dean, Carnegie Mellon University School of Computer Sciences
    Joe Buonomo, President, DCR
    Bruno Mahlmann, VP Cyber Security, Perot Systems
    Linda Meeks, CISO Information Security, Boeing
    J. Michael Hickey, 1st Vice Chair, VP Government Affairs, Verizon
    Marc-Anthony Signorino, Treas., National Assoc. of Manufacturers

  • 4/48

    Our Partners

  • 6/48

    Internet Security Alliance Priority Projects

    1. Public Policy: The Cyber Security Social Contract: Recommendations to Obama
    2. Financial Risk Management of Cyber Events
    3. Securing the Globalized IT Supply Chain
    4. Securing the Unified Communications Platform
    5. Modernizing Law in the Digital Age

  • 7/48

    The Old Web

  • 8/48

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Web Today

  • 9/48

    What is the I-Net & how do we manage it?

    Inherently insecure
    Constantly changing
    International
    Doesn't fit in traditional governance boxes
    Not even really an "it": it's a network of networks / digital / public / private / shared
    Tied into everything

  • 10/48

    Post 9-11 Cyber Security Policy

    National Strategy to Secure Cyber Space
    DIB Effort
    Comprehensive National Cyber Initiative (CNCI)
    CSIS and ISA Proposals to Obama/Congress
    60-day review & Obama Speech (5/29/09)

  • 11/48

    National Strategy to Secure Cyber Space (2002-03)

    First comprehensive Administration view of problem
    Raised many key issues
    Predicted market forces would adequately motivate private sector
    General lack of follow-through by USG

  • 12/48

    Extent of the Problem

    Military Testimony: Vice Chairman of the Joint Chiefs of Staff James Cartwright told Congress in March 2007 that America is under widespread attack in cyberspace.

    Wall Street Journal: Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

    Wired Magazine: The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

    CSIS: America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like ULTRA and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

    New York Times: TJX says it has spent at least $130 million on legal and other matters related to the security breach.

  • 13/48

    Latter Bush Years

    Comprehensive National Cyber Initiative (CNCI)
    Largely classified (except for Project 12), including proposing use of:
    British Consultancy Model
    DIB initiative

  • 14/48

    USG is a user and an enforcer

  • 15/48

    DIB program

    DoD agrees to:
    Provide classified tips and analysis on threat actors
    Distribute attributed data from DoD and other industry partners
    Protect data attributable to specific companies
    Provide selected forensic support

    ~30 cleared defense contractors agree to:
    Report compromised computers to DoD
    Provide analysis of information exposed
    Provide forensic image of computer if requested
    Participate in formal Damage Assessment run by DoD acquisition community

  • 16/48

    What to Tell President Obama?

    1. We need to increase our emphasis and investment on cyber security
    2. Cyber Security must be recognized as critical infrastructure maintenance
    3. Cyber Security is not an IT problem.
    4. Cyber security is an enterprise-wide risk management problem
    5. Government and Industry need a new relationship

  • 17/48

    Releasing the Cyber Security Social Contract, November 2008

  • 18/48

    ISA Cyber Social Contract

    Similar to the agreement that led to public utility infrastructure dissemination in the 20th C
    Infrastructure development -- market incentives
    Consumer protection through regulation
    Gov role is more creative/harder: motivate, not mandate, compliance
    Industry role is to develop practices and standards and implement them

  • 19/48

    Administration and Congress Get More Active

    White House 60-day policy review: The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public.

    Congress: Network Defense Act places requirements on contractors doing business with DHS

    Department of Defense: Announcing results of DFARS review

  • 20/48

    DoD Action

    DOD is currently evaluating information security standards and developing DFARS language (to be released in Summer/Fall)

    Army Labs Policy Memo directs acquisition executives to engage their Program Executive Offices and Program Managers to take immediate steps to:
    Ensure that CUI is identified and appropriately protected in DoD acquisition programs
    Report incidents and exfiltration

  • 21/48

    Current Congressional Activity

    Over Hearings & Actions
    Different Committees
    Congress Investigative Arm Reports on Cyber Issues
    Senate Bill (S. 773)
    House Bill (H.R. 2195)

  • 22/48

    Current Congressional Activity

    S. 773: Rockefeller, Snowe; Lieberman, Collins (Sen. Homeland Security)
    House Commerce Committee
    House Homeland Security Committee

  • 24/48

    Presidential Interest

    Hacking Obama's Website: "It's no secret that my presidential campaign harnessed the Internet and technology to transform politics. What isn't widely known is that during the general election hackers managed to penetrate our computer systems." (President Obama, May 29, 2009)

    Source in Iran Sees Plans for President's Chopper (USA Today, Mar. 2, 2009): The U.S. Navy is investigating how an unauthorized user in Iran gained online access to blueprints and other information about a helicopter in President Obama's fleet.

  • 25/48

    Obama speaks on cyber security

    My administration will pursue a new comprehensive approach to securing America's digital infrastructure. This new approach with this: From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a.

    (President Obama, May 29, 2009)

  • 26/48

    President Obama's Report on Cyber Security (May 30 2009)

    The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. (President's Cyber Space Policy Review page iii)

    Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

  • 27/48

    President Obama's Report on Cyber Security (May 30, 2009)

    The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. (President's Cyber Space Policy Review May 30, 2009 page v)

    Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress

  • 28/48

    Obama Near Term Action Plan:

    1. Appoint a Cyber Security policy coordinator directly responsible to the President and dual-hatted to both the NSC and the NEC.

    2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.

    5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.

    President's Cyber Space Policy Review May 30, 2009 page vi

  • 29/48

    Obama near term Action Plan

    Initiate a national awareness campaign (train workforce/improve education also in mid-term plan)
    Expand information sharing programs
    Refine Government procurement and improve market incentives

  • 30/48

    Near Term and Mid-Term Issues

    Regulation vs. Incentives
    Financial and Educational aspects of cyber security
    Information Sharing
    Global Supply Chain Management
    Securing new media and coordinating the legal structure to new technologies

  • 31/48

    Regulation vs. Incentives

    ISA Social Contract argues vs. regulation, which is slow / limited in effect / anti-US competitiveness / anti-security and won't work.

    Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29 2009)

  • 32/48

    Congressional Testimony, October 2007

  • 33/48

    ISA Proposed Incentives (Testimony E & C May 1, 2009)

    1. R & D Grants
    2. Tax incentives
    3. Procurement Reform
    4. Streamlined Regulations
    5. Liability Protection
    6. Public Education
    7. Insurance
    8. SBA loans
    9. Awards programs
    10. Cyber SAFETY Act

  • 34/48

    Proposed Incentives: Liability

    The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. (Obama Administration's Report on Cyber Security May 2009 page 28)

  • 35/48

    The Economy is reliant on the Internet

    The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security. (PWC Global Cyber Security Survey 2008)

  • 36/48

    The need to understand business economics to address cyber issues

    If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership. (President's Cyber Space Policy Review May 30, 2009 page 18)

  • 37/48

    Financial Management of Cyber Risk

    It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. (President's Cyber Space Policy Review May 30, 2009 page 15)

    ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Ops, Public and Investor Communications & Compliance.

  • 38/48

    Financial Impact of Cyber Risk, October 2008

  • 39/48

    Information Sharing

    Problem clearly needs additional work
    DIB model results good, but some problems and not scalable
    Trust is built on mutual exchange
    Alternatives:
    British Consultancy Model
    Roach Motel Model

  • 40/48

    Cyber Security as a New Business Opportunity

    Military contractors are now in the enviable position of turning what they learned from protecting sensitive Pentagon data that sits on their own computers into a lucrative business that could replace revenue from the cancellation of conventional weapons systems as the demand for greater computer security spreads to health care, energy and the rest of the critical infrastructures. (NY Times 5/31/09)

  • 41/48

    Securing the IT Supply Chain

    The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities. (President's Cyber Space Policy Review May 30, 2009 page 34)

  • 42/48

    ISA/CMU Supply Chain Project

    18 months long (start fall 07)
    Focus on firmware
    Carnegie Mellon University and Center for Cyber Consequences Unit
    3 conferences
    100 Gov., Industry and Academic participants
    Results are strategy and framework provided to USG for NSC 60-day review of cyber policy

  • 43/48

    Securing The IT Supply Chain In The Age of Globalization, November 2007

  • 44/48

    ISA/CMU Supply Chain Project

    1. Globalization of IT Supply Chain will increase
    2. USG reliance on IT will also increase
    3. Threat from IT supply chain significant for USG
    4. USG-only solution impractical
    5. Attackers will be fluid and creative, so fixed policies will be ineffective long term
    6. Need a flexible framework of solutions
    7. Framework must account for both security and cost

  • 45/48

    Appendix C of Obama Administration Report: Conclusion

    The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole. (President's Cyber Space Policy Review May 30, 2009 page C-12)

  • 46/48

    Other Legal Issues That Need to be Resolved

    Scores of legal issues emerged, such as considerations related to the aggregation of authorities, what authorities are available for the government to protect privately owned critical infrastructure, the placement of Internet monitoring software, the use of automated attack detection and warning sensors, data sharing with third parties within the Federal government, and liability protections for the private sector. (Obama Administration's Report on Cyber Security May 2009 page 3)

  • 47/48

    Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008

  • 48/48

    ISA Unified Communications Legal Compliance Analysis (June 2009)

    1. Describes available Unified Communications (UC) Technologies
    2. Describes Security Risks of Deployment
    3. Inventory of Laws to be considered pre-deployment
    4. Analysis of whether ECPA creates a legal barrier to deployment
    5. Toolkit for lawyers and clients to assist in avoiding exposure from deployment