2009 08 13 Larry Clinton AIA Public Policy Webinar
Transcript of 2009 08 13 Larry Clinton AIA Public Policy Webinar
7/31/2019 2009 08 13 Larry Clinton AIA Public Policy Webinar
1/48
Larry Clinton
President, Internet Security Alliance
703-907-7028 (O) 202-236-0001 (C)
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon University School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, CISO Information Security, Boeing
Our Partners
Internet Security Alliance Priority Projects
1. Public Policy: The Cyber Security Social Contract: Recommendations to Obama
2. Financial Risk Management of Cyber Events
3. Securing the Globalized IT Supply Chain
4. Securing the Unified Communications Platform
5. Modernizing Law in the Digital Age
The Old Web
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
What is the I-Net & how do we Manage it?
Inherently insecure
Constantly changing
International
Doesn't fit in traditional governance boxes
Not even really an "it": it's a network of networks / digital / public / private / shared
Tied into everything
Post 9-11 Cyber Security Policy
National Strategy to Secure Cyber Space
DIB Effort
Comprehensive National Cyber Initiative (CNCI)
CSIS and ISA Proposals to Obama/Congress
60-day review & Obama Speech (5/29/09)
National Strategy to Secure Cyber Space (2002-03)
First comprehensive Administration view of problem
Raised many key issues
Predicted market forces would adequately motivate private sector
General lack of follow-through by USG
Extent of the Problem
Military Testimony: Vice Chairman of the Joint Chiefs of Staff James Cartwright told Congress in March 2007 that America is under widespread attack in cyberspace.
Wall Street Journal: "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials."
Wired Magazine: "The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further."
CSIS: "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like ULTRA and Enigma, a battle fought mainly in the shadows. It is a battle we are losing."
New York Times: "TJX says it has spent at least $130 million on legal and other matters related to the security breach."
Latter Bush Years
Comprehensive National Cyber Initiative (CNCI)
Largely classified (except for Project 12), including proposing use of:
British Consultancy Model
DIB initiative
USG is a user and an enforcer
DIB program
DoD agrees to:
Provide classified tips and analysis on threat actors
Distribute attributed data from DoD and other industry partners
Protect data attributable to specific companies
Provide selected forensic support
~30 cleared defense contractors agree to:
Report compromised computers to DoD
Provide analysis of information exposed
Provide forensic image of computer if requested
Participate in formal Damage Assessment run by DoD acquisition community
What to Tell President Obama?
1. We need to increase our emphasis and investment on cyber security
2. Cyber Security must be recognized as critical infrastructure maintenance
3. Cyber Security is not an IT problem
4. Cyber security is an enterprise-wide risk management problem
5. Government and Industry need a new relationship
Releasing the Cyber Security Social Contract, November 2008
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development -- market incentives
Consumer protection through regulation
Government role is more creative and harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
Administration and Congress Get More Active
White House 60-day policy review: "The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public."
Congress: Network Defense Act places requirements on contractors doing business with DHS
Department of Defense: Announcing results of DFARS review
DoD Action
DOD is currently evaluating information security standards and developing DFARS language (to be released in Summer/Fall)
Army Labs Policy Memo directs acquisition executives to engage their Program Executive Offices and Program Managers to take immediate steps to:
Ensure that CUI is identified and appropriately protected in DoD acquisition programs
Report incidences and exfiltration
Current Congressional Activity
Over Hearings & Actions in Different Committees
Congress Investigative Arm Reports on Cyber Issues
Senate Bill (S. 773)
House Bill (H.R. 2195)
Current Congressional Activity
S. 773: Rockefeller, Snowe, Lieberman, Collins (Sen. Homeland Security)
House Commerce Committee
House Homeland Security Committee
Presidential Interest
Hacking Obama's Website: "It's no secret that my presidential campaign harnessed the Internet and technology to transform politics. What isn't widely known is that during the general election hackers managed to penetrate our computer systems." (President Obama, May 29, 2009)
"Source In Iran Sees Plans for President's Chopper" (USA Today, Mar. 2, 2009): The U.S. Navy is investigating how an unauthorized user in Iran gained online access to blueprints and other information about a helicopter in President Obama's fleet.
Obama speaks on cyber security
"My administration will pursue a new comprehensive approach to securing America's digital infrastructure. This new approach with this: From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a."
(President Obama, May 29, 2009)
President Obama's Report on Cyber Security (May 30, 2009)
"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyber Space Policy Review, page iii)
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
President Obama's Report on Cyber Security (May 30, 2009)
"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." (President's Cyber Space Policy Review, May 30, 2009, page v)
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
Obama Near Term Action Plan:
1. Appoint a Cyber Security policy coordinator directly responsible to the President and dual-hatted to both the NSC and the NEC.
2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
(President's Cyber Space Policy Review, May 30, 2009, page vi)
Obama Near Term Action Plan
Initiate a national awareness campaign (train workforce/improve education also in mid-term plan)
Expand information sharing programs
Refine Government procurement and improve market incentives
Near Term and Mid-Term Issues
Regulation vs. Incentives
Financial and Educational aspects of cyber security
Information Sharing
Global Supply Chain Management
Securing new media and coordinating the legal structure to new technologies
Regulation vs. Incentives
ISA Social Contract argues against regulation, which is slow, limited in effect, anti-US-competitiveness, anti-security, and won't work.
Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29, 2009)
Congressional Testimony, October 2007
ISA Proposed Incentives (Testimony E & C, May 1, 2009)
1. R & D Grants
2. Tax incentives
3. Procurement Reform
4. Streamlined Regulations
5. Liability Protection
6. Public Education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act
Proposed Incentives: Liability
"The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." (Obama Administration's Report on Cyber Security, May 2009, page 28)
The Economy is reliant on the Internet
"The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security." (PWC Global Cyber Security Survey 2008)
The need to understand business economics to address cyber issues
"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." (President's Cyber Space Policy Review, May 30, 2009, page 18)
Financial Management of Cyber Risk
"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." (President's Cyber Space Policy Review, May 30, 2009, page 15)
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications & Compliance.
Financial Impact of Cyber Risk, October 2008
Information Sharing
Problem clearly needs additional work
DIB model results good, but some problems and not scalable
Trust is built on mutual exchange
Alternatives:
British Consultancy Model
Roach Motel Model
Cyber Security as a New Business Opportunity
"Military contractors are now in the enviable position of turning what they learned from protecting sensitive Pentagon data that sits on their own computers into a lucrative business that could replace revenue from the cancellation of conventional weapons systems as the demand for greater computer security spreads to health care, energy and the rest of the critical infrastructures." (NY Times, 5/31/09)
Securing the IT Supply Chain
"The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities." (President's Cyber Space Policy Review, May 30, 2009, page 34)
ISA/CMU Supply Chain Project
18 months long (start fall 07)
Focus on firmware
Carnegie Mellon University and Center for Cyber Consequences Unit
3 conferences
100 Gov., Industry and Academic participants
Results are strategy and framework provided to USG for NSC 60-day review of cyber policy
Securing The IT Supply Chain In The Age of Globalization, November 2007
ISA/CMU Supply Chain Project
1. Globalization of IT Supply Chain will increase
2. USG reliance on IT will also increase
3. Threat from IT supply chain significant for USG
4. USG-only solution impractical
5. Attackers will be fluid and creative, so fixed policies will be ineffective long term
6. Need a flexible framework of solutions
7. Framework must account for both security and cost
Appendix C of Obama Administration Report: Conclusion
"The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole." (President's Cyber Space Policy Review, May 30, 2009, page C-12)
Other Legal Issues That Need to Be Resolved
"Scores of legal issues emerged, such as considerations related to the aggregation of authorities, what authorities are available for the government to protect privately owned critical infrastructure, the placement of Internet monitoring software, the use of automated attack detection and warning sensors, data sharing with third parties within the Federal government, and liability protections for the private sector." (Obama Administration's Report on Cyber Security, May 2009, page 3)
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008
ISA Unified Communications Legal Compliance Analysis (June 2009)
1. Describes available Unified Communications (UC) Technologies
2. Describes Security Risks of Deployment
3. Inventory of Laws to be considered pre-deployment
4. Analysis of whether ECPA creates a legal barrier to deployment
5. Toolkit for lawyers and clients to assist in avoiding exposure from deployment