2010 09 15 Larry Clinton InfraGuard Seminar Providing Leg Update on Effective Collaboration to...
7/31/2019 2010 09 15 Larry Clinton InfraGuard Seminar Providing Leg Update on Effective Collaboration to Protect Critical Infrastructures
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001
-
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Homeland Security, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Association of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Lt. Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, Direct Computer Resources
Bruno Mahlmann, VP Cyber Security, Dell
Linda Meeks, VP CISO, Boeing Corporation
Justin Somaini, CIO, Symantec
Gary McAlum, Sr. VP & CSO, USAA
Andy Purdy, Chief Cyber Security Strategist, CSC Corp.
-
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with business economics and effective public policy to create a sustainable system of cyber security.
-
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century:
Infrastructure development -- market incentives
Consumer protection through regulation
Government role is more creative (harder): motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
-
President Obama's Report on Cyber Security (May 30, 2009)
"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." President's Cyberspace Policy Review, May 30, 2009, page iii
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
-
Roles and Responsibilities
The private sector owns 95% of the cyber infrastructure
Government must provide for the common defense
The private sector must, by law, operate not in the public interest but to maximize shareholder value
Economics must be at the core of the public-private partnership
-
Social Contract II
Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model
-
Issues Covered in Social Contract 2.0
Economics of cyber security
Information sharing
Supply chain
Financial cyber risk management
Analog laws governing digital technology
Developing automated security standards for converged media (e.g. VoIP)
-
Cyber Security Economics are Skewed
Responsibility, costs, harms and incentives are misaligned
Individual and corporate financial loss
National defense: core investment is undermined by edge insecurity
Enterprises are not structured to properly analyze cyber risk
-
CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS
Attacks are cheap and easy
Vulnerabilities are almost infinite
Profits from attacks are enormous ($1 TRILLION in '08)
Defense is costly (usually no ROI)
Defense is often futile
Costs of attacks are distributed
-
Administration Activities
Cyber Command
Expand NCSD at DHS
Upgrade law enforcement
FDIC initiative on financial system security
Critical infrastructure protection
WH initiatives, many on economics
Department of Commerce Notice of Inquiry on Economics of Cyber Security
-
Legislation
Over 40 bills introduced, covering:
Organizational responsibilities
Compliance and accountability
PII / data theft
Cyber security education & R&D
Critical infrastructure / vulnerability analysis
International cooperation and cyber crime
Procurement, acquisition & supply chain
-
Some Major Bills
S 139 & HR 2221: Data Breach
S 1438 & HR 4692: International Cyber Crime
S 921: FISMA Reform
HR 2071: Intel Reauthorization
S 773: Comprehensive (Commerce Committee)
S 3480: Comprehensive (Homeland Security Committee)
HR 5026: Grid Reliability & Infrastructure
-
What (we think) is in the bill
Establish private sector responsibility for critical infrastructure protection
Government role is oversight and assuring compliance (not funding)
Legislatively establish the cyber czar
Create mandatory technical standards for the most critical infrastructure
Require bi-annual cyber security audits with heavy civil fines for non-compliance
-
We need a total risk management approach
"The security discipline has so far been skewed toward technology (firewalls, ID management, intrusion detection) instead of risk analysis and proactive intelligence gathering." PWC Global Cyber Security Survey
-
Senior Execs ARE NOT analyzing Cyber Risk adequately
"There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security." 2010 Carnegie Mellon University CyLab Governance of Enterprise Security Survey
-
Financial Management of Cyber Risk
"It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyberspace Policy Review, May 30, 2009, page 15
-
The Economic Assessment of Cyber Security: 50 ?s for CFOs
Business Operations
General Counsel
Compliance Officer
Media (Investors and PR)
Human Resources
Risk Manager / Insurance
-
White House Meeting on Cyber Security, July 14
President Obama, Sec. Locke, Sec. Napolitano, Howard Schmidt (others)
Commerce speaks before DHS
Schmidt: need to up costs for attackers
Obama: interconnected nature of the internet will make it difficult to regulate for security
Legislation moving in a different direction
-
Regulation is not the answer
Compliance (not security) already eats up much of the security budget
Specific regs can't keep up with attacks
Vague regs show no effect
Regs increase costs uniquely for American companies
Regs can be counterproductive: ceilings (campaign finance)
-
Obama's Report on Cyber Security (May 30, 2009)
"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." President's Cyberspace Policy Review, May 30, 2009, page vs.
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
-
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001