7/31/2019 2012 03 27 Larry Clinton Presentation to AIA CIO Members
Larry Clinton, President & CEO
Internet Security Alliance
[email protected]
202-236-0001
www.isalliance.org
Board of Directors
Tim McKnight, Chair, VP and CISO, Northrop Grumman
Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA
Joe Buonomo, President and CEO, Direct Computer Resources
Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
Pradeep Khosla, Dean, College of Engineering & CyLab, Carnegie Mellon University
Marcus Sachs, VP of Government Affairs and National Security Policy
Barry Hensley, VP and Director, Counter Threat Unit/Research Group, Dell/SecureWorks
Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing
Gene Fredriksen, Global Information Security Officer, Tyco
Julie Taylor, VP Cyber & Information Solutions Business Unit
Rick Howard, iDefense General Manager, VeriSign
Brian Raymond, Director Tax, Tech & Economic Policy, National Association of Manufacturers
How Real is the Cyber Threat?
". . . I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous. The Intelligence Community's world-wide threat brief to Congress in January raised cyber threats to just behind terrorism and proliferation in its list of the biggest challenges facing our nation . . ." - Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command
"If terrorist groups were able to acquire [] destructive cyber capabilities, I think we should fear greatly that they would use them . . . The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses . . . We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens." - William Lynn, Former U.S. Deputy Secretary for Defense
"This threat is so intrusive, it's so serious . . . If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory." - Michael McConnell, Former Director of National Intelligence
"We've got the wrong mental model here . . . I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway." - Dr. James S. Peery, Director of the Sandia National Laboratories Information Systems Analysis Center
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.
Why are we not cyber secure?
"We find that misplaced incentives are as important as technical design. Security failure is caused at least as often by bad incentives as by bad technological design."
- Anderson and Moore, The Economics of Information Security
Economic Incentives Favor Attackers
Offence: Attacks are cheap
Offence: Attacks are easy to launch
Offence: Profits from attacks are enormous
Offence: GREAT business model
Defense: Perimeter to defend is unlimited
Defense: Hard to show ROI
Defense: Usually a generation behind the attacker
Defense: Prosecution is difficult and rare
Economic incentives to be INSECURE---VOIP/mobile devices, Cloud, International Supply Chains
ISA Goals
Thought Leadership in Cyber Security
Public Policy Advocacy
Develop Programs to stimulate improved cybersecurity
Build the Alliance
Senate bills
Lieberman-Collins----Major issue is Title I DHS regulatory authority vs. major attacks (APT)
McCain et al.----info sharing/R & D/FISMA/law enforcement authority----no DHS reg role
Admin supports LC
No action before May
ISA has been asked to offer rewrite of Title I: how to address CI w/out adding DHS regs
House
Thornberry Task Force----Incentives---Map to ISA
Rogers----liability for info sharing
Lungren----Some DHS reg, study incentives--NISO
Possibly Smith/Goodlatte----best practices
E & C bipartisan commission on incentives
Lungren may go to the full HLS next week
Lungren and Rogers could be on the floor in April
2012 ISA Board Projects
Public Policy Advocacy: The Cyber Security Social Contract---market incentives over regulations
APT for small/mid-sized (not huge) companies
Supply Chain for hardware (model contracts)
Financial Management of Cyber Risk
Modernized Information Sharing Model
CyberTrak (under development)
The Social Contract
The historic social contracts for infrastructure development (phones and electricity) combine public policy, technology and economics successfully
A cyber security social contract---with different terms---can do the same
Terms for the Cyber Social Contract
Create an international entity to judge the effectiveness of standards, practices and technologies
Government(s) create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing/marketing advantages/taxes)
Growth of the social contract idea
2008 ISA publishes Cyber Social Contract
2009 Obama's Cyber Space Policy Review
2011 Endorsed by multi-association/civil liberties white paper on cyber security
2011 GOP Cyber Task Force Report
2012 Rogers-Ruppersberger legislation (passes Intel committee 17-1)
2012 World Institute for Nuclear Security (WINS)
Enterprise Cyber Security
"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them."
- The Information Systems Audit and Control Association (ISACA), quoted in Dept. of Commerce Green Paper, March 2011
Why Are We Not Doing It?
"Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks."
"Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution."
"The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat."
- CSIS & PWC Surveys 2010
Financial Management of Cyber Risk (2010)
Growth in Financial Risk Management Approach
ISA released the Cyber Risk Team approach in 2007, 2010 and 2012 (health care)
CMU study in 2007: only 17% of firms had org-wide cyber risk teams
In 2011 CMU study: 87% have cyber risk teams
Ponemon Institute shows investment in cyber up 100% from 2007 vs 2012
Major firms (E&Y) now using ISA model
The APT----Average Persistent Threat
"The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event . . . APT is no longer just a threat to the public sector and the defense establishment; this year significant percentages of respondents across industries agreed that APT drives their organization's security spending."
- PricewaterhouseCoopers Global Information Security Survey, September 2011
APT: We Are Not Winning
80% of A & D security experts surveyed said that their companies' security policies did not address APT style attacks. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.
- PWC 2011
Are we thinking of APT all wrong?
Companies are countering the APT principally through virus protection (51%) and intrusion detection/prevention solutions (27%)
- PWC 2011
"Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated."
---M-Trends Report 2011
ISA and APT
Roach Motel Model 2008 (Jeff Brown, Raytheon, Chair)
Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, co-chairs)
Supply chain
"The exploitation of information technology (IT) products and services through the supply chain is an emerging threat. In January 2012, the Director of National Intelligence identified the vulnerabilities associated with the IT supply chain for the nation's networks as one of the greatest strategic cyber threat challenges the country faces."
- GAO Report, March 2012
Supply Chain laws/regs
National Defense Authorization Act passed in December 201--Sec 818 requires DoD to establish guidelines for industry in terms of counterfeit part management. With respect to hardware counterfeits, DoD is looking at the Society of Automotive Engineers' 5453 standard to inform the DoD guideline, but there is no equivalent standard that addresses cyber.
ISA has Guidelines about to be published
ISA Proposal to AIA
The objective would be to leverage ISA's experience and programs with AIA's resources and membership in a mutually beneficial fashion.
ISA will contract with AIA to do a series of workshops designed to create a publication addressing the above-mentioned cyber security issues with respect specifically to the AIA membership (APT/Supply Chain/Org Risk Management & use of Incentives).
ISA Proposal to AIA
The publication would meet three specific goals: 1) Usefulness 2) Effectiveness 3) Economy
One or two workshops over the next 8 months, with the resulting publication in the first quarter of 2013
ISA will provide the baseline material for each workshop area (supply chain, financial risk management, APT and incentives) as well as organize the workshops
ISA Proposal to AIA
AIA will be responsible for populating the workshops with their member companies and financing them via a $100,000 payment to ISA.
The $100,000 will earn for AIA a sponsor level channel partnership entitling all AIA members to participate in the ISA run workshops and including AIA participation in the ISA Board
ISA and AIA agree to collaborate on any future derivative programs (e.g. training/certification)
Larry Clinton, President & CEO
Internet Security Alliance
202-236-0001
www.isalliance.org