
Larry Clinton President

Internet Security Alliance

lclinton@isalliance.org

703-907-7028

202-236-0001


ISA Board of Directors

• Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
• J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
• Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
• Marc-Anthony Signorino, Treasurer; National Association of Manufacturers
• Ken Silva, Immediate Past Chair; CSO, VeriSign
• Joe Buonomo, President, DCR
• Jeff Brown, CISO/Director IT Infrastructure, Raytheon
• Lawrence Dobranski, Chief Strategic Security, Nortel
• Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
• Eric Guerrino, SVP/CIO, Bank of New York Mellon
• Pradeep Khosla, Dean, Carnegie Mellon School of Computer Science
• Bruno Mahlmann, VP Cyber Security, Dell-Perot Systems
• Linda Meeks, VP CISO, Boeing Corporation


Bottom line:The unbalanced cyber economics equation

• Attacks are comparatively cheap and easy
• Profits from attacks are enormous
• Little risk of capture
• The perimeter to defend is endless
• We are inherently a generation behind the attacker
• Defense is hard and costly, with little perceived ROI


ISA Cyber Social Contract

Similar to the agreement that led to the spread of public utility infrastructure in the 20th century (rate-of-return regulation)

Infrastructure development was driven by market incentives

We know what to do technically and operationally, but the economics and strategy are not in place

Partner at the business plan level and apply the market incentives used in the rest of the economy to cyber security


Regulation is not the answer

• The cyber problem is not corporate malfeasance
• Technology changes too fast
• General regulations are meaningless
• Specific regulations are quickly outdated
• Congress can only regulate the US
• Increasing costs on US firms weakens their competitiveness
• Driving investment offshore is bad for the economy and bad for security


Problems with cyber security economics

Consumers think they have more protection than they do.

Corporate responsibility is to maximize shareholder value, not to secure the (cyber) borders

The federal government is not managing its own cyber cost vulnerabilities

Most companies don't recognize their true cyber costs and hence don't invest


Problems with corporate cyber economics

The point of attack is not necessarily the point of cyber loss; the third party that is attacked has no incentive to invest to the maximum

• Third parties undermine cyber ROI
• Old analysis methods mask modern attacks

Corporate data "owners" don't feel they own the security of their data

Organizational problems hinder investment


Organizational Problems

"The security discipline has so far been skewed to technology (firewalls, ID management, intrusion detection) instead of risk analysis and intel gathering. Security investment must shift from the technology-heavy tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. We have to start addressing the human element of security, not just the technical one; only then will companies stop being punching bags." (PwC 2008 Info Survey)


Organizational Problems

"There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and Senior Executives are not adequately involved in key areas of enterprise risk security." (CMU, Dec. 2008)

Only 17% have a cross-organizational security team

Only 47% have a formal risk management plan

One third of the 47% that had a plan did NOT include IT risks in the plan (CMU, Dec. 2008)


Organizational problems

75% of companies DO NOT have a Chief Risk Officer (Deloitte 2009)

65% of US companies either don't have a documented process to assess cyber risk or do not have a person in charge of the process they do "have in place" (Deloitte 2009), which functionally translates into not really having a plan at all.


As a Result of the Organizational problems

Nearly half (47%) of all the enterprises studied in the 2009 PricewaterhouseCoopers Information Security Survey reported that they are reducing or deferring the budgets for information security initiatives

This is even though 42% acknowledged that "threats to their information security have increased" and 52% acknowledged that the cost reductions make adequate security more difficult to achieve (PwC 2009)


President Obama’s Report on Cyber Security


"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyberspace Policy Review, page iii)

This quotes the Internet Security Alliance's Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008


Social Contract II

Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model

Cyber Space Policy Review is Pro-Economic

The Cyber Coordinator will report to the National Economic Council as well as the National Security Council

The CSPR embraces an enterprise-wide risk management philosophy (including enterprise education)

For the first time the government proposes the use of economic incentives to promote better private sector security


Issues Covered in Social Contract 2.0

• Economics of cyber security
• Information sharing
• Supply chain
• Financial cyber risk management
• Analog laws governing digital technology
• Developing automated security standards for converged media (e.g. VoIP)


Chapter 2: Partnership at the Business Plan Level

Obama personally rejected regulation of the private sector for cyber security

The government's role is to evaluate and create incentives for adopting good cyber security policies, practices and technologies, just as in other areas of the economy

The market incentives endorsed by the Obama Cyberspace Policy Review are used as a menu for voluntary compliance


ISA Testimony on Incentives (May 1, 2009)

1. R & D grants
2. Tax incentives
3. Procurement reform
4. Streamlined regulations
5. Liability protection
6. Public education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act


Obama’s Report on Cyber Security (May 30, 2009)

The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. President’s Cyber Space Policy Review May 30, 2009 page vs.

This quotes the Internet Security Alliance's Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress


Chapter 3: Information Sharing

• The current model doesn't work
• Modern business systems are too open
• Limited participation in ISACs, especially among SMEs
• Government won't give source material; industry won't give attack data or important internal information
• We can't keep determined attackers out
• Once attackers are in our systems, we have more control over them


Information Sharing-- Incentives

• Large organizations become designated reporters (gold, silver, etc.), a status that can be used for marketing
• They report C2 sites (URLs/web sites), not the fact that they have been breached or any internal data
• Government reports derived intelligence, not source data
• The anti-virus community circulates the information for profit
• Small companies are able to participate: blocking C2 is easy and cheap
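The sharing model above hinges on one filter: what leaves the reporting organization is the command-and-control indicator, never the breach details behind it. The following Python is an added example, not code from the ISA deck or any ISA program; it takes a constructed analyst report (the report format, the `.test` hostnames and the `203.0.113.45` address are all assumptions made for illustration), strips everything that is not a shareable C2 host, and emits the kind of DNS response-policy-zone (RPZ) records a small company could drop into a resolver to block that C2 cheaply. The IPv6 `rpz-ip` encoding is left out for brevity.

```python
"""Sanitise a C2 report before sharing and turn it into RPZ block records.

Added example for the ISA information-sharing model; not ISA code.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: what a designated reporter's analysts might hand over.
# It mixes C2 URLs with exactly the things the sharing model says NOT to
# circulate: which internal host was hit and what data was taken.
SAMPLE_REPORT = [
    {"type": "c2", "value": "http://update.example-c2.test/gate.php?id=ACME-FIN-07"},
    {"type": "c2", "value": "https://203.0.113.45:8443/beacon"},
    {"type": "c2", "value": "hxxp://cdn[.]evil-example[.]test/x"},   # defanged by the analyst
    {"type": "victim_host", "value": "fin-db-02.corp.acme.test"},    # internal: never shared
    {"type": "c2", "value": "http://10.20.30.40/staging"},            # internal pivot, not a C2
    {"type": "exfil_summary", "value": "2.1 GB of payroll records"},  # breach detail: never shared
]

# Addresses that can only be meaningful inside the victim's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL parser can read the indicator."""
    value = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), value, flags=re.I)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_indicator(url: str):
    """Return the bare C2 host from a URL, or None if it must not be shared.

    Only the host is kept: paths and query strings routinely embed victim
    identifiers (campaign IDs, hostnames), which is internal data.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "//" + url            # let urlsplit see a scheme-less host
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host                 # a hostname, not an address
    if any(ip in net for net in INTERNAL_NETS):
        return None                 # an internal address says something about the victim, not the attacker
    return str(ip)


def sanitize_report(report):
    """Keep only shareable C2 indicators; drop victim hosts, exfil summaries and internal addresses."""
    shared = set()
    for entry in report:
        if entry.get("type") != "c2":
            continue
        indicator = extract_indicator(entry["value"])
        if indicator:
            shared.add(indicator)
    return sorted(shared)


def to_rpz(indicators, origin="c2.rpz.example"):
    """Render RPZ trigger records (to append to a zone that already has its SOA/NS).

    A CNAME to "." makes the resolver answer NXDOMAIN for the C2 name.
    IPv4 answers are matched with an rpz-ip trigger: <prefix>.<reversed octets>.rpz-ip.
    """
    lines = [f"$ORIGIN {origin}.", "$TTL 300"]
    for ind in indicators:
        try:
            ip = ipaddress.ip_address(ind)
        except ValueError:
            lines.append(f"{ind} CNAME .")
            lines.append(f"*.{ind} CNAME .")
            continue
        if ip.version == 4:
            reversed_octets = ".".join(reversed(ind.split(".")))
            lines.append(f"32.{reversed_octets}.rpz-ip CNAME .")
        # IPv6 rpz-ip triggers use a different encoding and are omitted here.
    return lines


if __name__ == "__main__":
    print("\n".join(to_rpz(sanitize_report(SAMPLE_REPORT))))
```

Running the block prints three hostname/address triggers and nothing that names the victim, its internal hosts or what was taken; that is the property a designated-reporter scheme has to guarantee before large organizations will feed it.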


Securing The IT Supply Chain In The Age of Globalization

November, 2007


Securing the IT Supply Chain

"The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.

For organizations that have not yet made cyber security a true priority there are other barriers, often primarily economic." (President's Cyberspace Policy Review, May 30, 2009, page 34)


Supply Chain Economic Issues

• A secure foundry is unsustainable (think prisons)
• Government mandates are unsustainable
• We are inherently a global economy
• US firms can't compete with heavy special burdens
• Mandating security for US firms will hurt economically, reduce quality and harm security by driving providers offshore even more


ISA Supply Chain Framework

Five phases: design, fabrication, assembly, distribution and maintenance

Remedies for interruption of production, corruption of production, discrediting of production and loss of control of production

Legal support for: unambiguous contracts with security measures; responsible corporations with long-term interests; motivation for workers and executives; verification and enforcement


2010 Supply Chain Agenda

5 Workshops in first 2 quarters of 2010

• I. Securing the Design and Fabrication Phases
• II. Securing the Assembly, Distribution, and Maintenance Phases
• III. Establishing the Necessary Legal and Contractual Conditions


Chapter 4: Enterprise Education focus on $

It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. – President’s Cyber Space Policy Review May 30, 2009 page 15

ISA-ANSI Project on Financial Risk Management of Cyber Events: "50 Questions Every CFO Should Ask", including what CFOs ought to be asking their General Counsel and outside counsel, as well as HR, Business Operations, Public and Investor Communications, and Compliance


Financial Management of Cyber Risk 2010

• Phase I: 50 questions CFOs should ask about cyber security
• Phase II: complete the responses to the 50 questions every CFO should ask operations, HR, the risk manager, communications, legal and compliance
• Phase III: separate programs and best practices on cyber security for each organizational section
• CIO Net and the European Commission have requested proposals for EU versions of the ISA/ANSI program


Chapters 5 & 6: VoIP Standards & Old Laws

The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole. President’s Cyber Space Policy Review May 30, 2009 page C-12


Developing SCAP Automated Security & Assurance for VoIP & Converged Networks

September, 2008

ISA Partners

VoIP legal and technical products

1. Legal Compliance & Security Report describes:
• Available Unified Communications (UC) technologies
• Security risks of deployment
• An inventory of laws to be considered before deployment
• Whether ECPA (the Electronic Communications Privacy Act) creates a legal barrier to deployment

A toolkit for lawyers and clients to assist in avoiding exposure from deployment

2. Technical program with NIST addresses:
• SCAP suitability and baseline standards
• NSA/DHS grant proposal
