2009 10 23 Larry Clinton ISA Overview Presentation to NATO Personnel in Estonia
TRANSCRIPT
-
7/31/2019 2009 10 23 Larry Clinton ISA Overview Presentation to NATO Personnel in Estonia
1/49
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001
-
Larry Clinton, President, ISA
Former academic; came to DC in the mid-80s
Legislative Director for the Chair of the Congressional Internet Committee
12 years w/ USTA, including the rewrite of telecommunications law & WIPO
Joined ISA in 2002 w/ the former Chair of the Congressional Intelligence Committee
Written numerous articles on Info Security, edited journals, testified before Congress, electronic and print media
Boards: US Congressional I-net Caucus I-Net Education Foundation, Cyber Security Partnership, DHS IT and Telecom Sector Coordinating Committee, CIPAC, CSCSWG
-
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treas.; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, VP CISO, Boeing Corp.
-
Core Principles
1. The Internet Changes Everything
2. Cyber Security is not an "IT" issue
3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security
-
ISAlliance Mission Statement
ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.
-
Our Partners
-
The Old Web
-
The Web Today
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
-
ISA 2009 Priority Projects
Develop a model for an effective public-private partnership (Cyber Social Contract)
Develop a pragmatic program for addressing financial cyber risks
Framework on IT supply chain
Standards for unified communications platforms
Handbook for navigating outdated laws
-
Post 9-11 Cyber Security Policy
National Strategy to Secure Cyber Space
DIB Effort
Comprehensive National Cyber Initiative (CNCI)
CSIS and ISA Proposals to Obama/Congress
60-day review & Obama Speech (5/29/09)
-
National Strategy to Secure Cyber Space (2002-03)
First comprehensive Administration view of the problem
Raised many key issues
Predicted market forces would adequately motivate the private sector
General lack of follow-through by USG
-
DIB program
DoD agrees to:
Provide classified tips and analysis on threat actors
Distribute attributed data from DoD and other industry partners
Protect data attributable to specific companies
Provide selected forensic support
~30 cleared defense contractors agree to:
Report compromised computers to DoD
Provide analysis of information exposed
Provide forensic image of computer if requested
Participate in formal Damage Assessment run by DoD acquisition community
-
Releasing the Cyber Security Social Contract, November 2008
-
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development -- market incentives
Consumer protection through regulation
Gov role is more creative/harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
-
Obama speaks on cyber security
Presidential Priority
"My administration will pursue a new comprehensive approach to securing America's digital infrastructure. This new approach starts at the top with this commitment from me: From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority."
(President Obama, May 29, 2009)
-
President Obama's Report on Cyber Security (May 30, 2009)
"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyber Space Policy Review, page iii)
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
-
The Economy is reliant on the Internet
"The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security." PWC Global Cyber Security Survey 2008
-
CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS
Attacks are cheap and easy
Vulnerabilities are almost infinite
Profits from attacks are enormous ($1 TRILLION in 08)
Defense is costly (usually no ROI)
Defense is often futile
Costs of attacks are distributed
-
The need to understand business economics to address cyber issues
"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." --- President's Cyber Space Policy Review, May 30, 2009, page 18
-
Regulation vs. Incentives
ISA Social Contract argues vs. regulation, which is slow, limited in effect, anti-US competitiveness, anti-security and won't work.
Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29, 2009)
-
Congressional Testimony, October 2007
-
ISA Model: Create a Market for Best Practices and Standards
Studies show nearly 90% of breaches could be prevented by following known best practices and standards
Private sector should continue to develop standards, practices & technologies
Govt. should test them for effectiveness
Govt. should motivate adoption via a sliding scale of market incentives
-
ISA Proposed Incentives (Testimony E & C, May 1, 2009)
1. R & D Grants
2. Tax incentives
3. Procurement Reform
4. Streamlined Regulations
5. Liability Protection
6. Public Education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act
-
President Obama's Report on Cyber Security (May 30, 2009)
"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." President's Cyber Space Policy Review, May 30, 2009, page v
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
-
Proposed Incentives: Liability
"The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." --- Obama Administration's Report on Cyber Security, May 2009, page 28
-
Obama Near Term Action Plan:
1. Appoint a Cyber Security policy coordinator directly responsible to the President and dual-hatted to both the NSC and the NEC.
2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
President's Cyber Space Policy Review, May 30, 2009, page vi
-
Obama Action Plan: International
Near Term Action Plan Item 7: Develop US Government positions for an international cyber security policy framework and strengthen our international partnerships to create incentives that address the full range of activities, policies, and opportunities associated with cyber security (Obama Cyber Space Policy Review, p. 37)
-
Obama Near Term Action Plan:
Initiate a national awareness campaign (train workforce/improve education also in mid-term plan)
Expand information sharing programs
Refine Government procurement and improve market incentives
-
Financial Impact of Cyber Risk, October 2008
-
Financial Management of Cyber Risk
"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyber Space Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask ---- including what they ought to be asking their General Counsel and outside counsel. Also HR, Bus Ops, Public and Investor Communications & Compliance
-
Securing the IT Supply Chain
"The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities." ---- President's Cyber Space Policy Review, May 30, 2009, page 34
-
Securing The IT Supply Chain In The Age of Globalization, November 2007
-
ISA/CMU Supply Chain Project
18 months long (start fall 07)
Focus on firmware
Carnegie Mellon University and Center for Cyber Consequences Unit
3 conferences
100 Gov., Industry and Academic participants
Results are strategy and framework provided to USG for NSC 60-day review of cyber policy
-
Outdated laws in the Digital Age; Obama Report: Conclusion
"The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole." President's Cyber Space Policy Review, May 30, 2009, page C-12
-
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008
-
ISA Unified Communications Legal Compliance Analysis (June 2009)
1. Describes available Unified Communications (UC) technologies
2. Describes security risks of deployment
3. Inventory of laws to be considered pre-deployment
4. Analysis of whether ECPA creates a legal barrier to deployment
5. Toolkit for lawyers and clients to assist in avoiding exposure from deployment
-
Information Sharing
Problem clearly needs additional work
DIB model results good, but some problems and not scalable
Trust is built on mutual exchange
Alternatives:
British Consultancy Model
Roach Motel Model
-
Social Contract: Info Sharing
We need to be sure information being shared can be put into action
We need to get the roadblocks out of the way
Most companies w/ limited budgets are locked into a reactive defensive posture allowing for little more than signature-based perimeter monitoring and, if detected, malware eradication.
-
Obama Cyber Review
Private sector engagement is required to help address limitations of law enforcement and national security.
Industry leaders can help by engaging in information sharing
Information is the key to preventing & responding to cyber risk
A full and effective response may only be possible by bringing information from all sources together to benefit all.
-
Obama Action Item #8
Develop mechanisms for cyber security-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial
-
Roach Motel: Bugs Get In Not Out
No way to stop determined intruders
Stop them from getting back out (w/ data) by disrupting attackers' command and control back out of our networks
Identify web sites and IP addresses used to communicate w/ malicious code
Cut down on the dwell time in the network
Don't stop attacks; make them less useful
-
Old Model for Info Sharing
Big orgs may invest in Roach Motel (traffic & analytical methods); small orgs never will
Many entities already report C2 channels (AV vendors/CERT/DIB/intelligence etc.)
Perspectives narrow
Most orgs don't play in info sharing orgs
Info often not actionable
Lack of trust
-
New Model (based on AV model)
Focus not on sharing attack info
Focus IS ON disseminating info on attacker C2 URLs & IP addresses & automatically blocking OUTBOUND TRAFFIC to them
Threat Reporters (report malicious C2 channels)
National Center (clearing house)
Firewall Vendors (push info into field of devices like AV vendors do now)
-
Threat Reporters
Govt/private/commercial orgs apply analytical capability to discover C2 sites via malware reverse engineering
Gov certified so there would be trust in their reports
Only report malware C2 info (web site/IP address) & type (e.g. botnet)
Can use certification for branding
-
National Clearinghouse
Receive reports and rapidly redistribute to firewall device vendors
Track validity of reports for re-certification
Focus is rapid dissemination of automatically actionable info
-
Firewall Providers
Producers of devices capable of blocking outbound web traffic
Accept data from clearinghouse
Reformat as needed
Recirculate to customers as quickly as possible
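The three-party pipeline of slides 44-47 (certified Threat Reporters submit C2 indicators, the National Clearinghouse validates and redistributes them, Firewall Vendors turn them into an outbound blocklist) as an added Python model; this is not code from the presentation or from ISA. Reporter names, indicators (RFC 5737 test address, .invalid hostnames) and the connection log are constructed, and the 25% false-report threshold for re-certification is an assumed policy.

```python
"""Egress-blocking pipeline modelled on the deck's New Model (slides 44-47):
Threat Reporters -> National Clearinghouse -> Firewall Vendors -> block OUTBOUND.
Added example; reporter names, indicators and log lines below are constructed."""
from collections import defaultdict


class Clearinghouse:
    """Accepts C2 reports only from certified reporters; tracks report validity."""

    def __init__(self, certified_reporters):
        self.certified = set(certified_reporters)
        self.reports = {}                              # indicator -> (c2_type, reporter)
        self.validity = defaultdict(lambda: [0, 0])    # reporter -> [confirmed, false]

    def submit(self, reporter, indicator, c2_type):
        # Trust only government-certified reporters (slide 45); reject the rest.
        if reporter not in self.certified:
            return False
        self.reports[indicator.lower()] = (c2_type, reporter)
        return True

    def feedback(self, indicator, confirmed):
        # Record whether a report held up, for re-certification (slide 46).
        c2_type, reporter = self.reports[indicator.lower()]
        self.validity[reporter][0 if confirmed else 1] += 1
        if not confirmed:                              # withdraw false positives
            del self.reports[indicator.lower()]

    def recertify(self, reporter, max_false_ratio=0.25):
        # Assumed policy: keep certification while false reports are at most 25%.
        n_ok, n_bad = self.validity[reporter]
        total = n_ok + n_bad
        return total == 0 or n_bad / total <= max_false_ratio

    def feed(self):
        # Clearinghouse output for firewall vendors: indicator -> C2 type.
        return {ind: typ for ind, (typ, _) in self.reports.items()}


def vendor_blocklist(feed):
    """Firewall vendor reformats the feed into a flat set of hosts/IPs to block."""
    return set(feed)


def egress_filter(blocklist, conn_log):
    """Decide each outbound connection (src, dst): BLOCK if dst is known C2, else ALLOW."""
    return [(src, dst, "BLOCK" if dst.lower() in blocklist else "ALLOW")
            for src, dst in conn_log]


def run_demo():
    ch = Clearinghouse(certified_reporters={"reporter-a", "reporter-b"})
    ch.submit("reporter-a", "c2.example.invalid", "botnet")
    ch.submit("reporter-a", "203.0.113.7", "botnet")            # RFC 5737 test address
    ch.submit("reporter-b", "Update.Example.invalid", "dropper")
    rejected = ch.submit("reporter-z", "evil.example.invalid", "botnet")  # uncertified
    ch.feedback("c2.example.invalid", confirmed=True)
    ch.feedback("203.0.113.7", confirmed=True)
    ch.feedback("update.example.invalid", confirmed=False)       # false positive withdrawn
    conn_log = [("10.0.0.5", "c2.example.invalid"), ("10.0.0.6", "www.example.com"),
                ("10.0.0.7", "203.0.113.7"), ("10.0.0.8", "update.example.invalid")]
    decisions = egress_filter(vendor_blocklist(ch.feed()), conn_log)
    return rejected, decisions, ch.recertify("reporter-a"), ch.recertify("reporter-b")
```

Running `run_demo()` shows the deck's intended effect: traffic to confirmed C2 destinations is blocked outbound, a withdrawn false positive stops being blocked, and the reporter who filed it loses re-certification while the uncertified reporter never enters the feed.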
-
Incentives
Threat reporters: certification for branding
Gov: secure industrial base at low cost; develop common operating picture
Firewall device vendors: new market
Medium & small companies: security at low cost in both money and time
Increase trust in internet
-
Larry Clinton, President
Internet Security Alliance
[email protected]