2009 10 23 larry clinton isa overview presentation to nato personnel in estonia

Upload: isalliance

Post on 05-Apr-2018


  • 7/31/2019 2009 10 23 Larry Clinton ISA Overview Presentation to NATO Personnel in Estonia

    1/49

    Larry Clinton, President

    Internet Security [email protected]

    703-907-7028

    202-236-0001

    2/49

    Larry Clinton, President, ISA

    - Former academic; came to DC in the mid-80s
    - Legislative Director for the Chair of the Congressional Internet Committee
    - 12 years w/USTA, including the rewrite of telecommunications law & WIPO
    - Joined ISA in 2002 w/former Chair of the Congressional Intelligence Committee
    - Written numerous articles on info security, edited journals, testified before Congress, electronic and print media

    Boards: US Congressional I-net Caucus, I-Net Education Foundation, Cyber Security Partnership, DHS IT and Telecom Sector Coordinating Committee, CIPAC, CSCSWG

    3/49

    ISA Board of Directors

    - Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
    - J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
    - Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
    - Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
    - Ken Silva, Immediate Past Chair; CSO, VeriSign
    - Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
    - Jeff Brown, CISO/Director IT Infrastructure, Raytheon
    - Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
    - Lawrence Dobranski, Chief Strategic Security, Nortel
    - Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
    - Joe Buonomo, President, DCR
    - Bruno Mahlmann, VP Cyber Security, Perot Systems
    - Linda Meeks, VP CISO, Boeing Corp.

    4/49

    Core Principles

    1. The Internet Changes Everything
    2. Cyber Security is not an "IT" issue
    3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security

    5/49

    ISAlliance Mission Statement

    ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.

    6/49

    Our Partners

    7/49

    The Old Web

    8/49

    The Web Today

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    9/49

    ISA 2009 Priority Projects

    - Develop a model for an effective public-private partnership (Cyber Social Contract)
    - Develop a pragmatic program for addressing financial cyber risks
    - Framework on IT supply chain
    - Standards for unified communications platforms
    - Handbook for navigating outdated laws

    10/49

    11/49

    Post 9-11 Cyber Security Policy

    - National Strategy to Secure Cyber Space
    - DIB Effort
    - Comprehensive National Cyber Initiative (CNCI)
    - CSIS and ISA Proposals to Obama/Congress
    - 60-day review & Obama Speech (5/29/09)

    12/49

    National Strategy to Secure Cyber Space (2002-03)

    - First comprehensive Administration view of the problem
    - Raised many key issues
    - Predicted market forces would adequately motivate the private sector
    - General lack of follow-through by USG

    13/49

    DIB program

    DoD agrees to:
    - Provide classified tips and analysis on threat actors
    - Distribute attributed data from DoD and other industry partners
    - Protect data attributable to specific companies
    - Provide selected forensic support

    ~30 cleared defense contractors agree to:
    - Report compromised computers to DoD
    - Provide analysis of information exposed
    - Provide forensic image of computer if requested
    - Participate in formal Damage Assessment run by DoD acquisition community

    14/49

    Releasing the Cyber Security Social Contract
    November, 2008

    15/49

    ISA Cyber Social Contract

    - Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
    - Infrastructure development -- market incentives
    - Consumer protection through regulation
    - Gov role is more creative (harder): motivate, not mandate, compliance
    - Industry role is to develop practices and standards and implement them

    16/49

    Obama speaks on cyber security

    Presidential Priority

    "My administration will pursue a new comprehensive approach to securing America's digital infrastructure.

    This new approach starts at the top with this commitment from me: From now on, our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority."

    (President Obama, May 29, 2009)

    17/49

    President Obama's Report on Cyber Security (May 30, 2009)

    "The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyber Space Policy Review, page iii)

    Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

    18/49

    The Economy is reliant on the Internet

    "The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security." -- PWC Global Cyber Security Survey 2008

    19/49

    CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS

    - Attacks are cheap and easy
    - Vulnerabilities are almost infinite
    - Profits from attacks are enormous ($1 TRILLION in '08)
    - Defense is costly (usually no ROI)
    - Defense is often futile
    - Costs of attacks are distributed

    20/49

    The need to understand business economics to address cyber issues

    "If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." --- President's Cyber Space Policy Review, May 30, 2009, page 18

    21/49

    Regulation vs. Incentives

    - ISA Social Contract argues against regulation, which is slow, limited in effect, anti-US competitiveness, anti-security and won't work.
    - Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29, 2009)

    22/49

    Congressional Testimony
    October, 2007

    23/49

    ISA Model: Create a Market for Best Practices and Standards

    - Studies show nearly 90% of breaches could be prevented by following known best practices and standards
    - Private sector should continue to develop standards, practices & technologies
    - Govt. tests them for effectiveness
    - Govt. should motivate adoption via a sliding scale of market incentives

    24/49

    ISA Proposed Incentives (Testimony, E & C, May 1, 2009)

    1. R & D Grants
    2. Tax incentives
    3. Procurement Reform
    4. Streamlined Regulations
    5. Liability Protection
    6. Public Education
    7. Insurance
    8. SBA loans
    9. Awards programs
    10. Cyber SAFETY Act

    25/49

    President Obama's Report on Cyber Security (May 30, 2009)

    "The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." -- President's Cyber Space Policy Review, May 30, 2009, page v

    Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress

    26/49

    Proposed Incentives: Liability

    "The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." --- Obama Administration's Report on Cyber Security, May 2009, page 28

    27/49

    Obama Near Term Action Plan:

    1. Appoint a Cyber Security policy coordinator directly responsible to the President and dual-hatted to both the NSC and the NEC.

    2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.

    5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.

    President's Cyber Space Policy Review, May 30, 2009, page vi

    28/49

    Obama Action Plan: International

    Near Term Action Plan Item 7: "Develop US Government positions for an international cyber security policy framework and strengthen our international partnerships to create incentives that address the full range of activities, policies, and opportunities associated with cyber security" (Obama Cyber Space Policy Review, p. 37)

    29/49

    Obama Near Term Action Plan:

    - Initiate a national awareness campaign (train workforce/improve education also in mid-term plan)
    - Expand information sharing programs
    - Refine Government procurement and improve market incentives

    30/49

    Financial Impact of Cyber Risk
    October, 2008

    31/49

    Financial Management of Cyber Risk

    "It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." -- President's Cyber Space Policy Review, May 30, 2009, page 15

    ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask -- including what they ought to be asking their General Counsel and outside counsel. Also HR, Bus Ops, Public and Investor Communications & Compliance.

    32/49

    Securing the IT Supply Chain

    "The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities." -- President's Cyber Space Policy Review, May 30, 2009, page 34

    33/49

    Securing The IT Supply Chain In The Age of Globalization
    November, 2007

    34/49

    ISA/CMU Supply Chain Project

    - 18 months long (start fall '07)
    - Focus on firmware
    - Carnegie Mellon University and Center for Cyber Consequences Unit
    - 3 conferences
    - 100 Gov., Industry and Academic participants
    - Results are a strategy and framework provided to USG for NSC 60-day review of cyber policy

    35/49

    Outdated Laws in the Digital Age -- Obama Report: Conclusion

    "The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole." -- President's Cyber Space Policy Review, May 30, 2009, page C-12

    36/49

    Developing SCAP Automated Security & Assurance for VoIP & Converged Networks
    September, 2008

    37/49

    ISA Unified Communications Legal Compliance Analysis (June 2009)

    1. Describes available Unified Communications (UC) technologies
    2. Describes security risks of deployment
    3. Inventory of laws to be considered pre-deployment
    4. Analysis of whether ECPA creates a legal barrier to deployment
    5. Toolkit for lawyers and clients to assist in avoiding exposure from deployment

    38/49

    Information Sharing

    - Problem clearly needs additional work
    - DIB model results good, but some problems and not scalable
    - Trust is built on mutual exchange
    - Alternatives: British Consultancy Model; Roach Motel Model

    39/49

    Social Contract: Info Sharing

    - We need to be sure information being shared can be put into action
    - We need to get the roadblocks out of the way
    - Most companies w/limited budgets are locked into a reactive defensive posture allowing for little more than signature-based perimeter monitoring and, if detected, malware eradication.

    40/49

    Obama Cyber Review

    - Private sector engagement is required to help address limitations of law enforcement and national security.
    - Industry leaders can help by engaging in information sharing
    - Information is the key to preventing & responding to cyber risk
    - A full and effective response may only be possible by bringing information from all sources together to benefit all.

    41/49

    Obama Action Item #8

    Develop mechanisms for cyber security-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial

    42/49

    Roach Motel: Bugs Get In, Not Out

    - No way to stop determined intruders
    - Stop them from getting back out (w/data) by disrupting attackers' command and control back out of our networks
    - Identify web sites and IP addresses used to communicate w/malicious code
    - Cut down on the dwell time in the network
    - Don't stop attacks -- make them less useful

    43/49

    Old Model for Info Sharing

    - Big orgs may invest in Roach Motel (traffic & analytical methods); small orgs never will
    - Many entities already report C2 channels (AV vendors/CERT/DIB/intelligence etc.)
    - Perspectives narrow
    - Most orgs don't play in info sharing orgs
    - Info often not actionable
    - Lack of trust

    44/49

    New Model (based on AV model)

    - Focus not on sharing attack info
    - Focus IS ON disseminating info on attacker C2 URLs & IP addresses & automatically blocking OUTBOUND TRAFFIC to them
    - Threat Reporters (report malicious C2 channels)
    - National Center (clearing house)
    - Firewall Vendors (push info into the field of devices like AV vendors do now)

    45/49

    Threat Reporters

    - Govt/private/commercial orgs apply analytical capability to discover C2 sites via malware reverse engineering
    - Gov certified so there would be trust in their reports
    - Only report malware C2 info (web site/IP address) & type (e.g. botnet)
    - Can use certification for branding

    46/49

    National Clearinghouse

    - Receive reports and rapidly redistribute to firewall device vendors
    - Track validity of reports for re-certification
    - Focus is rapid dissemination of automatically actionable info

    47/49

    Firewall Providers

    - Producers of devices capable of blocking outbound web traffic
    - Accept data from clearinghouse
    - Reformat as needed
    - Recirculate to customers as quickly as possible
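    The three-party chain on the preceding slides (certified threat reporters, a national clearinghouse that redistributes reports and tracks their validity, firewall vendors that turn them into outbound blocks), as a small Python model added here for illustration; it is not ISA's or any vendor's code, and the reporter names, C2 indicators and connection log lines are constructed.

```python
# Added model of the report -> clearinghouse -> firewall-vendor chain.
# All reporter names, indicators and log lines below are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class C2Report:
    reporter: str    # organisation submitting the report
    indicator: str   # malware C2 web site (URL) or IP address
    kind: str        # type only, e.g. "botnet"; no victim data is shared

class Clearinghouse:
    """Accepts reports only from government-certified reporters, drops
    duplicates, keeps a validity record per reporter for re-certification
    and fans every accepted report out to subscribed firewall vendors."""
    def __init__(self, certified):
        self.certified = set(certified)
        self.reports = {}       # indicator -> C2Report
        self.validity = {}      # reporter -> [confirmed, retracted]
        self.subscribers = []   # FirewallVendor instances

    def submit(self, rep: C2Report) -> bool:
        if rep.reporter not in self.certified or rep.indicator in self.reports:
            return False        # uncertified source or already known
        self.reports[rep.indicator] = rep
        self.validity.setdefault(rep.reporter, [0, 0])
        for vendor in self.subscribers:   # rapid redistribution
            vendor.receive(rep)
        return True

    def feedback(self, indicator: str, confirmed: bool) -> None:
        """Field feedback on a report updates its reporter's validity record."""
        rep = self.reports[indicator].reporter
        self.validity[rep][0 if confirmed else 1] += 1

class FirewallVendor:
    """Reformats clearinghouse reports into a host-level outbound block list."""
    def __init__(self):
        self.blocked_hosts = set()

    def receive(self, rep: C2Report) -> None:
        ind = rep.indicator
        self.blocked_hosts.add((urlsplit(ind).hostname if "://" in ind else ind).lower())
    def filter_outbound(self, log_lines):
        """Split 'src_ip dst_host dst_port' lines into (allowed, blocked)."""
        allowed, blocked = [], []
        for line in log_lines:
            _src, dst, _port = line.split()
            (blocked if dst.lower() in self.blocked_hosts else allowed).append(line)
        return allowed, blocked

def demo():
    ch = Clearinghouse(certified={"reporter-A"})
    vendor = FirewallVendor()
    ch.subscribers.append(vendor)
    ok1 = ch.submit(C2Report("reporter-A", "http://c2.example.invalid/gate.php", "botnet"))
    ok2 = ch.submit(C2Report("unknown-org", "203.0.113.9", "botnet"))  # rejected
    ok3 = ch.submit(C2Report("reporter-A", "203.0.113.9", "botnet"))
    ch.feedback("203.0.113.9", confirmed=True)
    log = ["10.0.0.5 c2.example.invalid 80",      # constructed outbound log
           "10.0.0.7 www.example.org 443",
           "10.0.0.9 203.0.113.9 8080"]
    allowed, blocked = vendor.filter_outbound(log)
    return ok1, ok2, ok3, len(allowed), len(blocked), ch.validity["reporter-A"]
```

    The two connections to reported C2 endpoints are blocked on the way out while ordinary web traffic passes, which is the "bugs get in, not out" effect the Roach Motel slide describes.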

    48/49

    Incentives

    - Threat reporters: certification for branding
    - Gov: secure industrial base at low cost; develop common operating picture
    - Firewall device vendors: new market
    - Medium & small companies: security at low cost in both money and time
    - Increase trust in the internet

    49/49

    Larry Clinton, President

    Internet Security [email protected]