2012 03 23 larry clinton cybersecurity legislation presentation before the privacy working group

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2012 03 23 Larry Clinton Cybersecurity Legislation Presentation Before the Privacy Working Group

    1/23

    Larry Clinton, President & CEO

    Internet Security Alliance

    [email protected]

    202-236-0001

    www.isalliance.org

  • 2/23

    Board of Directors

    - Joe Buonomo, President and CEO, Direct Computer Resources
    - Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
    - Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
    - Pradeep Khosla, Dean of the College of Engineering and Founding Director of CyLab, Carnegie Mellon University
    - Marcus Sachs, VP of Gov. Affairs and National Security Policy
    - Barry Hensley, VP and Director of Dell Secureworks Counter Threat Unit/Research Group, Dell/Secureworks
    - Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing
    - Gene Fredriksen, Global Information Security Officer, Tyco
    - Julie Taylor, VP Cyber & Information Solutions Business Unit
    - Rick Howard, iDefense General Manager, VeriSign
    - Brian Raymond, Director Tax, Technology and Domestic Economic Policy, National Association of Manufacturers
    - Tim McKnight, Chair, VP and CISO, Northrop Grumman
    - Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
    - Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA

  • 3/23

  • 4/23

    What Do You Know About Cyber Security?

    - Hackers?
    - Breaches?
    - Perimeter Defense?
    - A Technology Problem?
    - Firewalls and Passwords?
    - Corporate Irresponsibility?
    - APT?

  • 5/23

    Digital Changes

    - Privacy
    - Cognitive Functions
    - Concepts of Defense
    - Business Economics
    - Government/Industry Roles and Responsibilities

  • 6/23

    Rethinking The Problem

    It's Not An IT Problem

    We Need To Think Beyond Security:

    - Systems Approach
    - Infrastructure Development
    - Organizational Structure
    - International Competitiveness

  • 7/23

    ISAlliance Mission Statement

    ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

  • 8/23

    Cyber Economy Is Misaligned

    "[E]conomists have long known that liability should be assigned to the party that can best manage risk. Yet everywhere we look we see online risk allocated poorly. People who connect insecure machines to the Internet do not bear the full consequences of their actions (and) developers are not compensated for costly efforts to strengthen code."

    Anderson and Moore, Information Security, 2-3.

  • 9/23

    Cyber Security Economics Are Skewed

    - Responsibility, Costs, Harms and Incentives are Misaligned
    - Individual and Corporate Financial Loss (e.g. banks)
    - Defense Industrial Base Core Investment is Undermined by Edge Insecurity
    - Enterprises are not Structured to Properly Analyze Cyber Risk
    - Competitive Pressure Drives Toward Insecurity

  • 10/23

    VOIP/Smart Phones etc.

    Unified Communications

    "While unified communications offer a compelling business case, the strength of the UC solutions in leveraging the internet is also a vulnerability. Not only are UC solutions exposed to the security vulnerabilities and risk that the Internet presents, but the availability and relative youth of UC solutions encouraged malicious actors to develop and launch new types of attacks."

    Navigating Compliance and Security for Unified Communication.

  • 11/23

    Cloud Computing

    "62% of IT professionals surveyed reported that they had little or no faith in the security of data placed in the cloud, including 48% who had already placed their data in the cloud."

    PricewaterhouseCoopers/CIO Magazine Global Information Security Survey 2011

  • 12/23

    What We Do Know Is All Bad

    - All the economic incentives favor the attackers, i.e. attacks are cheap, easy, profitable and chances of getting caught are small
    - Defense inherently is a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show
    - Until we solve the cyber economics equation we will not have cyber security

  • 13/23

    Why China and the APT?

    "Countries that grow by 8-13% can only do this by copying. Copying is easy at first (you copy simple factories), but to grow by more than 8% you need serious know-how. There are only 2 ways to get this: partnering and theft. China cannot afford NOT to grow 8% yearly. Partnering won't transfer enough know-how to sustain 8%+, so all that's left is theft, and almost all the theft is electronic."

    Scott Borg, US Cyber Consequences Unit

  • 14/23

    Why Federal Regulation Won't Work

    - It misunderstands the problem as corporate avarice or consumer product safety; it's warfare
    - The technology and attacks change too quickly
    - There isn't adequate jurisdiction
    - The rules would be too general to be of use vs. APT
    - Diverting resources from security to compliance is counterproductive
    - Reg procedure stifles investment & innovation

  • 15/23

    The Social Contract

    - The historic social contracts for infrastructure development (phones and electricity) combine public policy, technology and economics successfully
    - A cyber security social contract, with different terms, can do the same

  • 16/23

    Terms For The Cyber Social Contract

    - Create an international entity to judge effectiveness of standards, practices, technologies
    - Government(s) create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
    - Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing/marketing advantages/taxes)

  • 17/23

    Growth Of The Social Contract Idea

    - 2008: ISA Publishes Cyber Social Contract
    - 2009: Obama's Cyber Space Policy Review
    - 2011: endorsed by multi-association/civil liberties white paper on cyber security
    - 2011: GOP Cyber Task Force Report
    - 2012: Rogers-Ruppersberger legislation (passes Intel committee 17-1)
    - 2012: World Institute for Nuclear Security (WINS)

  • 18/23

    Applying The Systems Approach In Enterprise

    - ISA Information Sharing model
    - VOIP/smart phone standards
    - Financial Management of Cyber Risk (50 questions for CFOs/answers/health care adaptation; E & Y adoption and Lawrence Livermore project)
    - Supply Chain and Model contracts

  • 19/23

    Senate bills

    - Lieberman-Collins: major issue is Title I DHS regulatory authority vs. major attacks (APT)
    - McCain et al.: info sharing/R & D/FISMA/law enforcement authority; no DHS reg role
    - Admin supports LC; getting testy
    - No action before May

  • 20/23

    ISA Issues with LC

    - No need: targeted infrastructure already regulated for cyber
    - No need: we are stopping APTs now
    - Fed Reg bad fit for APT: art not science
    - Regs will divert resources to compliance and away from security
    - DHS infrastructure not adequate to the task at this time

  • 21/23

    ISA Issues with LC

    - Incentives will work better; none in LC
    - Prolonged regulatory process will stifle innovation and investment, thus harming cyber security
    - Unclear what is actually covered under the definitions (except no IT???), thus adding to uncertainty, thus bad for markets
    - Title I does not contain even the basic regulatory safeguards in similar legislation

  • 22/23

    House

    - Thornberry Task Force: incentives
    - Rogers: liability for info sharing
    - Lungren: some DHS reg, study of incentives, NISO
    - Possibly Smith/Goodlatte: best practices
    - E & C bipartisan commission on incentives
    - Lungren may go to the full HLS next week
    - Lungren and Rogers could be on the floor April

  • 23/23

    Larry Clinton, President & CEO

    Internet Security Alliance

    [email protected]

    202-236-0001

    www.isalliance.org