2012 03 23 larry clinton cybersecurity legislation presentation before the privacy working group
TRANSCRIPT
-
7/31/2019 2012 03 23 Larry Clinton Cybersecurity Legislation Presentation Before the Privacy Working Group
Larry Clinton, President & CEO
Internet Security Alliance
[email protected]
202-236-0001
www.isalliance.org
-
Board of Directors
Tim McKnight, Chair, VP and CISO, Northrop Grumman
Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA
Joe Buonomo, President and CEO, Direct Computer Resources
Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
Pradeep Khosla, Dean of the College of Engineering and Founding Director of CyLab, Carnegie Mellon University
Marcus Sachs, VP of Gov. Affairs and National Security Policy
Barry Hensley, VP and Director of Dell SecureWorks Counter Threat Unit/Research Group, Dell/SecureWorks
Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing
Gene Fredriksen, Global Information Security Officer, Tyco
Julie Taylor, VP Cyber & Information Solutions Business Unit
Rick Howard, iDefense General Manager, VeriSign
Brian Raymond, Director Tax, Technology and Domestic Economic Policy, National Association of Manufacturers
-
What Do You Know About Cyber Security?
Hackers? Breaches? Perimeter Defense? A Technology Problem? Firewalls and Passwords? Corporate Irresponsibility? APT?
-
Digital Changes
Privacy
Cognitive Functions
Concepts of Defense
Business Economics
Government/Industry Roles and Responsibilities
-
Rethinking The Problem
It's Not An IT Problem
We Need To Think Beyond Security:
Systems Approach
Infrastructure Development
Organizational Structure
International Competitiveness
-
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.
-
Cyber Economy Is Misaligned
"[E]conomists have long known that liability should be assigned to the party that can best manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect insecure machines to the Internet do not bear the full consequences of their actions (and) developers are not compensated for costly efforts to strengthen code."
Anderson and Moore, Information Security, 2-3.
-
Cyber Security Economics Are Skewed
Responsibility, Costs, Harms and Incentives are Misaligned
Individual and Corporate Financial Loss (e.g. banks)
Defense Industrial Base Core Investment is Undermined by Edge Insecurity
Enterprises are not Structured to Properly Analyze Cyber Risk
Competitive Pressure Drives Toward Insecurity
-
VOIP/Smart Phones etc.
Unified Communications
"While unified communications offer a compelling business case, the strength of the UC solutions in leveraging the Internet is also a vulnerability. Not only are UC solutions exposed to the security vulnerabilities and risk that the Internet presents, but the availability and relative youth of UC solutions encouraged malicious actors to develop and launch new types of attacks."
Navigating Compliance and Security for Unified Communication.
-
Cloud Computing
62% of IT professionals surveyed reported that they had little or no faith in the security of data placed in the cloud, including 48% who had already placed their data in the cloud.
PricewaterhouseCoopers/CIO Magazine Global Information Security Survey 2011
-
What We Do Know Is All Bad
All the economic incentives favor the attackers, i.e. attacks are cheap, easy, profitable and the chances of getting caught are small
Defense is inherently a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show
Until we solve the cyber economics equation we will not have cyber security
-
Why China and the APT?
"Countries that grow by 8-13% can only do this by copying. Copying is easy at first: you copy simple factories, but to grow by more than 8% you need serious know-how. There are only 2 ways to get this: partnering and theft. China cannot afford NOT to grow 8% yearly. Partnering won't transfer enough know-how to sustain 8%+, so all that's left is theft, and almost all the theft is electronic."
Scott Borg, US Cyber Consequences Unit
-
Why Federal Regulation Won't Work
It misunderstands the problem as corporate avarice or consumer product safety; it's warfare
The technology and attacks change too quickly
There isn't adequate jurisdiction
The rules would be too general to be of use vs. APT
Diverting resources from security to compliance is counterproductive
Regulatory procedure stifles investment & innovation
-
The Social Contract
The historic social contracts for infrastructure development (phones and electricity) combined public policy, technology and economics successfully
A cyber security social contract, with different terms, can do the same
-
Terms For The Cyber Social Contract
Create an international entity to judge effectiveness of standards, practices, technologies
Governments create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing, marketing advantages, taxes)
-
Growth Of The Social Contract Idea
2008 ISA publishes Cyber Social Contract
2009 Obama's Cyberspace Policy Review
2011 Endorsed by multi-association/civil liberties white paper on cyber security
2011 GOP Cyber Task Force Report
2012 Rogers-Ruppersberger legislation (passes Intel Committee 17-1)
2012 World Institute for Nuclear Security (WINS)
-
Applying The Systems Approach In Enterprise
ISA Information Sharing model
VOIP/smart phone standards
Financial Management of Cyber Risk (50 questions for CFOs/answers/health care adaptation; E & Y adoption and Lawrence Livermore project)
Supply Chain and Model Contracts
-
Senate Bills
Lieberman-Collins: major issue is Title I DHS regulatory authority vs. major attacks (APT)
McCain et al.: info sharing/R & D/FISMA/law enforcement authority; no DHS regulatory role
Administration supports LC; getting testy
No action before May
-
ISA Issues with LC
No need: targeted infrastructure is already regulated for cyber
No need: we are stopping APTs now
Federal regulation is a bad fit for APT: art, not science
Regs will divert resources to compliance and away from security
DHS infrastructure not adequate to the task at this time
-
ISA Issues with LC (continued)
Incentives will work better; none in LC
Prolonged regulatory process will stifle innovation and investment, thus harming cyber security
Unclear what is actually covered under the definitions (except no IT???), thus adding to uncertainty, thus bad for markets
Title I does not contain even the basic regulatory safeguards found in similar legislation
-
House
Thornberry Task Force: incentives
Rogers: liability protection for info sharing
Lungren: some DHS regulation, study of incentives, NISO
Possibly Smith/Goodlatte: best practices
E & C bipartisan commission on incentives
Lungren may go to the full HLS next week
Lungren and Rogers could be on the floor in April
-
Larry Clinton, President & CEO
Internet Security Alliance
202-236-0001
www.isalliance.org