Dave McCurdy, Executive Director, Internet Security Alliance; President, Electronic Industries Alliance
Electronic Industries Alliance: “The Whole is Greater Than the Sum of the Individual Parts” • Consumer Electronics Association (CEA) • Telecommunications Industry Association (TIA) • Solid State and Semiconductor Technology Association (JEDEC) • Government Electronics & Information Technology Association (GEIA) • Electronic Components, Assemblies & Materials Association (ECA) • NSTEP National Science & Technology Education Partnership (Foundation) • Affiliates – Electronic Representative Association (ERA) – Internet Security Alliance (ISAlliance) – National Association of Relay Manufacturers (NARM)
Electronic Industries Alliance Mission • EIA the Alliance – “Promote market development and competitiveness of the high-tech industry through domestic and international policy efforts.” • EIA the Entity – Serves as a common voice for industry to educate policymakers and public – Addresses sustained and critical issues important to the constituent industry – Mobilizes the industry on critical issues – Coordinates policies and strategies with all allied associations – Promotes standards that serve the industry
Electronic Industries Alliance • Brings together top-level government officials and corporate leaders. • Each of the past four U.S. presidents and other major policy makers meet with EIA. • EIA provides major US tech link to international organizations
The Internet Security Alliance: The Internet Security Alliance is a collaborative effort between Carnegie Mellon University’s Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.
Sponsors
ISAlliance = Power-Synergy • Draws on the political muscle of EIA and its 80-year history in technology policy, market development and standards creation. • Draws on the internet security expertise of the CERT at Carnegie Mellon • Draws on an international membership to bring cohesion and focus to issues
ISAlliance International: India Participation • ISAlliance has active members on 4 continents • 20% of the ISAlliance Board are non-US based companies; the Board Chair is from CW of England • TCS is the ISAlliance Founding Sponsor from India • TCS has offered to become the first “ISAlliance Security Anchor”
Outline of Today’s Presentation • The substance and politics of outsourcing in the United States today • The relationship between security issues and outsourcing and its potential effect on public policy and international business cooperation. • A proposal for NASSCOM and its member companies to formally join/work together
Economics of Offshore Outsourcing for the US • The U.S. is now facing a third consecutive year of job losses. • Last summer the US lost a quarter million jobs, while US firms shipped 30,000 new service jobs to India. • Estimates are that during the next 15 years the US will lose 3.3 million jobs to foreign companies along with $136 billion in lost wages.
Positive Aspects of Outsourcing to India • India provides significant assets for high-tech companies: a highly educated workforce well-versed in math and science and possessing engineering degrees comparable to those from U.S. colleges and universities. • India is becoming an increasingly important member of the international economic community. This strength could also bring better relations between the U.S. and India, and a vested interest in international security.
The US Politics of Outsourcing to India • The U.S. faces a “job loss” economic recovery. • Homeland security, including cyber security, continues to have strong political appeal. • “The AFL-CIO (the largest union in the US) has mobilized support around the country for legislation that calls for an outright ban on overseas contracting” (Wash Post 1/31/04)
Results of Political Pressure in US • In November the state of Indiana canceled a $15 million contract with an Indian company due to public outcry over outsourcing. • Last year 8 states considered legislation to ban contracts using overseas workers; none passed, but more pressure is expected • On Jan 23, 2004 President Bush signed into law a provision prohibiting certain government contracts to companies performing the work overseas.
New US law is tip of the Iceberg • THE LAW IS LIMITED 1. It pertains to only a narrow range of mostly transportation contracts. 2. It is already set to expire in September 3. Very few contracts are likely to be affected • THE LAW IS A WARNING 1. State bills defeated last year have a better chance now 2. Congress and the Administration are now on record as willing to take aggressive action
What Drives the Outsourcing Politics? • Speaking of the new US federal law in Saturday’s Washington Post Stan Soloway (Pres. US Professional Service Council) is quoted as saying: “he knows of no such competitions that have resulted in jobs going overseas. (It is) security restrictions that keep government contractors from using foreign workers.” (Wash. Post 1/31/04)
A Security Focus may be a good approach for India • India is considered to have a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Poorer nations often don't have laws protecting foreign companies and rarely enforce whatever laws may exist. • India’s membership in WTO and adherence to TRIPS will help reduce fear.
US also needs a focus on Internet Security 1. Concerns about offshore-related security are on the rise. 2. Shift to higher-level outsourcing will put security more in the spotlight. Database testing offers a higher level of risk than application development and maintenance. 3. US industry must develop cooperative policies, or high-tech companies will be penalized by those who are not as familiar with the issues or who wish to capitalize on the misfortunes of voters.
Growth in Incidents Reported to the CERT/CC [Bar chart: incidents reported per year, 1988–2002]
The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC [Bar chart: vulnerabilities reported per year, 1995–2002]
The Threats – The Risks • Human Agents – Hackers – Disgruntled employees – White collar criminals – Organized crime – Terrorists • Exposures – Information theft, loss & corruption – Monetary theft & embezzlement – Critical infrastructure failure – Hacker adventures, e-graffiti/defacement – Business disruption • Methods of Attack – Brute force – Denial of Service – Viruses & worms – Back door taps & misappropriation – Information Warfare (IW) techniques • Representative Incidents – Code Red, Nimda, Sircam – CD Universe extortion, e-Toys “Hacktivist” campaign – Love Bug, Melissa Viruses
Attack Sophistication v. Intruder Technical Knowledge [Chart, 1980–2000, Low to High: attack sophistication and intruder knowledge plotted over time. Labeled tools and techniques: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, “stealth”/advanced scanning techniques, DDOS attacks]
Discovered Virus Threats Per Day [Chart: threats per day by year, 1991–2003 (2003 estimated)]
The Speed of Attacks Accelerates • Slammer (January 2003) – Blended threat exploits known vulnerability – Global in 3 minutes – Enterprises scramble to restore business availability • MYDOOM (January 2004) – Even Faster
Machines Infected per Hour at Peak [Bar chart: Code Red, Nimda, Goner, Slammer]
Computer Virus Costs (in billions) [Chart: damage range in $ billion by year, '96–'03 (2003 through Oct 7)]
ISA Security Anchor Proposal: Go beyond isolated conferences to • Full service trade association for cyber security providing on-going services in: • Information sharing on threats and incidents • Best practices/standards/assessment development • Locally-based education and training • Domestic & international policy development • Develop market incentives for cyber security
What Indian Partners Can Do: • Become Security Anchors in India • TCS will be a Security Anchor in India; other companies or Associations may also apply • Join ISAlliance, be a conduit for ISAlliance services • Work jointly on projects of mutual benefit • Work jointly on increasing confidence in free market policies in the Internet age • Work jointly on developing Return on Investment programs in cyber-security
ISAlliance/CERT Knowledgebase Examples