Larry Clinton, President & CEO, Internet Security Alliance
lclinton@isalliance.org | 703-907-7028 | 202-236-0001 | www.isalliance.org
Board of Directors
• Tim McKnight, Chair, VP and CISO, Northrop Grumman
• Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
• Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA
• Joe Buonomo, President and CEO, Direct Computer Resources
• Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
• Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
• Pradeep Khosla, Dean, College of Engineering & CyLab, Carnegie Mellon University
• Marcus Sachs, VP of Government Affairs and National Security Policy
• Barry Hensley, VP and Director, Counter Threat Unit/Research Group, Dell/SecureWorks
• Tom Kelly, Director of Information Security – Assessments and Vulnerabilities, Boeing
• Gene Fredriksen, Global Information Security Officer, Tyco
• Julie Taylor, VP Cyber & Information Solutions Business Unit
• Rick Howard, iDefense General Manager, VeriSign
• Brian Raymond, Director, Tax, Tech & Economic Policy, National Association of Manufacturers
How Real is the Cyber Threat?
• “. . . I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous. The Intelligence Community’s world-wide threat brief to Congress in January raised cyber threats to just behind terrorism and proliferation in its list of the biggest challenges facing our nation . . .” - Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command
• “If terrorist groups were able to acquire [] destructive cyber capabilities, I think we should fear greatly that they would use them . . . The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses . . . We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens.” - William Lynn, Former U.S. Deputy Secretary of Defense
• “This threat is so intrusive, it's so serious . . . If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory.” - Michael McConnell, Former Director of National Intelligence
• “We’ve got the wrong mental model here . . . I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway.” - Dr. James S. Peery, Director of the Sandia National Laboratories Information Systems Analysis Center
ISAlliance Mission Statement ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.
Why are we not cyber secure?
“We find that misplaced incentives are as important as technical design… security failure is caused at least as often by bad incentives as by bad technological design.” - Anderson and Moore, “The Economics of Information Security”
Economic Incentives Favor Attackers
• Offence: Attacks are cheap
• Offence: Attacks are easy to launch
• Offence: Profits from attacks are enormous
• Offence: GREAT business model
• Defense: Perimeter to defend is unlimited
• Defense: Hard to show ROI
• Defense: Usually a generation behind the attacker
• Defense: Prosecution is difficult and rare
• Economic incentives to be INSECURE: VoIP/mobile devices, Cloud, International Supply Chains
ISA Goals
• Thought Leadership in Cyber Security
• Public Policy Advocacy
• Develop Programs to stimulate improved cyber security
• Build the Alliance
Senate bills
• Lieberman-Collins: Major issue is Title I DHS regulatory authority vs. major attacks (APT)
• McCain et al.: info sharing / R&D / FISMA / law enforcement authority; no DHS regulatory role
• Administration supports Lieberman-Collins
• No action before May
• ISA has been asked to offer a rewrite of Title I: how to address CI without adding DHS regulations
House
• Thornberry Task Force: Incentives; maps to ISA
• Rogers: liability protection for info sharing
• Lungren: Some DHS regulation; study incentives; NISO
• Possibly Smith/Goodlatte: best practices
• E & C bipartisan commission on incentives
• Lungren may go to the full HLS committee next week
• Lungren and Rogers could be on the floor in April
2012 ISA Board Projects
• Public Policy Advocacy: The Cyber Security Social Contract (market incentives over regulations)
• APT for small/mid-sized (not huge) companies
• Supply Chain for hardware (model contracts)
• Financial Management of Cyber Risk
• Modernized Information Sharing Model
• CyberTrak (under development)
The Social Contract
• The historic social contracts for infrastructure development (phones and electricity) combined public policy, technology and economics successfully
• A cyber security social contract, with different terms, can do the same
Terms for the Cyber Social Contract
• Create an international entity to judge the effectiveness of standards, practices and technologies
• Governments create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
• Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing, marketing advantages, taxes)
Growth of the social contract idea
• 2008: ISA publishes Cyber Social Contract
• 2009: Obama’s Cyber Space Policy Review
• 2011: Endorsed by multi-association/civil liberties white paper on cyber security
• 2011: GOP Cyber Task Force Report
• 2012: Rogers-Ruppersberger legislation (passes Intel committee 17-1)
• 2012: World Institute for Nuclear Security (WINS)
Enterprise Cyber Security
“The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them, and encouraging individuals and organizations to adopt them.” - The Information Systems Audit and Control Association (ISACA), quoted in Dept. of Commerce Green Paper, March 2011
Why Are We Not Doing It?
• “Overall, cost was most frequently cited as ‘the biggest obstacle to ensuring the security of critical networks.’”
• “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.”
• “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat.”
- CSIS & PwC Surveys 2010
PwC 2011 study in A & D
• A & D respondents were 2x as likely to report financial losses from security incidents as in 2008
• Security spending deferrals and cutbacks UP for the 3rd year in a row: 20-40% over last year
• The confidence rating among A & D Sr. Execs declined by 19 points since 2006
• Single greatest obstacle: “decision makers at the top of the house.”
Financial Management of Cyber Risk (2010)
Growth in Financial Risk Management Approach
• ISA released its Cyber Risk Team approach in 2007, 2010 and 2012 (health care)
• CMU study in 2007: only 17% of firms had organization-wide cyber risk teams
• In the 2011 CMU study, 87% have cyber risk teams
• Ponemon Institute shows investment in cyber up 100% from 2007 to 2012
• Major firms (E&Y) now using the ISA model
The APT: Average Persistent Threat
“The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event… APT is no longer just a threat to the public sector and the defense establishment… this year significant percentages of respondents across industries agreed that APT drives their organizations’ security spending.” - PricewaterhouseCoopers Global Information Security Survey, September 2011
APT: We Are Not Winning
• “80% of A & D security experts surveyed said that their companies’ security policies did not address APT-style attacks. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.” - PwC 2011
Are we thinking of APT all wrong?
• “Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)” - PwC 2011
• “Conventional information security defenses don’t work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target’s network while the target believes they have been eradicated.” - M-Trends Report 2011
ISA and APT
• Roach Motel Model, 2008 (Jeff Brown, Raytheon, Chair)
• Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, co-chairs)
Supply chain
“The exploitation of information technology (IT) products and services through the supply chain is an emerging threat. In January 2012, the Director of National Intelligence identified the vulnerabilities associated with the IT supply chain for the nation’s networks as one of the greatest strategic cyber threat challenges the country faces.” - GAO Report, March 2012
Recommend
More recommend