2009 09 24 larry clinton isa aia public policy webinar
TRANSCRIPT
-
7/31/2019 2009 09 24 Larry Clinton ISA AIA Public Policy Webinar
1/48
Larry Clinton
President
Internet Security Alliance
[email protected]
703-907-7028 (O) 202-236-0001 (C)
-
ISA Presentation to AIA
1. Who is the ISA?
2. Brief history of USG Cyber Security Policy
3. Current Congressional and Obama Administration Activity
4. What's to come in the immediate future?
5. Upcoming AIA/ISA Webinars
-
Upcoming AIA/ISA Webinars
Managing Financial Risks and Cyber Security, featuring Ty Sagalow, Executive Vice President & Chief Innovation Officer, Zurich, and Joe Buonomo, President, Direct Computer Resources, Inc. To be presented on 9/24/09
Information Sharing: Modern Technology and Legal Structures, featuring Jeff Brown, Director, Infrastructure Services and CISO Information Technology, Raytheon. To be presented on 10/22/09
Testing In A Real Environment Leads to Faster Cyber Security Innovation, featuring General (Ret.) Charles "Charlie" Croom, Vice President of Cyber Security Solutions, Lockheed Martin Information Systems & Global Services, and Curt Aubley, Chief Technology Officer (CTO), Lockheed Martin Operations & Next Generation Solutions. To be presented on 11/5/09
Supply Chain Issues in Cyber Security: A Framework for Moving Forward, featuring Scott Borg, Director and Chief Economist (CEO) at the U.S. Cyber Consequences Unit. To be presented on 11/19/09
Legal Framework for Securing Unified Communications, featuring Jeffrey Ritter, President, Waters Edge Consulting.
-
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon University School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, CISO Information Security, Boeing
-
Our Partners
-
Internet Security Alliance Priority Projects
1. Public Policy: The Cyber Security Social Contract: Recommendations to Obama
2. Financial Risk Management of Cyber Events
3. Securing the Globalized IT Supply Chain
4. Securing the Unified Communications Platform
5. Modernizing Law in the Digital Age
-
The Old Web
-
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
-
What is the I-Net & how do we Manage it?
Inherently insecure
Constantly changing
International
Doesn't fit in traditional governance boxes
Not even really an "it"; it's a network of networks/digital/public/private/shared
Tied into everything
-
Post 9-11 Cyber Security Policy
National Strategy to Secure Cyber Space
DIB Effort
Comprehensive National Cyber Initiative (CNCI)
CSIS and ISA Proposals to Obama/Congress
60-day review & Obama Speech (5/29/09)
-
National Strategy to Secure Cyber Space (2002-03)
First comprehensive Administration view of problem
Raised many key issues
Predicted market forces would adequately motivate private sector
General lack of follow-through by USG
-
USG is a user and an enforcer
-
Extent of the Problem
Military Testimony: Vice Chairman of the Joint Chiefs of Staff James Cartwright told Congress in March 2007 that America is under widespread attack in cyberspace.
Wall Street Journal: "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials."
Wired Magazine: "The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further."
CSIS: "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like ULTRA and Enigma, a battle fought mainly in the shadows. It is a battle we are losing."
New York Times: TJX says it has spent at least $130 million on legal and other matters related to the security breach.
-
Latter Bush Years
Comprehensive National Cyber Initiative (CNCI)
Largely classified (except for Project 12), including proposing use of:
British Consultancy Model
DIB initiative
-
DIB program
DoD agrees to:
Provide classified tips and analysis on threat actors
Distribute attributed data from DoD and other industry partners
Protect data attributable to specific companies
Provide selected forensic support
~30 cleared defense contractors agree to:
Report compromised computers to DoD
Provide analysis of information exposed
Provide forensic image of computer if requested
Participate in formal Damage Assessment run by DoD acquisition community
-
What to Tell President Obama?
1. We need to increase our emphasis and investment on cyber security
2. Cyber Security must be recognized as critical infrastructure maintenance
3. Cyber Security is not an IT problem.
4. Cyber security is an enterprise-wide risk management problem
5. Government and Industry need a new relationship
-
Releasing the Cyber Security Social Contract
November, 2008
-
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th C
Infrastructure development -- market incentives
Consumer protection through regulation
Gov role is more creative/harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
-
Administration and Congress Get More Active
White House 60-day policy review: "The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public."
Congress: Network Defense Act places requirements on contractors doing business with DHS
Department of Defense: Announcing results of DFARS review
-
DoD Action
DOD is currently evaluating information security standards and developing DFARS language (to be released in Summer/Fall)
Army Labs Policy Memo directs acquisition executives to engage their Program Executive Offices and Program Managers to take immediate steps to:
Ensure that CUI is identified and appropriately protected in DoD acquisition programs
Report incidences and exfiltration
-
Current Congressional Activity
Over Hearings & Actions, Different Committees
Congress' Investigative Arm Reports on Cyber Issues
Senate Bill (S. 773)
House Bill (H.R. 2195)
-
Current Congressional Activity
S 773 Rockefeller/Snowe
Lieberman/Collins (Sen. Homeland Security)
House Commerce Committee
House Homeland Security Committee
-
Rockefeller/Snowe S 773
NIST standards for federal agencies & private sector
NIST responsibility for international cyber standards development and enforcement
National licensing & certification for cyber professionals
NSF support for R&D & test beds
Cyber Clearinghouse for threats & vulnerabilities (including access)
Secure Products & Services Acquisition Board (Approval Seal)
Presidential "Kill-Switch"
-
Presidential Interest
Hacking Obama's Website: "It's no secret that my presidential campaign harnessed the Internet and technology to transform politics. What isn't widely known is that during the general election hackers managed to penetrate our computer systems." (President Obama, May 29, 2009)
"Source In Iran Sees Plans for President's Chopper" (USA Today, Mar. 2, 2009)
"The U.S. Navy is investigating how an unauthorized user in Iran gained online access to blueprints and other information about a helicopter in President Obama's fleet."
-
Obama speaks on cyber security
"My administration will pursue a new comprehensive approach to securing America's digital infrastructure.
This new approach with this: From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a."
(President Obama, May 29, 2009)
-
President Obama's Report on Cyber Security (May 30 2009)
ISA Social Contract is first item quoted in the Executive Summary in Obama's Cyber Security Report
ISA is also the final source quoted in the Ex Summary for President Obama's Cyber Security Report
The Obama Report cites 13 different ISA Policy and white papers in creating the Administration's Cyber Space Policy Review
President Obama himself: "Let me make one thing very clear, we will not mandate standards to the private sector."
-
President Obama's Report on Cyber Security (May 30, 2009)
"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." President's Cyber Space Policy Review, May 30, 2009, page v
Quoting Internet Security Alliance "Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress"
-
Obama Near Term Action Plan:
1. Appoint a Cyber Security policy coordinator directly responsible to the President and dual-hatted to both the NSC and the NEC.
2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
President's Cyber Space Policy Review, May 30, 2009, page vi
-
Obama Near Term Action Plan
Initiate a national awareness campaign (train workforce/improve education also in mid-term plan)
Expand information sharing programs
Refine Government procurement and improve market incentives
-
Congressional Testimony
October, 2007
-
ISA Proposed Incentives (Testimony E & C May 1, 2009)
1. R & D Grants
2. Tax incentives
3. Procurement Reform
4. Streamlined Regulations
5. Liability Protection
6. Public Education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act
-
Proposed Incentives: Liability
"The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." --- Obama Administration's Report on Cyber Security, May 2009, page 28
-
The Economy is reliant on the Internet
"The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security." PWC Global Cyber Security Survey 2008
-
The need to understand business economics to address cyber issues
"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." --- President's Cyber Space Policy Review, May 30, 2009, page 18
-
Financial Management of Cyber Risk
"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyber Space Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask
---- including what they ought to be asking their General Counsel and outside counsel. Also, HR, Bus Ops, Public and Investor Communications & Compliance
-
Financial Impact of Cyber Risk
October, 2008
-
Information Sharing
Problem clearly needs additional work
DIB model results good, but some problems and not scalable
Trust is built on mutual exchange
Alternatives: British Consultancy Model; "Roach Motel" Model
-
Cyber Security as a New Business Opportunity
"Military contractors are now in the enviable position of turning what they learned from protecting sensitive Pentagon data that sits on their own computers, into a lucrative business that could replace revenue from the cancellation of conventional weapons systems as the demand for greater computer security spreads to health care, energy and the rest of the critical infrastructures." NY Times 5/31/09
-
Securing the IT Supply Chain
"The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities." ---- President's Cyber Space Policy Review, May 30, 2009, page 34
-
Securing The IT Supply Chain In The Age of Globalization
November, 2007
-
ISA/CMU Supply Chain Project
18 months long (start fall 07)
Focus on firmware
Carnegie Mellon University and Center for Cyber Consequences Unit
3 conferences
100 Gov., Industry and Academic participants
Results are strategy and framework provided to USG for NSC 60-day review of cyber policy
-
ISA/CMU Supply Chain Project
1. Globalization of IT Supply Chain will increase
2. USG reliance on IT will also increase
3. Threat from IT supply chain significant for USG
4. USG-only solution impractical
5. Attackers will be fluid and creative, so fixed policies will be ineffective long term
6. Need a flexible framework of solutions
7. Framework must account for both security and cost
-
Appendix C of Obama Administration Report: Conclusion
"The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole." President's Cyber Space Policy Review, May 30, 2009, page C-12
-
Other Legal Issues That Need to be Resolved
"Scores of legal issues emerged, such as considerations related to the aggregation of authorities, what authorities are available for the government to protect privately owned critical infrastructure, the placement of Internet monitoring software, the use of automated attack detection and warning sensors, data sharing with third parties within the Federal government, and liability protections for the private sector." (Obama Administration's Report on Cyber Security, May 2009, page 3)
-
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks
September, 2008
ISA Unified Communications
-
ISA Unified Communications Legal Compliance Analysis (June 2009)
1. Describes available Unified Communications (UC) Technologies
2. Describes Security Risks of Deployment
3. Inventory of Laws to be considered pre-deployment
4. Analysis of whether ECPA creates a legal barrier to deployment
5. Toolkit for lawyers and clients to assist in avoiding exposure from deployment
-
Larry Clinton
President
Internet Security Alliance
[email protected]
703-907-7028 (O) 202-236-0001 (C)