2009 12 15 Larry Clinton Supply Chain and VoIP Presentation to the Software Assurance Working Group
TRANSCRIPT
-
7/31/2019 2009 12 15 Larry Clinton Supply Chain and VoIP Presentation to the Software Assurance Working Group
The Internet Security Alliance
The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally-based trade association devoted to cyber security. ISA has individual corporate memberships and wholesale memberships with TIA, NAM, AIA & other associations.
-
ISA Board of Directors
Ty Sagalow, Esq., Chair, President, Innovation Division, Zurich
Tim McKnight, Second Vice Chair, CSO, Northrop Grumman
Ken Silva, Immediate Past Chair, CSO, VeriSign
Joe Buonomo, President, DCR
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Lawrence Dobranski, Chief Strategic Security, Nortel
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Bruno Mahlmann, VP Cyber Security, Dell-Perot Systems
Linda Meeks, VP CISO, Boeing Corporation
J. Michael Hickey, 1st Vice Chair, VP Government Affairs, Verizon
Marc-Anthony Signorino, Treasurer, National Association of Manufacturers
-
Why? ISAlliance Mission Statement
ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.
-
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th Century
Infrastructure development -- market incentives
Consumer protection through regulation
Govt. role is more creative, harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
-
President Obama's Report on Cyber Security
The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. (President's Cyber Space Policy Review, page iii)
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
-
ISA / Obama CSPR Major Points of Agreement
Cyber Security is a priority national issue
White House needs to take leadership role
Need an Enterprise Wide Risk Management approach to cyber security
Cyber security is as much a strategic & economic issue as an operational & technology issue
Private Sector is on the front lines of the cyber security defense, hence need partnership
Market incentives, not regulation, must be deployed to enhance private sector cyber security
-
Social Contract II
Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model
-
Chapter 1: Economics of Cyber Security
All the current incentives favor the bad guys
Attacks are cheap, easy, very profitable & the perimeter to attack is virtually limitless
Defense can be hard, expensive, a generation behind the attackers, and ROI is hard to show
Costs of cyber attacks are not transparent
So long as the economic equation of cyber security is unbalanced we will have attacks
-
Cyber Space Policy Review is Pro-Economic
The Cyber Coordinator will report to the National Economic Council as well as the National Security Council
CSPR embraces an enterprise wide risk management philosophy (including Enterprise Education)
For the first time the government proposes the use of economic incentives to promote better private sector security
-
Chapter 2: Partnership at the Business Plan Level
Studies, CIA, NSA all say we know how to solve 80-90% of the problem---just not doing it
Regulation doesn't fit the I-Net (slow, minimalist, US only, creates economic & security problems)
Obama personally rejected regulation of PS
Gov role to evaluate & create incentives for adopting good cyber secure policies, practices and technologies, just as in other areas of economy
Market incentives endorsed by Obama CSPR
-
Congressional Testimony, October 2007
-
ISA Testimony on Incentives (May 1, 2009)
1. R & D Grants
2. Tax incentives
3. Procurement Reform
4. Streamlined Regulations
5. Liability Protection
6. Public Education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act
-
Obama's Report on Cyber Security (May 30, 2009)
The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms.
President's Cyber Space Policy Review, May 30, 2009, page vs.
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
-
Chapter 3: Information Sharing
Current model doesn't work
Modern business systems too open
Limited participation in ISACs, especially SMEs
Gov won't give source material, industry won't give attack data or important internal information
Can't keep out determined attackers
Once in the systems we have more control over attackers
-
Information Sharing--Incentives
Large Orgs become designated reporters (gold, silver etc.) which can be used for marketing
Report C2 sites (URLs / web sites), not that they have been breached or internal data
Gov reports---not source data
AV community circulates the info for profit
Small companies able to participate: easy and cheap to block C2
-
Securing The IT Supply Chain In The Age of Globalization, November 2007
-
Chapter 4: Supply Chain
ISA & CMU launched its supply chain project in 2006
3 Conferences at CMU and DC with more than 100 industry, govt. and academic experts
CMU Report 2007/2008
Scott Borg, US Cyber Consequences Center, leading effort in 2009/2010
Focus on hardware/firmware
-
Securing the IT Supply Chain
The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.
For organizations that have not yet made cyber security a true priority there are other barriers, often primarily economic.
President's Cyber Space Policy Review, May 30, 2009, page 34
-
Supply Chain Economic Issues
Secure Foundry unsustainable (think prisons)
Govt. mandates unsustainable
We are inherently a global economy
US firms can't compete with heavy special burdens
Mandating security for US firms will hurt economically, reduce quality and harm security by driving providers off-shore even more
-
ISA Supply Chain Framework
5 Phases: design, fabrication, assembly, distribution & maintenance
Remedies to interruption of production, corruption of production, discrediting of production and loss of control of production
Legal Support for: unambiguous contracts with security measures, responsible corporation with long-term interests, motivation for workers and execs, verification & enforcement
-
2010 Supply Chain Agenda
5 Workshops in first 2 quarters of 2010
I. Securing the Design and Fabrication Phases.
II. Securing the Assembly, Distribution, and Maintenance Phases.
III. Establishing the Necessary Legal and Contractual Conditions.
-
Chapter 4: Enterprise Education focus on $
It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. President's Cyber Space Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask ----including what they ought to be asking their General Counsel and outside counsel. Also HR, Bus Ops, Public and Investor Communications & Compliance
-
Releasing the Cyber Security Social Contract, November 2008
-
Financial Management of Cyber Risk 2010
* Phase I: 50 questions CFOs ask
* Complete Phase II: responses to the 50 questions every CFO should ask operations, HR, risk manager, communications, legal & compliance
* Phase III: Separate programs & best practice for each organizational section on cyber security
* CIO Net & European Commission request proposals for EU versions of ISA/ANSI program
-
Chapter 5 & 6: VoIP standards & Old Laws
The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole.
President's Cyber Space Policy Review, May 30, 2009, page C-12
-
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008
-
ISA Partners
-
VoIP Participants
AJ West, Boeing
Alex Fielding, Ripcord Networks
Allie Larman, Oklahoma Office of State Finance
Andrew Bove, Secure Acuity Networks, LLC
Andriy Markov, VoIPshield Systems Inc.
Barry Wasser, Department of Homeland Security
Blake Frantz, Center For Internet Security
Bob Moskowitz, ICSAlabs, an Independent Division of Verizon Business Systems
Bogdan Materna, VoIPshield Systems Inc.
Calvin Bowditch, Joint Task Force-Global Network Operations
Carl Herberger, Evolve IP
Cheri Sigmon, Department of Defense
Cynthia Reese, Science Applications International Corporation (SAIC)
David Lukasik, Department of Veterans Affairs
Dawn Adams, EWA-Canada
Denise Walker, DBA, Lone Star College System
Ed Stull, Direct Computer Resources
Ed White, McAfee
Edward Cummins, Raytheon
Gary Gapinski, National Aeronautics and Space Administration
Imran Khan, Consultant
James Mesta, Agilent Technologies, Inc.
Jeffrey Ritter, Waters Edge Consulting
Jim Meyer, Institute for Defense Analyses
John Fulater, HSBC North America
Joseph Dalessandro, Withheld
Ken Fee, Firefly Communications
Ken Stavinoha, Microsoft
Kenneth Kousky, Salare Security, LLC
Kevin Watkins, McAfee
Laurie Hestor, Defense Information Systems Agency
Linda Kostic, eTrade Financial
Lorelei Knight, ICSAlabs, an Independent Division of Verizon Business Systems
Lynn Hitchcock, Raytheon
Mark Humphrey, Boeing
Matt Trainor, Nortel Networks
Paul Salva, HSBC North America
Pete Eisele, Northrop Grumman
Peter Thermos, Palindrome Technologies
Rick Mellendick, Food and Drug Administration
Robert Smith, Global UniDocs Company
Ronald Rice, Defense Information Systems Agency
Scott Armstrong, Gideon Technologies
Shawn Dickson, Raytheon
Sheila Christman, National Security Agency
Steve Carver, FAA (Retired)
Steven Draper, National Security Agency
Terry Rimmer, Oklahoma Office of State Finance
Tom Grill, VeriSign
Chair of the Applicability Group
Paul Sand, Salare Security
-
VoIP legal and technical products
1. Legal Compliance & Security Report describes:
Available Unified Communications (UC) Technologies
Security Risks of Deployment
Inventory of Laws to be considered pre-deployment
If ECPA creates a legal barrier to deployment
Toolkit for lawyers and clients to assist in avoiding exposure from deployment
2. Technical program with NIST addresses:
SCAP Suitability and baseline standards
NSA/DHS Grant proposal