2009-12-15 Larry Clinton: Supply Chain and VoIP Presentation to the Software Assurance Working Group

Upload: isalliance

Post on 05-Apr-2018

TRANSCRIPT

  • 7/31/2019 2009 12 15 Larry Clinton Supply Chain and VoIP Presentation to the Software Assurance Working Group

    1/30

    The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally-based trade association devoted to cyber security. ISA has individual corporate memberships and wholesale memberships with TIA, NAM, AIA & other associations.

    2/30

    ISA Board of Directors

    Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
    J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
    Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
    Ken Silva, Immediate Past Chair; CSO, VeriSign
    Marc-Anthony Signorino, Treasurer; National Association of Manufacturers
    Joe Buonomo, President, DCR
    Jeff Brown, CISO/Director IT Infrastructure, Raytheon
    Lawrence Dobranski, Chief Strategic Security, Nortel
    Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
    Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
    Pradeep Khosla, Dean, Carnegie Mellon School of Computer Science
    Bruno Mahlmann, VP Cyber Security, Dell-Perot Systems
    Linda Meeks, VP CISO, Boeing Corporation

    3/30

    Why? ISAlliance Mission Statement

    ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.

    4/30

    5/30

    ISA Cyber Social Contract

    Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
    Infrastructure development: market incentives
    Consumer protection through regulation
    Govt. role is more creative, and harder: motivate, not mandate, compliance
    Industry role is to develop practices and standards and implement them

    6/30

    President Obama's Report on Cyber Security

    "The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyberspace Policy Review, page iii)

    Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

    7/30

    ISA / Obama CSPR: Major Points of Agreement

    Cyber security is a priority national issue
    White House needs to take leadership role
    Need an enterprise-wide risk management approach to cyber security
    Cyber security is as much a strategic & economic issue as an operational & technology issue
    Private sector is on the front lines of the cyber security defense, hence need partnership
    Market incentives, not regulation, must be deployed to enhance private sector cyber security

    8/30

    Social Contract II

    Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model

    9/30

    Chapter 1: Economics of Cyber Security

    All the current incentives favor the bad guys
    Attacks are cheap, easy, very profitable & the perimeter to attack is virtually limitless
    Defense can be hard, expensive, a generation behind the attackers, and ROI is hard to show
    Costs of cyber attacks are not transparent
    So long as the economic equation of cyber security is unbalanced we will have attacks

    10/30

    Cyberspace Policy Review is Pro-Economic

    The Cyber Coordinator will report to the National Economic Council as well as the National Security Council
    CSPR embraces an enterprise-wide risk management philosophy (including enterprise education)
    For the first time the government proposes the use of economic incentives to promote better private sector security

    11/30

    Chapter 2: Partnership at the Business Plan Level

    Studies, CIA, NSA all say we know how to solve 80-90% of the problem; we are just not doing it
    Regulation doesn't fit the Internet (slow, minimalist, US-only, creates economic & security problems)
    Obama personally rejected regulation of the private sector
    Gov role is to evaluate & create incentives for adopting good cyber security policies, practices and technologies, just as in other areas of the economy
    Market incentives endorsed by Obama CSPR

    12/30

    Congressional Testimony, October 2007

    13/30

    ISA Testimony on Incentives (May 1, 2009)

    1. R & D grants
    2. Tax incentives
    3. Procurement reform
    4. Streamlined regulations
    5. Liability protection
    6. Public education
    7. Insurance
    8. SBA loans
    9. Awards programs
    10. Cyber SAFETY Act

    14/30

    Obama's Report on Cyber Security (May 30, 2009)

    "The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms."

    President's Cyberspace Policy Review, May 30, 2009, page vs.

    Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress

    15/30

    Chapter 3: Information Sharing

    Current model doesn't work
    Modern business systems too open
    Limited participation in ISACs, especially SMEs
    Gov won't give source material, industry won't give attack data or important internal information
    Can't keep out determined attackers
    Once they are in the systems, we have more control over attackers

    16/30

    Information Sharing: Incentives

    Large orgs become designated reporters (gold, silver, etc.), which can be used for marketing
    Report C2 sites (URLs, web sites), not that they have been breached or internal data
    Gov reports, not source data
    AV community circulates the info for profit
    Small companies able to participate: easy and cheap to block C2
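    The last two bullets rest on a technical claim: a small company that receives a list of C2 sites (domains and URLs, not breach details) can act on it cheaply. The following is an added example, not code from the original deck or from ISA, showing what that looks like in practice. The feed format (one indicator per line, bare domain meaning "host and all subdomains", full URL meaning "that exact resource"), the proxy log layout and every indicator and client address are constructed for this example, as is the split into a DNS-style blocklist and a proxy rule list. The suffix check matters: a naive substring match on the shared domain would also block, or miss, look-alike names.

```python
"""Apply a shared C2 indicator list to local proxy logs (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed in an assumed format: '#' comments, bare domain = host and all
# subdomains, full URL = that exact scheme-less host:port/path. None of these are real.
SHARED_C2_FEED = """\
# C2 indicators circulated by a designated reporter (constructed, not real)
c2.example-bad.test
UPDATE.beacon-host.test.
http://cdn.legit-looking.test/stage2/payload.bin
https://Mixed.Case.test:8443/gate.php
"""

# Constructed proxy log: timestamp, client IP, method, URL (one request per line).
PROXY_LOG = """\
1260000001 10.0.0.5 GET http://c2.example-bad.test/ping
1260000002 10.0.0.5 GET http://www.c2.example-bad.test/ping
1260000003 10.0.0.7 GET http://notc2.example-bad.test.evil.test/
1260000004 10.0.0.9 GET http://cdn.legit-looking.test/index.html
1260000005 10.0.0.9 GET http://cdn.legit-looking.test/stage2/payload.bin
1260000006 10.0.0.2 GET https://mixed.case.test:8443/gate.php
1260000007 10.0.0.2 GET https://mixed.case.test:8443/index.html
"""


@dataclass(frozen=True)
class Indicator:
    host: str               # lower-case, trailing dot removed
    port: int | None        # None for a bare-domain indicator
    path: str | None        # None for a bare-domain indicator

    @property
    def is_url(self) -> bool:
        return self.path is not None


def _norm_host(host: str) -> str:
    return host.lower().rstrip(".")


def _split_url(url: str) -> tuple[str, int, str]:
    """Return (host, port, path) with the scheme's default port filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return _norm_host(u.hostname or ""), port, u.path or "/"


def parse_feed(text: str) -> list[Indicator]:
    """Parse the constructed feed format; comments and blank lines are ignored."""
    indicators = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" in line:
            host, port, path = _split_url(line)
            indicators.append(Indicator(host, port, path))
        else:
            indicators.append(Indicator(_norm_host(line), None, None))
    return indicators


def matches(ind: Indicator, host: str, port: int, path: str) -> bool:
    host = _norm_host(host)
    if ind.is_url:
        # URL indicator: exact host, port and path; the path is case-sensitive.
        return host == ind.host and port == ind.port and path == ind.path
    # Domain indicator: the host itself or any subdomain, never a mere substring,
    # so "notc2.example-bad.test.evil.test" does not match "c2.example-bad.test".
    return host == ind.host or host.endswith("." + ind.host)


def check_url(url: str, indicators: list[Indicator]) -> Indicator | None:
    host, port, path = _split_url(url)
    return next((i for i in indicators if matches(i, host, port, path)), None)


def scan_proxy_log(log: str, indicators: list[Indicator]) -> list[tuple[str, str, str]]:
    """Return (client_ip, url, matched indicator host) for every request that hit."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines rather than crash
        _ts, client, _method, url = fields
        ind = check_url(url, indicators)
        if ind is not None:
            hits.append((client, url, ind.host))
    return hits


def blocklists(indicators: list[Indicator]) -> tuple[list[str], list[str]]:
    """Domain indicators can be sunk in DNS (RPZ-style lines); URL indicators
    need a proxy rule because DNS cannot see the path."""
    dns_rules, proxy_rules = [], []
    for ind in indicators:
        if ind.is_url:
            proxy_rules.append(f"{ind.host}:{ind.port}{ind.path}")
        else:
            dns_rules.append(f"{ind.host} CNAME .")
            dns_rules.append(f"*.{ind.host} CNAME .")
    return dns_rules, proxy_rules


if __name__ == "__main__":
    feed = parse_feed(SHARED_C2_FEED)
    for client, url, ioc in scan_proxy_log(PROXY_LOG, feed):
        print(f"{client} contacted {url} (indicator {ioc})")
    dns_rules, proxy_rules = blocklists(feed)
    print("DNS:", *dns_rules, sep="\n  ")
    print("Proxy:", *proxy_rules, sep="\n  ")
```

    Running it flags four of the seven constructed requests (the two to c2.example-bad.test and its www subdomain, the exact payload URL, and the gate.php request on port 8443) and leaves the look-alike evil.test host and the same-host, different-path requests alone. The design choice worth noting is that bare domains and URLs are handled differently on purpose: a URL indicator lets a reporter share a hostile path on an otherwise legitimate CDN without blocking the whole host, which is what makes this kind of reporting acceptable to the organisation that observed it.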

    17/30

    Securing the IT Supply Chain in the Age of Globalization, November 2007

    18/30

    Chapter 4: Supply Chain

    ISA & CMU launched the supply chain project in 2006
    3 conferences at CMU and DC with more than 100 industry, govt. and academic experts
    CMU Report 2007/2008
    Scott Borg, US Cyber Consequences Unit, leading the effort in 2009/2010
    Focus on hardware/firmware

    19/30

    Securing the IT Supply Chain

    "The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities. For organizations that have not yet made cyber security a true priority there are other barriers, often primarily economic."

    President's Cyberspace Policy Review, May 30, 2009, page 34

    20/30

    Supply Chain Economic Issues

    Secure foundry unsustainable (think prisons)
    Govt. mandates unsustainable
    We are inherently a global economy
    US firms can't compete with heavy special burdens
    Mandating security for US firms will hurt economically, reduce quality and harm security by driving providers off-shore even more

    21/30

    ISA Supply Chain Framework

    5 phases: design, fabrication, assembly, distribution & maintenance
    Remedies to interruption of production, corruption of production, discrediting of production and loss of control of production
    Legal support for: unambiguous contracts with security measures, responsible corporations with long-term interests, motivation for workers and execs, verification & enforcement

    22/30

    2010 Supply Chain Agenda

    5 workshops in the first 2 quarters of 2010:
    I. Securing the Design and Fabrication Phases
    II. Securing the Assembly, Distribution, and Maintenance Phases
    III. Establishing the Necessary Legal and Contractual Conditions

    23/30

    Chapter 4: Enterprise Education, focus on $

    "It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyberspace Policy Review, May 30, 2009, page 15

    ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, business operations, public and investor communications & compliance.

    24/30

    Releasing the Cyber Security Social Contract, November 2008

    25/30

    Financial Management of Cyber Risk 2010

    Phase I: 50 questions CFOs ask
    Complete Phase II: responses to the 50 questions every CFO should ask operations, HR, risk manager, communications, legal & compliance
    Phase III: separate programs & best practice for each organizational section on cyber security
    CIO Net & European Commission request proposals for EU versions of the ISA/ANSI program

    26/30

    Chapter 5 & 6: VoIP Standards & Old Laws

    "The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole."

    President's Cyberspace Policy Review, May 30, 2009, page C-12

    27/30

    Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008

    28/30

    ISA Partners

    29/30

    VoIP Participants

    AJ West, Boeing
    Alex Fielding, Ripcord Networks
    Allie Larman, Oklahoma Office of State Finance
    Andrew Bove, Secure Acuity Networks, LLC
    Andriy Markov, VoIPshield Systems Inc.
    Barry Wasser, Department of Homeland Security
    Blake Frantz, Center For Internet Security
    Bob Moskowitz, ICSAlabs, an Independent Division of Verizon Business Systems
    Bogdan Materna, VoIPshield Systems Inc.
    Calvin Bowditch, Joint Task Force-Global Network Operations
    Carl Herberger, Evolve IP
    Cheri Sigmon, Department of Defense
    Cynthia Reese, Science Applications International Corporation (SAIC)
    David Lukasik, Department of Veterans Affairs
    Dawn Adams, EWA-Canada
    Denise Walker, DBA, Lone Star College System
    Ed Stull, Direct Computer Resources
    Ed White, McAfee
    Edward Cummins, Raytheon
    Gary Gapinski, National Aeronautics and Space Administration
    Imran Khan, Consultant
    James Mesta, Agilent Technologies, Inc.
    Jeffrey Ritter, Waters Edge Consulting
    Jim Meyer, Institute for Defense Analyses
    John Fulater, HSBC North America
    Joseph Dalessandro, Withheld
    Ken Fee, Firefly Communications
    Ken Stavinoha, Microsoft
    Kenneth Kousky, Salare Security, LLC
    Kevin Watkins, McAfee
    Laurie Hestor, Defense Information Systems Agency
    Linda Kostic, eTrade Financial
    Lorelei Knight, ICSAlabs, an Independent Division of Verizon Business Systems
    Lynn Hitchcock, Raytheon
    Mark Humphrey, Boeing
    Matt Trainor, Nortel Networks
    Paul Salva, HSBC North America
    Pete Eisele, Northrop Grumman
    Peter Thermos, Palindrome Technologies
    Rick Mellendick, Food and Drug Administration
    Robert Smith, Global UniDocs Company
    Ronald Rice, Defense Information Systems Agency
    Scott Armstrong, Gideon Technologies
    Shawn Dickson, Raytheon
    Sheila Christman, National Security Agency
    Steve Carver, FAA (Retired)
    Steven Draper, National Security Agency
    Terry Rimmer, Oklahoma Office of State Finance
    Tom Grill, VeriSign

    Chair of the Applicability Group: Paul Sand, Salare Security

    30/30

    VoIP Legal and Technical Products

    1. Legal Compliance & Security Report, describing:
    Available Unified Communications (UC) technologies
    Security risks of deployment
    Inventory of laws to be considered pre-deployment
    Whether ECPA creates a legal barrier to deployment
    Toolkit for lawyers and clients to assist in avoiding exposure from deployment

    2. Technical program with NIST, addressing:
    SCAP suitability and baseline standards
    NSA/DHS grant proposal