the internet security alliance
TRANSCRIPT
The Internet Security Alliance
The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally-based trade association devoted to cyber security. ISA has individual corporate memberships and “wholesale” memberships with TIA, NAM, AIA & other associations
ISA Board of Directors
Ty Sagalow, Esq. Chair President, Innovation Division, Zurich Tim McKnight Second V Chair, CSO, Northrop Grumman
• Ken Silva, Immediate Past Chair, CSO VeriSign • Joe Buonomo, President, DCR • Jeff Brown, CISO/Director IT Infrastructure, Raytheon • Lawrence Dobranski, Chief Strategic Security, Nortel • Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin • Eric Guerrino, SVP/CIO, bank of New York/Mellon Financial • Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences • Bruno Mahlmann, VP Cyber Security, Dell-Perot Systems • Linda Meeks, VP CISO, Boeing Corporation
J. Michael Hickey, 1st Vice Chair VP Government Affairs, Verizon Marc-Anthony Signorino, Treasurer National Association of Manufacturers
Why ? ISAlliance Mission Statement
ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.
ISA Cyber Social Contract
• Similar to the agreement that led to public utility infrastructure dissemination in 20th Century
• Infrastructure development -- market incentives
• Consumer protection through regulation • Gov’t. role is more creative—harder—
motivate, not mandate, compliance • Industry role is to develop practices
and standards and implement them
President Obama’s Report on Cyber Security
• The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. (President’s Cyber Space Policy Review page iii)
• Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress November 2008
ISA Obama CSPR Major Points of Agreement
• Cyber Security is a priority national issue • White House needs to take leadership role • Need an Enterprise Wide Risk Management
approach to cyber security • Cyber security is as much a strategic & economic
issue as an operational & technology issue • Private Sector is on the front lines of the cyber
security defense, hence need partnership • Market incentives, not regulation, must be
deployed to enhance private sector cyber security
Social Contract II
Implementing the Obama Cyber Security Strategy
via the ISA Social Contract Model
Chapter 1: Economics of Cyber Security
• All the current incentives favor the bad guys • Attacks are cheap, easy, very profitable & the
perimeter to attack is virtually limitless • Defense can be hard, expensive, a generation
behind the attackers and ROI is hard to show • Cost of cyber attacks are not transparent • So long as the economic equation of cyber security
is unbalanced we will have attacks
Cyber Space Policy Review is Pro-Economic
• The Cyber Coordinator will report to the National Economic Council as well as the National Security Council
• CSPR embraces a enterprise wide risk management philosophy (including Enterprise Education)
• For the first time the government proposes the use of economic incentives to promote better private sector security
Chapter 2: Partnership at the Business Plan Level
• Studies, CIA, NSA all say we know how to solve 80-90% of the problem---just not doing it
• Regulation doesn’t fit the I-Net (slow, minimalist, US only, create economic & security problems)
• Obama personally rejected regulation of PS • Gov role to evaluate & create incentives for
adopting good cyber secure policies practices and technologies just as in other areas of economy
• Market incentives endorsed by Obama CSPR
Congressional Testimony October, 2007
ISA Testimony on Incentives (May 1, 2009)
1. R & D Grants 2. Tax incentives 3. Procurement Reform 4. Streamlined Regulations 5. Liability Protection 6. Public Education 7. Insurance 8. SBA loans 9. Awards programs 10. Cyber SAFETY Act
Obama’s Report on Cyber Security (May 30, 2009)
The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. President’s Cyber Space Policy Review May 30, 2009 page vs.
» Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
Chapter 3: Information Sharing
• Current model doesn’t work • Modern business systems too open • Limited participation in ISACs especially SMEs • Gov wont give source material, industry won’t give
attack data or important internal information • Can’t keep out determined attackers • Once in the systems we have more control over
attackers
Information Sharing--Incentives
• Large Orgs become designated reporters (gold, silver etc.) which can be used for marketing
• Rpt C2 sites, (URLs-web sites) not that they have been breached or internal data
• Gov reports---not source data • AV community circulate the info for profit • Small companies able to participate easy and
cheap to block C-2
Securing The IT Supply Chain In The Age of Globalization November, 2007
Chapter 4 Supply Chain
• ISA & CMU launched its supply chain project in 2006
• 3 Conferences at CMU and DC w/more than 100 industry, govt. and academic experts
• CMU Report 2007/2008 • Scott Borg US Cyber Consequences Center leading
effort in 2009/2010 • Focus on hardware/firmware
Securing the IT Supply Chain
The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.
For organizations that have not yet made cyber security a true priority
there are other barriers, often primarily economic.”
President’s Cyber Space Policy Review May 30, 2009 page 34
Supply Chain Economic Issues
• Secure Foundry unsustainable (think prisons) • Govt. mandates unsustainable • We are inherently a global economy • US firms can’t compete with heavy special burdens • Mandating security for US firms will hurt
economically, reduce quality and harm security by driving providers off-shore even more
ISA Supply Chain Framework
• 5 Phases, design, fabrication, assembly, distribution & maintenance
• Remedies to interuption of production, corruption of production, discrediting of production and loss of control of production
• Legal Support for : unambigious contracts w/security measures, responsible corporation w/long term interests, motivation 4 workers and execs, verification & enforcement
2010 Supply Chain Agenda
5 Workshops in first 2 quarters of 2010
• I. Securing the Design and Fabrication Phases. • II. Securing the Assembly, Distribution, and
Maintenance Phases. • III. Establishing the Necessary Legal and
Contractual Conditions.
Chapter 4: Enterprise Education focus on $
It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. – President’s Cyber Space Policy Review May 30, 2009 page 15 ISA-ANSI Project on Financial Risk Management of Cyber Events: “50 Questions Every CFO should Ask ----including what they ought to be asking their General Counsel and outside counsel. Also, HR, Bus Ops, Public and Investor Communications & Compliance
Releasing the Cyber Security Social Contract November, 2008
Financial Management of Cyber Risk 2010
* Phase I 50 questions CFOs ask • Complete Phase II responses to the 50 questions
every CFO Should ask operations, HR, risk manager, communications, legal & compliance
• Phase III Separate Programs & best practice for each organizational section on cyber security
• CIO Net & European Commission request proposals for EU versions of ISA/ANSI program
Chapter 5 & 6 VOIP standards & Old Laws
The history of electronic communications in the United States reflects steady, robust technological innovation punctuated by government efforts to regulate, manage, or otherwise respond to issues presented by these new media, including security concerns. The iterative nature of the statutory and policy developments over time has led to a mosaic of government laws and structures governing various parts of the landscape for information and communications security and resiliency. Effectively addressing the fragmentary and diverse nature of the technical, economic, legal, and policy challenges will require a leadership and coordination framework that can stitch this patchwork together into an integrated whole. President’s Cyber Space Policy Review May 30, 2009 page C-12
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks September, 2008
ISA Partners
VoIP Participants
AJ West, Boeing Alex Fielding, Ripcord Networks Allie Larman, Oklahoma Office of State Finance Andrew Bove, Secure Acuity Networks, LLC Andriy Markov, VoIPshield Systems Inc. Barry Wasser, Department of Homeland Security Blake Frantz, Center For Internet Security Bob Moskowitz, ICSAlabs, an Independent Division of Verizon Business Systems Bogdan Materna, VoIPshield Systems Inc. Calvin Bowditch, Joint Task Force-Global Network Operations Carl Herberger, Evolve IP Cheri Sigmon, Department of Defense Cynthia Reese, Science Applications International Corporation (SAIC) David Lukasik, Department of Veterans Affairs Dawn Adams, EWA-Canada
Denise Walker, DBA, Lone Star College System Ed Stull, Direct Computer Resources Ed White, McAfee Edward Cummins, Raytheon Gary Gapinski, National Aeronautics and Space Administration Imran Khan, Consultant James Mesta, Agilent Technologies, Inc. Jeffrey Ritter, Waters Edge Consulting Jim Meyer, Institute for Defense Analyses John Fulater, HSBC North America Joseph Dalessandro, Withheld Ken Fee, Firefly Communications Ken Stavinoha, Microsoft Kenneth Kousky, Salare Security, LLC Kevin Watkins, McAfee Laurie Hestor, Defense Information Systems Agency Linda Kostic, eTrade Financial
Lorelei Knight, ICSAlabs, an Independent Division of Verizon Business Systems Lynn Hitchcock, Raytheon Mark Humphrey, Boeing Matt Trainor, Nortel Networks Paul Salva, HSBC North America Pete Eisele, Northrop Grumman Peter Thermos, Palindrome Technologies Rick Mellendick, Food and Drug Administration Robert Smith, Global UniDocs Company Ronald Rice, Defense Information Systems Agency Scott Armstrong, Gideon Technologies Shawn Dickson, Raytheon Sheila Christman, National Security Agency Steve Carver, FAA (Retired) Steven Draper, National Security Agency Terry Rimmer, Oklahoma Office of State Finance Tom Grill, VeriSign
Chair of the Applicability Group Paul Sand, Salare Security
VOIP legal and technical products
1.Legal Compliance & Security Report describes • Available Unified Communications (UC) Technologies • Security Risks of Deployment • Inventory of Laws to be considered pre deployment • If ECPA creates a legal barrier to deployment • Toolkit for lawyers and clients to assist in avoiding
exposure from deployment 2. Technical w/NIST Program addresses • SCAP Suitability and baseline standards • NSA/DHS Grant proposal