2012 03 27 larry clinton presentation to aia cio members

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2012 03 27 Larry Clinton Presentation to AIA CIO Members

    Slide 1/28

    Larry Clinton, President & CEO

    Internet Security Alliance

    [email protected]

    202-236-0001

    www.isalliance.org

  • Slide 2/28

    Board of Directors

    Joe Buonomo, President and CEO, Direct Computer Resources
    Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
    Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
    Pradeep Khosla, Dean, College of Engineering & CyLab, Carnegie Mellon University
    Marcus Sachs, VP of Government Affairs and National Security Policy
    Barry Hensley, VP and Director, Counter Threat Unit/Research Group, Dell/Secureworks
    Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing
    Gene Fredriksen, Global Information Security Officer, Tyco
    Julie Taylor, VP, Cyber & Information Solutions Business Unit
    Rick Howard, iDefense General Manager, VeriSign
    Brian Raymond, Director, Tax, Tech & Economic Policy, National Association of Manufacturers
    Tim McKnight, Chair; VP and CISO, Northrop Grumman
    Jeff Brown, First Vice Chair; VP of Infrastructure Services and CISO for Information Technology, Raytheon
    Gary McAlum, Second Vice Chair; Senior VP and Chief Security Officer, USAA

  • Slide 3/28

    How Real is the Cyber Threat?

    ". . . I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous. The Intelligence Community's world-wide threat brief to Congress in January raised cyber threats to just behind terrorism and proliferation in its list of the biggest challenges facing our nation . . ." - Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command

    "If terrorist groups were able to acquire [ ] destructive cyber capabilities, I think we should fear greatly that they would use them . . . The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses . . . We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens." - William Lynn, Former U.S. Deputy Secretary for Defense

    "This threat is so intrusive, it's so serious . . . If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory." - Michael McConnell, Former Director of National Intelligence

    "We've got the wrong mental model here . . . I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway." - Dr. James S. Peery, Director of the Sandia National Laboratories Information Systems Analysis Center

  • Slide 4/28

    ISAlliance Mission Statement

    ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

  • Slide 5/28

    Why are we not cyber secure?

    "We find that misplaced incentives are as important as technical design: security failure is caused at least as often by bad incentives as by bad technological design."

    - Anderson and Moore, The Economics of Information Security

  • Slide 6/28

    Economic Incentives Favor Attackers

    Offence: Attacks are cheap
    Offence: Attacks are easy to launch
    Offence: Profits from attacks are enormous
    Offence: GREAT business model

    Defense: Perimeter to defend is unlimited
    Defense: Hard to show ROI
    Defense: Usually a generation behind the attacker
    Defense: Prosecution is difficult and rare

    Economic incentives to be INSECURE: VOIP/mobile devices, Cloud, International Supply Chains

  • Slide 7/28

    ISA Goals

    Thought Leadership in Cyber Security
    Public Policy Advocacy
    Develop Programs to stimulate improved cyber security
    Build the Alliance

  • Slide 8/28

    Senate bills

    Lieberman-Collins: major issue is Title I, DHS regulatory authority vs. major attacks (APT)
    McCain et al.: info sharing / R & D / FISMA / law enforcement authority; no DHS regulatory role
    Admin supports Lieberman-Collins
    No action before May
    ISA has been asked to offer a rewrite of Title I: how to address CI without adding DHS regs

  • Slide 9/28

    House

    Thornberry Task Force: incentives; map to ISA
    Rogers: liability protection for info sharing
    Lungren: some DHS regulation; study incentives; NISO
    Possibly Smith/Goodlatte: best practices
    E & C: bipartisan commission on incentives
    Lungren may go to the full HLS next week
    Lungren and Rogers could be on the floor in April

  • Slide 10/28

    2012 ISA Board Projects

    Public Policy Advocacy: The Cyber Security Social Contract (market incentives over regulations)
    APT for small/mid-sized (not huge) companies
    Supply Chain for hardware (model contracts)
    Financial Management of Cyber Risk
    Modernized Information Sharing Model
    CyberTrak (under development)

  • Slide 11/28

    The Social Contract

    The historic social contracts for infrastructure development (phones and electricity) combined public policy, technology and economics successfully.

    A cyber security social contract, with different terms, can do the same.

  • Slide 12/28

    Terms for the Cyber Social Contract

    Create an international entity to judge the effectiveness of standards, practices and technologies
    Government(s) create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
    Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing, marketing advantages, taxes)

  • Slide 13/28

    Growth of the social contract idea

    2008: ISA publishes the Cyber Social Contract
    2009: Obama's Cyber Space Policy Review
    2011: endorsed by multi-association/civil liberties white paper on cyber security
    2011: GOP Cyber Task Force Report
    2012: Rogers-Ruppersberger legislation (passes Intel committee 17-1)
    2012: World Institute for Nuclear Security (WINS)

  • Slide 14/28

    Enterprise Cyber Security

    "The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them."

    - The Information Systems Audit and Control Association (ISACA), quoted in Dept. of Commerce Green Paper, March 2011

  • Slide 15/28

    Why Are We Not Doing It?

    "Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks."

    "Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution."

    "The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat."

    - CSIS & PWC Surveys 2010

  • Slide 16/28

  • Slide 17/28

    Financial Management of Cyber Risk (2010)

  • Slide 18/28

    Growth in Financial Risk Management Approach

    ISA released the Cyber Risk Team approach in 2007, 2010 and 2012 (health care)
    CMU study in 2007: only 17% of firms had organization-wide cyber risk teams
    CMU study in 2011: 87% have cyber risk teams
    Ponemon Institute shows investment in cyber up 100% from 2007 vs 2012
    Major firms (E&Y) now using the ISA model

  • Slide 19/28

    The APT: Average Persistent Threat

    "The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event. APT is no longer just a threat to the public sector and the defense establishment; this year significant percentages of respondents across industries agreed that APT drives their organization's security spending."

    - PricewaterhouseCoopers Global Information Security Survey, September 2011

  • Slide 20/28

    APT: We Are Not Winning

    80% of A & D security experts surveyed said that their companies' security policies did not address APT-style attacks. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.

    - PWC 2011

  • Slide 21/28

    Are we thinking of APT all wrong?

    Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%). - PWC 2011

    "Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated." - M-Trends Reports 2011

  • Slide 22/28

    ISA and APT

    Roach Motel Model, 2008 (Jeff Brown, Raytheon, Chair)
    Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, co-chairs)

  • Slide 23/28

    Supply chain

    "The exploitation of information technology (IT) products and services through the supply chain is an emerging threat. In January 2012, the Director of National Intelligence identified the vulnerabilities associated with the IT supply chain for the nation's networks as one of the greatest strategic cyber threat challenges the country faces."

    - GAO Report, March 2012

  • Slide 24/28

    Supply Chain laws/regs

    The National Defense Authorization Act passed in December 201: Sec. 818 requires DoD to establish guidelines for industry in terms of counterfeit part management. With respect to hardware counterfeits, DoD is looking at the Society of Automotive Engineers' 5453 standard to inform the DoD guideline, but there is no equivalent standard that addresses cyber.

    ISA has guidelines about to be published.

  • Slide 25/28

    ISA Proposal to AIA

    The objective would be to leverage ISA's experience and programs with AIA's resources and membership in a mutually beneficial fashion.

    ISA will contract with AIA to do a series of workshops designed to create a publication addressing the above-mentioned cyber security issues with respect specifically to the AIA membership (APT / Supply Chain / Organizational Risk Management & use of Incentives).

  • Slide 26/28

    ISA Proposal to AIA

    The publication would meet three specific goals: 1) Usefulness 2) Effectiveness 3) Economy

    One or two workshops over the next 8 months, with the resulting publication in the first quarter of 2013

    ISA will provide the baseline material for each workshop area (supply chain, financial risk management, APT and incentives) as well as organize the workshops

  • Slide 27/28

    ISA Proposal to AIA

    AIA will be responsible for populating the workshops with their member companies and financing them via a $100,000 payment to ISA.

    The $100,000 will earn for AIA a sponsor-level channel partnership entitling all AIA members to participate in the ISA-run workshops and including AIA participation in the ISA Board.

    ISA and AIA agree to collaborate on any future derivative programs (e.g. training/certification).

  • Slide 28/28

    Larry Clinton, President & CEO

    Internet Security Alliance

    [email protected]

    202-236-0001

    www.isalliance.org