
Larry Clinton, President & CEO, Internet Security Alliance
lclinton@isalliance.org
703-907-7028
202-236-0001
www.isalliance.org

Board of Directors
- Tim McKnight, Chair, VP and CISO, Northrop Grumman
- Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
- Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA
- Joe Buonomo, President and CEO, Direct Computer Resources
- Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
- Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
- Pradeep Khosla, Dean, College of Engineering & CyLab, Carnegie Mellon University
- Marcus Sachs, VP of Government Affairs and National Security Policy
- Barry Hensley, VP and Director, Counter Threat Unit/Research Group, Dell/SecureWorks
- Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing
- Gene Fredriksen, Global Information Security Officer, Tyco
- Julie Taylor, VP, Cyber & Information Solutions Business Unit
- Rick Howard, iDefense General Manager, VeriSign
- Brian Raymond, Director, Tax, Tech & Economic Policy, National Association of Manufacturers

How Real is the Cyber threat?


". . . I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous. The Intelligence Community's world-wide threat brief to Congress in January raised cyber threats to just behind terrorism and proliferation in its list of the biggest challenges facing our nation . . ."
- Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command

"If terrorist groups were able to acquire [...] destructive cyber capabilities, I think we should fear greatly that they would use them . . . The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses . . . We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens."
- William Lynn, Former U.S. Deputy Secretary of Defense

"This threat is so intrusive, it's so serious . . . If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory."
- Michael McConnell, Former Director of National Intelligence

"We've got the wrong mental model here . . . I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway."
- Dr. James S. Peery, Director of the Sandia National Laboratories Information Systems Analysis Center

ISAlliance Mission Statement


ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

Why are we not cyber secure?


"We find that misplaced incentives are as important as technical design; security failure is caused at least as often by bad incentives as by bad technological design."
- Anderson and Moore, The Economics of Information Security

Economics Incentives Favor Attackers


- Offence: Attacks are cheap
- Offence: Attacks are easy to launch
- Offence: Profits from attacks are enormous
- Offence: GREAT business model
- Defense: Perimeter to defend is unlimited
- Defense: Hard to show ROI
- Defense: Usually a generation behind the attacker
- Defense: Prosecution is difficult and rare
- Economic incentives to be INSECURE: VoIP/mobile devices, Cloud, International Supply Chains

ISA Goals
- Thought Leadership in Cyber Security
- Public Policy Advocacy
- Develop Programs to stimulate improved cyber security
- Build the Alliance

Senate bills
- Lieberman-Collins: major issue is Title I, DHS regulatory authority vs. major attacks (APT)
- McCain et al.: info sharing / R&D / FISMA / law enforcement authority; no DHS regulatory role
- Administration supports Lieberman-Collins
- No action before May
- ISA has been asked to offer a rewrite of Title I: how to address CI without adding DHS regulations

House
- Thornberry Task Force: incentives; map to ISA
- Rogers: liability for info sharing
- Lungren: some DHS regulation; study incentives; NISO
- Possibly Smith/Goodlatte: best practices
- E&C: bipartisan commission on incentives
- Lungren may go to the full HLS next week
- Lungren and Rogers could be on the floor in April

2012 ISA Board Projects


- Public Policy Advocacy: The Cyber Security Social Contract, market incentives over regulations
- APT for small/mid-sized (not huge) companies
- Supply Chain for hardware (model contracts)
- Financial Management of Cyber Risk
- Modernized Information Sharing Model
- CyberTrak (under development)

The Social Contract


- The historic social contracts for infrastructure development (phones and electricity) successfully combined public policy, technology and economics.
- A cyber security social contract, with different terms, can do the same.

Terms for the Cyber Social Contract


- Create an international entity to judge the effectiveness of standards, practices and technologies
- Government(s) create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)
- Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing, marketing advantages, taxes)

Growth of the social contract idea


- 2008: ISA publishes the Cyber Social Contract
- 2009: Obama's Cyberspace Policy Review
- 2011: endorsed by multi-association/civil liberties white paper on cyber security
- 2011: GOP Cyber Task Force Report
- 2012: Rogers-Ruppersberger legislation (passes Intel committee 17-1)
- 2012: World Institute for Nuclear Security (WINS)

Enterprise Cyber Security


"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them, and encouraging individuals and organizations to adopt them."
- The Information Systems Audit and Control Association (ISACA), quoted in the Dept. of Commerce Green Paper, March 2011

Why Are We Not Doing It?


"Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution. The number one barrier is the security folks who haven't been able to communicate the urgency well enough, and they haven't actually been able to persuade the decision makers of the reality of the threat."
- CSIS & PwC Surveys, 2010

PwC 2011 study in A & D


- A&D respondents were twice as likely to report financial losses from security incidents as in 2008
- Security spending deferrals and cutbacks up for the 3rd year in a row: 20-40% over last year
- The confidence rating among A&D senior executives declined by 19 points since 2006
- Single greatest obstacle: decision makers at the top of the house

Financial Management of Cyber Risk (2010)

Growth in Financial Risk Management Approach


- ISA released its Cyber Risk Team approach in 2007, 2010 and 2012 (health care)
- CMU study in 2007: only 17% of firms had org-wide cyber risk teams; in the 2011 CMU study, 87% have cyber risk teams
- Ponemon Institute shows investment in cyber up 100% from 2007 to 2012
- Major firms (E&Y) now using the ISA model

The APT----Average Persistent Threat


"The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event. APT is no longer just a threat to the public sector and the defense establishment; this year significant percentages of respondents across industries agreed that APT drives their organization's security spending."
- PricewaterhouseCoopers Global Information Security Survey, September 2011

APT: We Are Not Winning


80% of A&D security experts surveyed said that their companies' security policies did not address APT-style attacks. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.
- PwC 2011

Are we thinking of APT all wrong?


"Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)."
- PwC 2011

"Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated."
- M-Trends Report 2011

ISA and APT


- Roach Motel Model, 2008 (Jeff Brown, Raytheon, Chair)
- Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, co-chairs)

Supply chain
"The exploitation of information technology (IT) products and services through the supply chain is an emerging threat. In January 2012, the Director of National Intelligence identified the vulnerabilities associated with the IT supply chain for the nation's networks as one of the greatest strategic cyber threat challenges the country faces."
- GAO Report, March 2012

Supply Chain laws/regs


- The National Defense Authorization Act passed in December 201; Sec. 818 requires DoD to establish guidelines for industry on counterfeit part management.
- With respect to hardware counterfeits, DoD is looking at the Society of Automotive Engineering's 5453 standard to inform the DoD guideline, but there is no equivalent standard that addresses cyber.
- ISA has guidelines about to be published.

ISA Proposal to AIA


The objective would be to leverage ISA's experience and programs with AIA's resources and membership in a mutually beneficial fashion. ISA will contract with AIA to run a series of workshops designed to create a publication addressing the above-mentioned cyber security issues specifically with respect to the AIA membership (APT, Supply Chain, Organizational Risk Management and use of Incentives).

ISA Proposal to AIA


- The publication would meet three specific goals: 1) Usefulness, 2) Effectiveness, 3) Economy
- One or two workshops over the next 8 months, with the resulting publication in the first quarter of 2013
- ISA will provide the baseline material for each workshop area (supply chain, financial risk management, APT and incentives) as well as organize the workshops

ISA Proposal to AIA


- AIA will be responsible for populating the workshops with their member companies and financing them via a $100,000 payment to ISA.
- The $100,000 will earn AIA a sponsor-level channel partnership, entitling all AIA members to participate in the ISA-run workshops and including AIA participation on the ISA Board.
- ISA and AIA agree to collaborate on any future derivative programs (e.g. training/certification).
