LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE office (703) cell (202)

Transcription

1 LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE office (703) cell (202)

2 During the Last Minute 45 new viruses 200 new malicious web sites 180 personal identities stolen 2 million dollars lost

3 Internet Security Alliance Mission ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

4

5 If Your Thinking... Breaches and perimeter defense Hackers Going after networks You are thinking all wrong!

6

7 I Want You!!!!!!!!!! Is he government? No Is he your friend? No Believable, specific, staged Not trying to PII just inserting malware Accountants/Lawyers/Senior Execs

8 If Your Thinking Tech... An Enterprise Wide Risk Management Issue Technology without economics is as misguided as thinking of economics without technology Tech tells us HOW attacks occur, economics tells us WHY attacks occur The single biggest threat is from insiders

9 Digitalization Changes Everything Concepts of Privacy Concepts of National Defense Concepts of Self Economics

10 Back to Basics What is the problem we are trying to solve? What is preventing us from solving the problem? How do we approach this problem in a risk management framework?

11 Two Types of Attacks Basic attacks Vast majority Can be very damaging Can be managed Ultra-Sophisticated Attacks (e.g., APT) Well organized, well funded, multiple methods, probably state supported They will get in

12 The Big Con

13 Cyber Security and the Economics We find that misplaced incentives are as important as technical design security failure is caused as least as often by bad incentives as by bad technological design Anderson and Moore The Economics of Information Security

14 Cyber Economic Equation: Incentives Favors Attackers Offense: Attacks are cheap Offense: Attacks are easy to launch Offense: Profits from attacks are enormous Offense: GREAT business model ( resell same service) Defense: Perimeter to defend is unlimited Defense: Is compromised hard to show ROI Defense: Usually a generation behind the attacker Defense: Prosecution is difficult and rare

15 More Problems Business efficiency demands less secure systems (VOIP/national supply chains/cloud) Profits for advanced tech are not used to advance security Regulatory compliance is not correlated with security may be counter productive

16 Misaligned Incentives Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code. Anderson and Moore Economics of Information Security

17

18 The Good News: We know (mostly)what to do! PWC/Gl Inform Study best practices 100% CIA % can be stopped Verizon % can be stopped NSA % can be prevented Secret Service/Verizon % can be stopped or mitigated by adopting inexpensive best practices and standards already existing

19 Why Are We Not Doing It? The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices demonstrating the value in implementing them and encouraging individuals and organizations to adopt them. The Information Systems Audit and Control Association (ISACA) quoted in Dept. of Commerce Green Paper - March 2011

20 Why Are We Not Doing It? Many technical and network management solutions that would greatly enhance security already exist in the marketplace but are not always used due to cost and complexity. Obama Administration Cyberspace Policy Review May 30, 2009

21 Why Are We Not Doing It? Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solutions. The number one barrier is the security folks who haven t been able to communicate the urgency well enough and they haven t actually been able to persuade the decision makers of the reality of the threat. ----from CSIS & PWC Surveys 2010

22 What s Washington Doing? Senate bills (Rockefeller/Snow & Lieberman/ Collins) move out of Committee Reid process to generate Senate bill in Sept. Administration s non-critical (Commerce NOI) proposal plus legislative (critical) proposal and new DoD strategy House Thornberry Task Force w/committee action bills expected summer and fall 2011 Industry/Civil Liberties White Paper

23 Senate Approach (Expected) The Kill Switch Make the Cyber Czar report to Congress Update FISMA Stimulate Cyber security Education Enhance DHS regulatory authority NIST to control establishing CS standards Covered Critical Infrastructure mandates Audits/Fines Civil Penalties

24 Administration Legislative Plan Clearly align federal authorities for gov networks Create a national breach notification law Enhance education for cyber security Create a regulatory structure for PS critical infrastructure (broadly defined) PS writes plans for CS/approved by DHS Annual evaluations of CI cyber security Name and shame no DHS fines or civil penalties

25 Industry View of Sen & Admin Plans Agree on Gov Reorganization/FISMA Reform/ National Breach management/>crime Resources Disagree on Definitions of Covered Critical Infrastructure Disagree on Expanded accounting and auditing Disagree on Gov mandates Disagree on Gov notion of incentives

26 Bad Legislation Can Make Things Worse Regulating will change the Partnership model Government standards may be rejected or copied by their countries Government process will be political and minimal Name and shame creates incentive not to look Name and shame creates incentive to attack Audits may not improve security and could enhance the insider threat

27 Private Sector Plan Joint trade association white paper on public-private partnerships Cooperative effort between ISA, US Chamber, Business Software Alliance, Tech America and Center for Democracy and Technology House and Senate briefings held March 11 Met with Howard Schmidt on March 21

28 Industry/Civil Liberties White Paper Partnership Model outlined in NIPP and CSPR Take Risk Management Approach appreciating that Gov and industry access risk differently Leverage existing standards process, assess for effectiveness & create market for good behavior Attack the cost issues via market incentives Adapt existing structures for enhanced information sharing to address APT Address long term issues through partnership

29 U.S. House Action Speaker Boehner Appoints Task Force Task Force To Develop Framework By October Meanwhile Legislative Process To Begin--- Bills Expected In Summer/Fall House Priorities I. Incentives/Critical Infrastructure II. Info Sharing III. Updating Cyber Crime Laws IV. Aligning Gov Authority

30 What We Can Do: Basic Provide Incentives Liability Incentives Procurement Incentives Streamline Regulation SEMA TECH Model Insurance Cyber SAFETY Act Leverage Current Government Spending

31 What we can do---apt Understand this is not your father s attack Accept the need for a true Public-Private Partnership----regulation is not quick enough to keep up with these guys Adapt or strategy from perimeter defense to generic attacks to internal analysis, and remediation, new methods, new metrics For Example the Roach Motel Model for info sharing w/new roles and incentives

32 APT: You can t stop them, you contain them You are able to predict, detect and respond You increase the cost to them for accessing and disrupting your system make it too expensive You have ability to use threat intel to use proactive detection and response You have enterprise wide and network based ability to deploy threat intel from industry aqnd third parties

33 Enterprise Cyber Risk Management Focus on Finances & Investment

34 Enterprise Cyber Risk Management Focus on Finances & Investment

35 Business Approach to Cyber Security The security discipline has so far been skewed toward technology firewalls, ID management, intrusion detection instead of risk analysis and proactive intelligence gathering. PWC Global Cyber Security Survey o o 1/3 of Companies are doing an effective job of combating cyber threats----what does that mean? Can we get the rest of the economy up to speed?

36 Obama: What We Need to Do It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. Obama Administration Cyberspace Policy Review May 30, 2009 page 15

37 We are Not Cyber Structured In 95% of companies the CFO is not directly involved in information security 2/3 of companies don t have a risk plan 83% of companies don t have a cross organizational privacy/security team Less than ½ have a formal risk management plan, 1/3 of the ones who do don t consider cyber in the plan In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security

38 ANSI ISA Program Outlines an enterprise wide process to attack cyber security broadly and economically CFO strategies HR strategies Legal/compliance strategies Operations/technology strategies Communications strategies Risk Management/insurance strategies

39 What CFOs Need to Do Own the problem Appoint an enterprise wide cyber risk team Meet regularly Develop an enterprise wide cyber risk management plan Develop an enterprise wide cyber risk budget Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback

40 Progress in Corporate Approach to Cyber Security 65% Corporation Cyber Risk Management Teams in up from 17% in 2008 Increase in involvement of Senior Execs across industries we see evidence of recognition that security s strategic value is more closely aligned with business than IT Increase in CISO repts to Sr Officer not IT---CFO, up 36%, to COO, up 67%, CEO, up 13% (PWC 2011 Global Information Survey)

41

42

43

44 LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE office (703) cell (202)