
LARRY CLINTON
PRESIDENT & CEO, INTERNET SECURITY ALLIANCE
lclinton@isalliance.org
office (703) 907-7028
cell (202) 236-0001

During the Last Minute

45 new viruses
200 new malicious web sites
180 personal identities stolen
2 million dollars lost

Internet Security Alliance Mission

ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

If You're Thinking...

Breaches and perimeter defense
Hackers
Going after networks
You are thinking all wrong!

I Want You !!!!!!!!!!

Is he government? No
Is he your friend? No
Believable, specific, staged
Not after PII, just inserting malware
Targets: Accountants / Lawyers / Senior Execs

If You're Thinking Tech...

It's An Enterprise-Wide Risk Management Issue

Technology without economics is as misguided as thinking of economics without technology
Tech tells us HOW attacks occur; economics tells us WHY attacks occur
The single biggest threat is from insiders

Digitalization Changes Everything

Concepts of Privacy
Concepts of National Defense
Concepts of Self
Economics

Back to Basics

What is the problem we are trying to solve?
What is preventing us from solving the problem?
How do we approach this problem in a risk management framework?

Two Types of Attacks

Basic attacks
  Vast majority
  Can be very damaging
  Can be managed

Ultra-Sophisticated Attacks (e.g., APT)
  Well organized, well funded, multiple methods, probably state supported
  They will get in

Cyber Security and the Economics


"We find that misplaced incentives are as important as technical design: security failure is caused at least as often by bad incentives as by bad technological design."
Anderson and Moore, The Economics of Information Security

Cyber Economic Equation: Incentives Favor Attackers

Offense: Attacks are cheap
Offense: Attacks are easy to launch
Offense: Profits from attacks are enormous
Offense: GREAT business model (resell the same service)

Defense: Perimeter to defend is unlimited
Defense: Is compromised; hard to show ROI
Defense: Usually a generation behind the attacker
Defense: Prosecution is difficult and rare

More Problems
Business efficiency demands less secure systems (VoIP / international supply chains / Cloud)
Profits from advanced tech are not used to advance security
Regulatory compliance is not correlated with security; it may be counterproductive

Misaligned Incentives
"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code."
Anderson and Moore, The Economics of Information Security

The Good News: We know (mostly) what to do!

PWC/Gl Inform Study 2006: best practices, 100%
CIA 2007: 90% can be stopped
Verizon 2008: 87% can be stopped
NSA 2009: 80% can be prevented
Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards that already exist

Why Are We Not Doing It?

"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them, and encouraging individuals and organizations to adopt them."
The Information Systems Audit and Control Association (ISACA), quoted in the Dept. of Commerce Green Paper, March 2011

Why Are We Not Doing It?

"Many technical and network management solutions that would greatly enhance security already exist in the marketplace but are not always used due to cost and complexity."
Obama Administration Cyberspace Policy Review, May 30, 2009

Why Are We Not Doing It?

"Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution. The number one barrier is the security folks who haven't been able to communicate the urgency well enough, and they haven't actually been able to persuade the decision makers of the reality of the threat."
CSIS & PWC Surveys, 2010

What's Washington Doing?

Senate bills (Rockefeller/Snowe & Lieberman/Collins) move out of Committee
Reid process to generate a Senate bill in Sept.
Administration's non-critical (Commerce NOI) proposal, plus legislative (critical) proposal and new DoD strategy
House Thornberry Task Force with Committee action; bills expected summer and fall 2011
Industry/Civil Liberties White Paper

Bad Legislation Can Make Things Worse


Regulating will change the Partnership model
Government standards may be rejected or copied by other countries
Government process will be political and minimal
Name and shame creates an incentive not to look
Name and shame creates an incentive to attack
Audits may not improve security and could enhance the insider threat

Private Sector Plan


Joint trade association white paper on public-private partnerships
Cooperative effort between ISA, US Chamber, Business Software Alliance, TechAmerica and the Center for Democracy and Technology
House and Senate briefings held March 11
Met with Howard Schmidt on March 21

Industry/Civil Liberties White Paper


Partnership Model outlined in NIPP and CSPR
Take a Risk Management approach, appreciating that Government and industry assess risk differently
Leverage the existing standards process, assess for effectiveness & create a market for good behavior
Attack the cost issues via market incentives
Adapt existing structures for enhanced information sharing to address APT
Address long-term issues through partnership

What We Can Do: Provide Basic Incentives


Liability Incentives
Procurement Incentives
Streamline Regulation
SEMATECH Model
Insurance
Cyber SAFETY Act
Leverage Current Government Spending

APT: You can't stop them, you contain them

You are able to predict, detect and respond
You increase the cost to them of accessing and disrupting your system: make it too expensive
You have the ability to use threat intel for proactive detection and response
You have enterprise-wide and network-based ability to deploy threat intel from industry and third parties

Enterprise Cyber Risk Management Focus on Finances & Investment

We are Not Cyber Structured

In 95% of companies the CFO is not directly involved in information security
2/3 of companies don't have a risk plan
83% of companies don't have a cross-organizational privacy/security team
Less than half have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security

ANSI ISA Program


Outlines an enterprise-wide process to attack cyber security broadly and economically:
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk Management/insurance strategies

What CFOs Need to Do


Own the problem
Appoint an enterprise-wide cyber risk team
Meet regularly
Develop an enterprise-wide cyber risk management plan
Develop an enterprise-wide cyber risk budget
Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback

Progress in Corporate Approach to Cyber Security


65% of corporations had Cyber Risk Management Teams in 2010, up from 17% in 2008
Increase in involvement of Senior Execs
Across industries we see evidence of recognition that security's strategic value is more closely aligned with business than IT
Increase in CISO reports to a Senior Officer other than IT: to CFO, up 36%; to COO, up 67%; to CEO, up 13% (PWC 2011 Global Information Survey)
