Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 www.isalliance.

org

Board of Directors
Tim McKnight, Chair, VP and CISO, Northrop Grumman Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA Joe Buonomo, President and CEO, Direct Computer Resources Lt. Gen. Charlie Croom (Ret.) VP Cyber Security Solutions, Lockheed Martin Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial Pradeep Khosla, Dean of the College of Engineering and Founding Director of CyLab, Carnegie Mellon University Marcus Sachs, VP of Gov. Affairs and National Security Policy Barry Hensley, VP and Director of Dell Secureworks Counter Threat Unit/Research Group, Dell/Secureworks Tom Kelly, Director of Information Security Assessments and Vulnerabilities, Boeing Gene Fredriksen, Global Information Security Officer, Tyco Julie Taylor, VP Cyber & Information Solutions Business Unit Rick Howard, iDefense General Manager, VeriSign Brian Raymond, Director Tax, Technology and Domestic Economic Policy, National Association of Manufactures

What Do You Know About Cyber Security?

Hackers? Breaches? Perimeter Defense? A Technology Problem? Firewalls and Passwords? Corporate Irresponsibility? APT?

Digital Changes
Privacy Cognitive Functions Concepts of Defense Business Economics Government/Industry Roles and Responsibilities

Rethinking The Problem

Its Not An IT Problem We Need To Think Beyond Security Systems Approach Infrastructure Development Organizational Structure International Competitiveness

ISAlliance Mission Statement

ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

Cyber Economy Is Misaligned

[E]conomists have long known that liability should be assigned to the part that can best manage risk. Yet everywhere we look we see online risk allocated poorlypeople who connect insecure machines to the Internet do not bear the full consequences of their actions (and) developers are not compensated for costly efforts to strengthen code. Anderson and Moore, Information Security, 2-3.

Cyber Security Economics Are Skewed

Responsibility, Costs, Harms and Incentives are Misaligned Individual and Corporate Financial Loss (e.g.. banks) Defense Industrial Base Core Investment is Undermined by Edge Insecurity Enterprises are not Structured to Properly Analyze Cyber Risk Competitive Pressure Drives Toward Insecurity

VOIP/Smart Phones etc Unified Communications

while unified communications offer a compelling business case, the strength of the UC solutions in leveraging the internet is also vulnerability. Not only are UC solutions exposed to the security vulnerabilities and risk that the Internet presents, but the availability and relative youth of UC solutions encouraged malicious actors to develop and launch new types of attacks. Navigating Compliance and Security for Unified Communication, .

Cloud Computing
62% of IT professionals surveyed reported that they had little or no faith in the security of data placed in the cloud----including 48% who had already placed their data in the cloud. PricewaterhouseCoopers/CIO Magazine Global Information Security Survey 2011

What We Do Know Is All Bad

All the economic incentives favor the attackers, i.e. attacks are cheap, easy, profitable and chances of getting caught are small Defense inherently is a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show Until we solve the cyber economics equation we will not have cyber security

Why China and the APT?

Countries that grow by 8-13% can only do this by copying. Copying is easy at firstyou copy simple factoriesbut to grow by more than 8% you need serious know how. There are only 2 ways to get this: partnering and theft. China cannot afford to NOT to grow 8% yearly. Partnering wont transfer enough know how to sustain 8%+ so all thats left is theft and almost all the theft is electronic. Scott Borg, US Cyber Consequences Unit

Why Federal Regulation wont work

It misunderstands the problem as corporate avarice or consumer product safety----its warfare The technology and attacks change too quickly There isnt adequate jurisdiction The rules would be too general to be of use vs. APT Diverting resources from security to compliance is counter productive Reg procedure stifles investment & innovation

The Social Contract

The historic social contracts for infrastructure development (phones and electricity) combine public policy, technology and economics successfully A cyber security social contract ---with different terms, can do the same

Terms For The Cyber Social Contract

Create an international entity to judge effectiveness of standards, practices, technologies Government's) create a menu of incentives for vol adoption of proven practices standards and technologies on a sliding scale (gold silver etc.) Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing/marketing advantages/taxes)

Growth Of The Social Contract Idea

2008 ISA Publishes Cyber Social Contract 2009 Obamas Cyber Space Policy Review 2011 endorsed by multi-association/civil liberties white paper on cyber security 2011 GOP Cyber Task Force Report 2012 Rogers-Ruppersberger legislation (passes Intel committee 17-1) 2012 World Institute for Nuclear Security (WINS)

Applying The Systems Approach In Enterprise

ISA Information Sharing model VOIP/smart phone standards Financial Management of Cyber Risk (50 questions for CFOs/answers/health care adaption----E & Y adoption and Lawrence Livermore project Supply Chain and Model contracts

Senate bills
Lieberman Collins----Major issue is Title I DHS regulatory authority vs. major attacks (APT) McCain et. al. info sharing/R & D/FISMA/law enforcement authority----no DHS reg role Admin supports LC----getting testy No action before May

ISA Issues with LC

No Need targeted infra already regulated for cyber No need---we are stopping APTs now Fed Reg bad fit for APT---art not science Regs will divert resources to compliance and away from security DHS infrastructure not adequate to the task at this time

ISA Issues with LC

Incentives will work better---none in LC Prolonged regulatory process will stifle innovation and investment thus harming cyber security Unclear what is actually covered under the definitions (except no IT???) thus adding to uncertainty thus bad for markets Title I does not contain event the basic reg safeguards in similar legislation

House
Thornberry Task Force----Incentives Rogers liability for info sharing Lungren Some DHS regstudy incent--NISO Possibly Smith/Goodlattebest practices E & C bipartisan commission on incentives Lungren may go the full HLS next week Lungren and Rogers could be on the floor April

Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001

www.isalliance.org