Larry Clinton, President & CEO, Internet Security Alliance


Larry Clinton President & CEO

Internet Security Alliance [email protected]

703-907-7028 202-236-0001

www.isalliance.org

Board of Directors

•  Tim McKnight, Chair, VP and CISO, Northrop Grumman
•  Jeff Brown, First Vice Chair, VP of Infrastructure Services and CISO for Information Technology, Raytheon
•  Gary McAlum, Second Vice Chair, Senior VP and Chief Security Officer, USAA

•  Joe Buonomo, President and CEO, Direct Computer Resources
•  Lt. Gen. Charlie Croom (Ret.), VP Cyber Security Solutions, Lockheed Martin
•  Valerie Abend, Managing Director, Information Risk, Bank of New York/Mellon Financial
•  Pradeep Khosla, Dean, College of Engineering & CyLab, Carnegie Mellon University
•  Marcus Sachs, VP of Government Affairs and National Security Policy
•  Barry Hensley, VP and Director, Counter Threat Unit/Research Group, Dell/Secureworks
•  Tom Kelly, Director of Information Security – Assessments and Vulnerabilities, Boeing
•  Gene Fredriksen, Global Information Security Officer, Tyco
•  Julie Taylor, VP, Cyber & Information Solutions Business Unit
•  Rick Howard, iDefense General Manager, VeriSign
•  Brian Raymond, Director, Tax, Tech & Economic Policy, National Association of Manufacturers

How Real is the Cyber Threat?

•  “. . . I have to begin by noting a worrisome fact: cyberspace is becoming more dangerous. The Intelligence Community’s world-wide threat brief to Congress in January raised cyber threats to just behind terrorism and proliferation in its list of the biggest challenges facing our nation . .” - Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command

•  “If terrorist groups were able to acquire [] destructive cyber capabilities, I think we should fear greatly that they would use them . . . The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses . . . We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens.” - William Lynn, Former U.S. Deputy Secretary for Defense

•  "This threat is so intrusive, it's so serious . . . If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory.” - Michael McConnell, Former Director of National Intelligence

•  “We’ve got the wrong mental model here . . . I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway.” - Dr. James S. Peery, Director of the Sandia National Laboratories Information Systems Analysis Center


ISAlliance Mission Statement

ISA seeks to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

Why Are We Not Cyber Secure?

“We find that misplaced incentives are as important as technical design … security failure is caused at least as often by bad incentives as by bad technological design.”

Anderson and Moore, “The Economics of Information Security”

Economic Incentives Favor Attackers

•  Offense: Attacks are cheap
•  Offense: Attacks are easy to launch
•  Offense: Profits from attacks are enormous
•  Offense: GREAT business model
•  Defense: Perimeter to defend is unlimited
•  Defense: Hard to show ROI
•  Defense: Usually a generation behind the attacker
•  Defense: Prosecution is difficult and rare
•  Economic incentives to be INSECURE: VoIP/mobile devices, Cloud, International Supply Chains


ISA Goals

•  Thought Leadership in Cyber Security

•  Public Policy Advocacy

•  Develop Programs to stimulate improved cyber security

•  Build the Alliance

Senate Bills

•  Lieberman-Collins: major issue is Title I DHS regulatory authority vs. major attacks (APT)
•  McCain et al.: info sharing/R&D/FISMA/law enforcement authority; no DHS regulatory role
•  Administration supports Lieberman-Collins
•  No action before May
•  ISA has been asked to offer a rewrite of Title I: how to address critical infrastructure (CI) without adding DHS regulations

House

•  Thornberry Task Force: incentives; map to ISA
•  Rogers: liability for info sharing
•  Lungren: some DHS regulation; study incentives; NISO
•  Possibly Smith/Goodlatte: best practices
•  E&C bipartisan commission on incentives
•  Lungren may go to the full HLS committee next week
•  Lungren and Rogers could be on the floor in April

2012 ISA Board Projects

•  Public Policy Advocacy: The Cyber Security Social Contract (market incentives over regulations)
•  APT for small/mid-sized (not huge) companies
•  Supply Chain for hardware (model contracts)
•  Financial Management of Cyber Risk
•  Modernized Information Sharing Model
•  CyberTrak (under development)

The Social Contract

•  The historic social contracts for infrastructure development (phones and electricity) successfully combine public policy, technology and economics

•  A cyber security social contract, with different terms, can do the same

Terms for the Cyber Social Contract

•  Create an international entity to judge the effectiveness of standards, practices and technologies

•  Government(s) create a menu of incentives for voluntary adoption of proven practices, standards and technologies on a sliding scale (gold, silver, etc.)

•  Adapt incentives from the rest of the economy (procurement, liability, insurance, streamlined regulation/licensing, marketing advantages, taxes)

Growth of the Social Contract Idea

•  2008: ISA publishes Cyber Social Contract
•  2009: Obama’s Cyberspace Policy Review
•  2011: endorsed by multi-association/civil liberties white paper on cyber security
•  2011: GOP Cyber Task Force Report
•  2012: Rogers-Ruppersberger legislation (passes Intel committee 17-1)
•  2012: World Institute for Nuclear Security (WINS)

Enterprise Cyber Security

“The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.”

The Information Systems Audit and Control Association (ISACA), quoted in Dept. of Commerce Green Paper, March 2011

Why Are We Not Doing It?

•  “Overall, cost was most frequently cited as ‘the biggest obstacle to ensuring the security of critical networks.’”

•  “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.”

•  “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat.”

CSIS & PwC Surveys 2010

PwC 2011 Study in A&D (Aerospace & Defense)

•  A&D respondents were 2x as likely to report financial losses from security incidents than in 2008
•  Security spending deferrals and cutbacks UP for the 3rd year in a row: 20-40% over last year
•  The confidence rating among A&D senior execs declined by 19 points since 2006
•  Single greatest obstacle: “decision makers at the top of the house.”


Financial Management of Cyber Risk (2010)

Growth in Financial Risk Management Approach

•  ISA released its Cyber Risk Team approach in 2007, 2010 and 2012 (health care)
•  CMU study in 2007: only 17% of firms had organization-wide cyber risk teams
•  CMU study in 2011: 87% have cyber risk teams
•  Ponemon Institute shows investment in cyber up 100% from 2007 to 2012
•  Major firms (E&Y) now using the ISA model

The APT: Average Persistent Threat

“The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event … APT is no longer just a threat to the public sector and the defense establishment … this year significant percentages of respondents across industries agreed that APT drives their organizations’ security spending.”

PricewaterhouseCoopers Global Information Security Survey, September 2011

APT: We Are Not Winning

•  “80% of A&D security experts surveyed said that their companies’ security policies did not address APT-style attacks. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.” PwC 2011

Are We Thinking of APT All Wrong?

•  “Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%).” PwC 2011

•  “Conventional information security defenses don’t work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target’s network while the target believes they have been eradicated.” M-Trends Report 2011

ISA and APT

•  Roach Motel Model 2008 (Jeff Brown, Raytheon, Chair)

•  Expanded APT Best Practices (Rick Howard, VeriSign; Tom Kelly, Boeing; and Jeff Brown, co-chairs)

Supply Chain

“The exploitation of information technology (IT) products and services through the supply chain is an emerging threat. In January 2012, the Director of National Intelligence identified the vulnerabilities associated with the IT supply chain for the nation’s networks as one of the greatest strategic cyber threat challenges the country faces.”

GAO Report, March 2012

Supply Chain Laws/Regulations

•  National Defense Authorization Act passed in December 201: Sec. 818 requires DoD to establish guidelines for industry on counterfeit part management. With respect to hardware counterfeits, DoD is looking at the Society of Automotive Engineering’s 5453 standard to inform the DoD guideline, but there is no equivalent standard that addresses cyber.

•  ISA has guidelines about to be published

ISA Proposal to AIA

•  The objective would be to leverage ISA’s experience and programs with AIA’s resources and membership in a mutually beneficial fashion.

•  ISA will contract with AIA to run a series of workshops designed to create a publication addressing the above-mentioned cyber security issues specifically with respect to the AIA membership (APT, Supply Chain, Organizational Risk Management and use of Incentives).

ISA Proposal to AIA

The publication would meet three specific goals: 1) Usefulness 2) Effectiveness 3) Economy

•  One or two workshops over the next 8 months, with the resulting publication in the first quarter of 2013
•  ISA will provide the baseline material for each workshop area (supply chain, financial risk management, APT and incentives) as well as organize the workshops


ISA Proposal to AIA

•  AIA will be responsible for populating the workshops with their member companies and financing them via a $100,000 payment to ISA. 

•  The $100,000 will earn for AIA a sponsor level “channel partnership” entitling all AIA members to participate in the ISA run workshops and including AIA participation in the ISA Board

•  ISA and AIA agree to collaborate on any future derivative programs (e.g. training/certification)
