Dave McCurdy, Executive Director, Internet Security Alliance - PowerPoint PPT Presentation

SLIDE 1

Dave McCurdy, Executive Director, Internet Security Alliance; President, Electronic Industries Alliance

SLIDE 2

Electronic Industries Alliance

“The Whole is Greater Than the Sum of the Individual Parts”

  • Telecommunications Industry Association (TIA)
  • Solid State and Semiconductor Technology (JEDEC)
  • Consumer Electronics Association (CEA)
  • Government Electronics & Information Technology Association (GEIA)
  • Electronic Components, Assemblies & Materials Association (ECA)
  • NSTEP, National Science & Technology Education Partnership (Foundation)
  • Affiliates:
    – Electronic Representative Association (ERA)
    – Internet Security Alliance (ISAlliance)
    – National Association of Relay Manufacturers (NARM)

SLIDE 3

Electronic Industries Alliance Mission

  • EIA the Alliance
    – “Promote market development and competitiveness of the high-tech industry through domestic and international policy efforts.”
  • EIA the Entity
    – Serves as a common voice for industry to educate policymakers and the public
    – Addresses sustained and critical issues important to the constituent industry
    – Mobilizes the industry on critical issues
    – Coordinates policies and strategies with all allied associations
    – Promotes standards that serve the industry

SLIDE 4

Electronic Industries Alliance

  • Brings together top-level government officials and corporate leaders.
  • Each of the past four U.S. presidents and other major policy makers meet with EIA.
  • EIA provides the major US tech link to international organizations.

SLIDE 5

The Internet Security Alliance

The Internet Security Alliance is a collaborative effort between Carnegie Mellon University’s Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

SLIDE 6

Sponsors

SLIDE 7

ISAlliance = Power-Synergy

  • Draws on the political muscle of EIA and its 80-year history in technology policy, market development and standards creation.
  • Draws on the internet security expertise of the CERT at Carnegie Mellon.
  • Draws on an international membership to bring cohesion and focus to issues.

SLIDE 8

ISAlliance International: India Participation

  • ISAlliance has active members on 4 continents.
  • 20% of the ISAlliance Board are non-US based companies; the Board Chair is from CW of England.
  • TCS is the ISAlliance Founding Sponsor from India.
  • TCS has offered to become the first “ISAlliance Security Anchor”.

SLIDE 9

Outline of Today’s Presentation

  • The substance and politics of outsourcing in the United States today
  • The relationship between security issues and outsourcing, and its potential effect on public policy and international business cooperation
  • A proposal for NASSCOM and its member companies to formally join/work together

SLIDE 10

Economics of Offshore Outsourcing for the US

  • The U.S. is now facing a third consecutive year of job losses.
  • Last summer the US lost a quarter million jobs, while US firms shipped 30,000 new service jobs to India.
  • Estimates are that during the next 15 years the US will lose 3.3 million jobs to foreign companies, along with $136 billion in lost wages.

SLIDE 11

Positive Aspects of Outsourcing to India

  • India provides significant assets for high-tech companies: a highly-educated workforce well-versed in math and science and possessing engineering degrees comparable to those of U.S. colleges and universities.
  • India is becoming an increasingly important member of the international economic community. This strength could also bring better relations between the U.S. and India, and a vested interest in international security.

SLIDE 12

The US Politics of Outsourcing to India

  • The U.S. faces a “job loss” economic recovery.
  • Homeland security, including cyber security, continues to have strong political appeal.
  • “The AFL-CIO (the largest union in the US) has mobilized support around the country for legislation that calls for an outright ban on overseas contracting” (Wash Post 1/31/04)

SLIDE 13

Results of Political Pressure in US

  • In November the state of Indiana canceled a $15 million contract with an Indian company due to public outcry over outsourcing.
  • Last year 8 states considered legislation to ban contracts using overseas workers; none passed, but more pressure is expected.
  • On Jan 23 2004 President Bush signed into law a provision prohibiting certain government contracts to companies performing the work overseas.

SLIDE 14

New US law is tip of the Iceberg

  • THE LAW IS LIMITED
    1. It pertains to only a narrow range of mostly transportation contracts.
    2. It is already set to expire in September.
    3. Very few contracts are likely to be affected.
  • THE LAW IS A WARNING
    1. State bills defeated last year have a better chance now.
    2. Congress and the Administration are now on record as willing to take aggressive action.

SLIDE 15

What Drives the Outsourcing Politics ?

  • Speaking of the new US federal law in Saturday’s Washington Post, Stan Soloway (Pres. US Professional Service Council) is quoted as saying:

“he knows of no such competitions that have resulted in jobs going overseas. (It is) security restrictions that keep government contractors from using foreign workers.” (Wash. Post 1/31/04)

SLIDE 16

A Security Focus may be a good approach for India

  • India is considered to have a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Poorer nations often don't have laws protecting foreign companies and rarely enforce whatever laws may exist.
  • India’s membership in the WTO and adherence to TRIPS will help reduce fear.

SLIDE 17

US also needs a focus on Internet Security

  • 1. Concerns about offshore-related security are on the rise.
  • 2. The shift to higher-level outsourcing will put security more in the spotlight. Database testing carries a higher level of risk than application development and maintenance.
  • 3. US industry must develop cooperative policies, or high-tech companies will be penalized by those who are not as familiar with the issues or who wish to capitalize on the misfortunes of voters.

SLIDE 18

Growth in Incidents Reported to the CERT/CC

[Bar chart, reconstructed as a table: incidents reported per year, as plotted on the slide]

Year    Incidents
1988            6
1989          132
1990          252
1991          406
1992          773
1993        1,334
1994        2,340
1995        2,412
1996        2,573
1997        2,134
1998        3,734
1999        9,859
2000       21,756
2001       55,100
2002      110,000

SLIDE 19

The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

[Bar chart, reconstructed as a table: vulnerabilities reported per year, as plotted on the slide]

Year    Vulnerabilities
1995            171
1996            345
1997            311
1998            262
1999            417
2000          1,090
2001          2,437
2002          4,129

SLIDE 20

The Threats – The Risks

Human Agents

  • Hackers
  • Disgruntled employees
  • White collar criminals
  • Organized crime
  • Terrorists

Methods of Attack

  • Brute force
  • Denial of Service
  • Viruses & worms
  • Back door taps & misappropriation
  • Information Warfare (IW) techniques

Exposures

  • Information theft, loss & corruption
  • Monetary theft & embezzlement
  • Critical infrastructure failure
  • Hacker adventures, e-graffiti/defacement
  • Business disruption

Representative Incidents

  • Code Red, Nimda, Sircam
  • CD Universe extortion, e-Toys “Hacktivist” campaign
  • Love Bug, Melissa viruses

SLIDE 21

Attack Sophistication v. Intruder Technical Knowledge

[Chart, 1980 to 2000: two curves, “Attack Sophistication” (of the tools) rising from low to high and “Intruder Knowledge” (required of the attackers) falling from high to low. Tools and techniques plotted along the timeline, earliest to latest: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; “stealth”/advanced scanning techniques; burglaries; network mgmt. diagnostics; DDOS attacks.]

SLIDE 22

Discovered Virus Threats Per Day

[Bar chart: discovered virus threats per day, 1991 through 2003 (2003 estimated); y-axis 0 to 70 per day. Per-year values are not recoverable from the page.]

SLIDE 23

The Speed of Attacks Accelerates

  • Slammer (January 2003): a blended threat that exploits a known vulnerability; global in 3 minutes; enterprises scramble to restore business availability.
  • MYDOOM (January 2004): even faster.

SLIDE 24

Machines Infected per Hour at Peak

[Bar chart comparing Code Red, Nimda, Goner and Slammer; y-axis 0 to 100,000 machines infected per hour at peak. Per-worm values are not recoverable from the page.]
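As an added illustration of why a Slammer-class worm saturates its victim population in minutes rather than hours (this is example code written for this page, not code from the presentation, CERT/CC or the ISAlliance), the following Python models a random-scanning worm with the simple susceptible-infected epidemic model: every infected host scans uniformly random IPv4 addresses at a fixed rate, and a scan infects a new host only when it lands on a vulnerable, not-yet-infected address. The vulnerable-population and scan-rate figures are assumed, rounded parameters in the spirit of Slammer (tens of thousands of vulnerable hosts, thousands of scans per second per host) and Code Red (hundreds of thousands of vulnerable hosts, a few scans per second), not measurements, and the model deliberately ignores bandwidth saturation.

```python
"""Deterministic SI (susceptible-infected) model of a random-scanning worm.

Assumption: every infected host scans uniformly random IPv4 addresses at a
fixed rate; a scan infects only if it hits a vulnerable, uninfected address.
All parameter values below are illustrative assumptions, not measurements.
"""
import math

IPV4_ADDRESSES = 2 ** 32


def doubling_time_seconds(vulnerable, scans_per_second, address_space=IPV4_ADDRESSES):
    """Early-phase doubling time: while infected << vulnerable, dI/dt ~= r*I
    with r = scans_per_second * vulnerable / address_space."""
    r = scans_per_second * vulnerable / address_space
    return math.log(2) / r


def simulate_random_scanning_worm(vulnerable, scans_per_second, dt=0.1,
                                  initial_infected=1, stop_fraction=0.9,
                                  address_space=IPV4_ADDRESSES, max_seconds=10 ** 6):
    """Forward-Euler integration of dI/dt = s * I * (V - I) / N.

    Returns (seconds until stop_fraction of V is infected, trajectory), where
    trajectory is a list of (t, infected) samples, one per time step.
    """
    infected = float(initial_infected)
    t = 0.0
    target = stop_fraction * vulnerable
    trajectory = [(t, infected)]
    while infected < target and t < max_seconds:
        # Probability that one random scan lands on a vulnerable, uninfected host.
        hit_probability = (vulnerable - infected) / address_space
        newly_infected = infected * scans_per_second * dt * hit_probability
        infected = min(float(vulnerable), infected + newly_infected)
        t += dt
        trajectory.append((t, infected))
    return t, trajectory


def peak_infections_per_hour(trajectory):
    """Largest per-step infection rate in the trajectory, scaled to one hour.
    Unthrottled by bandwidth, so it overstates what a real worm achieves."""
    best = 0.0
    for (t0, i0), (t1, i1) in zip(trajectory, trajectory[1:]):
        best = max(best, (i1 - i0) / (t1 - t0))
    return best * 3600.0


def compare_worms():
    """Run two assumed, rounded parameter sets and summarise each."""
    scenarios = {
        # Assumed: ~75k vulnerable hosts, ~4k scans/s per host (Slammer-like)
        "slammer-like": dict(vulnerable=75_000, scans_per_second=4_000, dt=0.1),
        # Assumed: ~360k vulnerable hosts, ~10 scans/s per host (Code Red-like)
        "code-red-like": dict(vulnerable=360_000, scans_per_second=10, dt=1.0),
    }
    results = {}
    for name, params in scenarios.items():
        seconds, trajectory = simulate_random_scanning_worm(**params)
        results[name] = {
            "doubling_time_s": doubling_time_seconds(
                params["vulnerable"], params["scans_per_second"]),
            "time_to_90pct_s": seconds,
            "peak_per_hour": peak_infections_per_hour(trajectory),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_worms().items():
        print(f"{name:14s} doubling {r['doubling_time_s']:6.1f}s  "
              f"90% infected after {r['time_to_90pct_s'] / 60:7.1f} min  "
              f"peak {r['peak_per_hour']:,.0f}/hour (unthrottled)")
```

The point of the comparison is the growth-rate term s*V/N: multiplying the per-host scan rate by a few hundred shrinks the doubling time from minutes to seconds, so the Slammer-like run reaches 90% of its victims in about three minutes while the Code Red-like run takes hours. The unthrottled peak rate is far above what was observed for Slammer, which is exactly the effect of the bandwidth saturation the model leaves out.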

SLIDE 25

Computer Virus Costs (in billions)

[Bar chart: computer virus costs in $ billions, '96 through '03 (2003 through Oct 7), showing a range and a damage figure per year; y-axis 0 to 150. Per-year values are not recoverable from the page.]

SLIDE 26

ISA Security Anchor Proposal

Go beyond isolated conferences to a full service trade association for cyber security, providing on-going services in:

  • Information sharing on threats and incidents
  • Best practices/standards/assessment development
  • Locally-based education and training
  • Domestic & international policy development
  • Developing market incentives for cyber security

SLIDE 27

What Indian Partners Can Do:

  • Become Security Anchors in India
  • TCS will be a Security Anchor in India; other companies or Associations may also apply
  • Join ISAlliance, be a conduit for ISAlliance services
  • Work jointly on projects of mutual benefit
  • Work jointly on increasing confidence in free market policies in the Internet age
  • Work jointly on developing Return on Investment programs in cyber-security

SLIDE 28

ISAlliance/CERT Knowledgebase Examples

SLIDE 29

Benefits of Information Sharing Organizations

  • May lessen the likelihood of attack

“Organizations that share information about computer break-ins are less attractive targets for malicious attackers.” – NYT 2003

  • Participants in information sharing have the ability to better prepare for attacks

SLIDE 30

Benefits of Information Sharing Organizations

  • SNMP vulnerability
    – CERT notified Alliance members Oct. 2001
    – Publicly disclosed Feb. 2002
  • Slammer worm
    – CERT notified Alliance members May 2002
    – Worm exploited Jan. 2003

SLIDE 31

Why ISA Info Sharing Works

  • Carnegie Mellon/CERT leadership and credibility
  • History and regularity build up trust
  • Enforcing the rules builds trust
  • Cross-sector/international model lessens competitive concerns
  • Success breeds greater success

SLIDE 32

A Risk Management Approach is Needed

“Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date… There is no special technology that can make an enterprise completely secure.”

– National Strategy to Secure Cyberspace, 2/14/03

SLIDE 33

Chief Technology Officers’ Knowledge of their Cyber Insurance

  • 34% incorrectly thought they were covered
  • 36% did not have insurance
  • 23% did not know if they had insurance
  • 7% knew that they were insured by a specific policy

SLIDE 34

ISAlliance Cyber-Insurance Program

  • Coverage for members
  • Free Assessment through AIG
  • Market incentive for increased security practices
  • 10% discount off best prices from AIG
  • Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

SLIDE 35

Adopt and Implement Best Practices

  • Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
  • Endorsed by TechNet for CEO Security Initiative (April 2003)
  • Endorsed by US India Business Council (April 2003)

SLIDE 36

Common Sense Guide Top Ten Practice Topics

  • Practice #1: General Management
  • Practice #2: Policy
  • Practice #3: Risk Management
  • Practice #4: Security Architecture & Design
  • Practice #5: User Issues
  • Practice #6: System & Network Management
  • Practice #7: Authentication & Authorization
  • Practice #8: Monitor & Audit
  • Practice #9: Physical Security
  • Practice #10: Continuity Planning & Disaster Recovery
SLIDE 37

Other ISAlliance Best Practice Publications

  • Common Sense Guide for Home Users and Traveling Executives (February 2003)
  • Common Sense Guide to Cyber Security for Small Businesses (Commissioned by National Cyber Security Summit Meeting 11/03)

SLIDE 38

Cooperative work on assessment/certification

  • TechNet CEO Self-Assessment Program
    – Bring cyber security to the C-level based on ISA Best Practices
    – Create a baseline of security even CEOs can understand
  • Global Security Consortium 3rd-Party Assessment Program
    – Risk Preparedness Index for assessment as “Qualified Member”
    – Develop quantitative independent ROI for cyber security

SLIDE 39

ISAlliance Qualification Program

  • No standardized certification program exists, or will exist soon
  • ISAlliance, in cooperation with the Big 4 accounting firms and the insurance industry, creates a quantitative measurement for “qualification” for ISA discounts as a proxy for certification
  • ISA works with CMU CyLab on certification

SLIDE 40

ISAlliance/CERT Training

  • Concepts and Trends In Information Security
  • Information Security for Technical Staff
  • OCTAVE Method Training Workshop
  • Overview of Managing Computer Security Incident

Response Teams

  • Fundamentals of Incident Handling
  • Advanced Incident Handling for Technical Staff
  • Information Survivability: an Executive Perspective

SLIDE 41

Public Policy

  • Policy must address Internet as a new technology
  • No one “owns” the Internet
  • It is constantly evolving
  • International operation makes regulation difficult
  • Mandates will truncate innovation and the economy
SLIDE 42

Putnam Legislation

  • Risk assessment
  • Risk mitigation
  • Incident response program
  • Tested continuity plan
  • Updated patch management program
  • Putnam has said “industry led Internet Security efforts won’t work.”

SLIDE 43

ISAlliance Incentive Model

  • Model programs for market incentives: AIG, Visa, Nortel, Verizon
  • SemaTech program
  • Tax incentives
  • Liability carrots
  • Procurement model
  • Research and development

SLIDE 44

A Coherent 10-Step Program of Cyber Security

  • 1. Members and CERT create best practices
  • 2. Members and CERT share information
  • 3. Cooperate with industry and government to develop new models and products consistent with best practices

SLIDE 45

A Coherent Program of Cyber Security

  • 4. Provide Education and Training programs based on coherent theory and measured compliance
  • 5. Coordinate across sectors
  • 6. Coordinate across borders

SLIDE 46

A coherent program

  • 7. Develop the business case (ROI) for improved cyber security
  • 8. Develop market incentives and tools for consistent maintenance of cyber security
  • 9. Integrate sound theory, practice and evaluation into public policy
  • 10. Constantly expand the perimeter of cyber security by adding new members

SLIDE 47

Benefits

  • Share critical information across industries and across national borders
  • Provide a secure setting to work on common problems
  • Provide economic incentive programs
  • Develop model industry evaluation and training programs

SLIDE 48

For Additional Information

  • Dave McCurdy, 703-907-7508, Dmccurdy@eia.org
  • Larry Clinton, 703-907-7028, lclinton@isalliance.org