Larry Clinton, President, Internet Security Alliance - PowerPoint PPT Presentation



SLIDE 1

Larry Clinton, President, Internet Security Alliance
lclinton@isalliance.org
703-907-7028 / 202-236-0001

SLIDE 2

ISA Board of Directors

  • Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
  • J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
  • Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
  • Marc-Anthony Signorino, Treasurer; National Association of Manufacturers
  • Ken Silva, Immediate Past Chair; CSO, VeriSign
  • Lt. Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
  • Jeff Brown, CISO/Director IT Infrastructure, Raytheon
  • Eric Guerrino, SVP/CIO, Bank of New York Mellon
  • Pradeep Khosla, Dean, Carnegie Mellon School of Computer Science
  • Joe Buonomo, President, DCR
  • Bruno Mahlmann, VP Cyber Security, Dell
  • Linda Meeks, VP/CISO, Boeing Corporation
  • Justin Somaini, CISO, Symantec

SLIDE 3

ISAlliance Mission Statement

ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.

SLIDE 4

The Internet Changes Everything

  • Concepts of Privacy
  • Concepts of National Defense
  • Concepts of Self
  • Concepts of Economics
  • We have been focused on HOW cyber attacks happen; we need to focus on WHY ($)
  • Cyber security is an economic/strategic issue as much as an operational/technical one

SLIDE 5

Is Cyber best thought of as a Global Commons?

  • Definition: "Commons belongs to no one and is held for the good of all"... but unlike other commons (air/space/seas):
  • The Internet is not a "space"; it is a network of defined networks
  • The Internet is a network owned by many
  • The Internet is under constant attack
  • Cyber systems control other areas of the global commons

SLIDE 6

More Differences

  • The Internet was created by man, tightly organized by man, and reliant on man-made standards, practices and technologies
  • Other domains are ruled by government entities; the Internet is primarily governed by the private sector
  • Cyber crime is currently a big business with national security implications

SLIDE 7

Another model to consider: Internet Governance

  • The Internet is a unique and broad-based infrastructure with different owners and governance structures & unique problems
  • Internet Security is an infrastructure enhancement issue
  • The "Social Contract" used for earlier infrastructures is a better model
  • An economic issue as well as a tech/ops one

SLIDE 8

Cyber Security Economics are Skewed

  • Responsibility, costs, harms and incentives are misaligned
  • Individual and Corporate Financial loss
  • National Defense
  • Core investment is undermined by edge insecurity
  • Enterprises are not structured to properly analyze cyber risk

SLIDE 9

What we do know is all bad

  • All the economic incentives favor the attackers, i.e. attacks are cheap, easy and profitable, and the chances of getting caught are small
  • Defense is inherently a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show

SLIDE 10

Bad News and Good News

  • Bad: The situation is getting worse
  • Good: We know how to stop/mitigate 80-90% of cyber attacks
  • Bad: Although attacks are up, investment is down in 50-66% of American firms (PwC/CSIS/Gartner)

SLIDE 11

Regulation is not the answer

  • Compliance (not security) already eats up much of the "security" budget
  • Specific regs can't keep up with attacks
  • Vague regs show no effect
  • Regs increase costs uniquely for American companies
  • Regs can be counterproductive "ceilings" (e.g. Campaign Finance)

SLIDE 12

A Social Contract Approach yields different solutions

  • Information Sharing
  • Supply Chain Management
  • Corporate Structure and Enterprise Education
  • A Public Private Partnership built on effectiveness and market incentives
  • A US solution that can lead the world

SLIDE 13

Social Contract: Info Sharing

  • We need to be sure the information being shared can be put into action... We need to get the roadblocks out of the way
  • Most companies with limited budgets are locked into a reactive defensive posture, allowing for little more than signature-based perimeter monitoring and, if malware is detected, eradication.

SLIDE 14

Roach Motel: Bugs Get In, Not Out

  • No way to stop determined intruders
  • Stop them from getting back out (with data) by disrupting the attackers' command and control channels back out of our networks
  • Identify web sites and IP addresses used to communicate with malicious code
  • Cut down on the "dwell time" in the network
  • Don't stop attacks; make them less useful
SLIDE 15

New Model (based on the AV model)

  • Focus is not on sharing attack info
  • Focus IS on disseminating info on attacker C2 URLs & IP addresses and automatically blocking OUTBOUND TRAFFIC to them
  • Threat Reporters (report malicious C2 channels)
  • National Center (clearing house)
  • Firewall Vendors (push info into the field of devices, like AV vendors do now)
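The two slides above (Roach Motel and the AV-style C2 blocklist model) describe a mechanism rather than a policy: a clearing house publishes attacker C2 URLs and IP addresses, and edge devices consume them to block outbound connections and to flag hosts that have already been talking to C2. The script below is an added example written for this page, not ISA's code or any real clearing-house format. The feed layout (`type,value,source,first_seen`), the flow-log layout, the indicator values (all from documentation ranges) and the `iptables` output are assumptions made for illustration.

```python
"""Consume a shared C2 indicator feed and apply it to outbound traffic.

Added example, not part of the original presentation. Feed format, log
format and all indicator values are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample feed, as a hypothetical clearing house might publish it.
C2_FEED = """\
# type,value,source,first_seen
url,http://update-check.example.net/gate.php,reporter-A,2011-03-01
domain,cdn-stats.example.org,reporter-B,2011-03-02
ip,203.0.113.45,reporter-A,2011-03-02
cidr,198.51.100.0/24,reporter-C,2011-03-03
"""

# Constructed outbound flow log (proxy/netflow style); host=- means no HTTP Host seen.
FLOW_LOG = """\
2011-03-04T10:00:01 src=10.1.2.3 dst=203.0.113.45:443 host=-
2011-03-04T10:00:05 src=10.1.2.3 dst=192.0.2.10:80 host=www.cdn-stats.example.org
2011-03-04T10:00:09 src=10.1.2.7 dst=192.0.2.20:443 host=mail.example.com
2011-03-04T10:00:12 src=10.1.2.9 dst=198.51.100.77:8080 host=-
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<port>\d+) host=(?P<host>\S+)"
)


@dataclass
class C2Blocklist:
    domains: set = field(default_factory=set)      # bare hostnames from url/domain entries
    networks: list = field(default_factory=list)   # ip_network objects from ip/cidr entries

    @classmethod
    def from_feed(cls, text):
        """Parse the feed; URLs are reduced to their host, IPs become /32 networks."""
        bl = cls()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, value, *_ = line.split(",")
            kind = kind.lower()
            if kind == "url":
                bl._add_host(urlsplit(value).hostname)
            elif kind == "domain":
                bl._add_host(value)
            elif kind in ("ip", "cidr"):
                bl.networks.append(ipaddress.ip_network(value, strict=False))
        return bl

    def _add_host(self, host):
        host = host.rstrip(".").lower()
        try:  # a URL may carry a literal IP as its host
            self.networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            self.domains.add(host)

    def matches_host(self, host):
        """True if host is a listed IP/CIDR member, a listed domain, or a subdomain of one."""
        host = host.rstrip(".").lower()
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            parts = host.split(".")
            return any(".".join(parts[i:]) in self.domains for i in range(len(parts)))
        return any(ip in net for net in self.networks)

    def iptables_rules(self):
        """Outbound DROP rules for the IP-based indicators (domains need DNS/proxy enforcement)."""
        return [f"iptables -A OUTPUT -d {net} -j DROP" for net in self.networks]


def triage_flows(log_text, blocklist):
    """Return (timestamp, internal src, reason) for each outbound flow touching a C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, host = m["dst"], m["host"]
        if host != "-" and blocklist.matches_host(host):
            hits.append((m["ts"], m["src"], f"host {host}"))
        elif blocklist.matches_host(dst):
            hits.append((m["ts"], m["src"], f"ip {dst}"))
    return hits


if __name__ == "__main__":
    bl = C2Blocklist.from_feed(C2_FEED)
    for rule in bl.iptables_rules():
        print(rule)
    for ts, src, reason in triage_flows(FLOW_LOG, bl):
        print(f"{ts} {src} contacted C2 ({reason})")
```

On the constructed data this flags 10.1.2.3 twice (a direct hit on the listed IP, then a subdomain of a listed domain) and 10.1.2.9 once (a member of the listed /24); those three internal hosts are where the "dwell time" clock is already running and the response effort belongs. Only the IP and CIDR entries become firewall rules; the domain entries need to be enforced where names are resolved or proxied.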

SLIDE 16

The ISA Supply Chain Strategy/Framework

  • Solve the supply chain problem in a way that ALSO produces other security benefits, thus justifying the increased expenditure
  • Businesses are not suffering greatly from supply chain attacks, but are suffering from other attacks
  • Key is to make the entire supply chain secure, i.e. supply chain must be part of a comprehensive framework

SLIDE 17

Framework: Legal Support Needed

  • 1. Rigorous contracts delineating security measures
  • 2. Locally responsible corporations with a long-term interest in complying
  • 3. Local ways of motivating workers and executives
  • 4. Adequate provision for verifying implementation of security
  • 5. Local law enforcement of agreements at all levels

SLIDE 18

We are not cyber structured

  • In 95% of companies the CFO is not directly involved in information security
  • 2/3 of companies don't have a risk plan
  • 83% of companies don't have a cross-organizational privacy/security team
  • Less than half have a formal risk management plan, and 1/3 of the ones who do don't consider cyber in the plan

SLIDE 19

ANSI-ISA Program

  • Outlines an enterprise-wide process to attack cyber security broadly and economically
  • CFO strategies
  • HR strategies
  • Legal/compliance strategies
  • Operations/technology strategies
  • Communications strategies
  • Risk Management/insurance strategies

SLIDE 20

What the CFO needs to do

  • Own the problem
  • Appoint an enterprise-wide cyber risk team
  • Meet regularly
  • Develop an enterprise-wide cyber risk management plan
  • Develop an enterprise-wide cyber risk budget
  • Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback

SLIDE 21

Incentive-based model for cyber security

  • Rely on status quo methods to create cyber security standards and practices
  • Test for effectiveness (e.g. FDA)
  • Create tiered levels based on risk profile
  • Apply market incentives to voluntary adoption
  • Embraced by CSPR (tax/liability/procurement/insurance) & legislation

SLIDE 22

Summary

  • The Internet may not be best analyzed as a global commons
  • The private sector will need to be more engaged in cyber defense than ever before, demanding a unique partnership
  • Economics will be as important as technology
  • Different questions yield different answers

SLIDE 23

Larry Clinton, President, Internet Security Alliance
lclinton@isalliance.org
703-907-7028 / 202-236-0001