Three policy changes to deter, disable, and degrade hostile - - PowerPoint PPT Presentation

Three policy changes to deter, disable, and degrade hostile adversary capabilities

• Dr. Samuel Liles

Statements and/or opinions do not reflect current, past, or future government department/agency/organization policy or opinions

Pr Presentation scope and ask

A presentation on Cybersecurity that focuses on the ability of Cybersecurity efforts to deter malicious actors from harming American interests. President Obama recently noted that "we need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts — at their bottom line.” The briefing should show how this could be done for various classes of threat actors and how Cybersecurity strategy should be integrated with other national security strategies.

Tuesday, May 10, 2016 UNCLASSIFIED 2

Gi Given

• The focus is deterrence and imposition of costs (work

factor)

• The focus is action to be taken towards mitigating

harmful cyber activity

• The focus is on different classes of threat actors
• The focus is on the 80-20 principle by Vilfredo Pareto,

the first 80 percent will take only 20 percent of the cost, and the last 20 percent will cost 80 percent

• This presentation will not focus on prevention,

detection, or correction of current DoD or government networks or cyber hygiene.

Tuesday, May 10, 2016 UNCLASSIFIED 3

St Stating s som

• me of
• f t

the myths

Myth 1: Attribution has nothing to do with security Reality: Attribution is deterrence Myth 2: Cyberspace has no borders so stopping stuff is not possible Reality: Balkanization of the Internet exists Myth 3: The insider threat is the key to successful cybersecurity Reality: Though insider and partner attacks occur the external threat is extensive

Tuesday, May 10, 2016 UNCLASSIFIED 4

Ad Adversaries

• Internal or External
• Internal (knowing and unknowing)
• External (existential or criminal)
• Nation States or Nots
• Nation states
• Military
• Intelligence
• Patriots
• Nots
• For profit
• Not for profit

Analogies

• Vandals
• Burglars
• Thugs
• Spies
• Saboteurs

From Dr. Andy Ozment DUS CS&C Tuesday, May 10, 2016 UNCLASSIFIED 5

At Attribution

Tuesday, May 10, 2016 UNCLASSIFIED 6

Th The primary risk to organizations is an external actor and not an in inter ernal l actor (80 to 95 per ercen ent). Ve Verizon Data Breach Report 2015 ht http: p://www.verizone nent nterpr prise.com/verizon-in insig ights-la lab/dbir ir/

Tuesday, May 10, 2016 UNCLASSIFIED 7

Th The number on

• ne hos
• sting environ
• nment and cyber attack launch

lo locatio ion is is Unit ited ed States es domes estic ic (56% to the e res est 44%). So Solutionary Th Threat Report 2015 ht http: p://www www.nttcomsecurity.com/us/uploads/files/US_GTIR_Executiv e_ e_Summary_Public lic_Approved ed_v8.pdf

Tuesday, May 10, 2016 UNCLASSIFIED 8

Ac Action

• n 1: The ability to
• attribute hos
• stile activity is

ac accomplis lished at at mult ltip iple le le levels

• ls. There is

is polit litic ical, al, technic ical, al, an and forensic ic le levels ls of at attrib ibutio

• ion. Deterrence of ad

adversar ary ac actio ion an and dis isruptio ion of ad adversar ary in infras astructure is is possib ible le.

• Policy inject 1: Regulatory and statutory frameworks need to be aligned

and harmonized between intelligence, military, and law enforcement actors enabling sharing

• Policy inject 2: Detect and degrade the utilization of domestic

infrastructure and degrade adversary ability to operate through interdiction

• Policy result 1: Current intelligence law does not allow for domestic

surveillance of hostile actors regardless of point of origin

• Policy result 2:Naming and shaming can deter actor activity as has been

seen previously

Tuesday, May 10, 2016 UNCLASSIFIED 9

Ac Action

• n 2: The United States has regulator
• ry and statutor
• ry

co controls that ca can co constrain, deter, and disrupt adversary in interac actio ions utiliz ilizin ing US domestic ic in infras astructure for hostile ile ac actio ions in in cyberspac ace.

• Policy inject 1: End short term free domain registrations

(currently 7 days)

• Policy inject 2: Hold infrastructure owners

accountable/liable for criminal utilization of their networks

• Policy result 1: Remove the economic disparity between

attack and defense through economic means

• Policy result 2: Denial of adversary advantage on utilization
• f US infrastructure and equivalent to area denial principles

Tuesday, May 10, 2016 UNCLASSIFIED 10

Ac Action

• n 3: The foc
• cus on
• n for
• reign adversaries is not
• t misplaced.

Th The utilization of domestic infrastructure by y foreign ad adversar arie ies exis ists an and can an be mit itig igat ated.

• Policy inject 1: Automate detection of foreign registrants of

domestic infrastructure utilized in hostile actions and suspend or disable accesses

• Policy inject 2: Information sharing should be increased at

the operational level by removing privacy and civil rights protections that are inherently not harmonized with reality and actually protect privacy and civil rights (IP addresses are not PII).

• Policy result 1: As with the case study discussion this keeps

adversaries cheap, easy, fast, and intelligence free infrastructures from being utilized

• Policy result 2: Information sharing is passive, but if done

well can result in increased adversary work factor.

Tuesday, May 10, 2016 UNCLASSIFIED 11

Questions?

Bo Bonus Round

Action 4: Create a war-fighting led operational entity for the domain of cyber

• Policy Inject 1: Separate CyberCom from NSA by

modifying NDAA as in done in current NDAA Section 911

• Policy Inject 2: Create a cyber academy as in and US

Military Academy (1802), Naval Academy (1845), Coast Guard Academy (1876), Air Force Academy (1947),

• Policy Inject 3: Create a Cyber War College (as was

done with Air War College in 1946 a year before USAF was created 1947, Key West Agreement 1948)

Tuesday, May 10, 2016 UNCLASSIFIED 13