Outbrief by INSA on CyberSecurity

Outbrief by INSA on CyberSecurity to former head of CyberSecurity Melissa Hathaway

1. 60 Day Cyber Study: INSA Response
   Presented to Melissa Hathaway
   Lou Von Thaer, Chair
   March 26, 2009

2. Agenda
   • Overview: Lou Von Thaer
   • Government’s Role: John Russack
   • Multiple Root Structure: Rob Pate
   • Public/Private Partnership: Steve Cambone
   • Closing Thoughts: Ellen McCarthy

3. INSA Industry Task Force
   Seneca Technology Group, LLC
   Crucial Point LLC

4. Approach
   • Guidance: focus on prioritized recommendations and implementation
   • Formed blended industry teams
   • Worked questions with teams of experts
   • Combined inputs and reviewed
   • Presented high-level findings
   Paper reflects personal rather than company opinions of the experts involved.

5. Three Questions to INSA
   • Government’s role in securing the critical infrastructure and private networks
   • Impact of moving to a multiple root structure for domain name service
   • Define and create the public/private partnership for cyber security

6. Key Insights and Summary
   • Continue to work technical solutions
   • Define who is in charge and why
   • Single root, but prepare for contingencies
   • Public/private partnership:
     • Industries need timely information
     • Protect industry when it cooperates
     • Government is educator, standard-setter, compliance auditor, and law enforcer
     • Government needs public and industry support

7. Government’s Role in Securing the Critical Infrastructure and Private Networks: Question 1
   What is (or should be) the government’s role in securing/protecting the critical infrastructures and private sector networks from attack, damage, etc. (from nation states)?
   • What are the minimum standards that must be established?
   • How will these standards affect procurement / acquisition policies?

8. Government’s Role in Securing the Critical Infrastructure and Private Networks: Recommendations
   • Create and empower a U.S. Government leadership position
   • Establish a White House-level position to lead cyber
   • Codify roles: authorities, responsibilities, and resources
   • Develop and set minimum cyber defense requirements for critical infrastructure
   • Develop a National Cyber Recovery Plan
   • Promote, support, and coordinate information sharing
   • Enhance attribution and take action
   • Establish communities of interest for improved analytics for attribution

9. Government’s Role in Securing the Critical Infrastructure and Private Networks: Recommendations
   Promote, support, and coordinate information sharing
   • Key to multiple INSA cyber security recommendations
   • Government-wide FOIA exemption for cyber
   • Establish executive branch guidance on cyber CIP information sharing (executive order?)
   • Review all applicable law, policy, and procedures dealing with cyber CIP information sharing between government and private sector owners and operators, with the goal of better enabling real-time information sharing
   • Improve the context, timeliness, and value (information should be better tailored to the recipient) of what information the U.S. Government shares with the private sector

10. Government’s Role in Securing the Critical Infrastructure and Private Networks: Recommendations
   What are the minimum standards?
   • Consensus Audit Guidelines (CAG) are a good start
   • Government-led consortium must own these standards and guidelines
   • In addition to CAG, standards need to include:
     • Policies and guidance for Supply Chain Protection
     • Vulnerability analysis of COTS and GOTS software
   • Leverage DHS initiative: “Build Security In”

11. Multiple Root Structure: Question 2
   How would the security and stability of the Internet be affected if the single, authoritative root were to be replaced by a multiple root structure?
   • What would be the economic and technical consequences of a multiple root structure?
   • What, if any, influences do you see that may:
     • Move the Internet in the direction of greater fragmentation?
     • Help to preserve and maintain a single, interoperable Internet?
   • What are the implications of these forces?

12. Multiple Root Structure: Recommendations
   • Field DNSSEC and continue with a single root
   • Direct the National Communications System and US-CERT to monitor the 13 recognized root servers
   • Develop, test, and be prepared to implement contingency plans
   • Address the multilingual/multicultural environment of the Internet
   • More effectively engage international communities to preserve the current Internet governance system

13. Public/Private Partnership: Question 3
   Our lifestyle is based upon a digital infrastructure that is privately owned and globally operated.
   • How do we get to a public/private partnership and action plan that will build protection and security in, and enable information sharing to better understand when it is under a local or global attack (warning)?
   • What is the model public/private relationship?
   • Who will conduct oversight in the IC and national security community, and how?
   • How would you provide common situational awareness?

14. Public/Private Partnership: Recommendations
   • Private sector increasingly recognizes the need for security of the Internet
   • Growing willingness to accept government leadership
   • Build on existing public/private partnership models to create a “regulatory environment”
     • Purpose is to identify anomalous behavior
     • Result is a more secure operating environment
   • Agreed-upon set of standards
   • An acceptance of government authority to sanction anomalous behavior and to enforce agreed-upon standards

15. Public/Private Partnership: Recommendations (continued)
   • Government increases transparency in the regulatory environment
   • Methods for managing the environment and a defined role for citizens
   • Similar public-private examples in international communities
   • Aggressively fund private sector R&D in key cyber assurance areas

16. Closing Thoughts
   • The team is ready to explain all of the recommendations further, if needed
   • The paper includes some additional questions that we think ought to be studied
   • INSA and its members are ready to assist

17. INSA Report Volunteers
   Chairman: Lou Von Thaer
   Question Leads, Contributors, and INSA staff (listed together): Bob Giesler, Marilyn Quagliotti, Tom Goodman, J.R. Reagan, Cristin Goodwin Flynn, Dave Rose, Rob Pate, Bob Gourley, Mark Schiller, Steve Cambone, Dan Hall, Andy Singer, John Russack, Vince Jarvie, Mary Sturtevant, Jose Jimenez, Almaz Tekle, Nadia Short, Kevin Kelly, Mel Tuckfield, Scott Dratch, Michael Kushin, Ann Ward, Scott Aken, Bob Landgraf, Jennifer Warren, Greg Astfalk, Joe Mazzafro, Zal Azmi, Gary McAlum, Fred Brott, David McCue, Ellen McCarthy, Lorraine Castro, Marcus McInnis, Frank Blanco, Jim Crowley, Brian McKenney, Jared Gruber, Bob Farrell, Linda Meeks, Jarrod Chlapowski, Barbara Fast, Billy O'Brien, Dennis Gilbert, Marie O'Neill Sciarrone