Outbrief by INSA on CyberSecurity
1. 60 Day Cyber Study
INSA Response
Presented to Melissa Hathaway
Lou Von Thaer - Chair
March 26, 2009
2. Agenda
Overview - Lou Von Thaer
Government’s Role - John Russack
Multiple Root Structure - Rob Pate
Public/Private Partnership - Steve Cambone
Closing Thoughts - Ellen McCarthy
3. INSA Industry Task Force
Seneca Technology Group, LLC
Crucial Point LLC
4. Approach
- Guidance: focus on prioritized recommendations and implementation
- Formed blended industry teams
- Worked questions with teams of experts
- Combined inputs and reviewed
- Presented high-level findings
Paper reflects personal rather than company opinions of the experts involved
5. Three Questions to INSA
- Government’s role in securing the critical infrastructure and private networks
- Impact of moving to a multiple root structure for domain name service
- Define and create the public/private partnership for cyber security
6. Key Insights and Summary
- Continue to work technical solutions
- Define who is in charge and why
- Single root but prepare for contingencies
- Public/private partnership:
  - Industries need timely information
  - Protect industry when it cooperates
  - Government is educator, standard-setter, compliance auditor, and law enforcer
  - Government needs public and industry support
7. Government’s Role in Securing the Critical Infrastructure and Private Networks
QUESTION 1
What is (or should be) the government’s role in securing/protecting the critical infrastructures and private sector networks from attack, damage, etc. (from nation states)?
- What are the minimum standards that must be established?
- How will these standards affect procurement / acquisition policies?
8. Government’s Role in Securing the Critical Infrastructure and Private Networks
RECOMMENDATIONS
- Create and empower a U.S. Government leadership position
  - Establish White House-level position to lead cyber
  - Codify roles: authorities, responsibilities, and resources
- Develop and set minimum cyber defense requirements for critical infrastructure
- Develop a National Cyber Recovery Plan
- Promote, support, and coordinate information sharing
- Enhance attribution and take action
  - Establish communities of interest for improved analytics for attribution
9. Government’s Role in Securing the Critical Infrastructure and Private Networks
RECOMMENDATIONS
Promote, support, and coordinate information sharing
- Key to multiple INSA cyber security recommendations
- Government-wide FOIA exemption for cyber
- Establish executive branch guidance on cyber CIP information sharing (executive order?)
- Review all applicable law, policy, and procedures dealing with cyber CIP information sharing between government and private sector owners and operators, with the goal of better enabling real-time information sharing
- Improve the context, timeliness, and value (information should be better tailored to the recipient) of what information the U.S. Government shares with the private sector
10. Government’s Role in Securing the Critical Infrastructure and Private Networks
RECOMMENDATIONS
What are the minimum standards:
- Consensus Audit Guidelines (CAG) are a good start
- Government-led consortium must own these standards and guidelines
- In addition to CAG, standards need to include:
  - Policies and guidance for Supply Chain Protection
  - Vulnerability analysis of COTS and GOTS software
  - Leverage DHS initiative: “Build Security In”
11. Multiple Root Structure
QUESTION 2
How would the security and stability of the Internet be affected if the single, authoritative root were to be replaced by a multiple root structure?
- What would be the economic and technical consequences of a multiple root structure?
- What, if any, influences do you see that may:
  - Move the Internet in the direction of greater fragmentation?
  - Help to preserve and maintain a single, interoperable Internet?
- What are the implications of these forces?
12. Multiple Root Structure
RECOMMENDATIONS
- Field DNSSEC and continue with single root
- Direct National Communications System and US-CERT to monitor 13 recognized root servers
- Develop, test, and be prepared to implement contingency plans
- Address multilingual/multi-cultural environment of the Internet
- More effectively engage international communities to preserve the current Internet governance system
13. Public/Private Partnership
QUESTION 3
Our lifestyle is based upon a digital infrastructure that is privately owned and globally operated.
- How do we get to a public/private partnership and action plan that will build protection and security in, and enable information sharing to better understand when it is under a local or global attack (warning)?
- What is the model public/private relationship?
- Who and how will oversight be conducted in the IC and national security community?
- How would you provide common situational awareness?
14. Public/Private Partnership
RECOMMENDATIONS
- Private sector increasingly recognizes need for security of the Internet
  - Growing willingness to accept government leadership
- Build on existing public/private partnership models to create “regulatory environment”
  - Purpose is to identify anomalous behavior
  - Result is a more secure operating environment
- Agreed-upon set of standards
- An acceptance of government authority to sanction anomalous behavior and to enforce agreed-upon standards
15. Public/Private Partnership
RECOMMENDATIONS
- Government increase transparency in the regulatory environment
  - Methods for managing environment and defined role of citizens
- Similar public-private examples in international communities
- Aggressively fund private sector R&D in key cyber assurance areas
16. Closing Thoughts
- The team is ready to explain all of the recommendations further, if needed
- Paper includes some additional questions that we think ought to be studied
- INSA and its members are ready to assist
17. INSA Report Volunteers
Chairman: Lou Von Thaer

Question Leads: Rob Pate, Steve Cambone, John Russack

Contributors: Nadia Short, Scott Dratch, Scott Aken, Greg Astfalk, Zal Azmi, Fred Brott, Lorraine Castro, Jim Crowley, Bob Farrell, Barbara Fast, Dennis Gilbert, Bob Giesler, Tom Goodman, Cristin Goodwin Flynn, Bob Gourley, Dan Hall, Vince Jarvie, Jose Jimenez, Kevin Kelly, Michael Kushin, Bob Landgraf, Joe Mazzafro, Gary McAlum, David McCue, Marcus McInnis, Brian McKenney, Linda Meeks, Billy O'Brien, Marie O'Neill Sciarrone, Marilyn Quagliotti, J.R. Reagan, Dave Rose, Mark Schiller, Andy Singer, Mary Sturtevant, Almaz Tekle, Mel Tuckfield, Ann Ward, Jennifer Warren

INSA: Ellen McCarthy, Frank Blanco, Jared Gruber, Jarrod Chlapowski