Cyber Security: Past and Future
John M. Gilligan
CERT’s 20th Anniversary Technical Symposium
Pittsburgh, PA
March 10, 2009
Topics
• Historical Perspectives
• Cyber Security Today--A National Crisis
• Cyber Security Commission Recommendations
• Near Term Opportunities
• Longer-Term Game Changing Initiatives
• Closing Thoughts
Historical Perspectives
• Computer Security in the Cold War Era
• Security “Gurus”—Keepers of the Kingdom
• The Internet changes the security landscape--forever
• The Age of Information Sharing
• Omissions of the past are now our “Achilles Heel”
Our Approaches To Providing Mission Enabling IT Are Stuck In The Past
Cyber Security Today—A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses
Cyber Security is a National Security Crisis!
Commission Cyber Security for the 44th Presidency:
Key Recommendations
• Create a comprehensive national security strategy for cyberspace
• Lead from the White House
• Reinvent public-private partnerships
• Regulate cyberspace
• Modernize authorities
• Leverage government procurement
• Build on recent progress with CNCI
Near-Term Opportunities
• Use government IT acquisitions to change IT business model
• Enhance public-private partnerships
• Adopt the Consensus Audit Guidelines (CAG)
• Update FISMA
• Implement more secure Internet protocols
• Implement comprehensive, federated authentication strategy
• Leverage Stimulus Package to improve cyber security
Use Government IT Procurement
• Cyber security needs to be reflected in our contractual requirements
• Many “locked down” configurations defined
• Use government-industry partnership to accelerate implementation of secure configurations
• Get started now, improve configuration guidelines over time and leverage SCAP!
Build on FDCC Successes and Lessons Learned
Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
Enhance Public-Private Partnerships
• Most of our nation’s critical infrastructure is owned by the private sector
• Much of our government-sponsored research intellectual property is “protected” by industry
• Regulators need to guide/govern private sector efforts
• Private and public sectors must act in cooperation
– Defense Industrial Base (DIB): an excellent model
Protecting Government and Military Systems Is Not Sufficient
Implement Consensus Audit Guidelines (CAG)
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Emphasis on auditable controls and automated implementation/enforcement
• Public comment period through March 25th
• Pilots and standards for tools later this year
Update FISMA
• Emphasize evaluating effectiveness of controls vs. paper reviews
• Enhance authority and accountability of CISO
• Foster government leadership
– Independent, expert reviews
– Procurement standards
– Dynamic sharing of lessons learned
Near-Term Opportunities
• Use government IT acquisitions to change IT business model
• Enhance public-private partnerships
• Adopt Consensus Audit Guidelines (CAG)
• Update FISMA
• Implement more secure Internet protocols
• Implement comprehensive, federated authentication strategy
• Leverage Stimulus Package to improve cyber security
Longer-Term: IT Reliably Enabling Economy
• Change the dialogue: Reliable, resilient IT is fundamental to future economic growth
• New business model for software industry
• Redesign the Internet
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Develop professional cyberspace workforce
• Foster new IT services models
Need to Fundamentally “Change the Game” to Make Progress
Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• Near-term actions important but need to fundamentally change the game to get ahead of threat
• IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information
Cyber Security is Fundamentally a Leadership Issue!
Contact Information
jgilligan@gilligangroupinc.com
www.gilligangroupinc.com
John M. Gilligan
Security Standards Efforts: Security Content Automation Protocol (SCAP)
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language): How can I be sure my systems conform to policy?
Security Standards Efforts: Next Steps*
• CPE (Platforms): What IT systems do I have in my enterprise?
• CVE (Vulnerabilities): What vulnerabilities do I need to worry about?
• CVSS (Scoring System): What vulnerabilities do I need to worry about RIGHT NOW?
• CCE (Configurations): How can I configure my systems more securely?
• XCCDF (Configuration Checklists): How do I define a policy of secure configurations?
• OVAL (Assessment Language) – In Progress: How can I be sure my systems conform to policy?
• CWE (Weaknesses): What weaknesses in my software could be exploited?
• CAPEC (Attack Patterns): What attacks can exploit which weaknesses?
• CEE (Events): What should be logged, and how?
• CRF (Results): How can I aggregate assessment results?
• MAEC (Malware Attributes): How can we recognize malware?
* Making Security Measurable – The MITRE Corporation
