The document discusses cyber security threats and recommendations to address them. It outlines that cyber security is now a national crisis, with attacks increasing exponentially. It recommends near-term opportunities like using government IT procurement to change business models and enhance partnerships. Longer-term it recommends fundamentally changing the IT industry to improve reliability and resilience through approaches like redesigning the internet and developing a cybersecurity workforce.
1. Cyber Security: Threats and Needed Actions
John M. Gilligan
DoD National Security Studies Program
George Washington University
April 1, 2009
2. Topics
• Historical Perspectives
• Cyber Security Threats--A National Crisis
• Cyber Security Commission Recommendations
• Near Term Opportunities
• Longer-Term Game Changing Initiatives
• Closing Thoughts
3. Historical Perspectives
• Internet, software industry, (personal)
computers—rooted in creativity not
engineering
• Security in the Cold War Era
– Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security
landscape-- forever
• Post Cold War: The Age of Information Sharing
Legacy of the past is now our “Achilles Heel”
4. Cyber Security Threats Today--A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an
alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate
• Fundamental network and system vulnerabilities
cannot be fixed quickly
• Entire industries exist to “Band Aid” over
engineering and operational weaknesses
Cyber Security is a National Security Crisis!
5. DoD Perspectives
• Any future military engagement will have cyber component
• Cyberspace has interrelated military disciplines
– Network defense
– Network attack
– Information exploitation
• Cyberspace necessarily involves private sector and international
communities
• Fragmented management and inadequate discipline of cyberspace
compound effective threat deterrence
• DoD organization and career development issues
– What organization structure is appropriate?
– Who are the cyber operators?
– What are the command, control and coordination “rules”?
– Unique role of NSA as an “operator”
– How do you grow cyber warriors?
6. Commission on Cyber Security for the 44th Presidency:
Key Recommendations
• Create a comprehensive national security
strategy for cyberspace
• Lead from the White House
• Reinvent public-private partnerships
• Regulate cyberspace
• Modernize authorities
• Leverage government procurement
• Build on recent progress with CNCI
7. Near-Term Opportunities
• Use government IT acquisitions to change IT business
model
• Enhance public-private partnerships
• Adopt the Consensus Audit Guidelines (CAG)
• Update Federal Information Security Management Act
(FISMA)
• Implement more secure Internet protocols
• Implement comprehensive, federated authentication
strategy
• Leverage Stimulus Package to improve cyber security
8. Longer-Term: IT Reliably Enabling Economy
• Change the dialogue: Reliable, resilient IT is
fundamental to future National Security and
Economic Growth
• New business model for software industry
• Redesign the Internet
• Get the “man out of the loop”—use automated
tools (e.g., SCAP)
• Develop professional cyberspace workforce
• Foster new IT services models
Need to Fundamentally “Change the Game” to Make Progress
9. President’s 60-Day Cyber Security
Initiative
• Broad outreach to government and private sector
• Tie cyber security to economic and national
security (w/ attention to privacy and civil
liberties)
– Digital maturity
– Interconnection of related efforts
• Identify priorities and options
• Likely to recommend NSC office for cyber security
• Answer question: What is role of government?
10. Closing Thoughts
• Government and Industry need to treat cyber
security as an urgent priority
• Near-term actions important but need to
fundamentally change the game to get ahead of
threat
• IT community needs to reorient the dialogue on
cyber security—the objective is reliable and
resilient information
• Cyber Security in DoD is more mature—but still
woefully inadequate
Cyber Security is Fundamentally a Leadership Issue!
12. Use Government IT Procurement
• Cyber security needs to be reflected in our
contractual requirements
• Many “locked down” configurations defined
• Use government-industry partnership to
accelerate implementation of secure
configurations
• Get started now, improve configuration
guidelines over time and leverage SCAP!
Build on FDCC Successes and Lessons Learned
13. Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for
the monitoring, positive control, and reporting of
security posture of every device in a network.
• How is it implemented: Commercial products
implement SCAP protocols to exchange and
enforce configuration, security policy, and
vulnerability information.
• Where is it going: Extensions in development to
address software design weaknesses, attack
patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
14. Enhance Public-Private Partnerships
• Our nation’s critical infrastructure is critical to
National Security
• Much of our government-sponsored research
intellectual property is “protected” by industry
• Regulators need to guide/govern private
sector efforts
• Private and public sectors must act in
cooperation
– Defense Industrial Base (DIB): an excellent model
Protecting Government and Military Systems Is Not Sufficient
15. Implement Consensus Audit Guidelines (CAG)
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on
attack patterns
• Emphasis on auditable controls and
automated implementation/enforcement
• Public comment period through March 25th
• Pilots and standards for tools later this year
16. Update FISMA
• Emphasize evaluating effectiveness of controls
vs. paper reviews
• Enhance authority and accountability of CISO
• Foster government leadership
– Independent, expert reviews
– Procurement standards
– Dynamic sharing of lessons learned
17. Near-Term Opportunities
• Use government IT acquisitions to change IT
business model
• Enhance public-private partnerships
• Adopt Consensus Audit Guidelines (CAG)
• Update FISMA
• Implement more secure Internet protocols
• Implement comprehensive, federated
authentication strategy
• Leverage Stimulus Package to improve cyber
security