Cyber Security: Threats and Needed Actions
- 1. Cyber Security: Threats and Needed Actions John M. Gilligan DoD National Security Studies Program George Washington University April 1, 2009
- 2. Topics • Historical Perspectives • Cyber Security Threats--A National Crisis • Cyber Security Commission Recommendations • Near Term Opportunities • Longer-Term Game Changing Initiatives • Closing Thoughts
- 3. Historical Perspectives • Internet, software industry, (personal) computers—rooted in creativity not engineering • Security in the Cold War Era – Security “Gurus”—Keepers of the Kingdom • The World Wide Web changes the security landscape-- forever • Post Cold War: The Age of Information Sharing Legacy of the past is now our “Achilles Heel”
- 4. Cyber Security Threats Today--A New “Ball Game” • Our way of life depends on a reliable cyberspace • Intellectual property is being downloaded at an alarming rate • Cyberspace is now a warfare domain • Attacks increasing at an exponential rate • Fundamental network and system vulnerabilities cannot be fixed quickly • Entire industries exist to “Band Aid” over engineering and operational weaknesses Cyber Security is a National Security Crisis!
- 5. DoD Perspectives • Any future military engagement will have cyber component • Cyberspace has interrelated military disciplines – Network defense – Network attack – Information exploitation • Cyberspace necessarily involves private sector and international communities • Fragmented management and inadequate discipline of cyberspace compounds effective threat deterence • DoD organization and career development issues – What organization structure is appropriate – Who are the cyber operators – What is the command, control and coordination “rules” – Unique role of NSA as an “operator” – How do you grow cyber warriors
- 6. Commission Cyber Security for the 44th Presidency: Key Recommendations • Create a comprehensive national security strategy for cyberspace • Lead from the White House • Reinvent public-private partnerships • Regulate cyberspace • Modernize authorities • Leverage government procurement • Build on recent progress with CNCI
- 7. Near-Term Opportunities • Use government IT acquisitions to change IT business model • Enhance public-private partnerships • Adopt the Consensus Audit Guidelines (CAG) • Update Federal Information Security Management Act (FISMA) • Implement more secure Internet protocols • Implement comprehensive, federated authentication strategy • Leverage Stimulus Package to improve cyber security
- 8. Longer-Term: IT Reliably Enabling Economy • Change the dialogue: Reliable, resilient IT is fundamental to future National Security and Economic Growth • New business model for software industry • Redesign the Internet • Get the “man out of the loop”—use automated tools (e.g., SCAP) • Develop professional cyberspace workforce • Foster new IT services models Need to Fundamentally “Change the Game” to Make Progress
- 9. President’s 60-Day Cyber Security Initiative • Broad outreach to government and private sector • Tie cyber security to economic and national security (w/ attention to privacy and civil liberties) – Digital maturity – Interconnection of related efforts • Identify priorities and options • Likely to recommend NSC office for cyber security • Answer question: What is role of government?
- 10. Closing Thoughts • Government and Industry need to treat cyber security as an urgent priority • Near-term actions important but need to fundamentally change the game to get ahead of threat • IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information • Cyber Security in DoD is more mature—but still woefully inadequate Cyber Security is Fundamentally a Leadership Issue!
- 12. Use Government IT Procurement • Cyber security needs to be reflected in our contractual requirements • Many “locked down” configuration defined • Use government-industry partnership to accelerate implementation of secure configurations • Get started now, improve configuration guidelines over time and leverage SCAP! Build on FDCC Successes and Lessons Learned
- 13. Security Content Automation Protocol (SCAP) • What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network. • How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. • Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes. SCAP Enables Automated Tools To Implement And Enforce Secure Operations
- 14. Enhance Public-Private Partnerships • Our nation’s critical infrastructure is critical to National Security relevant • Much of our government-sponsored research intellectual property is “protected” by industry • Regulators need to guide/govern private sector efforts • Private and public sectors must act in cooperation – Defense Industrial Base (DIB): an excellent model Protecting Government and Military Systems Is Not Sufficient
- 15. Implement Consensus Audit Guidelines (CAG) • Underlying Rationale – Let “Offense drive Defense” – Focus on most critical areas • CAG: Twenty security controls based on attack patterns • Emphasis on auditable controls and automated implementation/enforcement • Public comment period through March 25th • Pilots and standards for tools later this year
- 16. Update FISMA • Emphasize evaluating effectiveness of controls vs. paper reviews • Enhance authority and accountability of CISO • Foster government leadership – Independent, expert reviews – Procurement standards – Dynamic sharing of lessons learned
- 17. Near-Term Opportunities • Use government IT acquisitions to change IT business model • Enhance public-private partnerships • Adopt Consensus Audit Guidelines (CAG) • Update FISMA • Implement more secure Internet protocols • Implement comprehensive, federated authentication strategy • Leverage Stimulus Package to improve cyber security