Lessons from Defending Cyberspace: The Challenge of Addressing National Cyber Risk
Andy Purdy
Workshop on Cyber Security, Center for American Studies, Christopher Newport College
10-28-2009
Cyber Threat
Some day we will sit down at a banquet table where our menu will consist of consequences: consequences of the decisions we make and those we fail to make.
Context
The United States is dependent on cyber for our national security, economic well-being, law enforcement, public safety, and privacy.
Cyber
The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases the Nation's vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately. A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools. Because of the interconnected nature of the cyber infrastructure, these attacks could spread quickly and have a debilitating effect.
Cyber Security
Cybersecurity includes preventing damage to, unauthorized use of, or exploitation of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. Cybersecurity also includes restoring electronic information and communications systems in the event of a terrorist attack or natural disaster.
Overview
- The U.S. is dependent on cyber for national security, economic well-being, law enforcement, public safety, and privacy
- The users, regulators, and owners and operators are dispersed among government and the private sector
- Innumerable government and private entities are attempting to address cyber issues
- A strategic approach should facilitate and systematize public/private collaboration and information sharing to set requirements, and resource, execute, and track progress
- The international nature of cyber must be reflected throughout in engagement by international stakeholders
Public Policy Challenge
- Nation is dependent on cyber for national security, economic well-being, public safety, and law enforcement
- Risk is real but not visible and obvious
- Authority/control is spread among multiple entities in the public and private sectors
- Cyber is international
- Individuals and organizations are reactive and tactical, not proactive and strategic
- We do not learn lessons from the past
What is the current cyber risk?
- Moderately sophisticated malicious actors can intrude into systems almost at will
- Intrusion into systems gives outsiders the access of insiders
- Economic espionage - theft of proprietary data
- Theft of personal information and access to online accounts
- Broad-based or targeted disruption of communications and database access, or attacks on the integrity of data
What is our operating premise?
- Will it take a cyber calamity to drive an effective approach?
- Why expect that to make a difference?
- What can we expect to happen if there is a cyber disaster?
- How can we use that reality to drive action?
Current Approaches
Either:
- Do more of what we have been doing, with greater effort and sharing of information?
- Find a benevolent, powerful despot to drive effective prioritization, adequate resource commitment, and enhanced collaboration and information sharing?
Or:
- Take a strategic approach
What is missing?
- What do we need to worry about and what do we need to do about it?
- We need to know our risk posture, identify requirements for addressing that risk that are generated by a public-private collaboration, and make it easy to hold stakeholders accountable.
What does the nation need?
A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and resource, execute, and track progress on:
- Cyber risk;
- Cyber preparedness;
- Malicious activity and cyber crime; and
- Research and development.
Mission of the International Cyber Center
To facilitate strategic collaboration and information sharing to better identify and address global ICT issues.
Priority Issues
- Capacity: Promote sustainable IT development & CERT capacity building in the developing world
- Risk: Develop collaboration framework to assess and mitigate risk to global ICT
- Response: Enhance global ICT preparedness - situational awareness, analysis, information sharing, response, and recovery
- Crime: Strengthen coordinated, global effort against malicious activity and cyber crime to reduce frequency, impact, and risk
- R&D: Enhance global coordination to better assess and mitigate risk, and address long-term hard problems in cyberspace
CERT Capacity Building
- Int'l Cyber Center (ICC) received a grant from the National Science Foundation to promote national CERTs in Africa, effective 10/1/09.
- We seek partners, advisors, & supplemental funding to support this effort.
- We understand CERT-FI is helping South Africa. We look for others who want to help.
Strategic Approach to Malicious Cyber Activity
- We are pursuing an initiative to promote a strategic approach by government (not just law enforcement) and the private sector against malicious cyber activity
- Seeking funding to create an information sharing capability to collect, preserve, analyze, and share information on malicious cyber actors AND enablers using a federated data-sharing model.
What capabilities do we need?
- Participation by key stakeholders in cyber risk, response and recovery
- Commitment to assess, prioritize, and implement measures to mitigate risk
- Situational awareness
- Analytical and forensic capabilities
- Incident response capability
Risk management for organizations & countries
- Risk management is critical for organizations and entire countries
- Limited resources require prioritization
- Internal stakeholders must work together in an ongoing, dynamic process to identify critical functions, interdependencies, risks
- Exercise and improve
- Provide resource requirements to seniors
How should we address cyber risk?
- Stakeholders at the national and int'l levels must work together to assess and mitigate risk, and plan, and build capacity for, response and recovery.
- Use standards to drive risk reduction.
- Exercise to identify gaps and improve.
- Use this process to identify requirements to drive resource allocation and risk mitigation.
- Limited resources require prioritization.
Contact information:
Andy Purdy
Co-Director, International Cyber Center, George Mason University
President, DRA Enterprises, Inc.
Andy.Purdy@comcast.net