Recent cyber-security studies in the U.S. David D. Clark MIT CFP May, 2009

Similar documents
Cyber Security and Infrastructure: Problems of Today, Challenges for Tomorrow

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28),

TUSKEGEE CYBER SECURITY PATH FORWARD

Appendix A: Gap Analysis Spreadsheet. Competency and Skill List. Critical Thinking

Today s Global Cyber Security Status and Trustworthy Systems That Leverage Distrust Amongst Sovereigns

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

2 Gabi Siboni, 1 Senior Research Fellow and Director,

National Cyber Security Policy -2013

The virtual battle. by Mark Smith. Special to INSCOM 4 INSCOM JOURNAL

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

CYBERSPACE SECURITY CONTINUUM

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Second Cyber Security Summit, November 11, 2013 in Bonn Final communique

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

Lessons from Defending Cyberspace

Security Risk Management For Health IT Systems and Networks

C DIG COMMITTED TO EXCELLENCE IN CYBER DEFENCE. ONE MISSION. ONE GROUP. CSCSS / DEFENCE INTELLIGENCE GROUP

The Comprehensive National Cybersecurity Initiative

Cybersecurity: Mission integration to protect your assets

ARI 26/2013 (Translated from Spanish) 17 September Cyber cells: a tool for national cyber security and cyber defence

S. 21 IN THE SENATE OF THE UNITED STATES

An Overview of Large US Military Cybersecurity Organizations

S. ll IN THE SENATE OF THE UNITED STATES

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Thank you for your very kind introduction.

National Cyber Security Strategies: United States

A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY

CyberSecurity Solutions. Delivering

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October Author note

PACB One-Day Cybersecurity Workshop

NATIONAL DEFENSE AND SECURITY ECONOMICS

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

National Information Assurance and Cyber Security Strategy (NIACSS) Jordan s Approach to National CS&IA

Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach

NATO & Cyber Conflict: Background & Challenges

No. 33 February 19, The President

CYBER SECURITY GUIDANCE

UN Emergency Summit on Cyber Security Topic Abstract

WRITTEN TESTIMONY OF

FFIEC Cybersecurity Assessment Tool

CONSULTING IMAGE PLACEHOLDER

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Cyber Diplomacy A New Component of Foreign Policy 6

Cyberspace Situational Awarness in National Security System

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

Network Mission Assurance

Understanding Cyber Defense A Systems Architecture Approach

NICE and Framework Overview

CYBERSECURITY RISK RESEARCH CENTRE (832)

How To Secure The Internet In Jordan

Cyber Security Strategy

Introduction to NICE Cybersecurity Workforce Framework

Cybercrimes: A Multidisciplinary Analysis

NASCIO 2014 State IT Recognition Awards

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J.

National Cyber Security Strategy

AG/RES CYBER SECURITY STRATEGY (RESOLUTION)

Government of Kenya Ministry of Information Communications and Technology Telposta Towers, 10th Floor, Kenyatta Ave Nairobi, Kenya

Privacy and Security in Healthcare

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

GOVERNMENT OF THE REPUBLIC OF LITHUANIA

The Dow Chemical Company. statement for the record. David E. Kepler. before

Cybersecurity Strategy of the Republic of Cyprus

Panel on Emerging Cyber Security Technologies. Robert F. Brammer, Ph.D., VP and CTO. Northrop Grumman Information Systems.

Developing a robust cyber security governance framework 16 April 2015

Five Principles for Shaping Cybersecurity Norms

Introduction to Cybersecurity Overview. October 2014

REMARKS BY US PRESIDENT BARACK OBAMA ON SECURING THE NATION'S CYBER INFRASTRUCTURE

A Tipping Point The Fight for our Nation s Cyber Security

Business Continuity for Cyber Threat

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

On the European experience in critical infrastructure protection

The main object of my research is :

How To Manage Risk On A Scada System

Government-University-Industry Research Roundtable

Cy berspace policy RevIew. Assuring a Trusted and Resilient Information and Communications Infrastructure

The Landscape of Cyber, critical infrastructure and how Regulation fits in

SECURE AND TRUSTWORTHY CYBERSPACE (SaTC)

PENETRATION TESTING GUIDE. 1

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Department of Defense DIRECTIVE

Preventing and Defending Against Cyber Attacks November 2010

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Confrontation or Collaboration?

Into the cybersecurity breach

I N T E L L I G E N C E A S S E S S M E N T

National Initiative for Cyber Security Education

Legislative Language

DoD Strategy for Defending Networks, Systems, and Data

THE drop cap white spread is the chartacter style to use for the drop cap. Use this masater

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY AND DEFENCE SECTOR REFORM

Preface to the Fourth Edition

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

HOLISTIC APPROACHES TO CYBERSECURITY TO ENABLE NETWORK CENTRIC OPERATIONS

El Camino College Homeland Security Spring 2016 Courses

Transcription:

Recent cyber-security studies in the U.S. David D. Clark MIT CFP May, 2009

Two recent studies National Academies Study: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Computer Science and Telecommunication Board, May 2009 60 Day Review : comprehensive high-level review of state of U.S. cyber-security. Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. (Undergoing White House and security review.)

CSTB study Emphasis: offensive activities, and cyberattack (as opposed to cyber-exploits). Attack implies the goal of disruption, destruction, deception, interference, loss of capability. Exploit implies penetration for purposes such as espionage.

Why offensive activities? Offensive activities have largely been classified, with many implications. No/little opportunity for open policy discussion. Much misunderstanding of capabilities and potential. Do the movies have it right?

What is different? Compared to other attacks, cyber-attacks: Seem easy to use. Can give a high degree of anonymity and plausible deniability. So tempting for covert operations. Are more uncertain in their outcomes. Estimation of collateral or indirect damage is hard. Can be used over a wide range of scopes, timeframes, and degrees of intended outcomes. Indirect and 3rd order outcomes will be the most important.

Starting point Judge an attack by its effects, not its means. E.g. compare its effect to that of a non-cyber equivalent (kinetic) attack to see what law applies. Does it seem like an armed attack or use of force? These terms have special meaning in the U.N.Charter and the laws of armed conflict.

High-level theme Ambiguity and ambivalence Attack vs. exploit: same tools, different intent. Inference of intention hard, and prone to misunderstanding. Attribution: hard to do. Scope of damage: hard to define, but tools seem very versatile. Seems to expand scope of options. Tools are cheap--anyone can play, but nation states can marshal lots of resources. Easy or hard to use? Some tools can only be used once. No demonstration or war-games can be undertaken. Existing laws seem to provide the right framework, but do not account for non-state actors and technology specifics.

Select findings In the U.S. (and perhaps in most countries) policy and organizational issues are unclear. Having clear policy can help in lots of ways. Many stakeholders: military, intelligence, law, private sector. Where secrecy impedes understanding. While nation states may have an advantage in scale, no country (e.g. the U.S) can expect to dominate the battle. Cannot rely on superiority. Advanced nation states have much to lose. Accordingly, non-state actors may have an advantage.

An interesting question When might a cyber-attack be seen as a violation of human rights? What are the ethical issues? Do we (in this modern society) have a right to the Internet and our Blackberry. Is disrupting the Internet bombing us back to the stone age? This has real implications with respect to war crimes. My prediction: the first cyber war crime will be perfidy.

Another interesting question What is the difference between cyberattack (as an act of a nation state or a non-state actor) and a crime? Totally different laws. But can we find the bright line? Should we judge it by its effects? Hard to assess, especially in real time.

Recommendations Most follow directly from findings. If policy and operational rules are ill-defined, sort this out. But some are note-worthy. Consider the establishment of an arm of the government intended to help private sector actors that are under attack. Specific R&D: better limits on scope, attribution, geo-location of attacks, IFF

The 60 day review White House called for comprehensive review of U.S. posture and status with respect to cyber-security. Will (probably) lead to major initiative to improve status of the nation. Review is complete, but undergoing review. The director, Melissa Hathaway, has given a public speech.

An example from her talk November 2008 illustrates both the speed and the scope of these challenges. In a single 30-minute period, 130 automated teller machines in 49 cities around the world were illicitly emptied. These and other risks have the potential to undermine our confidence in the information systems that underlie our economic and national security interests.

What she would say It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution. This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges. It requires leading from the top -- from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library.

Continued The national dialogue on cybersecurity must advance now. We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action. The United States cannot succeed in securing cyberspace if our government works in isolation. Cyberspace knows no boundaries. There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.

More The Federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that government and private sector use in concert. The public and private sector s interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend.

Finally Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure. The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information