2009 08 07 larry clinton supply chain presentation for gsa in dc

Upload: isalliance

Post on 05-Apr-2018


  • 7/31/2019 2009 08 07 Larry Clinton Supply Chain Presentation for GSA in DC

    1/18

    Larry Clinton, President

    Internet Security Alliance

    [email protected]

    202-236-0001

  • 2/18

    ISA Board of Directors

    Ty Sagalow, Board Chair; President, Innovation Division, Zurich Insurance

    Mike Hickey, Board 1st Vice Chair; VP Government Affairs and National Security, Verizon Corp.

    Tim McKnight, Board 2nd Vice Chair; VP & CSO, Northrop Grumman

    Ken Silva, CSO, VeriSign (immediate past Board Chair)

    Jeff Brown, CISO Information Security, Raytheon

    Charlie Croom, VP Cyber Security Solutions, Lockheed Martin

    Eric Gureno, CIO, Bank of New York/Mellon Financial

    Pradeep Khosla, Dean, School of Computer Sciences, Carnegie Mellon U

    Lawrence Dobranski, Security Manager, Nortel

    Mark Antony Signorino, Chief Technology, Nat. Assoc Manufacturers

    Joe Buonomo, Pres., Direct Computer Resources Inc.

    Bruno Mahlmann, VP Security, Perot Systems

    Linda Meeks, CISO Information Security, Boeing

  • 3/18

    Our Partners

  • 4/18

    ISA Mission

    Integrate technology with economically practical business considerations and public policy to create a sustainable system of cyber security

  • 5/18

    2009 ISA Priority Projects

    1. Create a Cyber Security Social Contract between business and government to provide market incentives for improved security

    2. Develop best practices for financial risk management of cyber incidents

    3. Create a framework for managing conflicting legal structures and unified communications tech.

    4. Develop standards to secure the VOIP platform

    5. Framework to secure the IT supply chain

  • 6/18

    The Supply Chain Danger

    Electronic components (e.g. chips) could be infiltrated by hostile agents in the supply chain

        Alter the circuitry or substitute counterfeit circuitry

    Malicious firmware functions like malicious software, giving the attacker control of the information system

        E.g. a logic bomb could be triggered by certain activity

        Shut down the system or turn it against the owner

        Impossible to detect

  • 7/18

    Possible Solutions

    Domestic-only production?

        Inconsistent with Obama approach to cyber security

        Cost more than govt. willing to pay

        Crash critical portions of the industry

        Harm the US from both a security perspective and an economic perspective

  • 8/18

    Likelihood of Supply Chain Attacks

    Limited targets for supply chain attacks

        Expensive

        Time consuming

        Can only be deployed once

        Probably easier ways to do most attacks

    Nation states might not be deterred

    Sophisticated criminal activity

  • 9/18

    National Risk Continuum

    [Chart: threat actors placed along a Consequence axis running from Very low to Very high/Severe. Labels recovered from the figure: actors are Hackers, Criminal gang, Nation-state/terrorist (limited resources) and Nation-state (unlimited resources); motives are Steal, Project power, and Project power/damage or destroy.]

  • 10/18

    ISA Supply Chain Project

    18 months long (start fall 07)

    Focus on firmware

    Carnegie Mellon University and Center for Cyber Consequences Unit

    3 conferences

    100 Gov., Industry and Academic participants

    Results are strategy and framework provided to USG for NSC 60-day review of cyber policy

  • 11/18

    ISA/CMU Study Results

    1. Globalization of IT supply chain will increase

    2. USG reliance on IT will also increase

    3. Threat from IT supply chain significant for USG

    4. USG-only solution impractical

    5. Attackers will be fluid and creative, so fixed policies will be ineffective long term

    6. Need a flexible framework of solutions

    7. Framework must account for both security and cost

  • 12/18

    The ISA Strategy/Framework

    Solve the supply chain problem in a way that ALSO produces other security benefits, thus justifying the increased expenditure

    Businesses are not suffering greatly from supply chain attacks, but are suffering from other attacks

    Key is to make the entire supply chain secure, i.e. supply chain must be part of a comprehensive framework

  • 13/18

    Types of Attacks

    Interrupt the operation

    Corrupt the operation

    Discredit the operation

    Undermine the basis of the operation

  • 14/18

    Types of Supply Chain Attacks & Remedies

    1. Interrupt operation: maintain alternative sources and continual sharing of production across the chain

    2. Corrupt operation (e.g. insert malware): strict control of the environment where key IP is being applied; logical and physical tamper-proof seals/tracking containers

    3. Discredit the operation (undermine trust or brand value): logging operation and responsibility

    4. Loss of information: versioning as a tool for protecting IP

  • 15/18

    Framework: Stages When Attacks May Occur

    1. Design Phase

    2. Fabrication Phase

    3. Assembly Phase

    4. Distribution Phase

    5. Maintenance Phase
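Added example, not from the ISA deck or the CMU study: a keyed chain-of-custody log for a firmware image across the five stages listed above, illustrating the "logical tamper-proof seals" and "logging operation and responsibility" remedies from the previous slide. Each stage records the responsible party and the image hash it observed under a per-stage HMAC seal chained to the prior record, so a verifier can name the stage at which a substitution or forged record entered. Stage keys, actor names, firmware bytes and all function names are constructed for the demo.

```python
import hashlib
import hmac

# Stages from the framework slide; keys, actors and images below are constructed demo data.
STAGES = ["Design", "Fabrication", "Assembly", "Distribution", "Maintenance"]
ZERO = b"\x00" * 32

def seal(key, prev_seal, stage, actor, digest):
    # Logical tamper seal: HMAC chaining this stage's record to the previous one.
    return hmac.new(key, prev_seal + stage.encode() + actor.encode() + digest,
                    hashlib.sha256).digest()

def build_log(images, actors, keys):
    """images[stage] is the firmware each stage actually handled; each stage logs
    the responsible party, the image hash it observed, and its seal."""
    log, prev = [], ZERO
    for stage in STAGES:
        digest = hashlib.sha256(images[stage]).digest()
        rec = {"stage": stage, "actor": actors[stage], "digest": digest,
               "seal": seal(keys[stage], prev, stage, actors[stage], digest)}
        log.append(rec)
        prev = rec["seal"]
    return log

def verify_log(received, log, keys):
    """Return (ok, where): the first stage whose seal fails or whose observed hash
    differs from the previous stage's, i.e. where a forgery or substitution entered."""
    if [r["stage"] for r in log] != STAGES:
        return False, "incomplete chain"
    prev_seal, prev_digest = ZERO, log[0]["digest"]
    for rec in log:
        expect = seal(keys[rec["stage"]], prev_seal, rec["stage"], rec["actor"], rec["digest"])
        if not hmac.compare_digest(expect, rec["seal"]) or rec["digest"] != prev_digest:
            return False, rec["stage"]
        prev_seal, prev_digest = rec["seal"], rec["digest"]
    if hashlib.sha256(received).digest() != prev_digest:
        return False, "after Maintenance"
    return True, None

KEYS = {s: hashlib.sha256(f"demo-key-{s}".encode()).digest() for s in STAGES}
ACTORS = {s: f"{s.lower()}-vendor" for s in STAGES}
GOOD = b"firmware v1.0 (constructed)"
BAD = b"firmware v1.0 plus unexpected logic (constructed)"

def demo_clean():
    return verify_log(GOOD, build_log({s: GOOD for s in STAGES}, ACTORS, KEYS), KEYS)

def demo_substituted_at_assembly():
    # Image swapped at Assembly; later, honest stages seal whatever they received.
    images = {s: (BAD if STAGES.index(s) >= 2 else GOOD) for s in STAGES}
    return verify_log(BAD, build_log(images, ACTORS, KEYS), KEYS)
```

A dishonest stage cannot hide the swap without the earlier stages' keys, because its own record must carry the hash it sealed and that hash no longer matches the one sealed upstream.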

  • 16/18

    Stages / Remedies [table; cell contents not recovered from the slide]

  • 17/18

    Framework: Legal Support Needed

    1. Rigorous contracts delineating security measures

    2. Locally responsible corporations w/ long-term interest in complying

    3. Local ways of motivating workers and executives

    4. Adequate provision for verifying implementation of security

    5. Local law enforcement of agreements at all levels

  • 18/18

    Larry Clinton, President

    Internet Security Alliance

    [email protected]

    202-236-0001