Getting to Zero: Achieving Zero Loss of Crown Jewel IP

Post on 03-Feb-2016


DESCRIPTION

Getting to Zero: Achieving Zero Loss of Crown Jewel IP. CTO Design Challenge Team. A National Crisis. Ongoing, state-sponsored theft of Government and Commercial IP - PowerPoint PPT Presentation

TRANSCRIPT

Getting to Zero: Achieving Zero Loss of Crown Jewel IP
CTO Design Challenge Team

A National Crisis

• Ongoing, state-sponsored theft of Government and Commercial IP

• “This may be the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”
  – Sen. Sheldon Whitehouse of Rhode Island

• $300 Billion cost to US each year (Source: Commission on the Theft of American Intellectual Property)

A Policy and Technology Response

• “If we do not hang together, we shall surely hang separately” – Thomas Paine

• “Everyone has been penetrated and will continue to be penetrated” – US Gov’t

Crown Jewels

• Fake Jewels with Payload (think of “parting gift”)

• Code looks real, compiles, boots, gathers data and phones home

• Traceable “Honeypots”, “Honeytokens”, signatures

• Prevent Single Points of Failure with requirement of multiple trusted employees using “two keys for a missile launch”

• Frequent, inconsistent movement of IP (“shell game”)

• Protect by physical isolation

• Obfuscate the Jewels

• Distribute components, withhold “keystone” offsite
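The “traceable honeytokens, signatures” bullet above can be made concrete with a small registry: each decoy identifier carries an HMAC tag over the place it was planted, so a token that later appears in egress logs can be attributed to one specific decoy, and guessed or tampered tokens fail verification. The following is an added example, not code from the presentation or the CTO Design Challenge Team; the registry key, decoy locations and log lines are constructed for illustration.

```python
"""Traceable honeytokens: mint decoy identifiers bound to where they were planted,
then scan log lines for any registered token showing up where it should not."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Assumption (constructed): the registry key stays with the security team, never with the decoys.
REGISTRY_KEY = b"constructed-registry-key-not-for-real-use"
TOKEN_RE = re.compile(r"HT-([0-9a-f]{16})-([0-9a-f]{16})")


def mint_token(location: str, key: bytes = REGISTRY_KEY, nonce: Optional[bytes] = None) -> str:
    """Token = nonce + HMAC(key, location || nonce). The tag ties the token to the decoy it
    was planted in, so a sighting is traceable and a guessed or forged token fails verification."""
    nonce = secrets.token_bytes(8) if nonce is None else nonce
    tag = hmac.new(key, location.encode() + nonce, hashlib.sha256).digest()[:8]
    return f"HT-{nonce.hex()}-{tag.hex()}"


def verify_token(token: str, registry: Dict[str, str], key: bytes = REGISTRY_KEY) -> Optional[str]:
    """Return the planted location for a registered token whose tag recomputes correctly."""
    location = registry.get(token)
    m = TOKEN_RE.fullmatch(token)
    if location is None or m is None:
        return None
    expected = hmac.new(key, location.encode() + bytes.fromhex(m.group(1)), hashlib.sha256).digest()[:8]
    return location if hmac.compare_digest(expected.hex(), m.group(2)) else None


def scan_logs(lines: List[str], registry: Dict[str, str], key: bytes = REGISTRY_KEY) -> List[Tuple[int, str, str]]:
    """Return (line_number, token, planted_location) for every verified token in the log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in TOKEN_RE.finditer(line):
            location = verify_token(m.group(0), registry, key)
            if location is not None:
                hits.append((n, m.group(0), location))
    return hits


def demo() -> List[Tuple[int, str, str]]:
    """Plant two tokens, then check constructed egress-proxy lines for leakage."""
    registry: Dict[str, str] = {}
    for location in ("design-docs/turbine-v3.docx", "repo/keystone/build.key"):
        registry[mint_token(location)] = location
    leaked = next(iter(registry))  # the token planted in turbine-v3.docx
    # Constructed sample log lines, not real traffic.
    logs = [
        "2016-02-03T10:00:01 GET https://intranet.example/wiki 200",
        f"2016-02-03T10:02:17 POST https://paste.example/upload body_contains={leaked} 201",
        "2016-02-03T10:03:00 GET https://intranet.example/hr 200",
    ]
    return scan_logs(logs, registry)


if __name__ == "__main__":
    for line_no, token, location in demo():
        print(f"ALERT line {line_no}: honeytoken {token} from {location} seen leaving the network")
```

The registry maps each token to its decoy, so an alert names the document that was taken rather than just “a token was seen”; the HMAC keeps a registry edit or a near-miss string from producing a false attribution.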

Trade Policy – Trans Pacific Partners

• Import tariffs on stolen IP-based products
  – Alt: Delay imports, deny entry, seize ships/goods

• Prevent companies trading technology for access
  – Enforce Wassenaar Arrangement

• Export controls on arms and dual-use tech

• Penalize companies selling stolen IP
  – Arrest, charge execs of offending companies
  – Deny/revoke visas to other company representatives
  – Deny access to stock exchanges
  – Deny ownership in US companies

Industry Policy

• Create industry-specific consortia
  – Establish consortia-specific private networks
  – Think “SABREnet” (US airlines)

• Create/Leverage Industry CSO organization
  – Discuss/share threat information, observations
  – Establish threat levels, vectors

• Physical isolation, secure networks, & restrictive access policies

Governmental Policy

• CSO: SEC compliance statement
  – Separate from financial audit
  – Security compliance, reporting
  – Data classification and marking
    • Equivalent of MSDS sheet
    • How valuable to other people
    • (Nat’l, Industrial, Corp) Security or Trade Secret
  – Watermarking, digital leakage prevention

Academic Policies

• Universities must have IP protection as part of the required coursework of their major studies in order to apply for/receive US agency funding
  – Renewed/audited yearly for first 5 years
  – Benefits US students, and instills IP mindset in foreign students
  – Publishing hold-backs: key processes held back from generally-published papers

• Universities need to understand their own profitability

• Detail requires specific disclosure process

• Particular audits for non-Trans-Pacific Partnership disclosures

Organization Policies

• Implement dual networks (red/green)

• Machines run dual VMs (red/green)

• Red VM and network interface
  – Internal applications, Email (restricted)
  – Intranet access only
  – Changing IP and MAC addresses randomly
  – Aggressive network monitoring

• Green VM and network interface
  – Internet access
  – No access to internal network

• Document classification mapped to potential dollar loss. Required training.

Organization IT

• Machines/devices locked down
  – TPM ecosystem, NIST 7904 (Geofencing/Geolocation)
  – No BYOD; devices encrypted, secured

• Ports are locked out, UEFI lock-out
  – Only boot from encrypted HD

• Drives encrypted – require TPM

• Only the application that has access to the information has the encryption access
  – Must go through the agent

• Encryption and Key management is a reasonable expense: $20K for a company, $2K for a server

• Ability for Emergency Push of changes

A National Priority?

• “So let me now be blunt for you and for the American people – Sequestration forces the intelligence community to reduce all intelligence activities and functions without regard to impact on our mission. In my considered judgment as the nation's senior intelligence officer, sequestration jeopardizes our nation's safety and security, and this jeopardy will increase over time.”
  – James R. Clapper, Director of National Intelligence

Thank you…

Organization: Executive Level

• Board of Directors Accountability & Awareness

• Chief Security Officer – SEC compliance
  – Responsibility of rank-ordering the Crown Jewels periodically. Refresh entire list.

• Full review/update of organizational security made 20 years ago. Aggressive steps
  – Drive internal security culture change
  – Required continual training of employees

• Planted employees

Organization Policies

• Tiered defense

• IP classification on all documents/devices/materials
  – Red/Orange/Yellow books
  – No removal from room/bldg/campus

• Compartmentalize information, limited disclosure

• Traceability: both individuals and devices

• Clean, secured desks/cabinets
  – Strong Enforcement: One warning and/or dismissal

Organizations: Facilities

• Secured, limited entrances; no piggybacking
  – Positive, two-factor identity in critical areas

• Visible, changing badges

• Cameras, monitoring

• Changes in unexpected ways
  – Avoid predictability

Employee

• Badge changes, limited access

• Periodic access and security reviews, renewals

• Building, server, group policies

• Enforce Least Privilege

• Org Processes and Methodologies
  – IP clarification: know your crown jewels
  – Tiered defense
  – Protect by physical isolation
  – Frequent movement
  – Compartmentalization
  – Traceability: both individuals and devices
  – Multiple stakeholders: “two sets of eyes”
  – Move IP and IT to a more secure cloud-based solution

• Organization and Governance
  – Org culture change related to security awareness
  – Training of internal stakeholders
  – Board of Directors role
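The “two keys for a missile launch” and “withhold keystone offsite” ideas from the Crown Jewels slide, and the “multiple stakeholders” bullet above, both describe split custody of whatever unlocks the crown jewels. One standard way to implement that is Shamir secret sharing for the custodian quorum, wrapped with a separately held keystone so that no quorum can proceed without the offsite component. This is an added example, not code from the presentation or the CTO Design Challenge Team; the field prime, share counts and the 32-byte key are constructed choices.

```python
"""Two-person control for a crown-jewel key: any 2 of 3 custodians can rebuild the inner
value, but nothing works without the keystone held offsite."""
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1; secrets of up to 64 bytes fit below it as field elements.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the sharing polynomial modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, count: int) -> List[Tuple[int, int]]:
    """Shamir split: the secret is the constant term of a random degree threshold-1 polynomial;
    share i is the point (i, f(i)). Fewer than `threshold` points leave f(0) undetermined."""
    value = int.from_bytes(secret, "big")
    if not 0 < threshold <= count or value >= PRIME:
        raise ValueError("bad threshold/count or secret too large for the field")
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, count + 1)]


def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Lagrange interpolation at x = 0 over the given shares. With too few shares the result
    is an unrelated field element (possibly longer than `length` bytes), never the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def wrap_with_keystone(secret: bytes) -> Tuple[bytes, bytes]:
    """Return (keystone, residue) with secret = keystone XOR residue. The keystone is the
    mandatory component kept offsite; only the residue is shared among custodians."""
    keystone = secrets.token_bytes(len(secret))
    residue = bytes(a ^ b for a, b in zip(secret, keystone))
    return keystone, residue


def unwrap_with_keystone(keystone: bytes, residue: bytes) -> bytes:
    """Recombine the offsite keystone with the custodians' reconstructed residue."""
    return bytes(a ^ b for a, b in zip(keystone, residue))


def demo() -> Tuple[bool, bool, bool]:
    """Constructed 32-byte key standing in for the key that protects the crown jewels."""
    key = secrets.token_bytes(32)
    keystone, residue = wrap_with_keystone(key)
    shares = split_secret(residue, threshold=2, count=3)  # custodians A, B, C
    pair_ab = unwrap_with_keystone(keystone, recover_secret(shares[:2], len(key))) == key
    pair_ac = unwrap_with_keystone(keystone, recover_secret([shares[0], shares[2]], len(key))) == key
    alone = recover_secret(shares[:1], len(key)) == residue  # a lone custodian learns nothing
    return pair_ab, pair_ac, alone


if __name__ == "__main__":
    print("A+B ok: %s, A+C ok: %s, A alone ok: %s" % demo())
```

The two layers map onto the slides directly: the threshold gives the “two sets of eyes”, and the keystone is the component withheld offsite, so a compromised custodian quorum still has nothing usable until the keystone is released.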

Private Sector IP Protection Tactics – Multidisciplinary Approach

• Technology Solutions
  – Encryption done the right way: do it all
  – Key protection
  – Privileged credential protection
  – Information sharing management
  – Device tracking outside network
  – Use Strong Compliance Frameworks: FedRAMP, ISO 27000, PCI

• Private sector coalition
  – Framework to defend and retaliate

• Increase the role of government
  – Enforcing Law, Diplomatic Pressure, Share DoD level Security Protection Methods

• Raise the economic cost of IP theft
  – Ban products based on IP theft from US market
  – Restrict US financial system for companies whose products are based on IP theft

• Build offensive capabilities

Public Sector Role in IP Protection – Balance between strong offensive and defensive strategies

Broad Scope of Impact and Involvement

Stakeholder Ecosystem

• Corporate Executives

• Employees

• Partners (e.g., supply chain, distribution, etc.)

• Policy makers

Vehicles for IP Theft Ecosystem

• All devices (PCs, laptops, mobile devices, sensors, etc.)

• Networks

• Other??

A Multilayered Solution
