Organizing Nationally for Cybersecurity

Organizing Nationally for Cybersecurity
Southeast Europe Cybersecurity Conference
Sofia, Bulgaria
8-9 September 2003
Howard A. Schmidt
Vice President, Chief of Security
eBay Inc.
Exploiting vulnerabilities is not new…
Network Security Incident – c. 1986

In 1986, the first well-publicized international security incident was identified by Cliff Stoll, then of Lawrence Berkeley National Laboratory in northern California. A simple accounting error in the computer records of systems connected to the ARPANET led Stoll to uncover an international effort, using the network, to connect to computers in the United States and copy information from them. These U.S. computers were not only at universities, but at military and government sites all over the country. When Stoll published his experience in a 1989 book, The Cuckoo's Egg, he raised awareness that the ARPANET could be used for destructive purposes.
Source: CERT/CC
Worms are not new either…
Malicious Code Attack – c. 1988

In 1988, the ARPANET had its first automated network security incident, usually referred to as "the Morris worm". A student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. The worm used so many system resources that the attacked computers could no longer function. As a result, 10% of the U.S. computers connected to the ARPANET effectively stopped at about the same time.

By that time, the ARPANET had grown to more than 88,000 computers and was the primary means of communication among network security experts. With the ARPANET effectively down, it was difficult to coordinate a response to the worm. Many sites removed themselves from the ARPANET altogether, further hampering communication and the transmission of the solution that would stop the worm.
Source: CERT/CC
CERT Incidents and Vulnerabilities Increase for 16th Consecutive Year

[Chart: Incidents Reported to CERT/CC by year, 1986-2002 (y-axis 0 to 60,000), and Vulnerabilities Reported to CERT/CC by year, 1986-2002 (y-axis 0 to 3,000). Source: CERT/CC]
Steps to Organize Nationally

• Need to look at this as a national challenge
  • Inter-connectivity requires looking at this from a "system" approach
• US President established the President's Commission on Critical Infrastructure Protection (1996), "PCCIP"
  • Members include industry, defense, law enforcement, academia and other government agencies.
Steps to Organize Nationally

• PCCIP report found that the vast majority of the critical information infrastructure is owned and operated by private industry.
  • Approx. 85%
• Interdependencies existed across 8 major sectors:
  • Banking & Finance, ICT, Transportation, Gas & Oil, Electricity, Public Safety, Water, Rail Transportation
Steps to Organize Nationally

• Discovered no one group had a complete overview of interdependencies and cascading effects.
• May 1998, President signed Presidential Decision Directive 63 (PDD 63)
• Key Points
  • Need better understanding of interdependencies
  • Need Information Sharing and Analysis Centers (ISACs)
  • Need better private-public partnerships with ALL levels of government
Steps to Organize Nationally

• 1st Information Sharing and Analysis Center (Banking & Finance) (1999)
• 2nd ICT (Feb 2001)
• Plan for President's Critical Infrastructure Protection Board
  • Proposed April 2001
  • Executive Order by President Bush Oct 2001
  • Special Advisor for CyberSpace Security
Steps to Organize Nationally

• November 2001, President directed the creation of a National Strategy to Defend Cyberspace
  • Public "Town Hall" meetings
  • Draft released for public comment September 18th, 2002
  • Final released Feb 14th, 2003
Steps to Organize Nationally

The Strategy's three strategic objectives:
• Prevent cyber attacks against our critical infrastructures;
• Reduce our national vulnerabilities to cyber attack; and
• Minimize the damage and recovery time from cyber attacks that do occur.
Priority 1: National Cyberspace Security Response System

Functions and their components/capabilities:

• Analysis
  • Center for analysis
    • Strategic group
    • Tactical group
    • Vulnerability assessments
• Warning
  • Incident Operations Center
  • CWIN (Cyber Warning and Information Network)
  • ISACs
• Incident Management
  • Incident management structure
    • Federal coordination
    • Private, State and Local coordination
• Response / Recovery
  • National Response Contingency plans
    • Federal plans
    • Private plan coordination
Priority 2: Threat and Vulnerability Reduction

• Enhance law enforcement's capabilities;
• Pursue national vulnerability assessments;
• Secure the mechanisms of the Internet;
• Foster trusted DCS/SCADA;
• Reduce and remediate software vulnerabilities;
• Understand interdependencies;
• Improve physical security of cyber & telecom;
• Prioritize Federal cybersecurity R&D; and
• Assess and secure emerging systems.
Priority 3: Awareness & Training

• Promote a national awareness program to empower all users to secure their parts of cyberspace;
• Ensure adequate training and education programs exist to support the nation's cybersecurity needs;
• Increase the efficiency of existing Federal cybersecurity training programs; and
• Advance private sector support for a well coordinated, widely recognized professional cybersecurity certification.
Priority 4: Securing Government's Cyberspace

• Continuously assess threats and vulnerabilities to Federal cyber systems;
• Authenticate and maintain authorization for users of Federal cyber systems;
• Secure Federal wireless local area networks;
• Improve security in Government outsourcing and procurement;
• Establish an Office of Information Security Support Services; and
• Encourage State and local governments to consider establishing IT security programs and participating in ISACs with similar governments.
Priority 5: International Cooperation

• Strengthen counterintelligence efforts;
• Improve attack attribution capabilities;
• Improve coordination for responding to cyber attacks;
• Work through international organizations and with industry to promote a global "culture of security";
• Foster the establishment of national & international watch-and-warning networks; and
• Encourage other nations to accede to the Council of Europe (COE) Convention on Cybercrime.
Thank You
Howard A. Schmidt
[email protected]
408-376-6282