U.S. Government: Demonstrating Leadership in Cyber-Security
March 14, 2000

Cyber-Attack
• Economy and National Security dependent upon computer controlled systems
• One-Third of US Economic Growth 95-98
• Security not a design consideration for most critical systems/networks
• Large number of ‘attacks’, unauthorized intrusions, down-loads, malicious code insertion
• Other nations developing offensive cyber-attack capabilities -- aimed at the U.S.
• New and Novel Intrusions

PDD-63: Protecting Critical Infrastructures
• Action by Federal, state and local, private sector participants
• Federal: National Security, public health and safety
• State and local governments: Maintain order and essential services
• Private Sector: Essential communications, energy, financial, and transportation services
• Initial Operating Capability by 2000; Final Operating Capability by 2003
• Established:
• National Coordinator -- NSC
• National Infrastructure Protection Center (NIPC)
• Critical Infrastructure Assurance Office (CIAO)

National Plan Blueprint: Four Key Themes
• US Government a Model of Information Security
• Building the Public Private Partnership
• R&D for Solutions
• Law Enforcement and National Security Capabilities

The White House Is Watching (So is Congress)
• President
• National Plan for Information Systems Protection
• Cyber-Summit
• Agency Directive
• White House
• OMB Director Lew Guidance
• Chief of Staff Podesta Guidance
• Ongoing Chief of Staff Conference Calls
• Congress
• GSA reports
• Many Hearings
• Many Bills

FY 2000/2001 Budget
• FY 2000 - $1.75 B Appropriated
• 10% Civilian Agency
• FY 2001 - $2.01 B Requested
• 25% Civilian Agency
• Key Initiatives - $100 M
• Institute for Information Infrastructure Protection
• Federal Cyber Service
• FIDNET
• PKI
• ISACs
• Expert Review Team
• R&D - $606 M
• FY 2000 Supplemental - $9 M

Future Budgets
• OMB/NSC/Interagency Process
• 1) Proposals Developed
• From Agency Experts
• From Interagency Working Groups
• 2) Interagency/White House OK
• 3) Action by Departments
• 4) OMB Review if not part of Departmental Request
• New Process
• In Use for Other Cross-cutting Issues

National Plan Blueprint: Four Key Themes
• US Government a Model of Information Security
• Building the Public Private Partnership
• R&D for Solutions
• Law Enforcement and National Security Capabilities

U.S. Government as Model
• Identify and Address Vulnerabilities
• Implement Best Practices
• Install Defensive Detection Systems
• Train and Recruit Security Experts
• Fund R&D

One: Identify and Address Vulnerabilities
• Vulnerability Assessment vs Threat Analysis
• Tension between Cyber and Physical
• Interdependencies and Single Points of Failure
• New Elements:
• Project Matrix
• Expert Review Team
• Open Source Software
• Patch Prioritization
• Recommended Practices
• PKI

Project Matrix: Shared Interdependencies
• Complete Picture of Asset Dependencies and Interdependencies
• Three Steps
• Identify PDD-63 Relevant Assets
• Capture Major Nodes and Networks which USG Critical Assets Depend
• Tie Critical Assets and Supporting Nodes/Networks to Underlying Infrastructures

Two: Implement Best Practices
• Convergence of Three Initiatives
• Critical Infrastructure Protection Working Group
• Model Information Systems Security Program
• CIO Council Strategic Objectives
• CIO Council Security, Privacy and Critical Infrastructure Committee Lead
• Objective: Into the hands of practitioners soon

Three: Defensive Detection Systems
• Invest in Current Best of Breed
• Intrusion Detection Monitors/Firewalls
• Access/Activity Rules
• Enterprise Wide Management Systems
• Deploy Next Generation Government-Wide Systems
• JTF-CND -- for DOD
• FIDNet -- for Civilian Agencies
• NSIRC -- for national security systems
• Drive Technology
• Vendor conference 3/15

FIDNet Architecture
• System of Systems
• Departments run own intrusion detection systems
• Link to FIDNet
• Information Exchange
• Enhances FedCIRC Capabilities
• Run by GSA
• Base for Additional Capabilities
• patch distribution

Four: Train and Recruit Security Experts
• Centers for IT Excellence
• Scholarship for Service Program
• High School Recruitment and Computer Security Awareness program
• Federal Computer Security Awareness Program
• IT Occupational Study/Reform

Five: Fund R&D
• Institute for Information Infrastructure Protection
• National framework: Coordinated Federal and Private Sector efforts
• Key Priorities
• Indications of anomalous behavior within systems
• Large-scale automated correlation of events
• Automated alarm analysis

Summary
• Federal Government Must be a Model
• White House Support for Budget and Resources
• Need for Action
• Vulnerabilities
• Best Practices
• FIDNet and Detection Systems
• Training and Recruitment
• R&D

CONTACT

CHAIR, USG as a Model Working Group
Tom Burke
General Services Administration (GSA)
202 708 7000
Tom.Burke@GSA.GOV

NSC Senior Director for Critical Infrastructure
Jeffrey Hunker
National Security Council (NSC)
202 456 9351
Jeffrey_A._Hunker@NSC.EOP.GOV