Toward a Strategic Approach to National ICT Risk: A Perspective from the U.S.
Andy Purdy, Co-Director, International Cyber Center, George Mason University
2009 Workshop on Cyber Security and Global Affairs, St Peter’s College, Oxford University, August 3, 2009
Mission of the Int’l Cyber Center
To facilitate strategic collaboration and information sharing to better identify and address global ICT issues.
Priority Issues
• Capacity: Promote sustainable IT development/CERT capacity building in the developing world
• Risk: Develop a collaboration framework to assess and mitigate risk to global ICT
• Response: Enhance global ICT preparedness – situational awareness, analysis, information sharing, response, and recovery
• Crime: Strengthen the coordinated, global effort against malicious activity and cyber crime to reduce frequency, impact, and risk
• R&D: Enhance global coordination to better assess and mitigate risk, and address long-term hard problems in cyberspace
Summary
• Current cyber risk
• Public policy challenges
• Threat versus risk
• What approach should we take?
• Risk management – for organizations, countries, and the international community
• A strategic approach to international collaboration and information sharing
What is the current cyber risk?
• Moderately sophisticated malicious actors can intrude into systems almost at will
• Intrusion into systems gives outsiders the access of insiders
• Economic espionage – theft of proprietary data
• Theft of personal information and access to online accounts
• Broad-based or targeted disruption of communications and database access, or attacks on the integrity of data
Public Policy Challenge
• The nation is dependent on cyber for national security, economic well-being, public safety, and law enforcement
• Risk is real but not visible and obvious
• Authority and control is spread among multiple entities in the public and private sectors
• Cyber is international
• Individuals and organizations are reactive and tactical
• We do not learn lessons from the past
Lessons Learned
• We do not learn lessons well – hindsight is not “20/20”
• What lessons should we learn from 9/11, Hurricane Katrina, and cyber attacks and intrusions/exfiltrations?
• That we must be proactive rather than reactive. We must act strategically.
Learn Lessons
• Reacting to threats is not enough
• Must address risk
• Who cares about public-private partnership?
• Information sharing is not the goal
• Government will not protect us
• Law enforcement cannot stop the bad guys
• Have we learned anything from Conficker?
Threat versus Risk
• The traditional model has been to react to known or perceived threats
• “Threat” – intent and capability of malicious actors
• The key lesson we must learn and operationalize is to use a risk management approach at the organizational, national, and international levels
• “Risk” – threat, vulnerabilities, and consequences
Current Approaches for National Cyber Risk
Either:
• Do more of what we have been doing, with greater effort and sharing of information?
• Find a benevolent, powerful despot to drive effective prioritization, adequate resource commitment, and enhanced collaboration and information sharing?
Or…
• Take a strategic approach
What is our operating premise?
• Will it take a cyber calamity to drive an effective approach?
• Why expect that to make a difference?
• What can we expect to happen if there is a cyber disaster?
• How can we use that reality to drive action?
Strategic Thinking
“Nothing more terrible than activity without insight.”
What is missing?
• What do we need to worry about and what do we need to do about it?
• We need to
  • know our risk posture, and
  • identify requirements for addressing that risk that are generated by a public-private collaboration
What do we need?
A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and to resource, execute, and track progress on:
• Cyber risk;
• Cyber preparedness;
• Malicious activity and cyber crime; and
• Research and development.
Cyber Risk
• The nation’s threat paradigm needs to be replaced by a risk paradigm (threat, vulnerabilities, and consequences);
• We need a national cyber risk assessment that spells out what the nation needs to worry about and what we need to do about it;
• Using a risk focus, expand the NIE (threat) model of broad-based government participation to include the private sector.
Cyber Preparedness
• Set requirements for situational awareness and a common operating picture for govt and critical infrastructure
• Set requirements for a public-private collaborative framework to address cyber incidents:
  • Analysis
  • Response
  • Recovery
Research and Development
• The nation must develop a national cyber R&D agenda to better assess and mitigate risk, enhance preparedness, and address the long-term hard problems we face in cyberspace
• The agenda must be informed by government and the private sector, academia, and our closest allies.
Malicious Activity
• We must act strategically and proactively
• Malicious activity is a key component of ICT risk
• Law enforcement must work across government and with the private sector to prioritize action and resources, track progress, and impact malicious activity to reduce risk.
• Accountability is key to progress.
Malicious Activity and Cyber Crime
• Malicious activity/cyber crime should be seen as one part of a continuum of risk that the nation faces from terrorists, sophisticated hackers and hacktivists, organized criminal groups, and nation states (and those working for them).
• Law enforcement, others in govt, and the private sector – domestically and internationally – must work together to:
  • develop a strategic approach to the collection and sharing of data on malicious actors and enablers to identify the most significant globally;
  • use all tools available to governments and private companies to pursue the bad actors and those who enable them, and shut off the payment processing and money laundering on which they thrive; and
  • mitigate the circumstances and vulnerabilities that allow them to operate.
Malicious Activity/Cyber Crime – Status & Need
Status
• Some collaboration among LE – FBI, Secret Service, Customs, Postal, FTC – on threats and awareness raising, and between LE/DOJ and other government entities
• LE outreach and information sharing with the private sector – e.g., InfraGard (FBI) and Electronic Crimes Task Forces (USSS), Interpol, IMPACT
• Targeted collaboration – National Cyber Forensics & Training Alliance
Need
• Identify as a priority the need to engage in a strategic approach to malicious activity and cyber crime (and the black market in exploit tools and skills), domestically and internationally
• Set in motion a process by govt and the private sector, first domestically, then internationally, to collect and share data on the most significant malicious actors/enablers and track a coordinated effort to shut them down and reduce frequency & impact, including private lawsuits
• Build on efforts like NCFTA and NCMEC/FSTC (pornography payment processing)
Malicious Activity/Cyber Crime
• Govt and the private sector should partner to collect and share data on the most significant malicious actors & enablers
• Coordinated effort to shut them down and reduce the frequency & impact of activity
• Encourage private lawsuits as a complement to law enforcement
• Build on efforts like NCFTA and NCMEC/FSTC (e.g., pornography payments)
Attacking Malicious Activity by Focusing on the Resources Actors Need
• Take the example of spam; spammers need:
  • Spam-sending software
  • Addresses to spam
  • Un-blocklisted IP addresses through which to route their spam (these may be compromised consumer hosts on a rented botnet, for example)
  • Hosting for spamvertised web sites (whether on so-called bullet-proof hosting, fast-flux hosting, or whatever), and
  • Domain names
  • Payment vehicles, frequently credit card merchant accounts
• If we can cut off access to these resources, malicious activity becomes harder
Not my job – or, “I just supply the pipes”
• Conficker/Botnets
• Emerging trend toward responsibility
• Craigslist murder case – online advertiser due diligence imposed
• Gambling online
• Child pornography
• Tortious negligence legal responsibility
• Enablers facilitate fraudulent and other malicious activity and must help stop it
Pursue Enablers Through Civil and Criminal Process
• Registrars
• ISPs
• Web hosts
• Email providers
• Telco providers
• Domestic and foreign banks
• Check cashing services, wire funds transfer services
• Credit card processors
• Certificate authorities
• Shippers (FedEx, UPS, USPS)
Legal Triage
• Use technology tools and legal talent to convert Internet data points into offensive legal action against fraudsters & enablers
• Engage enablers with cease-and-desist e-mail and certified-letter campaigns
• Formal demands with subpoenas issued in strategic lawsuits against “John Doe” defendants
• Track cyber threats back to human sources: the real identity of third parties who can stop fraudsters, the real location of fraudsters’ hard assets, and the real identity of fraudsters and enablers
Promote Policies Against Malicious Actors and Enablers
• Use data on malicious actors and enablers to inform policies
• Egress filtering
• BCP-38
• ICANN and others re: registrar due diligence
• What else?
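Egress filtering per BCP-38 means an edge network only lets packets out whose source address belongs to the prefixes it was actually assigned, so its hosts cannot be used to send spoofed traffic. The following Python is an added illustration, not code from the slides or from any BCP-38 implementation; the assigned prefixes and the packet sample are constructed, and the function names (source_is_permitted, filter_egress, spoofed_source_report) are the example’s own.

```python
"""BCP-38 style egress filter check (added example, constructed data).

A packet leaving a customer network should carry a source address from that
network's own assigned prefixes. Anything else is spoofed and is dropped at
the edge. The prefixes and packets below are constructed sample data using
documentation address ranges.
"""
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to the customer network behind this edge.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed: (source, destination) pairs seen at the egress interface.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),          # legitimate
    ("203.0.113.77", "192.0.2.9"),             # legitimate
    ("192.0.2.1", "198.51.100.5"),             # spoofed: source is not ours
    ("10.0.0.5", "198.51.100.5"),              # spoofed: private source leaking out
    ("2001:db8:1::42", "2001:db8:ffff::1"),    # legitimate IPv6
    ("2001:db8:2::42", "2001:db8:ffff::1"),    # spoofed IPv6
]


def source_is_permitted(src, prefixes=ASSIGNED_PREFIXES):
    """Return True if src falls inside one of our assigned prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: never permitted
    return any(addr.version == p.version and addr in p for p in prefixes)


def filter_egress(packets, prefixes=ASSIGNED_PREFIXES):
    """Split packets into (forwarded, dropped) the way a BCP-38 filter would."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if source_is_permitted(src, prefixes) else dropped
        bucket.append((src, dst))
    return forwarded, dropped


def spoofed_source_report(packets, prefixes=ASSIGNED_PREFIXES):
    """Count dropped packets per source address, the data an operator reviews
    to find hosts that are emitting spoofed traffic."""
    _, dropped = filter_egress(packets, prefixes)
    return Counter(src for src, _ in dropped)


if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} spoofed")
    for src, n in spoofed_source_report(SAMPLE_PACKETS).items():
        print(f"  spoofed source {src}: {n} packet(s)")
```

On a real edge router the same rule is expressed as an ACL or unicast reverse-path forwarding check; the point of the script is that the decision is mechanical once the assigned prefixes are known, which is why the policy question is adoption rather than technique.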
Key: Easy Access to Domain Names
• Avoiding SURBL/URIBL filtering
• Trying to stay off law enforcement (LE)’s radar
• If a spammer spamvertises multiple domain names, it becomes at least marginally harder for LE to mechanically aggregate all that spam traffic, reducing a spammer’s chance of being targeted
• Load balancing and/or enhanced survivability: multiple domain names also make load balancing possible and increase website survivability
• Market segmentation: use of multiple domain names also facilitates spammer market segmentation
• Tracking/crediting affiliate traffic: spamvertising multiple domain names also makes it easy for spammers to track and credit affiliate traffic
• Credit for the next three slides: Joe St Sauver, Ph.D. (joe@uoregon.edu), Senior Technical Advisor, Messaging Anti-Abuse Working Group
A Few Registrars Have the Potential to Help Combat Abuse
• Looking at the domains on the SURBL for which it was possible to identify a responsible registrar (just under 600,000 listed domains):
  -- 4 registrars account for 50% of listed domains
  -- 24 registrars account for 80% of listed domains
  -- 69 registrars (all of the ones with more than a tenth of a percent of all listed domains) cover roughly 92% of listed domains
Summary – Domain Names
• Malicious actors need a variety of resources. Domain names are one such resource, which means that registrars can play a critical role in fighting malicious activity.
• A relatively small number of registrars control a significant fraction of the domains listed on the SURBL. Other registrars that have a high concentration of domains associated with abuse may be willing to take action.
• Proxy/private registration services may exacerbate the problems associated with abused/abusive domains.
• The status of any registrar at any single point in time is not as important as what happens over time -- is the number of abused/abusive domains increasing or decreasing?
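The registrar concentration figures on the previous slide and the over-time question on this one are the same computation run over a blocklist listing. The Python below is an added example, not the slides’ own analysis and not SURBL data or tooling: it takes rows of (domain, responsible registrar, month first listed), reports how few registrars reach a given share of listings, the share held by registrars above a size threshold, and whether a registrar’s count is rising or falling between two months. The listing is constructed and the registrar names (reg-alpha and so on) are placeholders.

```python
"""Registrar concentration and trend over a domain blocklist listing.

Added example with constructed data. Each row is
(domain, responsible registrar, month first listed). Registrar names are
placeholders, not real registrars.
"""
from collections import Counter, defaultdict


def _make_listing(spec):
    """Expand (registrar, month, count) triples into constructed domain rows."""
    rows = []
    for registrar, month, count in spec:
        for i in range(count):
            rows.append((f"{registrar}-{month}-{i}.example", registrar, month))
    return rows


# Constructed sample listing: 20 abused domains across four placeholder registrars.
LISTING = _make_listing([
    ("reg-alpha", "2009-05", 4), ("reg-alpha", "2009-06", 6),
    ("reg-beta", "2009-05", 4), ("reg-beta", "2009-06", 2),
    ("reg-gamma", "2009-05", 1), ("reg-gamma", "2009-06", 2),
    ("reg-delta", "2009-06", 1),
])


def registrar_shares(listing):
    """Return [(registrar, listed_count, share_of_total)], largest first."""
    counts = Counter(registrar for _, registrar, _ in listing)
    total = sum(counts.values())
    return [(r, n, n / total) for r, n in counts.most_common()]


def registrars_to_cover(listing, percent):
    """Smallest number of top registrars whose listings reach `percent` of
    the total. `percent` is an integer so the comparison is exact."""
    counts = Counter(registrar for _, registrar, _ in listing)
    total = sum(counts.values())
    cumulative = 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        cumulative += n
        if cumulative * 100 >= percent * total:
            return k
    return len(counts)


def coverage_above(listing, min_percent):
    """Share of all listings held by registrars that each exceed `min_percent`
    of the total (the slide's 'more than a tenth of a percent' cut)."""
    counts = Counter(registrar for _, registrar, _ in listing)
    total = sum(counts.values())
    big = [n for n in counts.values() if n * 100 > min_percent * total]
    return sum(big) / total


def monthly_counts(listing):
    """{registrar: {month: newly listed domains}} for trend review."""
    table = defaultdict(Counter)
    for _, registrar, month in listing:
        table[registrar][month] += 1
    return table


def trend_direction(listing, registrar, earlier, later):
    """'increasing', 'decreasing' or 'flat' for one registrar between two
    months; a month with no listings counts as zero."""
    months = monthly_counts(listing)[registrar]
    before, after = months[earlier], months[later]
    if after > before:
        return "increasing"
    if after < before:
        return "decreasing"
    return "flat"


if __name__ == "__main__":
    for registrar, n, share in registrar_shares(LISTING):
        print(f"{registrar:10} {n:3} listed  {share:6.1%}")
    print("registrars needed for 50%:", registrars_to_cover(LISTING, 50))
    print("registrars needed for 80%:", registrars_to_cover(LISTING, 80))
    print("coverage by registrars above 10%:", f"{coverage_above(LISTING, 10):.1%}")
    for r in ("reg-alpha", "reg-beta", "reg-delta"):
        print(r, trend_direction(LISTING, r, "2009-05", "2009-06"))
```

With real blocklist exports the registrar column is what needs the most care: WHOIS data is inconsistent and proxy registration hides the sponsoring registrar for some domains, which is why the slide qualifies its figures with “for which it was possible to identify a responsible registrar”.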
Path Forward
• Convene Strategic Communities of Interest – Government and Private
  • A steering committee should be formed from among representatives of a larger group of government and private sector organizations
  • That group, with input from the larger community, should coordinate and leverage existing efforts and set requirements.
• Choose Strategic Issues, Requirements, and Path Forward
  • Cyber Risk
  • Cyber Preparedness
  • Malicious activity/cyber crime
  • Research and Development
• Commit to Meaningful International Collaboration
Conclusion
It is essential that we bring together representatives of key domestic and international public and private organizations to dynamically address cyber issues strategically by identifying requirements and tracking execution. This process can tell our nation’s leaders what we need to worry about and what we need to do about it, keep them informed about the status of our progress, and hold key stakeholders in govt and the private sector accountable.
Andy Purdy
Co-Director, International Cyber Center, George Mason University; Fairfax, Virginia, USA
President, DRA Enterprises, Inc.
Andy.Purdy@andypurdy.com
www.internationalcybercenter.org