2009 04 02 Larry Clinton Supply Chain Presentation at the NDIAs DIB CIP Conference
Transcript of 2009 04 02 Larry Clinton Supply Chain Presentation at the NDIAs DIB CIP Conference
7/31/2019 2009 04 02 Larry Clinton Supply Chain Presentation at the NDIAs DIB CIP Conference
Larry Clinton, President
Internet Security Alliance
[email protected]
202-236-0001
ISA Board of Directors
Ty Sagalow, Board Chair; President, Innovation Division, Zurich Insurance
Mike Hickey, Board Vice Chair; VP Government Affairs and National Security, Verizon Corp.
Tim McKnight, VP & CSO, Northrop Grumman
Jeff Brown, CISO Information Security, Raytheon
Charlie Croom, VP Cyber Security Solutions, Lockheed Martin
Eric Gureno, CIO, Bank of New York/Mellon Financial
Pradeep Khosla, Dean, School of Computer Sciences, Carnegie Mellon U
Lawrence Dobranski, Security Manager, Nortel
Mark Antony Signorino, Chief Technology, Nat. Assoc. Manufacturers
Joe Buonomo, Pres., Direct Computer Resources Inc.
Our Partners
ISA Mission
Integrate technology with economically practical business considerations and public policy to create a sustainable system of cyber security.
National Risk Continuum
[Chart: threat actors plotted on a risk continuum. Horizontal axis: Consequence, from Very low to Very high. Vertical axis runs from Very low to Severe. Actors shown: Hackers; Criminal gang; Nation-state/Steal; Nation-state/terrorist, limited resources; Nation-state/unlimited resources. Objectives annotated: Project power; Project power/damage or destroy.]
2009 ISA Priority Projects
1. Create a Cyber Security Social Contract between business and government to provide market incentives for improved security
2. Develop Best Practices for financial risk management of cyber incidents
3. Create a framework for managing conflicting legal structures and unified communications tech.
4. Develop standards to secure the VOIP platform
5. Framework to secure the IT supply chain
ISA Supply Chain Project
18 months long (start fall 07)
Focus on firmware
Carnegie Mellon University and Center for Cyber Consequences Unit
3 conferences
100 Gov., Industry and Academic participants
Results are strategy and framework provided to USG for NSC 60-day review of cyber policy
ISA/CMU Study Results
1. Globalization of IT Supply Chain will increase
2. USG reliance on IT will also increase
3. Threat from IT supply chain significant for USG
4. USG-only solution impractical
5. Attackers will be fluid and creative, so fixed policies will be ineffective long term
6. Need a flexible framework of solutions
7. Framework must account for both security and cost
Framework: Danger of Malicious Firmware
Serious danger of infiltrating the supply chain
Altered circuitry to transfer control over info systems
A logic bomb could lie dormant, then be activated at the worst possible moment
A weapons system could be shut down when needed, or even turned against the owner
Virtually impossible to detect
Domestic sole sourcing is economically impractical
Framework: Economic Issues
Supply chain attacks are very difficult and expensive
Almost always cheaper and more effective to use more traditional cyber attacks
NATION STATES CAN AFFORD AND MIGHT BE WILLING TO INVEST IN SUPPLY CHAIN ATTACKS
Some criminal conspiracies might also be willing to conduct supply chain attacks
Malicious firmware is a serious but limited issue
Types of Supply Chain Attacks & Remedies
1. Interrupt Operation: Maintain alternative sources and continual sharing of production across the chain
2. Corrupt Operation (e.g. insert malware): strict control of the environment where key IP is being applied; logical and physical tamper-proof seals/tracking containers
3. Discredit the operation (undermine trust or brand value): logging of operation and responsibility
4. Loss of information: Versioning as a tool for protecting IP
Framework: Stages When Attacks May Occur
1. Design Phase
2. Fabrication Phase
3. Assembly Phase
4. Distribution Phase
5. Maintenance Phase
Framework: Legal Support Needed
1. Rigorous contracts delineating security measures
2. Locally responsible corporations w/ long-term interest in complying
3. Local ways of overcoming agency problems and motivating workers and executives
4. Adequate provision for verifying implementation of security
5. Local law enforcement of agreements at all levels
Larry Clinton, President
Internet Security Alliance
202-236-0001