Cyber Security Professionalism Cyber Security Becomes a Profession Navigating U.S. Sectoral Security S.773 - the Current Impetus

Posted: 21-Dec-2015
Category: Documents

Page 1: Cyber Security Professionalism Cyber Security Becomes a Profession Navigating U.S. Sectoral Security S.773 - the Current Impetus.

Cyber Security Professionalism

Cyber Security Becomes a Profession Navigating U.S. Sectoral Security

S.773 - the Current Impetus

Page 2

Is “CyberSecurity” a Profession? What About “Risk Analysis?”

Are these Trick/Gotcha Questions? Maybe

Why… What is the Dilemma?
• Long tradition of fields, disciplines, callings actively seeking legitimacy of professional status
• Vs. once you’re a Professional, public expectations hold your feet to the fire

What is the Role of S.773 & S.778 in CyberSecurity Professionalism?

Page 3

What is a Profession?
• Traditionally only 3 professions: Divinity, Medicine, Law
• Persons/firms who supply specialized knowledge (subject, field, science) to fee-paying clients
• Also the body of qualified professional persons
• Derived from Latin professiō - to swear (an oath), avowal, public declaration
• Professional (adj) - behaves properly, not amateurish
• The oath dictates ethical standards, usually including confidentiality, truthfulness, expertise, all for the client’s benefit; also upholding the profession’s good name
• EX: Architects, Accountants, Actuaries, Chiropractors, Clergy, Dentists, Engineers, Lawyers, Librarians, Nurses, Occupational/Physical Therapists, Pharmacists, Physicians, Professors/Teachers, Psychiatrists, Veterinarians

(Cyber-)Security “Professionals” too?!?

Page 4

Milestones towards Profession
• Full-Time Occupation
• Training & University Instruction
• Accreditation of Instruction & Qualifications
• Associations: local, national, int’l
• Codes of Conduct (govt & self-): ethics, professional responsibility, self-discipline
• Law/Regulation Compels Professional Status: Licensure, Certification

Page 5

Characteristics of Most Professions
• Skill based on theoretical knowledge
• Professional associations
• Extensive period of education
• Testing of competence
• Institutional training (apprenticeship)
• Licensure/Certification
• Work autonomy
• Code of professional conduct or ethics
• Self-regulation
• Self-Discipline
• Public service and altruism (pro bono)
• Exclusion, monopoly & legal recognition
• Fee & advertising control
• High status & rewards
• Individual clients vs. In-House single client
• Legitimacy, legal authority over some activities
• Body of Knowledge inaccessible to laity
• Professional interpretation required for body of knowledge
• Professional Mobility

Page 6

Is CNSSI a Professional Program?
• Ostensibly, but is it persistent?!?
• CNSS standards for training & education were embraced by 169 U.S. institutions
• Provides baseline for cadre of IA professionals

Educational Standards for IA professionals
• NSTISSI 4011 - Information Systems Security (INFOSEC) Professionals
• CNSSI 4012 - Senior Systems Managers
• CNSSI 4013 - System Administrators
• CNSSI 4014 - Information Systems Security Officers
• NSTISSI 4015 - System Certifiers
• CNSSI 4016 - Risk Analyst

Page 7

IT Governance Drives Professionalism
• “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”
• “the leadership and organizational structures and processes that ensure that [IT serves strategic objectives].”
• Corporate governance constraints; impact of law, regulators, security & privacy standards; SOX
• Implemented through: technology transfer agreements, private contracts, employment restrictions, IP constraints, eCommerce commercial practice

Page 8

Standardization of Security Duties
• ISO 17799 (predecessor: BS7799) & its progeny: now replaced by ISO/IEC 27000 series
  - ISO 27001 Info. Security Mgt.
  - ISO 27002 Best Practices
• ISO 15408 Common Criteria: Computer Security
• PCI DSS payment card security
• COBIT (ISACA: Info. Sys. Audit & Control Assn)
• ITIL IT Infrastructure Library: IT Service Mgt
• NIST’s Fed. Info. Processing Stds
• Fair Information Practice Principles (FIPP): (1) Notice, (2) Choice, (3) Participation, (4) Security, (5) Redress

Page 9

Why are Standards Important?
• Stds are emerging from obscurity
• More widely understood to impact most economic activity
• Increasingly viewed less as technically objective matters; more as arbitrary choices from among near-infinite alternatives
• Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
• Increasingly have a behavioral component

Page 10

Why Standards Impact CyberSecurity Duties
• Stds Created CyberSpace: Consider: html, ftp, http, xml, 802.11
• Facilitates comparison, interoperability, competition
• Attracts investment in compatible technologies, products & services
• Standardization promises superior process design & best practice integration
• Domain experts develop rather than meddlers
• Standards Reduce Risks of Variety: Incompatibility, Incompetence
• Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback, Incentivizes Compliance & Improvement

Page 11

Risks of Security Standardization
• General Disadvantages of Standardization: Locks in old/obsolete technology; Resists favorable evolution or adaptation; Favors/disfavors particular groups
• Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design
• However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

Page 12

Economic Analysis of Security
• The Law & Economics Approach: legal theory applies methods of economics to law; economic concepts explain effects of law/regulation; assesses efficient rules; predicts which legal rules will/should be promulgated
• Micro-Economics Fundamentals
  1. Information Asymmetries
  2. Market Failure & its Justification for alternative policies
  3. Adverse Selection
  4. Moral Hazard
  5. Positive vs. Negative Externalities
  6. Free Rider & Tragedy of the Commons
• Game Theoretic Framework & Network Economics Approach
  1. Critical Mass
  2. Network Externality
  3. Vulnerability Markets & Disclosure Incentive

Page 13

Some Public Policies Pressing Security Duties
• Privacy Law Requires CyberSecurity: G/L/B, SourBox (a/k/a SOX), FCPA Internal Control
• The Primary Federal Privacy Regulator: FTC; Enforcement Caselaw, deceptive trade practices
• State Privacy & Info Security Laws: CA state Privacy Czar; Breach Notification, see: Privacyrights.org; Mass., Nev. Comprehensive Regulations; Tort Liability for Privacy Violations
• HIPAA now HITECH PHI std
• IA laws Impact Security Duties: Outsourcing (SAS70); Trade Secrecy (IP) & National Security; USA PATRIOT Act
• FTC Privacy Enforcement Common Law History: Red Flags (best/worst practices), Disposal Rule, Exposing then Stamping Out Deception

Page 14

Example of Security Complexity: the Purported IPAS Drivers

PSU “Policies”
• FN07 - Credit Card Sales
• AD11 - University Policy on Confidentiality of Student Records
• AD19 - Use of Penn State Identifier and Social Security Number
• AD20 - Computer and Network Security
• AD22 - Health Insurance Portability and Accountability Act (HIPAA)
• AD23 - Use of Institutional Data
• Trusted Network Specifications
• AD35 - University Archives and Records Management
• AD53 - Privacy Statement

Public Policies
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (G/L/B)
• Family Educational Rights and Privacy Act (FERPA)
• PA Breach of Personal Information Notification Act, 73 P.S. § 2301
• PA Mental Health Law
• 21 USC Ch. 16 - Drug Abuse Prevention, Treatment, & Rehab

Page 15

What is Federal Pre-Emption?
• Only the most central institutional design feature in the whole “American Experience”
• E.g., Reaction to English Crown, Articles of Confederation, Civil War, New Deal, Reagan’s New Federalism
• Fed. Law May Displace State Law. EX: FDA labeling overrides state products liability
• Why would it be good to bar the states from regulating CyberSecurity?
• Why would it be good to include states in regulating CyberSecurity?

Page 16

S.773 & S.778
• S.773 = Cyber Security Act of 2009
• Sponsors: John Rockefeller [D, WV] + 3 Co-Sponsors: Evan Bayh [D, IN], Bill Nelson [D, FL], Olympia Snowe [R, ME]
• S.773 Bill Actions: 4.1.09: Introduced & Read twice; Referred to Commerce, Science & Transportation.
• S.778 Companion to S.773: Creates White House Office of National Cybersecurity Advisor; Authority/Power: from S.773 & later legislation/delegation

Page 17

Some S.773 & S.778 Provisions
• Raise CyberSecurity profile within Fed. Govt.
• Streamline cyber-related govt functions & authorities
• Establish: Office of the National CyberSecurity Advisor
• Develop CyberSecurity national strategy
• Quadrennial Cybersecurity Review, modeled after the DoD Quadrennial Defense Review, to examine cyber strategy, budget, plans & policies
• Require a threat & vulnerability assessment
• Promote public awareness
• Protect civil liberties
• Require comprehensive legal review

Page 18

More S.773 & S.778 Provisions
• ISAC: pub-pvt clearinghouse for cyber threat & vulnerability info-sharing
• CyberSecurity Advisory Panel: industry, academia, not-for-profit, advocacy organizations review & advise President
• Establish enforceable cybersecurity standards: NIST to create measurable, auditable CyberSecurity stds
• Licensing & certification of CyberSecurity professionals
• Establish & negotiate international norms: cybersecurity deterrence measures
• Foster innovation and creativity in cybersecurity
• Scholarship-For-Cyber-Service program
• NSF: Increase federal cybersecurity R&D
• Develop CyberSecurity risk evaluation framework

Page 19

Probability of S.773 Passage
• Much proposed legislation is arguably political grandstanding, with scant probability of success
• Passage of any proposed legislation is uncertain
• Predictions based on heuristics of domain experts
• Few sectors reactive, most pro-active
• Limits of empirical approaches to prediction
• See: “Resume of Congressional Activity:” http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm
  - 110th Cong. 1st Sess. (Jan. 4 - Dec. 31, 2007): 138 enacted / 9227 introduced = 1.5% yield
  - 110th Cong. 2nd Sess. (Jan. 3, 2008 – Jan. 2, 2009): 278 enacted / 4815 introduced = 5.8% yield

Page 20

Security Risk Analysis is Sectoral
• Risk Analysis Differs by Domain: just like U.S. Privacy Law, but not EU Privacy Law
• Major Differences: Physical vs. Intangible Security; most domains blend tangible w/ information
• Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e): “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
• telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace
• Calls for National Effort to Enhance Modeling & Analytical Capacities: appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures

What is Shared Among these Vastly Different Sectors?

Page 21

Law Permits/Regulates Risk Analytics

Quantitative
• Statistical
• Actuarial: Mortality & Morbidity
• Admissibility of Forensic Quality Expertise
• Decision Analysis
• Failure Analysis

Qualitative
• Heuristic
• Visualization
• Interdependence Risk Assessment
• Education
• Demographics
• Risk Recognition
• Emotion

Page 22

Epilogue
• There is far more here than meets the eye!
• A website devoted to the developing public policy of cyber security professionalism: http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/
• This IS interdisciplinary! Good luck w/o interdisciplinarity…

Page 23

Financial Info Security Risks: SEC

Financial Institutions w/in SEC Juris. Must:
• Adopt written policies & procedures, reasonably designed to …
  - Insure security & confidentiality of customer records
  - Protect against anticipated threats or hazards
  - Protect against unauthorized access or use that could result in substantial harm or inconvenience
• Disposal Rule: must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

Page 24

Controls over Internal Risks
• COSO’s Definition of Internal Control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
• Components of Internal Control are: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring

Page 25

GLB Safeguards Rule
• Financial institutions must design, implement and maintain safeguards
• Purpose: to protect private info
• Must implement written information security program appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data
• Security program must also: assign one or more employees to oversee program; conduct risk assessment; put safeguards in place to control risks identified in assessment, then regularly test & monitor them; require service providers, by written contract, to protect customers' personal information; & periodically update security program

Page 26

Admitting then Analyzing Outsourcing Risks
• Not Outsourcing Risks Internal Failure
• Interdependency Reduces (Some) Risks of Conflict
• Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
• Slipshod Rush to Outsource for $avings
• Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
• SAS 70 Requires Outsourcing Risk Analysis/Mgt
• SLC Negotiation Opportunities to Reduce Risk

Page 27

NIST Risk Mgt Method
• Asset Valuation: Information, software, personnel, hardware, & physical assets; intrinsic value & the near-term impacts & long-term consequences of its compromise
• Consequence Assessment: Degree of harm or consequence that could occur
• Threat Identification: Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses

Page 28

NIST Risk Mgt Method (cont.)
• Vulnerability Analysis: analyzed in terms of missing safeguards
• Safeguard Analysis: Any action that reduces an entity’s vulnerability to a threat; includes the examination of existing security measures & the identification of new safeguards
• Risk Management Requires Risk Analysis: “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59)

Source: NIST Handbook
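The five steps on these two slides (asset valuation, consequence assessment, threat identification, vulnerability analysis, safeguard analysis) can be laid out as a small risk register. The Python below is an added example, not part of the original slides or of the NIST handbook they cite: it uses a conventional annualized loss expectancy calculation (asset value × exposure × annual rate of occurrence) to put a number on each risk, expresses each vulnerability as a missing safeguard as the slide does, and then ranks the candidate safeguards by the risk they remove net of their own cost, so a safeguard that costs more than the loss it prevents is flagged rather than recommended. Every asset, threat, rate and dollar figure is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset valuation in dollars (constructed sample figure)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # threat identification: expected occurrences per year


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    threat: str
    missing_safeguard: str  # vulnerability analysis: the safeguard that is absent
    exposure: float  # consequence assessment: fraction of asset value lost per event


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_exposure: float  # fraction of the original exposure left once applied


def annual_loss_expectancy(asset: Asset, threat: Threat, vuln: Vulnerability) -> float:
    """Single loss expectancy (value x exposure) times the annual rate of occurrence."""
    return asset.value * vuln.exposure * threat.annual_rate


def safeguard_analysis(assets: List[Asset], threats: List[Threat],
                       vulns: List[Vulnerability], safeguards: List[Safeguard]) -> List[Dict]:
    """Rank the missing safeguards by the annual loss they remove net of their cost."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    by_safeguard = {s.name: s for s in safeguards}
    rows = []
    for v in vulns:
        asset, threat = by_asset[v.asset], by_threat[v.threat]
        sg = by_safeguard[v.missing_safeguard]
        before = annual_loss_expectancy(asset, threat, v)
        after = before * sg.residual_exposure  # risk remaining with the safeguard in place
        net = before - after - sg.annual_cost
        rows.append({
            "asset": asset.name,
            "threat": threat.name,
            "safeguard": sg.name,
            "ale_before": round(before, 2),
            "ale_after": round(after, 2),
            "net_benefit": round(net, 2),
            "recommended": net > 0,  # a safeguard dearer than the loss it prevents is not
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample register: two assets, three of the slide's "typical threats".
ASSETS = [Asset("customer records db", 500_000), Asset("payroll server", 200_000)]
THREATS = [Threat("water damage", 0.1), Threat("disgruntled employee", 0.5), Threat("malware", 2.0)]
VULNS = [
    Vulnerability("customer records db", "malware", "endpoint anti-malware", 0.10),
    Vulnerability("customer records db", "disgruntled employee", "least-privilege access review", 0.20),
    Vulnerability("payroll server", "water damage", "raised-floor water sensors", 0.50),
]
SAFEGUARDS = [
    Safeguard("endpoint anti-malware", 15_000, 0.2),
    Safeguard("least-privilege access review", 8_000, 0.25),
    Safeguard("raised-floor water sensors", 30_000, 0.1),
]

if __name__ == "__main__":
    for row in safeguard_analysis(ASSETS, THREATS, VULNS, SAFEGUARDS):
        flag = "RECOMMEND" if row["recommended"] else "defer"
        print(f'{flag:9} {row["safeguard"]:30} ALE {row["ale_before"]:>10,.0f} -> '
              f'{row["ale_after"]:>9,.0f}  net {row["net_benefit"]:>10,.0f}')
```

With the sample figures the water sensors come out with a negative net benefit: the safeguard would cost more per year than the loss it averts, which is exactly the kind of result the safeguard-analysis step is meant to surface before money is spent.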

Page 29

Roles of Law/Reg/Policy in Risk Analysis & Risk Management
• Law Resolves Disputes, Shifts Risk of Loss: Risk Analysis Failure Shifts Liability Risks to Creator; Actual Injuries Trigger Disputes over Risk Duties
• Law Defines Risks & Duties of Care: Crimes, Torts, Contracts, Standards, Determination of Injury
• Law Dis-Incentivizes Risky Deeds (DD&tDDC)
• Law Defines Risk Management Duties
• Law Compensates Injuries: Derived from Law; Defines/Constrains Damage Computation
• Law Encourages Risk Mgt
• Law Defines Risk Mgt Professionalism
• Law Enforces Risk Shifting Contracts
• Law Requires Risk Analysis & Impacts Methods; but Law may Disincentivize Introspection w/o Self-Eval Privilege
• Law Regulates Risk Management Industry
• Law Enforces Risk Mgt Profession’s Arrangements