Toward a Strategic Approach to National ICT Risk A Perspective from the U.S.

Date post: 08-Jan-2016
Description: Toward a Strategic Approach to National ICT Risk - A Perspective from the U.S. Andy Purdy, Co-Director, International Cyber Center, George Mason University. 2009 Workshop on Cyber Security and Global Affairs, St Peter’s College, Oxford University, August 3, 2009. PowerPoint presentation, 32 slides.

Transcript
Page 1: Toward a Strategic Approach to National ICT Risk - A Perspective from the U.S.

Andy Purdy
Co-Director, International Cyber Center, George Mason University

2009 Workshop on Cyber Security and Global Affairs
St Peter’s College, Oxford University
August 3, 2009

Page 2: Mission of the Int’l Cyber Center

To facilitate strategic collaboration and information sharing to better identify and address global ICT issues.

Page 3: Priority Issues

- Capacity: Promote sustainable IT development/CERT capacity building in the developing world
- Risk: Develop a collaboration framework to assess and mitigate risk to global ICT
- Response: Enhance global ICT preparedness – situational awareness, analysis, information sharing, response, and recovery
- Crime: Strengthen the coordinated, global effort against malicious activity and cyber crime to reduce frequency, impact, and risk
- R&D: Enhance global coordination to better assess and mitigate risk, and address long-term hard problems in cyberspace

Page 4: Summary

- Current cyber risk
- Public policy challenges
- Threat versus risk
- What approach should we take?
- Risk management – for organizations, countries, and the international community
- A strategic approach to international collaboration and information sharing

Page 5: What is the current cyber risk?

- Moderately sophisticated malicious actors can intrude into systems almost at will
- Intrusion into systems gives outsiders the access of insiders
- Economic espionage - theft of proprietary data
- Theft of personal information and access to online accounts
- Broad-based or targeted disruption of communications and database access, or attacks on the integrity of data

Page 6: Public Policy Challenge

- The nation is dependent on cyber for national security, economic well-being, public safety, and law enforcement
- Risk is real but not visible and obvious
- Authority and control are spread among multiple entities in the public and private sectors
- Cyber is international
- Individuals and organizations are reactive and tactical
- We do not learn lessons from the past

Page 7: Lessons Learned

- We do not learn lessons well – hindsight is not “20/20”
- What lessons should we learn from 9/11, Hurricane Katrina, and cyber attacks and intrusions/exfiltrations?
- That we must be proactive rather than reactive. We must act strategically.

Page 8: Learn Lessons

- Reacting to threats is not enough
- Must address risk
- Who cares about public-private partnership?
- Information sharing is not the goal
- Government will not protect us
- Law enforcement cannot stop the bad guys
- Have we learned anything from Conficker?

Page 9: Threat versus Risk

- The traditional model has been to react to known or perceived threats
- “Threat” - intent and capability of malicious actors
- The key lesson we must learn and operationalize is to use a risk management approach at the organizational, national, and international levels
- “Risk” - threat, vulnerabilities, and consequences

Page 10: Current Approaches for National Cyber Risk

Either:
- Do more of what we have been doing, with greater effort and sharing of information?
- Find a benevolent, powerful despot to drive effective prioritization, adequate resource commitment, and enhanced collaboration and information sharing?

Or…
- Take a strategic approach

Page 11: What is our operating premise?

- Will it take a cyber calamity to drive an effective approach? Why expect that to make a difference?
- What can we expect to happen if there is a cyber disaster?
- How can we use that reality to drive action?

Page 12: Strategic Thinking

“Nothing more terrible than activity without insight.”

Page 13: What is missing?

- What do we need to worry about and what do we need to do about it?
- We need to know our risk posture, and identify requirements for addressing that risk that are generated by a public-private collaboration

Page 14: What do we need?

A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and resource, execute, and track progress on:
- Cyber risk;
- Cyber preparedness;
- Malicious activity and cyber crime; and
- Research and development.

Page 15: Cyber Risk

- The nation’s threat paradigm needs to be replaced by a risk paradigm (threat, vulnerabilities, and consequences);
- We need a national cyber risk assessment that spells out what the nation needs to worry about and what we need to do about it;
- Using a risk focus, expand the NIE (threat) model of broad-based government participation to include the private sector.

Page 16: Cyber Preparedness

- Set requirements for situational awareness and a common operating picture for govt and critical infrastructure
- Set requirements for a public-private collaborative framework to address cyber incidents:
  - Analysis
  - Response
  - Recovery

Page 17: Research and Development

- The nation must develop a national cyber R&D agenda to better assess and mitigate risk, enhance preparedness, and address the long-term hard problems we face in cyberspace
- The agenda must be informed by government and the private sector, academia, and our closest allies.

Page 18: Malicious Activity

- We must act strategically and proactively
- Malicious activity is a key component of ICT risk
- Law enforcement must work across government and with the private sector to prioritize action and resources, track progress, and impact malicious activity to reduce risk.
- Accountability is key to progress.

Page 19: Malicious Activity and Cyber Crime

Malicious activity/cyber crime should be seen as one part of a continuum of risk that the nation faces from terrorists, sophisticated hackers and hacktivists, organized criminal groups, and nation states (and those working for them).

Law enforcement, others in govt, and the private sector – domestically and internationally – must work together to:
- develop a strategic approach to the collection and sharing of data on malicious actors and enablers to identify the most significant globally;
- use all tools available to governments and private companies to pursue the bad actors and those who enable them, and shut off the payment processing and money laundering on which they thrive; and
- mitigate the circumstances and vulnerabilities that allow them to operate.

Page 20: Malicious Activity/Cyber Crime – Status & Need

Status
- Some collaboration among LE - FBI, Secret Service, Customs, Postal, FTC - on threats and awareness raising, and between LE/DOJ and other government entities
- LE outreach and information sharing with the private sector – e.g., Infragard (FBI) and Electronic Crimes Task Forces (USSS), Interpol, IMPACT
- Targeted collaboration – National Cyber Forensics & Training Alliance

Need
- Identify as a priority the need to engage in a strategic approach to malicious activity and cyber crime (and the black market in exploit tools and skills), domestically and internationally
- Set in motion a process by govt and the private sector, first domestically, then internationally, to collect and share data on the most significant malicious actors/enablers and track a coordinated effort to shut them down and reduce frequency & impact, including private lawsuits
- Build on efforts like NCFTA and NCMEC/FSTC (pornography payment processing)

Page 21: Malicious Activity/Cyber Crime

- Govt and the private sector should partner to collect and share data on the most significant malicious actors & enablers
- Coordinated effort to shut them down and reduce the frequency & impact of activity
- Encourage private lawsuits as a complement to law enforcement
- Build on efforts like NCFTA and NCMEC/FSTC (e.g., pornography payments)

Page 22: Attacking Malicious Activity By Focusing on the Resources Actors Need

Take the example of spam; spammers need:
- Spam-sending software
- Addresses to spam
- Un-blocklisted IP addresses through which to route their spam (these may be compromised consumer hosts on a rented botnet, for example)
- Hosting for spamvertised web sites (whether on so-called bullet proof hosting, fast flux hosting, or whatever), and
- Domain names
- Payment vehicles, frequently credit card merchant accounts

If we can cut off access to these resources, malicious activity becomes harder.

Page 23: Not my job – or, “I just supply the pipes”

- Conficker/Botnets
- Emerging trend toward responsibility
- Craig’s List Murder Case – online advertiser due diligence imposed
- Gambling online
- Child pornography
- Tortious negligence legal responsibility
- Enablers facilitate fraudulent and other malicious activity and must help stop it

Page 24: Pursue Enablers Through Civil and Criminal Process

- Registrars
- ISPs
- Web hosts
- Email providers
- Telco providers
- Domestic and foreign banks
- Check cashing services, wire funds transfer services
- Credit card processors
- Certificate authorities
- Shippers (FedEx, UPS, USPS)

Page 25: Legal Triage

- Use technology tools and legal talent to convert Internet data points into offensive legal action against fraudsters & enablers
- Engage enablers with cease & desist e-mail and certified letter campaigns
- Formal demands with subpoenas issued in strategic lawsuits against “John Doe” defendants
- Track cyber threats back to human sources: the real identity of third parties who can stop fraudsters, the real location of fraudsters’ hard assets, and the real identity of fraudsters and enablers

Page 26: Promote Policies Against Malicious Actors and Enablers

- Use data on malicious actors and enablers to inform policies
- Egress filtering
- BCP-38
- ICANN and others re: registrar due diligence
- What else?
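The egress filtering / BCP 38 bullet above names the policy without showing what the filter actually does. The following is an added example, not code from the slides or from the International Cyber Center: it applies BCP 38-style source address validation to a constructed batch of outbound packets, forwarding only those whose source lies in the site's own assigned prefixes and setting aside the rest for logging. The prefixes, packet list and registrar-free data here are hypothetical, drawn from the IETF documentation ranges so nothing is routable, and it uses only Python's standard ipaddress module.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Packet = Tuple[str, str]  # (source address, destination address)

# Constructed: the prefixes assigned to a hypothetical customer/site. In a real
# deployment these come from the address allocation or the routing table
# (strict uRPF). Documentation ranges are used so nothing here is routable.
SITE_PREFIXES = ["198.51.100.0/24", "2001:db8:10::/48"]

# Constructed sample of outbound packets as seen at the site's border router.
SAMPLE_PACKETS: List[Packet] = [
    ("198.51.100.7", "203.0.113.1"),        # legitimate site address
    ("192.0.2.44", "203.0.113.1"),          # source not assigned to this site (spoofed)
    ("10.0.0.9", "203.0.113.1"),            # RFC 1918 source leaking out (misconfig or spoof)
    ("2001:db8:10::5", "2001:db8:99::1"),   # legitimate IPv6 site address
    ("2001:db8:ff::1", "2001:db8:99::1"),   # IPv6 source outside the site's /48
]


def build_allowed(prefixes: Iterable[str]) -> List[IPNetwork]:
    """Parse the site's prefixes once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def source_is_legitimate(src: str, allowed: List[IPNetwork]) -> bool:
    """BCP 38 check: the packet's source must fall within a prefix the site is
    actually assigned. An IPv4 address never matches an IPv6 prefix and vice versa."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: never forward it
    return any(addr in net for net in allowed)


def filter_egress(packets: Iterable[Packet],
                  allowed: List[IPNetwork]) -> Tuple[List[Packet], List[Packet]]:
    """Split outbound packets into (forwarded, dropped). The dropped ones are the
    spoofed or leaked sources an egress filter at the site edge would stop."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for src, dst in packets:
        (forwarded if source_is_legitimate(src, allowed) else dropped).append((src, dst))
    return forwarded, dropped


def dropped_sources(packets: Iterable[Packet], prefixes: Iterable[str]) -> List[str]:
    """Just the source addresses the filter rejects: what an operator would log
    and alert on, since each one is a spoofing attempt or a misconfigured host."""
    _, dropped = filter_egress(packets, build_allowed(prefixes))
    return [src for src, _ in dropped]


if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS, build_allowed(SITE_PREFIXES))
    print(f"forwarded {len(fwd)}, dropped {len(drop)}: {[s for s, _ in drop]}")
```

The point of the check is that it is cheap and local: a site only has to know its own prefixes, and the packets it drops are exactly the ones that would let it be used as a launch point for spoofed traffic against others.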

Page 27: Key: Easy Access to Domain Names

- Avoiding SURBL/URIBL Filtering
- Trying to Stay Off Law Enforcement (LE)'s Radar: If a spammer spamvertises multiple domain names, it becomes at least marginally harder for LE to mechanically aggregate all that spam traffic, reducing a spammer's chance of being targeted
- Load Balancing and/or Enhanced Survivability: Multiple domain names also make load balancing possible and/or increase website survivability
- Market Segmentation: Use of multiple domain names also facilitates spammer market segmentation.
- Tracking/Crediting Affiliate Traffic: Spamvertising multiple domain names also makes it easy for spammers to track and credit affiliate traffic.

Credit for next three slides: Joe St Sauver, Ph.D. ([email protected]), Senior Technical Advisor, Messaging Anti-Abuse Working Group

Page 28: A Few Registrars Have The Potential To Help Combat Abuse

Looking at the domains on the SURBL for which it was possible to identify a responsible registrar (just under 600,000 listed domains):
-- 4 registrars account for 50% of listed domains
-- 24 registrars account for 80% of listed domains
-- 69 registrars (all of the ones with more than a tenth of a percent of all listed domains) cover roughly 92% of listed domains
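The three figures on this slide are the output of a simple concentration analysis: rank registrars by how many blocklisted domains they sponsor, then count how many of the largest are needed to reach a given share. The following is an added example, not code from the slides or from MAAWG: it runs that analysis on a constructed set of (domain, registrar) pairs. The registrar names, domains and skew are hypothetical; a real run would join a URI blocklist feed with WHOIS/RDAP registrar data.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of (listed domain, sponsoring registrar) pairs. The
# registrar names and the skew are hypothetical, chosen to show the method:
# four large registrars and a long tail of ten with one listed domain each.
SAMPLE_LISTINGS: List[Tuple[str, str]] = (
    [(f"spam{i}.example", "Registrar-A") for i in range(40)]
    + [(f"pill{i}.example", "Registrar-B") for i in range(25)]
    + [(f"loan{i}.example", "Registrar-C") for i in range(15)]
    + [(f"watch{i}.example", "Registrar-D") for i in range(10)]
    + [(f"misc{i}.example", f"Registrar-{chr(ord('E') + i)}") for i in range(10)]
)


def registrar_counts(listings: Iterable[Tuple[str, str]]) -> Counter:
    """Number of listed domains per sponsoring registrar."""
    return Counter(registrar for _, registrar in listings)


def registrars_needed(counts: Counter, percent: int) -> int:
    """Fewest registrars, taken largest first, whose listed domains together
    reach at least `percent` of all listed domains. Integer arithmetic avoids
    floating-point surprises at exact thresholds such as 80%."""
    total = sum(counts.values())
    cumulative = 0
    for n, (_, count) in enumerate(counts.most_common(), start=1):
        cumulative += count
        if cumulative * 100 >= percent * total:
            return n
    return len(counts)


def share_of_top(counts: Counter, n: int) -> float:
    """Percentage of listed domains sponsored by the n largest registrars."""
    total = sum(counts.values())
    top = sum(count for _, count in counts.most_common(n))
    return round(100.0 * top / total, 1)


def registrars_above(counts: Counter, per_mille: int) -> List[str]:
    """Registrars whose share exceeds per_mille/1000 of listed domains
    (per_mille=1 is the slide's 'more than a tenth of a percent' cut)."""
    total = sum(counts.values())
    return [r for r, count in counts.most_common() if count * 1000 > per_mille * total]


def concentration_report(listings: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Summarise how concentrated abuse listings are across registrars,
    in the same shape as the figures on the slide."""
    counts = registrar_counts(listings)
    above = registrars_above(counts, 1)
    return {
        "listed_domains": sum(counts.values()),
        "registrars": len(counts),
        "registrars_for_50pct": registrars_needed(counts, 50),
        "registrars_for_80pct": registrars_needed(counts, 80),
        "registrars_above_0.1pct": len(above),
        "coverage_of_those_pct": share_of_top(counts, len(above)),
    }


if __name__ == "__main__":
    for key, value in concentration_report(SAMPLE_LISTINGS).items():
        print(f"{key}: {value}")
```

Run on the same data at intervals, the report also answers the question the later summary slide poses: whether the number of abusive domains at a given registrar is rising or falling over time, rather than what it is at one instant.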

Page 29: Summary – Domain Names

- Malicious actors need a variety of resources. Domain names are one such resource, which means that registrars can play a critical role in fighting malicious activity.
- A relatively small number of registrars control a significant fraction of the addresses listed on the SURBL. Other registrars that have a high concentration of domains associated with abuse may be willing to take action.
- Proxy/private registration services may exacerbate the problems associated with abused/abusive domains.
- The status of any registrar at any single point in time is not as important as what happens over time -- is the number of abused/abusive domains increasing or decreasing?

Page 30: Path Forward

- Convene Strategic Communities of Interest - Government and Private
  - A steering committee should be formed from among representatives of a larger group of government and private sector organizations
  - That group, with input from the larger community, should coordinate and leverage existing efforts and set requirements.
- Choose Strategic Issues, Requirements, and Path Forward
  - Cyber Risk
  - Cyber Preparedness
  - Malicious activity/cyber crime
  - Research and Development
- Commit to Meaningful International Collaboration

Page 31: Conclusion

It is essential that we bring together representatives of key domestic and international public and private organizations to dynamically address cyber issues strategically by identifying requirements and tracking execution.

This process can tell our nation’s leaders what we need to worry about and what we need to do about it, keep them informed about the status of our progress, and hold key stakeholders in govt and the private sector accountable.

Page 32: Contact

Andy Purdy
Co-Director, International Cyber Center
George Mason University; Fairfax, Virginia, USA
President, DRA Enterprises, Inc.
[email protected]
www.internationalcybercenter.org

