2500 Wilson Boulevard
Arlington, Virginia 22201-3834
703-907-7508
fax 703-907-7514
Testimony of
Dave McCurdy
President
Electronic Industries Alliance and Executive Director of the Internet
Security Alliance
before the
House Select Committee on Homeland Security’s Subcommittee
on Cybersecurity, Science, and Research & Development and Subcommittee
on Infrastructure and Border Security
U.S. House of Representatives
regarding
The DHS Infrastructure Protection Division: Public-Private Partnerships
to Secure Critical Infrastructures
April 21, 2004
Thank you, Mr. Chairman.
My name is Dave McCurdy. I am President of the Electronic Industries
Alliance and Executive Director of the Internet Security Alliance
(ISAlliance).
I am delighted to be here today to discuss how the federal government
can improve its coordination with the private sector and, thus,
improve worldwide information security.
As a cross-sector, international organization which integrates
many different security services into one coherent model, the Internet
Security Alliance is structured in a fundamentally different way
than traditional Information Sharing and Analysis Centers (ISACs).
We believe this model has much to recommend it, not as a substitute
for the ISACs, but as a complement to them. I am concerned, however,
that we are not yet seeing this potential realized. Greater involvement
and coordination with the ISACs and the Department of Homeland
Security (DHS) would be extremely helpful to organizations like
the ISAlliance and the companies they represent, and I believe it
would be in the best interests of our own national security.
Today I would like to cover three main points.
1. I would like to outline the model the Internet Security Alliance
operates under and suggest some fundamental differences from the
traditional ISAC model.
2. I want to discuss how this model facilitates the development
of an integrated, comprehensive, and coherent approach to cyber
security, and I want to offer a couple of examples of how this
approach can enhance our efforts to promote cyber security.
3. I want to raise some organizational issues regarding DHS coordination
with models such as ours. I believe that organizations such as
ours need to be fully integrated into the public-private partnership
between DHS and the private sector, either as an inter-sectoral
ISAC or with equivalent status within the tier one partnership
with the ISACs.
Before I begin, I want to make our posture with respect to the ISACs very clear.
About a quarter of our membership also participates
in ISACs. Some of our Board members also serve on the Boards of
various ISACs. We regard the ISACs as “comrades in arms.”
It is surely true that there are some issues unique to industry sectors that
are most effectively dealt with by a sector-specific
domestic entity. However, the ISAlliance also concurs with the
National Strategy to Secure Cyber Space, which found that “some
cyber security problems have national implications and cannot be
solved by individual enterprises and sectors alone.”
We do not seek to displace the ISACs; we seek to work more closely
with them and with DHS.
THE INTERNET SECURITY ALLIANCE MODEL
CROSS-SECTOR INFORMATION SHARING & ANALYSIS AVAILABLE TO ALL
The ISAlliance was created in April of 2001, five months before
the attacks on the Pentagon and the World Trade Center. We created
it because, even then, we saw the need for a new approach to the
growing cyber threat.
In contrast to the ISACs, which are generally structured along
traditional industry-specific silos, the ISAlliance has members
from many different sectors. We designed the organization this
way because the Internet is organized this way. Essentially, we
are all using the same Internet. So, from the cyber security perspective,
the threats and attacks may be very similar regardless of whether you are
Coca-Cola, Sony, Visa or VeriSign (all members of ours). As a result,
there is much to learn from, and help can be offered to, your brother
companies regardless of industry sector.
As a member of the Board of Advisors of the Software Engineering
Institute at Carnegie Mellon University, I have had substantial
contact with the experts at the CERT/cc at Carnegie Mellon who
educated me on this growing problem in 2000. We decided then that
the private sector needed to not only contribute to, but to demonstrate
leadership in making this critical infrastructure more secure.
We devised a creative public-private partnership which integrated
and maximized the complementary assets of CERT, the federal government
and private industry.
CERT/cc, which was funded primarily by the U.S. federal government,
had long been recognized as the premier center for Internet threat
and vulnerability information. But it lacked a practical channel
to get this information to the private sector, or stimulate interest
in the necessary education, training, policy development and incentive
programs that would be required to fully achieve the goal of information
security.
EIA has been involved in physical security through the Telecommunications
Industry Association (TIA) which is both a sector of EIA and an
ISAC sector coordinator. Since we understood that physical and
cyber security are most effectively dealt with in an integrated
fashion, we sought a mechanism to bring these entities together.
We decided on a collaboration between CERT/cc and EIA called the
ISAlliance. Using the EIA member companies as a marketing base,
we recruited corporations to join the ISAlliance. They paid dues
and, in return, operating under strict non-disclosure agreements,
would receive access to prime CERT/cc information. They would share
this information with each other and the CERT/cc to identify and
analyze looming threats and collectively work on solutions.
Since the ISAlliance members were receiving more from CERT/cc than the general public,
they agreed to pay a fee for this benefit.
It was seen as a user fee similar to that paid by patrons at National
Parks. While some companies using other, non-CERT ISAlliance
services paid substantial dues, we never wanted money to be a barrier
to entry into the ISAlliance. Dues entitling companies to the same
CERT/cc information (albeit fewer copies) were set as low as $3,000
a year--affordable for virtually any private firm. And, though
we don’t like to publicize it for obvious reasons, we have
made financial adjustments for companies who had difficulty making
the specified dues payment.
INTERNATIONAL
The ISAlliance is also focused internationally, where ISACs tend
to be U.S.-centric. The ISAlliance has members on four continents.
Our current Chairman of the Board, Dr. Bill Hancock, is from a
British company, and we have four other non-U.S. based companies
on our Board along with eleven U.S. based companies. The international
aspect of our efforts is important because cyber security is inherently
an international issue. Many attacks originate offshore, and implementing
a truly effective means of securing cyber space must include finding
and working with trusted offshore partners.
As the U.S. National Strategy to Secure Cyber Space states, in part: “America’s cyberspace is linked to the rest of
the world…. Securing global cyber space will require international
cooperation to raise awareness, increase information sharing, promote
security standards…The United States will seek the participation
of U.S. industry to engage foreign counterparts in peer-to-peer
dialogue with the twin objectives of making an effective business
case for cyber security and explaining successful means for partnering
with government on cyber security.”
I’d like to offer a quick example of our efforts. After
making a presentation to the Organization of American States (OAS)
at its first broad conference on cyber security last August, OAS staff
requested that the ISAlliance construct a specific program to integrate
the private sector in the OAS region into the state-to-state programs
for cyber security that were being developed. We came up with what
we call our “Security Anchor” program.
This program is built on the “Transition Partner” program
developed at Carnegie Mellon University. Under the Security Anchor
Program, private sector entities would obtain a special membership
with the ISAlliance, which will allow them to essentially become “branch
offices” within their regions. The Security Anchor for the
region would distribute appropriate information about threats and
vulnerabilities and hold meetings and conferences, but on local
time, providing translation of materials as necessary. The Anchor “tenant” would
also be required to send personnel to Carnegie Mellon where they
would be trained as trainers. The Anchor would then provide this
training in their region, for which they could receive payment.
We believe providing a market incentive to our Anchor partner is
the most efficient and effective way to accomplish the goals set
forth in our National Strategy.
In this way we hope to make international cyber security “home
grown.” We believe this is the only way that we can hope
to succeed in reaching the international goals as set forth in
the National Strategy. The U.S. can’t expect to “export” security.
AN INTEGRATED, COMPREHENSIVE AND COHERENT APPROACH TO CYBER SECURITY
USING MARKET FORCES AS INCENTIVES
The ISAlliance attempts to provide its members with a comprehensive,
coherent and integrated approach to cyber security that uses market
forces to drive on-going improvements in cyber hygiene.
INFORMATION DISSEMINATION AND ANALYSIS
Like many ISACs, we begin with information dissemination and sharing
about emerging threats, vulnerabilities and attacks on the Internet.
We have historically done this through a contractual relationship
with the CERT/cc as a founding partner in the ISAlliance.
In our three years of operations we have sent out literally thousands
of these notices. We just released our first quarter technical
report to the membership, which showed that in 2004 alone we have
already sent out through our e-mail channel hundreds of reports,
which have been followed by scores of analytical conferences between
the members and CERT/cc.
When we started several years ago, our prime activity was information
sharing, mostly through e-mail notices. However, experience has
taught us that simply disseminating information is by no means
enough. In fact, our members have told us that at times there is
too much information being circulated and the real need is to be
able to separate out what is important and what is simply noise.
Information analysis is critical if threat and vulnerability data
are to be used effectively. We facilitate the analytical process
with regularly scheduled, as well as specially scheduled, meetings
wherein our members discuss the state of the network with the
CERT/cc professionals. We have found the regularity of this process
creates, over time, a sense of trust and confidence that we think
is vital for effective information sharing.
DEVELOPING BROADLY ENDORSED BEST PRACTICES
While information sharing and analysis is a critical first step
on the road to cyber security, it is not sufficient to secure cyber
space. Virtually every recent major attack we have experienced,
such as Blaster, Slammer, or MyDoom, resulted from a vulnerability
which was already well known in the community.
At the ISAlliance we took the collaborative process of sharing
information and built from it a systematic program of best practices.
The process of developing the best practices is led by the experts
at Carnegie Mellon and CERT/cc and is consistent with the years
of grounded research they have done and the theory of security
that has evolved from their experience and analysis.
However, we also involve the full membership in our processes,
so that the perspectives of actual businesses from multiple sectors
and countries are folded into the final product. One advantage of
this inclusive process has been that our practices have received
an impressive level of support and endorsement from a wide breadth
of the user community.
For example, our first publication, “The Common Sense Guide
for Senior Managers,” was endorsed by the National Association
of Manufacturers (NAM), which represents 12,000 of the most traditional
of industries, as well as TechNet, which primarily represents the high-tech
companies in Silicon Valley. Internationally it has been translated
into Spanish and Japanese and was endorsed by the U.S. India Business
Council and distributed by the Organization of American States.
CREATING MARKET INCENTIVES TO ENCOURAGE ADOPTION OF BEST PRACTICES--THE QUALIFIED MEMBER PROGRAM
However, developing best practices is also not enough. CEOs are overwhelmed with
information. To succeed with them on this subject,
which has traditionally been viewed as a “cost center,” you
have to do more than just tell them it’s the right thing
to do. We have to talk about issues they care about, like profitability,
liability protection and marketing. We need to develop market incentives
to increase the Return on Investment (ROI) for cyber security.
The ISAlliance has taken the lead on this issue. In the final quarter of 2003
we signed an agreement with AIG, which is the world’s
market leader in cyber insurance. Under this new agreement AIG
will provide insurance premium credits of up to 15% for companies
that join the ISAlliance and subscribe to our best practices.
We believe this is the first operating program which specifically
ties a widely and independently endorsed set of cyber security
best practices directly to lower business costs.
We are working through AIG and the Global Security Consortium
(GSC), comprised of the big auditing and accounting firms, on empirical
standards which we will be able to use to measure compliance
with these practices. Not only will this tool enable us to more
reliably determine who qualifies for the credits, but it also opens
up another potential market incentive for improved security. We
want to interest firms in marketing cyber security.
Firms that achieve a specified score will be deemed a “Qualified
Member,” allowing them to use that designation as a market
differentiator. Through this mechanism we hope to make cyber security
a useful marketing tool for good actor companies, much like the
Baldrige Award has been used for high quality companies. GSC hopes
to have their tool completed shortly, and then this phase of the
program can begin.
DISCOUNTED EDUCATION AND TRAINING COMPLETE THE LOOP
Finally, for firms that don’t yet score at an appropriate
level to qualify for our discounts, we offer access to a wide
range of training programs through Carnegie Mellon University.
In keeping with the market orientation of our program, the more
active a company is in the ISAlliance, the greater the discount
it can receive on its training. Our interest is to accurately
inform organizations where they stand in relation to the widely
endorsed best practices, and help them reach an appropriate level
if they are not already there. Most importantly, the people doing
the training are operating on the same assumptions and best practices
that we started with in the first place, thus creating a truly
coherent program.
BEST PRACTICES FOR SMALLER BUSINESSES
This program is just one example of our activities. In fact, this
afternoon we will be testifying before another Committee on a similar
program, this time specifically targeted to the unique needs of
smaller businesses. The National Cyber Summit, recognizing the
value of programs such as I have just described, and realizing
that there was not nearly enough being done to reach out to smaller
businesses, asked us to undertake this new effort this past December.
Although smaller businesses have not until now been our prime
market interest, we agreed to take up the challenge. Working with
the U.S. Chamber of Commerce, the National Federation of Independent
Business (NFIB) and NAM, we followed the same integrated, market
centered model we described above. We held ten focus groups involving
nearly 100 small businesses to find out what needed to be done
to improve their cyber security.
What we learned was that smaller institutions are indeed different from larger
ones. In fact, we found that organizations across a
wide spectrum of business types had remarkably similar problems
from a cyber perspective. What these businesses had in common
was not the type of business they were in, but the size of their
business and the extent of the technology available to them. As
a result, the “Common Sense Guide to Cyber Security for Small
and Medium Sized Businesses” looks quite different from the
Guide for Senior Corporate Managers.
We are happy to report that what was not very different is the
response, which has been extremely positive. The Small Business Guide
is already being distributed by the Cyber Security Partnership that
grew out of the National Cyber Summit, as well as on the web sites of
the ISAlliance, the Electronic Industries Alliance and the National
Association of Manufacturers. The U.S. Chamber of Commerce
has informed us they expect to endorse the document at their next
Board of Directors meeting, and the Financial Services Sector Coordinating
Council, an alliance of 28 financial services trade associations,
will be making it available to its members and holding a series
of meetings with thousands of those members where the Guide will
be highlighted.
Given that this project is only a couple of months old,
we are naturally very encouraged. When mature, we fully expect
this program will be coherent, measurable and market driven, just
as was the case with the Senior Managers program.
CYBER AND PHYSICAL SECURITY--REACHING OUT TO RISK MANAGERS
Another area we are working on is the integration of cyber and physical security.
We believe, as Secretary Ridge has said, that
you can’t have cyber security without physical security and
you can’t have physical security without cyber security.
However, in corporate America there remains a misconception that
cyber security is an “IT problem.” While obviously
there are many IT aspects to cyber security, it is not properly
classified only as an “IT problem.”
Cyber security is a management problem. It is an economic problem.
It is an employee training, compliance and retention problem. Most
of all, cyber security is a risk management problem. However, most
corporate structures still relegate the discussion of cyber security
to the IT department rather than fully integrating it into the
discussions with physical security and risk management. We have
heard a good deal of talk recently about structures within the
federal security bureaucracy which may have limited information
sharing and proper threat management. Private industry is not immune
to these same types of organizational problems.
Therefore, we have recently undertaken a pilot study reaching out to the
risk managers in industry in an attempt to find out
how we can better involve them in the cyber security discussion.
We believe that it’s critical to better integrate physical
and cyber security issues within the overall corporate risk management
structure. We are trying to find out how we can do that from the
people who are actually making the organizational, budgeting, and
resource allocation decisions.
Although we have initiated this study, it is too early to report
results. We do expect, however, that as was the case with our other
projects, we will learn from this effort and we can make further
impact in securing cyber space. We look forward to sharing these
approaches both with industry and with the federal government.
NOT JUST SERVICES; A COHERENT INTEGRATED PROGRAM
We believe the comprehensiveness of the ISAlliance program is
making a positive contribution to the cause of information security.
• Hundreds of technical notices about Internet threats and vulnerabilities
each year to our members from the best source available
to private industry.
• Scores of analytical conferences to discuss the data and what to
do about it.
• Development of best practices that are widely endorsed and disseminated
both domestically and abroad.
• Development of independent, auditable third-party evaluation tools
and methods.
• A program of market-based incentives to improve the ROI for cyber
security.
• Education, training and public policy programs.
• Initiating new programs to push the envelope into heretofore underserved
populations.
But the key aspect is that it is a coherent program. We start with the
hard data we get from CERT and we blend into that the
real world needs and experiences of industry and develop programs,
practices and policies which can drive pragmatic improvements.
And then, if individual entities can’t make the grade, they
are offered training based on the same theories and practices
that were used to develop the best practices.
COORDINATING WITH THE ISACS AND DHS
As proud of these accomplishments as we are, we have some concerns
for the future.
We supported, and continue to support, the creation of the Department
of Homeland Security. We in no way wish to be critical of the effort
and sincerity of the people who are working at DHS. They are working
very hard to accomplish an enormous task virtually immediately.
We sincerely hope that our testimony at this point will be taken
in the spirit in which it is given: constructive suggestions that we believe
will assist all of us who are working in this space to be more
effective.
In fact, the ideas we offer the Committee today have been previously
raised with staff and principals, and we are continuing to work
on them. We anticipate that in due course they will
be satisfactorily resolved. We believe, however, that there are
very important issues which must be appropriately addressed.
DHS SHOULD COORDINATE WITH ALL INFORMATION SHARING ORGANIZATIONS--NOT JUST ISACS
We suggest DHS broaden its systematic communication to include
organizations, such as the ISAlliance, which are providing important
services although they are not ISACs.
In the interdependent cyber world, the “critical infrastructures” may
be dependent on the “non-critical” organizations that
service them. In addition to the IT, telecom and financial institutions
we represent, we count the National Association of Manufacturers
among our sponsors. These are the people who manufacture the parts
used to construct our defense products and operate the supply chains
upon which many “critical” businesses rely. These organizations
also need to be systematically included in the on-going public-private
partnership with DHS.
Moreover, while we are focused on cyber security today from a national security
perspective, most Internet attacks have nothing
to do with international terrorism. Cyber security is also a critical
business issue, and from a business perspective the “non-critical” portions
of the economy deserve as much protection as the rest of the economy.
The Department of Homeland Security seems to have decided upon
the ISACs and the ISAC Council as the primary linkage to the private
sector. Since we are not formally an ISAC, we are not part of the
ISAC Council, and hence we are not in many of the meetings and discussions
from which DHS appears to be receiving its primary input. We
would like to work with DHS and the ISAC Council to integrate our
broad membership into this forum.
Two years ago Congress passed legislation which attempted to facilitate the
sharing of information between private industry
and the government. In the initial drafts of that bill the adjustments
to FOIA, etc. were confined to ISACs. It was correctly pointed
out to the drafters that there is in fact information sharing outside
of the formal ISAC structure, and the legislation was redrafted
to read “information sharing organizations.” We believe
DHS should follow this precedent in developing their public-private
partnership.
COMPANIES NEED THE CERT/CC DATA THEY HAVE COME TO RELY ON
Over the past several years the nearly 60 companies who are members
of the ISAlliance have come to rely on our working relationship
with CERT/cc. Last year, DHS announced that they would be launching
USCERT, utilizing in the main the facilities formerly known as CERT/cc
at Carnegie Mellon.
We have no objection to DHS creating USCERT. Indeed, we see it
as following and extending the model we created over three years
ago for how to disseminate CERT/cc data to the private sector.
However, it would be problematic if the ISAlliance members
who have relied on this information to build their corporate security
plans and policies were suddenly denied access to that data.
Indeed, such an outcome could result in a substantial reduction
in corporate cyber security as companies scramble to find alternative
ways to receive this information. Moreover, the fact that this
data might now be available through an ISAC is not an answer, since
the majority of the ISAlliance members do not participate in ISACs.
We would like to work with DHS to assure that the transfer from
CERT/cc to USCERT and their new partners does not ironically result
in less information being available to some worthy companies.
I want to conclude by noting that DHS has been open to meeting
with us and discussing ways to coordinate with us. Just a few
weeks ago I met privately with Assistant Secretary Liscouski,
who was most gracious and cooperative. I also want to single
out Director Yoran, who has been especially helpful and has directed
that at least for the short term the ISAlliance not be denied
access to the data its membership has come to rely on. We are
now hoping to finalize an appropriate long-term solution. Moreover,
DHS staff have attended meetings with our membership and been
very supportive. We want to thank and congratulate the whole
team at DHS for their commitment and efforts.
And finally, I want to thank you, Mr. Chairman, and the joint Committee
for all your work and for holding this hearing this morning.