2005 EDUCAUSE POLICY CONFERENCE April 6, 2005 10:30 AM – 11:15 AM Fairmont Hotel Washington, D.C. National Policy Issues for Cyber Security

®2004 Citadel Security Software Inc. 2

ROBERT B. DIX, JR.
Vice President, Government Affairs & Corporate Development
Citadel Security Software, [email protected]

Former Staff Director
Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Committee on Government Reform, United States House of Representatives


Viruses, Worms, Spam, Spyware, Phishing, Malware, Backdoors, etc., etc.

Hackers, Malcontents, Criminals (fraud, theft, extortion), Organized Crime, Terrorists

Software Defects…Misconfigurations…Backdoors…Unnecessary Services…Unsecured Accounts

FEDERAL SYSTEMS ARE TARGETS OF THE BAD GUYS!!


FEDERAL GOVERNMENT IN TRANSITION…

• HOW CAN INFORMATION TECHNOLOGY BE UTILIZED TO TRANSFORM THE FEDERAL GOVERNMENT TO A MORE CUSTOMER-CENTRIC AND CUSTOMER SERVICE ORIENTED OPERATION AND UTILIZED TO BECOME EFFICIENT, PRODUCTIVE, AND COST-EFFECTIVE…?


FEDERAL GOVERNMENT IN TRANSITION…

• WHAT IS THE MOST EFFECTIVE STRATEGY TO TRANSFORM AND TRANSITION THE FEDERAL GOVERNMENT FROM A CULTURAL AND OPERATIONAL PRACTICE OF “STOVEPIPE” ACTIVITY TO ONE OF MORE CROSS-AGENCY COLLABORATION, COMMUNICATION, AND COOPERATION…IN ORDER TO ACHIEVE A MORE EFFICIENT DELIVERY OF MISSION CRITICAL RESULTS…TO FOSTER VITAL INFORMATION SHARING…AND TO IMPROVE CUSTOMER SERVICE…BOTH INTERNALLY AND EXTERNALLY…?


FEDERAL GOVERNMENT IN TRANSITION…

• President’s Management Agenda
• E-Government Initiatives, Lines of Business
• Federal Enterprise Architecture
• Information Sharing
• Information Security


THE CHALLENGE OF CYBER SECURITY

HOW DO WE PROTECT THE INFORMATION THAT IS GATHERED, STORED, AND SHARED WHILE SECURING THE NETWORKS AND DESKTOPS THAT SUPPORT THE OPERATIONS AND ACTIVITIES OF THE VARIOUS AGENCIES AND DEPARTMENTS OF THE FEDERAL GOVERNMENT…?


THE CHALLENGE OF CYBER SECURITY

Today, the world is a different…and increasingly more dangerous place


THE CHALLENGE OF CYBER SECURITY

It is easier to visualize the potential high risk targets like skyscrapers, bridges, tunnels, power plants and other physical assets.


THE CHALLENGE OF CYBER SECURITY

A continuum of undeniable threats exists in cyber space…threats that can manifest themselves by exploiting vulnerabilities 24 x 7…every single day…from virtually anyplace in the world!

THE CHALLENGE OF CYBER SECURITY

Not enough people…even in some of the most important leadership positions in this nation recognize or understand the magnitude of the threat and the potential damage that can be done.


The threat of terrorism has become part of our daily lives…and is likely to be that way for a very long time.


THE CHALLENGE OF CYBER SECURITY

The fact that zero day exploits are upon us…who is really prepared…?

The fact that some 10 million U. S. identities were stolen during the last year with an estimated economic impact of $50 billion dollars on the U. S. economy.

The fact that some estimate that as many as 50% of desktops may be controlled in reality by someone else!


THE CHALLENGE OF CYBER SECURITY

The knowledge base of the bad guys is extensive and growing every day. Much of the fraud, theft, extortion and other criminal activity conducted through the internet has been linked to organized crime. There is reported evidence that some terrorist organizations may in fact be using the proceeds derived from identity theft schemes to finance physical attacks.

Organized Crime Invades Cyberspace
News Story by Dan Verton

Once the work of vandals, viruses and other malware are now being launched by criminals looking for profits.

AUGUST 30, 2004 (COMPUTERWORLD) -

Antivirus researchers have uncovered a startling increase in organized virus- and worm-writing activity that they say is powering an underground economy specializing in identity theft and spam.

Organized Crime Invades Cyberspace, cont’d.
News Story by Dan Verton

Sidebar: Signs of the Underground Economy

• A massive underground community is engaging in online theft.
• Windows machines are infected with viruses, then turned into proxies, Web servers or attack networks.
• Lists of such servers are being sold and bought online.
• Credit card databases are being sold and bought.
• EBay, PayPal and E-gold accounts are being sold and bought.
• Hacked servers are being sold and bought.
• Distributed denial-of-service attack networks are being sold and bought.

An Indonesian's Prison Memoir Takes Holy War Into Cyberspace
In Sign of New Threat, Militant Offers Tips on Credit Card Fraud

By Alan Sipress
Washington Post Foreign Service
Tuesday, December 14, 2004; Page A19

JAKARTA, Indonesia -- After Imam Samudra was charged with engineering the devastating Bali nightclub bombings two years ago, he taunted his police accusers in court, then greeted his death sentence with the cry, "Infidels die!"

So when Samudra published a jailhouse autobiography this fall, it was not surprising that it contained virulent justifications for the Bali attacks, which killed 202 people, most of them foreign tourists.

But tucked into the back of the 280-page book is a chapter of an entirely different cast titled "Hacking, Why Not?" There, Samudra urges fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud, called "carding." The chapter then provides an outline on how to get started.

"The worry is that an army of people doing cybercrime could raise a great deal of money for other activities that terrorists are carrying out," said Alan Paller, research director of the Sans Institute, a U.S. Internet-security training company.

Samudra, 34, is among the most technologically savvy members of Jemaah Islamiah, an underground Islamic radical movement in Southeast Asia that is linked to al Qaeda. He sought to fund the Bali attacks in part through online credit card fraud, according to Indonesian police. They said Samudra's laptop computer revealed an attempt at carding, but it was unclear whether he had succeeded.

THE CHALLENGE OF CYBER SECURITY

ALL OF US HAVE A ROLE AND RESPONSIBILITY TO BE PART OF THE SOLUTION…OR AT LEAST CONTRIBUTE TO AN IMPROVEMENT IN THE OVERALL INFORMATION SECURITY PROFILE OF THIS NATION!

THE NATIONAL STRATEGY TO SECURE CYBERSPACE, February 2003

“In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.”

President George W. Bush


SO…IS THE ISSUE OF COMPUTER SECURITY AND CRITICAL INFRASTRUCTURE PROTECTION NEW TO THE FEDERAL GOVERNMENT??

Presidential Decision Directive NSC/63, Cont’d.

Memo for Heads of Departments and Agencies, Cont’d.

FEDERAL SECURITY REPORT CARD - February 16, 2005

GOVERNMENTWIDE GRADE 2004: D+


• Consistent and predictable empowerment of the Federal CIO and Federal CISO along with appropriate responsibility, authority and accountability for compliance with statutory and regulatory requirements for information security and improvement of the overall information security profile of their agency or department

• Enforcement of consequences by OMB for those who fail to meet the requirements of federal guidance, regulation or statute as it relates to information security

• Expanded training and certification opportunities for information security professionals in federal agencies

• Expanded training and certification opportunities for contracting officers and procurement specialists responsible for acquisition of the federal government’s $60 billion dollar annual investment in information technology products and services

• Continued implementation of a comprehensive federal enterprise architecture initiative to include information security as a fundamental and integral element of all IT investments and critical infrastructure protection efforts


• Enhanced collaboration with the private sector to identify tools, strategies, and best practices for the design, implementation, maintenance, and improvement of a comprehensive agency risk management plan that considers the integration of functional legacy systems with new systems; recognizes the disparate requirements of some component agencies; and includes a comprehensive examination of vulnerability management across the enterprise (users).

• Additionally, continue to work diligently with the technology sector to identify collaborative approaches that will produce improved quality and security of software and hardware products (producers).

• Continue the examination and oversight of third party access to federal agency networks to include supply chain participants, contractors, researchers, etc.


• Continue to work with academic institutions and the private sector to expand Research & Development efforts to develop the next generation of tools for development and testing.

• Continue to work with institutions of higher education to educate and train the next generation of information security professionals

• Provide additional resources to NIST, and particularly the Computer Security Division, to expand efforts to develop and distribute standards, guidelines, and evaluations to support the work of agencies to comply with federal guidelines, regulations and statutes in an effort to achieve the goals and objectives of a secure infrastructure of information systems, networks and desktops for federal agencies on behalf of the American people and the U. S. economy.

• Expand efforts to work with domestic and international intelligence and law enforcement agencies in the efforts at cooperation, apprehension and prosecution of cyber criminals


MUCH HAS BEEN DONE…MUCH MORE NEEDS TO BE DONE

WE ARE AT RISK…AND THERE IS A SENSE OF URGENCY TO THIS ISSUE

THE THREAT IS REAL!

THE VULNERABILITIES ARE EXTENSIVE!

THE TIME FOR ACTION IS NOW!