Hathaway Bolsters Internet Security Alliance
By Kevin M. Nixon, Information-Security-Resources.com Security Editor
Despite numerous lukewarm reviews of the 2009 RSA Security Conference by attendees and reporters, the Internet Security Alliance’s President Larry Clinton recognized that the keynote address to the collective conference body by Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, offers affirmation of the mission and principles on which the Internet Security Alliance (ISAlliance) was founded.
The ISAlliance began in April of 2001 as the result of the work of the former Chairman of the House Intelligence Committee of the U.S. House of Representatives, Dave McCurdy, in direct collaboration with Rich Pethia, Director of the Carnegie Mellon University Software Engineering Institute’s CERT/CC℠.
In an email communiqué sent to “ISAlliance Insiders”, Mr. Clinton provided an update on the RSA Conference overall and then, by distributing an advance copy of the text of Melissa Hathaway’s remarks, demonstrated the strength of the collaborative efforts between the ISAlliance and the National Security and Homeland Security Councils.
Early in 2002, after the devastating events of 9/11, the ISAlliance Board of Directors forged a relationship with the then Cyber Tsar Richard A. Clarke and “Assistant Tsar” Howard Schmidt.
The ISAlliance members worked tirelessly on numerous White House Work Groups and National Critical Infrastructure Committees to create the foundational elements of cyber security policy with the various agencies that were eventually reorganized into what is now known as the Department of Homeland Security. The ISAlliance played a key role in the final report to the President entitled “The National Strategy To Secure Cyberspace”, which was officially released in February 2003.
Over the last 6 years and 3 months, many of those original recommendations have languished and were continuously reprioritized due to the war on terror and redirected funding in support of other efforts.
However, the ISAlliance never lost sight of their mission, their vision and most importantly the value of a unified approach to securing our national computing infrastructure.
During the post-election transition period, the current administration realized that, faced with a crumbling economy and what can best be described as a shaky global financial network, the time had arrived for serious collaboration on a unified posture.
Even before the clock struck 12 noon on inauguration day, some of the brightest security, privacy and public policy minds across industries were assembled to resurrect the previous work papers in preparation for an official Presidential Directive to assemble recommendations.
True to form and within the first 30 days in office, President Obama called for a report on the requirements necessary to transition to a more secure computing environment.
Larry Clinton stated in his communiqué that the Federal Agency Deputies are now considering the recommendations in a (yet to be made public) report created by Ms. Hathaway’s team.
The agency deputies are poring over recommendations that cover everything from necessary alignments in the Code of Federal Regulations, holes in the national budget, and the agencies and departments which must all congeal into a final report that must be on the President’s desk on schedule.
Mr. Clinton optimistically pointed out that Ms. Hathaway’s team and agency deputies are advocating support for three (3) major issues that the ISAlliance has considered fundamental since the organization was founded.
The ISAlliance was pleased to hear the following items covered in the keynote, notably:
Recommendations calling for greater consideration of economics when discussing cyber security (i.e., this is more than a technical [funding or tax relief] issue; it is an enterprise-wide risk management issue)
Recommendations calling for the focus of control for Government cyber security to be elevated to White House oversight
And, most importantly, Ms. Hathaway stated (for the first time by an Administration) the need to improve market incentives for private sector cyber security.
The third point is a position originated by ISAlliance and for which it is the leading and most sophisticated and vocal organization in this effort. It should be noted that as far back as 2001, representative members of the Internet Security Alliance testified before the Republican High Tech Task Force and the Senate Armed Services Committee to illuminate members of Congress on the necessity of improved incentives of various types which will strengthen the very infrastructure which connects the global economy.
So, while the attendees at the RSA Conference may have left the keynote with less than warm and fuzzy feelings that things will change, it is clearly an optimistic time for the very dedicated members of the Internet Security Alliance. ISAlliance understands far better than most the adage, “with time and patience the mulberry leaf turns to silk”.
The complete written text of the Senior Director’s remarks is reprinted below as provided by the Internet Security Alliance.
Remarks by Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils As Prepared for Delivery At the RSA Conference 2009, San Francisco, California
Released April 22, 2009
As many of you know, I am Melissa Hathaway, the Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. It has been my great honor to serve the President of the United States and the nation as part of the 60-day cyberspace policy review completed last week. I feel that it was just yesterday when we were celebrating New Years, and that was only “2” sixty-ish day periods ago! The days have been long and the task at hand has been the most challenging of my career.
Introduction
Oh yes, I almost forgot, this speech will now self-destruct, but don’t worry… this is the Internet-age, there are already hundreds of copies which you can download online. Thank you.
I am proud of the momentum that we have garnered in the last two months and I believe that we have a strong view of what is needed to drive change. As Ralph Waldo Emerson said, “who shall set a limit to the influence of a human being?” Today, I ask each of you, who shall limit our influence if we work together? Only ourselves and as a testimony to that, I want to thank you for the opportunity to speak here today.
All humor aside, the United States really is at a crossroads. The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. This technology has transformed the global economy and connected people in ways never imagined. For example, my boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and to feed their Webkinz. As their mom, I stand before you today with no less than 3 blackberries and a pager! One of which will, apparently, self-destruct soon. I just have to figure out which one.
The Threat and What’s at stake
Despite all of our efforts — and I know that many of you understand well the challenges — our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need into the future. This poses one of the most serious economic and national security challenges of the 21st century. The design of today’s digital infrastructure was driven more by considerations of interoperability and efficiency than of security.
Consequently, a growing array of state and non-state actors are able to compromise, steal, change, or destroy our information. We have witnessed countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information. They even have the ability to threaten or damage portions of our critical infrastructure.
One recent example from November 2008 illustrates both the speed and the scope of these challenges. In a single 30-minute period, 130 automated teller machines in 49 cities around the world were illicitly emptied.
These and other risks have the potential to undermine our confidence in the information systems that underlie our economic and national security interests.
A few hours south of here, there are creative Hollywood writers and actors who have imagined and produced stories that capture the essence of the problem, including: Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.
Previous attempts to deal with cyber security in isolation have failed, in no small part, because they were perceived to be in conflict with the broader societal goals of progress and innovation, civil liberties and privacy rights. However, cyber security only succeeds in the context of broader economic progress. At times, it was a destination in itself, rather than a compass that guides us toward our objective. If treated in a broader context, cyber security will enable higher and far-reaching national goals, have better acceptance, and as a result, a greater chance for success. Our goals depend on trust, and trust cannot be achieved if people believe that they are vulnerable to fraud and theft or if they cannot depend upon the resources (infrastructure services, i.e., water, power, telephone service) being available when needed most. At the same time, security has no meaning if the application that serves society no longer is practical or usable. Stated differently, progress and security must not be viewed in a zero-sum fashion.
History has taught us that security, when pursued properly, enables innovation and growth and protects existing investments. In no small part, security is about protecting what already exists, creating a safe environment where innovation thrives unthreatened, and enabling the unencumbered natural growth for the future. Harmonized innovation and security are mutually reinforcing ideas; and policies, including our government’s policies, must recognize and treat them as an integrated and synergistic whole.
It can be said that the Federal government is not organized appropriately to address this growing problem because responsibilities for cyberspace are distributed across a wide array of federal departments and agencies, many with overlapping authorities and none with sufficient decision authority to direct actions that can address the problem completely. We need an agreed way forward based on common understanding and acceptance of the problem.
This is why the President requested the clean-slate review.
Recognizing the challenges and opportunities, the President identified cyber security as one of the top priorities for his Administration and directed an early 60-day, comprehensive review to assess U.S. cyber policy and structures. The review addressed all missions and activities associated with the information and communications infrastructure, a.k.a. digital infrastructure. It included the missions of computer network defense, law enforcement investigations, military and intelligence activities, and the intersection thereof with information assurance, counter intelligence, counter terrorism, telecommunications policies, and general critical infrastructure protection. I am not sure many people at the outset and possibly even now, understood the breadth of our task…and we had, effectively, two months to complete it! By the way, sixty days included the Saturdays and Sundays.
I assembled a team of experienced government cyber experts and in our first week we inventoried relevant presidential policy directives, executive orders, national strategies and studies from government advisory boards and private sector entities. We identified over 250 needs, tasks, and recommendations. We also solicited input from government departments and agencies on their specific cyber activities, authorities, and capabilities and requested them to identify any new or existing requirements that may not have been identified as part of our initial inventory.
Scores of legal issues emerged during this review, such as the aggregation of authorities, data sharing with third parties within the Federal government, and liability protections for the private sector.
We successfully engaged a wide array of stakeholders inside and outside of the Federal government, including some of you here today. We engaged industry, academia, the civil liberties and privacy communities, State governments, international partners, the Legislative Branch, and others in the Executive Branch.
We know there are opportunities for everyone — academia, industry, and governments — to work together to build a trusted and resilient communications and information infrastructure. We engaged you and asked to be informed by you. We had more than 40 meetings with different stakeholder groups during those 60 days and received and read more than 100 papers that provided specific recommendations and goals. You helped us identify key requirements, illuminated policy gaps, suggested areas for improved collaboration, and framed the decision space for cyberspace policy. You will see your influence in our report when it is released in the coming days.
Our outreach involved unprecedented transparency and engagement for a National Security Council initiative and having come from the private sector myself, I recognized it was vital to the review’s overall success.
When the report is made public you will see that there is a lot of work for us to do together and an ambitious action plan to accomplish our goals. Cyberspace won’t be secured overnight and on the basis of one good plan. As they say, this is a marathon not a sprint. But with this review, we have taken the first steps to make real and lasting progress.
Sixty days’ work is just the beginning of the beginning, and the pace for this marathon we’re now running is one that we’d best set to ensure we have the legs to make it over the finish line. Being in security, I’ve learned that security is just that, a marathon…and here in San Francisco, you can well appreciate it being an uphill run.
The Report
Last Friday, April 17th, we completed our report and it summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. It provides the President with recommendations for a White House organizational structure that can effectively address cyberspace-related issues and includes, as I have mentioned, an action plan for identifying and prioritizing further work in this area. After the President and his Administration have had an opportunity to carefully review our report, we will begin discussing the results publicly.
Having said that, I am able to share with you the 60-day movie trailer–if you will…
It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.
This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges.
It requires leading from the top — from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library. The national dialogue on cyber security must advance now. We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.
The United States cannot succeed in securing cyberspace if our government works in isolation. Cyberspace knows no boundaries. There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.
The Federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that government and private sector use in concert. The public and private sector’s interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Information is key to preventing, detecting, responding to and recovering from cyber incidents. Again, this requires evolving our partnerships together. Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cyber security and reap the full benefits of the digital revolution.
Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure. We need to be mindful of how we, government and industry together, can optimize our collective research and development dollars and work together to improve market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services. The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation.
Please get involved and have a view
It takes a combination of strategies aimed at a handful of vital behaviors to solve weighty and persistent problems. The tasks we face are many and interdependencies profound.
During this 60-day review I had a chance to read the book “Influencer.” The authors argue that peer pressure can help create social support and harness the power of everyone to make change. People who are respected and connected can propel people to act in ways that are hard to imagine.
I can think of no better venue and more connected people than all of you here today.
Can we call for changes in widely shared norms?
Are we ready to talk openly about the challenges we face and how we share the responsibility for reversing the trend? Can we create the conditions where innovation and security are mutually reinforcing and treat them as an integrated and synergistic whole? Can government and the private sector, national and international parties accelerate the changes we need? And, if not us, then who? If not now, then when?
I worry about these questions every night; they infiltrate my dreams. And since the theme of this year’s conference relies upon the influence of Edgar Allan Poe, I cite you words from his work, “A Dream.”
“A few evenings since, I laid myself down for my night’s repose. It has been a custom with me, for years past, to peruse a portion of the scriptures before I close my eyes in the slumbers of night. I did so in the present instance. By chance, I fell upon the spot where inspiration has recorded the dying agonies of the God of Nature. Thoughts of these, and the scenes which followed his giving up the ghost, pursued me as I slept.”
I often wake up at 2:30 or 4:30 in the morning having “worked” the problem in my sleep…and sometimes even develop a good idea.
We need to sow the seeds for a national dialogue, nurture them, even see them in our dreams, to help this critical conversation grow.
Cyber security isn’t only the responsibility of governments and corporations, but that of individuals, including each of us here today, as well.
Closing
Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society. That leadership and commitment will allow the United States to continue to innovate and adopt cutting edge technology, while enhancing national security and the global economy.
RSA® Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Japan. Throughout its 17 year history, RSA® Conference has consistently attracted the world’s best and brightest in the field, creating opportunities for conference attendees to learn about IT security’s most important issues through first-hand interactions with peers, luminaries and emerging and established companies. As the IT security field continues to grow in importance and influence, RSA® Conference plays an integral role in keeping security professionals across the globe connected and educated.
RSA® developed the RSA® Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, the RSA® Conference and related, RSA® Conference branded activities, are still managed by RSA®, the Security Division of EMC, with the support of the industry. RSA® Conference event programming is judged and developed by information security practitioners and other related professionals.
About the Internet Security Alliance
Mission: To use the collective experience of the members of the Internet Security Alliance to promote sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.
The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.
The Internet Security Alliance is a non-profit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab.
CyLab works closely with the CERT® Coordination Center (CERT/CC®), a leading, recognized center of Internet security expertise.
While we continue to respond to major security incidents and analyze product vulnerabilities, our role has expanded over the years. Along with the rapid increase in the size of the internet and its use for critical functions, there have been progressive changes in intruder techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC® is now part of the larger CERT® Program, which develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.
The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com