U'S' Government: Demonstrating Leadership in CyberSecurity

1
U.S. Government Demonstrating Leadership
in Cyber-Security

• March 14, 2000

2
Cyber-Attack

• Economy and National Security dependent upon
  computer controlled systems
• One-Third of US Economic Growth 95-98
• Security not a design consideration for most
  critical systems/networks
• Large number of attacks, unauthorized
  intrusions, down-loads, malicious code insertion
• Other nations developing offensive cyber-attack
  capabilities -- aimed at the U.S.
• New and Novel Intrusions

3
PDD-63 Protecting Critical Infrastructures

• Action by Federal, state and local, private
  sector participants
• Federal National Security, public health and
  safety
• State and local governments Maintain order and
  essential services
• Private Sector Essential communications, energy,
  financial, and transportation services
• Initial Operating Capability by 2000 Final
  Operating Capability by 2003
• Established
• National Coordinator -- NSC
• National Infrastructure Protection Center (NIPC)
• Critical Infrastructure Assurance Office (CIAO)

4
National Plan BlueprintFour Key Themes

• US Government a Model of Information Security
• Building the Public Private Partnership
• RD for Solutions
• Law Enforcement and National Security
  Capabilities

5
The White House Is Watching(So is Congress)

• President
• National Plan for Information Systems Protection
• Cyber-Summit
• Agency Directive
• White House
• OMB Director Lew Guidance
• Chief of Staff Podesta Guidance
• Ongoing Chief of Staff Conference Calls
• Congress
• GSA reports
• Many Hearings
• Many Bills

6
FY 2000/ 2001 Budget

• FY 2000 - 1.75 B Appropriated
• 10 Civilian Agency
• FY 2001 - 2.01 B Requested
• 25 Civilian Agency
• Key Initiatives - 100 M
• Institute for Information Infrastructure
  Protection
• Federal Cyber Service
• FIDNET
• PKI
• ISACs
• Expert Review Team
• RD - 606 M
• FY 2000 Supplemental - 9 M

7
Future Budgets

• OMB/NSC/Interagency Process
• 1) Proposals Developed
• From Agency Experts
• From Interagency Working Groups
• 2) Interagency/White House OK
• 3) Action by Departments
• 4) OMB Review if not part of Departmental Request
• New Process
• In Use for Other Cross-cutting Issues

8
National Plan BlueprintFour Key Themes

• US Government a Model of Information Security
• Building the Public Private Partnership
• RD for Solutions
• Law Enforcement and National Security
  Capabilities

9
U.S. Government as Model

• Identify and Address Vulnerabilities
• Implement Best Practices
• Install Defensive Detection Systems
• Train and Recruit Security Experts
• Fund RD

10
One Identify and Address Vulnerabilities

• Vulnerability Assessment vs Threat Analysis
• Tension between Cyber and Physical
• Interdependencies and Single Points of Failure
• New Elements
• Project Matrix
• Expert Review Team
• Open Source Software
• Patch Prioritization
• Recommended Practices
• PKI

11
Project MatrixShared Interdependencies

• Complete Picture of Asset Dependencies and
  Interdependencies
• Three Steps
• Identify PDD-63 Relevant Assets
• Capture Major Nodes and Networks which USG
  Critical Assets Depend
• Tie Critical Assets and Supporting Nodes/Networks
  to Underlying Infrastructures

12
TwoImplement Best Practices

• Convergence of Three Initiatives
• Critical Infrastructure Protection Working Group
• Model Information Systems Security Program
• CIO Council Strategic Objectives
• CIO Council Security, Privacy and Critical
  Infrastructure Committee Lead
• Objective Into the hands of practitioners soon

13
ThreeDefensive Detection Systems

• Invest in Current Best of Breed
• Intrusion Detection Monitors/Firewalls
• Access/Activity Rules
• Enterprise Wide Management Systems
• Deploy Next Generation Government-Wide Systems
• JTF-CND -- for DOD
• FIDNet -- for Civilian Agences
• NSIRC -- for national security systems
• Drive Technology
• Vendor conference 3/15

14
FIDNet Architecture

• System of Systems
• Departments run own intrusion detection systems
• Link to FIDNet
• Information Exchange
• Enhances FedCIRC Capabilities
• Run by GSA
• Base for Additional Capabilities
• patch distribution

15
Four Train and Recruit Security Experts

• Centers for IT Excellence
• Scholarship for Service Program
• High School Recruitment and Computer Security
  Awareness program
• Federal Computer Security Awareness Program
• IT Occupational Study/Reform

16
FiveFund RD

• Institute for Information Infrastructure
  Protection
• National framework Coordinated Federal and
  Private Sector efforts
• Key Priorities
• Indications of anomalous behavior within systems
• Large-scale automated correlation of events
• Automated alarm analysis

17
Summary

• Federal Government Must be a Model
• White House Support for Budget and Resources
• Need for Action
• Vulnerabilities
• Best Practices
• FIDNet and Detection Systems
• Training and Recruitment
• RD

18
CONTACT

• CHAIR, USG as a Model Working Group
• Tom Burke
• General Services Administration (GSA)
• 202 708 7000
• Tom.Burke_at_GSA.GOV

• NSC Senior Director for Critical Infrastructure
• Jeffrey Hunker
• National Security Council (NSC)
• 202 456 9351
• Jeffrey_A._Hunker_at_NSC.EOP.GOV