The State of Cybersecurity

1
The State of Cybersecurity A View From Inside
the Beltway

• Robert Y. BigmanChief, Information Assurance
  Group
• Central Intelligence Agency

The opinions contained herein are mine and not
necessarily shared by the CIA.

2
State of Cybersecurity

• Recent High Profile Breaches
• JTF Strike Fighter design drawings stolen
• Classified data on the Presidents helicopter
  accidentally leaked over P2P file sharing network
• Chinese reportedly penetrate U.S. electric grid,
  also infect 1,200 government computers in 103
  countries
• Heartland Payment Systems resulted in expenses
  and accruals of 12.6 million
• Hannaford Brothers exposed 4.2 million credit and
  debit card numbers
• UC Berkley loses 160,000 health and personal
  records

3
State of Cybersecurity

• Worse of All
• The Agent.BTZ Story
• The Chinese
• The Global Criminal Element
• The Global Hacker with a Habit

4
State of Cybersecurity

• Security/Privacy on the Internet
• Its as if everyone was driving in a new city
  without license plates.
• Its the Wild Wild West without even local
  sheriffs.
• For most users it is as if they landed on
  another planet with only water and oxygen in
  common.

5
State of Cybersecurity

• So Why is This Happening?
• The value (to global organized crime and
  state/non-state actors) far outweighs the risks
• Global legal remedies not even a discussion topic
• Where are the boundaries on the Internet?
• The ease of remote access
• The vulnerabilities inherent in commercial IT
  products
• The shocking lack of competent IA talent
• The shocking lack of organizational commitment to
  implementing basic IA capabilities and procedures

6
State of Cybersecurity

• Inside The Beltway Solutions to The Problem
• Lets pass laws
• Lets regulate the internet
• Lets appoint a Cyberczar
• Lets create a Cyber-command

7
State of Cybersecurity

• Whats Missing
• While some new laws and regulations are needed,
  developing a meaningful public-private
  partnership is more important
• Cybersecurity literacy requires investment
• We have to value secure software like we current
  value feature-rich software
• We need a trusted identity for all internet users

8
State of Cybersecurity

• Common Sense Procedural Measures
• Limit users ability to transfer data to only
  those trained and certified
• Train and certify system administrators
• Have all users trained and sign a memorandum of
  information assurance responsibilities
• Install IA into all IT configuration management
  boards and practices

9
State of Cybersecurity

• Common Sense Technical Measures
• Implementing NIST, NSA, and DISA Stig
  Configuration Guides
• NIST SP800-53 - Twenty critical controls
• Two-Factor Authentication
• Patching
• DEP
• IPSEC
• DNSSEC
• Device Locking/DLP
• Host Intrusion Detection
• Source Code Testing

10
Questions?